From 464e7437f46e7c4199fa98dcc52b4d46e8d8a48e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Sun, 8 Nov 2020 23:35:45 +0100 Subject: [PATCH] publish: Create files in the cache as #o644. Reported by Ricardo Wurmus . * guix/scripts/publish.scm (compress-nar): Add 'chmod' call to ensure PORT is #o644, in the uncompressed case. (bake-narinfo+nar): Likewise for the narinfo file. * tests/publish.scm ("with cache"): Check permissions on CACHED and NAR. --- guix/scripts/publish.scm | 12 ++++++++++-- tests/publish.scm | 5 +++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm index e8faf379e2..e3c8711f5b 100644 --- a/guix/scripts/publish.scm +++ b/guix/scripts/publish.scm @@ -583,7 +583,10 @@ (define nar ;; guarantee the TTL (see .) (with-atomic-file-output nar (lambda (port) - (write-file item port)))))) + (write-file item port) + ;; Make the file world-readable, contrary to what + ;; 'with-atomic-file-output' does. + (chmod port (logand #o644 (lognot (umask))))))))) (define* (bake-narinfo+nar cache item #:key ttl (compressions (list %no-compression)) @@ -615,7 +618,12 @@ (define (compressed-nar-size compression) #:nar-path nar-path #:compressions compressions #:file-sizes sizes) - port))))) + port))) + + ;; Make the cached narinfo world-readable, contrary to what + ;; 'with-atomic-file-output' does, so that other users can rsync + ;; the whole cache. + (chmod port (logand #o644 (lognot (umask)))))) ;; Make narinfo files for OTHERS hard links to NARINFO such that the ;; atime-based cache eviction considers either all the nars or none diff --git a/tests/publish.scm b/tests/publish.scm index e46e6256b7..cafd0f13a2 100644 --- a/tests/publish.scm +++ b/tests/publish.scm @@ -434,6 +434,11 @@ (define %gzip-magic-bytes (< ttl 3600))) (wait-for-file cached) + + ;; Both the narinfo and nar should be world-readable. + (= #o644 (stat:perms (lstat cached))) + (= #o644 (stat:perms (lstat nar))) + (let* ((body (http-get-port url)) (compressed (http-get nar-url)) (uncompressed (http-get (string-append base "nar/"