publish: Create files in the cache as #o644.

Reported by Ricardo Wurmus <rekado@elephly.net>. * guix/scripts/publish.scm (compress-nar): Add 'chmod' call to ensure PORT is #o644, in the uncompressed case. (bake-narinfo+nar): Likewise for the narinfo file. * tests/publish.scm ("with cache"): Check permissions on CACHED and NAR.
2024-11-07 07:26:13 -05:00 · 2020-11-08 23:35:45 +01:00 · 2020-11-08 23:35:45 +01:00 · 464e7437f4
commit 464e7437f4
parent 495acfc566
2 changed files with 15 additions and 2 deletions
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@ -583,7 +583,10 @@ (define nar
     ;; guarantee the TTL (see <https://bugs.gnu.org/28664>.)
     (with-atomic-file-output nar
       (lambda (port)
-         (write-file item port))))))
+         (write-file item port)
+         ;; Make the file world-readable, contrary to what
+         ;; 'with-atomic-file-output' does.
+         (chmod port (logand #o644 (lognot (umask)))))))))

 (define* (bake-narinfo+nar cache item
                           #:key ttl (compressions (list %no-compression))
@ -615,7 +618,12 @@ (define (compressed-nar-size compression)
                                          #:nar-path nar-path
                                          #:compressions compressions
                                          #:file-sizes sizes)
-                          port)))))
+                          port)))
+
+             ;; Make the cached narinfo world-readable, contrary to what
+             ;; 'with-atomic-file-output' does, so that other users can rsync
+             ;; the whole cache.
+             (chmod port (logand #o644 (lognot (umask))))))

         ;; Make narinfo files for OTHERS hard links to NARINFO such that the
         ;; atime-based cache eviction considers either all the nars or none
--- a/tests/publish.scm
+++ b/tests/publish.scm
@ -434,6 +434,11 @@ (define %gzip-magic-bytes
                 (< ttl 3600)))

              (wait-for-file cached)
+
+              ;; Both the narinfo and nar should be world-readable.
+              (= #o644 (stat:perms (lstat cached)))
+              (= #o644 (stat:perms (lstat nar)))
+
              (let* ((body         (http-get-port url))
                     (compressed   (http-get nar-url))
                     (uncompressed (http-get (string-append base "nar/"