From f8f2f0202804a7c6001a98295ec35d43ec5f809c Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Sat, 9 Nov 2019 22:13:00 -0500
Subject: archbuild: use better umask

In commit 40a90e2cab479cc64903a62b42eb617a8a7e5842 we tried to protect against system umasks resulting in unreadable chroots. However, we tried to do this in a targeted manner due to not wanting to fiddle with permissions for user-owned files.

Unfortunately, mkdir -p -m755 does not actually work that way -- the parent directory is created with broken permissions. We need umask. Run umask and mkdir in a subshell to prevent leakage.

Signed-off-by: Eli Schwartz
--- archbuild.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archbuild.in b/archbuild.in index 9e32292..5b98976 100644 --- a/archbuild.in +++ b/archbuild.in @@ -68,7 +68,7 @@ if ${clean_first} || [[ ! -d "${chroots}/${repo}-${arch}" ]]; then lock_close 9 rm -rf --one-file-system "${chroots}/${repo}-${arch}" - mkdir -m755 -p "${chroots}/${repo}-${arch}" + (umask 0022; mkdir -p "${chroots}/${repo}-${arch}") setarch "${arch}" mkarchroot \ -C "${pacman_config}" \ -M "${makepkg_config}" \ -- cgit v1.2.3-70-g09d2
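Review bot: the added `(umask 0022; mkdir -p "${chroots}/${repo}-${arch}")` line has no comment explaining why a subshell and umask replace `mkdir -m755 -p`, so a later cleanup could easily revert it. A one-line comment above it would keep the reasoning from the commit message next to the code: `-m` sets the mode of the final directory only, parents created by `-p` follow the umask, and the subshell keeps the umask from leaking into the rest of the script. Separately, `mkdir -p` does not change the mode of components that already exist, so a `${chroots}` directory created earlier under a restrictive umask stays unreadable after this change. If that case matters, check or fix the mode of the existing parent explicitly. The `setarch "${arch}" mkarchroot` call that follows still runs under the caller's umask, which matches the stated intent but is worth confirming against what mkarchroot creates.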