Re: Should .so files under python site dir be 755 perms?

Hi:

Michael Schwendt wrote, at 09/12/2013 07:47 PM +9:00:
On Thu, 12 Sep 2013 00:29:58 +0900, Mamoru TASAKA wrote:

Well, I have long been wondering about this. Actually creating debuginfo,
stripping shared libs and making the shared libs non executable can
be accomplished by using %attr, i.e.
- At %install, install the shared libs with 0755 as before
- On %files, explicitly mark the files with %attr(0644,root,root)

http://koji.fedoraproject.org/koji/taskinfo?taskID=5923317

Some other distros make non-executable shared libs 0644 permission.
Is the %attr approach for this case allowed / preferable / discouraged?

It is widely accepted practice to limit %attr usage to really special
permissions (such as setuid, setgid) and ownership (non-root user and/or
group), so where that is done in a spec file, it sticks out.
In packages with many files, overusing %attr would decrease readability
even when using spec syntax-highlighting. Ordinary file permissions should
get fixed in %install and upstream.

Is it guaranteed that %attr will set the permission _after_ debuginfo
generation?

Yes, because debuginfo generation is done at %__spec_install_post,
and %check follows after that.

AFAIK, the only thing that wants +x on these libs is the debuginfo
generator, and IIRC there's support already for flipping a flag and making
it work with non-executables, too.

Well, currently I don't know that.

ldd still warns about non-executable libs. And the build tools are not
specific to Fedora/Linux, so they will likely keep making .so files +x.

(While I don't know Debian well) it seems at least Debian makes
.so files 0644 for most cases (and perhaps also Ubuntu), ref:

https://lists.fedoraproject.org/pipermail/devel/2011-March/149822.html
https://lists.fedoraproject.org/pipermail/devel/2011-March/149857.html

How many of the libs contain special code that can be run?
Perhaps libc, libpthread and some very special exceptions.

I don't want to imagine a large configure script running a lib for
some version check or feature list. Would packagers need to check every
lib for whether it may be run or not?

So I think for most cases they do not (need not) run, and only quite
a few cases should be concerned.

Regards,
Mamoru



--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging
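
Added example, not part of the original message or of any Fedora package: a spec sketch of the %attr approach discussed above, showing where the 0755 install and the 0644 packaging mode sit relative to debuginfo generation. The package name, source tarball and file layout are hypothetical.

```spec
# Hypothetical package; name, tarball and file layout are assumptions.
# Percent signs in comments are doubled so rpm does not expand them.
Name:           python3-example
Version:        1.0
Release:        1%{?dist}
Summary:        Example Python extension module
License:        MIT
URL:            https://example.org/
Source0:        example-%{version}.tar.gz
BuildRequires:  python3-devel

%description
Example package with one compiled extension module.

%prep
%setup -q -n example-%{version}

%build
%{__python3} setup.py build

%install
# The extension module lands in the buildroot with mode 0755, as before.
%{__python3} setup.py install --skip-build --root %{buildroot}
# After this section, %%__spec_install_post runs debuginfo extraction and
# stripping against the buildroot, where the .so still has its +x bits.

%files
%dir %{python3_sitearch}/example
%{python3_sitearch}/example/*.py
%{python3_sitearch}/example/__pycache__/
# %%attr changes only the mode recorded in the package, not the buildroot file.
%attr(0644,root,root) %{python3_sitearch}/example/*.so
%{python3_sitearch}/example-%{version}-py%{python3_version}.egg-info
```

Running `rpm -qlvp` on the built package lists the mode recorded for each file, which is where the 0644 on the module can be confirmed.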




