Problematic file permissions in crates.io tar archive #37

Closed
wentasah opened this issue Oct 8, 2022 · 3 comments

wentasah commented Oct 8, 2022

Files in the tar archive at crates.io lack read permissions for other users (chmod o+r). This can be demonstrated by running these commands:

$ curl -L https://crates.io/api/v1/crates/pin-utils/0.1.0/download | tar xz
$ ls -lR pin-utils-0.1.0
pin-utils-0.1.0:
total 28
-rw-r--r-- 1 wsh wsh   835 Jan  1  1970 Cargo.toml
-rw-r----- 1 wsh wsh   314 Apr 22  2020 Cargo.toml.orig
-rw-r----- 1 wsh wsh 10841 Apr 22  2020 LICENSE-APACHE
-rw-r----- 1 wsh wsh  1065 Apr 22  2020 LICENSE-MIT
-rw-r----- 1 wsh wsh  1079 Apr 22  2020 README.md
drwxr-xr-x 1 wsh wsh    62 Oct  8 07:26 src
drwxr-xr-x 1 wsh wsh    50 Oct  8 07:26 tests

pin-utils-0.1.0/src:
total 12
-rw-r----- 1 wsh wsh  326 Apr 22  2020 lib.rs
-rw-r----- 1 wsh wsh 2665 Apr 22  2020 projection.rs
-rw-r----- 1 wsh wsh  633 Apr 22  2020 stack_pin.rs

pin-utils-0.1.0/tests:
total 8
-rw-r----- 1 wsh wsh 564 Apr 22  2020 projection.rs
-rw-r----- 1 wsh wsh 376 Apr 22  2020 stack_pin.rs

This is problematic when one uses cargo prefetch to prefetch the crates and then runs builds as another user. Such builds end up with the following error:

error: couldn't read /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/pin-utils-0.1.0/src/lib.rs: Permission denied (os error 13)
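
To check whether restrictive modes like those in the listing above are stored in the archive's tar headers rather than produced by the local umask, the mode bits can be read from the archive directly. This is an added example, not part of the original issue or of cargo; the in-memory archive and the `demo-0.1.0` names are constructed sample data.

```python
import io
import stat
import tarfile


def entries_missing_other_read(crate_bytes):
    """Return (name, mode string) for regular files whose stored mode lacks o+r."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar:
            # member.mode is the permission field recorded in the tar header,
            # independent of the umask of whoever extracts the archive.
            if member.isfile() and not member.mode & stat.S_IROTH:
                mode_str = stat.filemode(stat.S_IFREG | member.mode)
                findings.append((member.name, mode_str))
    return findings


def build_sample_crate():
    """Constructed sample: a small gzip'd tar with mixed modes (not real crate data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in [
            ("demo-0.1.0/Cargo.toml", 0o644),
            ("demo-0.1.0/Cargo.toml.orig", 0o640),
            ("demo-0.1.0/src/lib.rs", 0o640),
        ]:
            data = b"// constructed placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, mode in entries_missing_other_read(build_sample_crate()):
        print(f"{mode} {name}")
```

To inspect a downloaded `.crate` file instead of the sample, pass its bytes to `entries_missing_other_read`.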

taiki-e commented Oct 8, 2022

This seems a cargo bug. Could you open an issue in rust-lang/cargo?

wentasah commented Oct 8, 2022

Right. It seems this bug has already been known for six years :-( Another similar issue is even older. I'll add a comment there.

taiki-e commented Oct 8, 2022

Closing in favor of cargo issue.
