
Re: where should one set rpm file and dir permissions?

Circa 2002-Jan-15 08:06:48 -0500 dixit rpjday@mindspring.com:

:   i'm curious about the proper place to set the file and directory
: permissions when you're building an rpm.
:   on the one hand, i've seen postings describing how to make sure
: you're copying files and directories into the build root with the
: appropriate permissions you want them to have.  fair enough --
: this suggests you should make sure that everything in the build
: root has the attributes you want it to have before building the
: rpm file.
:   on the other hand, we have the %defattr and %attr directives.
: the drawback, as i see it, with %defattr is that you get to use it
: only once, and the default permissions you want with directories
: almost always is not the default permissions you want on files.
: unfortunately, that single %defattr applies to both.
:   so what's the politically correct way to make sure all your rpm contents
: have the correct attributes?  careful copying?  %defattr and %attr?
: a (clearly redundant) combination of both?

The best way to be certain that a package contains the proper
permissions is with %attr().  Using 'install' or 'chmod' in the
%install section works most of the time, but beware of permissions like
0111 (--x--x--x) or 4111 (--s--x--x), which don't let RPM read
executables and perform automatic dependency analysis.

%defattr can work, but some older versions of RPM (somewhat older than
rpm-3.0.5) don't understand %defattr(), only %attr().  To make your
spec file work everywhere, use %attr().  Also, as you note above,
%defattr() can be misleading; using %defattr(0644,root,root) leaves the
executable (search) bit off of directories.

That said, it can sometimes be advantageous to make automagically
generated %files listings rather than listing files and attributes
explicitly by hand.  Unfortunately, the rpm-list archive appears to
stop on 2002-Jan-10, and the message i sent to rpm-list explaining how
to do this is from 2002-Jan-11.  Harrumph.  Hence, i include the
message below.

One further item about RPM and file permissions: Beware the umask of
the user actually performing the install.  Any directories not listed
in an RPM package but not present on the filesystem will be created
with the installing user's umask.

For example, if the installing user is 'root', with a umask of 077
(default permissions 0600 [rw-------] for files and 0700 [rwx------]
for directories), and an RPM package contains the directory
/var/opt/myapp/, but /var/opt/ doesn't exist, then RPM creates
/var/opt/ with mode 0700 (rwx------).  This can cause problems later
on.  This is true with rpm-3.0.5 and rpm-3.0.6; don't know for certain
about other versions.

Good luck.

jim knoble | jmknoble@pobox.com   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

-------- Begin forwarded message --------
From: Jim Knoble <jmknoble@pobox.com>
To: rpm-list@redhat.com
Subject: Re: %defattr & file permission confusion
Message-ID: <20020111182110.K24779@zax.half.pint-stowp.cx>
References: <OFCAFC3681.E44F839F-ON86256B3E.0076CB5A@notes.seagate.com>
In-Reply-To: <OFCAFC3681.E44F839F-ON86256B3E.0076CB5A@notes.seagate.com>; from Rebecca.R.Hepper@seagate.com on Fri, Jan 11, 2002 at 03:43:19PM -0600
Date: Fri, 11 Jan 2002 18:21:10 -0500

Circa 2002-Jan-11 15:43:19 -0600 dixit Rebecca.R.Hepper@seagate.com:

: I built and installed my package using rpm-4.03-1.03 and I still
: have problems with incorrect file permissions.  The way I see it
: (and I'm hoping I am wrong) is that I have 2 choices.  1) in the
: %files section I can individually list every single file in my
: package with the permissions that I want it to have.  2) someone
: else suggested that in the %install section I could list every file
: I have and use the install command rather than copy.  It would be
: something like the following: install -d -m 664 -o mln -g mln Disc.i
: ${RPM_BUILD_ROOT}/usr/local/mln/cm/Discovery
: Is that correct?  Or is there an easier way of doing this rather than
: having to list every single file in my package with the permissions I want
: it to have.

Those are the two usual ways of doing things.  You may find it easier
to generate a %files listing automatically, though, and "include" it

  %files -f <filename>

for example:

  <do stuff to install the package, then:>
  # Zero the manifest.
  : >%{name}-manifest.lst
  # Handle directories.  print is used instead of printf so that awk
  # does not treat "%attr" and "%dir" as format specifiers.
  find "${RPM_BUILD_ROOT}" -type d -print \
    |sed -e "s|^${RPM_BUILD_ROOT}||" \
    |sort \
    |gawk '$0 != "" && !/^(\/bin|\/sbin|\/usr(\/bin|\/lib|\/sbin)?)$/ {
      if ($0 ~ /\/usr\/bin\/(dir1|dir2)/) {
        print "%attr(0700,root,root) %dir " $0
      } else {
        print "%attr(0755,root,root) %dir " $0
      }
    }' \
    >>%{name}-manifest.lst
  # Handle non-directories.
  find "${RPM_BUILD_ROOT}" -not -type d -print \
    |sed -e "s|^${RPM_BUILD_ROOT}||" \
    |sort \
    |gawk '{
      if ($0 ~ /\/usr\/bin\/(file1|file2)/) {
        print "%attr(0644,root,root) " $0
      } else {
        print "%attr(0755,root,root) " $0
      }
    }' \
    >>%{name}-manifest.lst

and then:

  %files -f %{name}-manifest.lst

Note that the manifest gets created in the package's "build directory"
(*not* the "build root", which is really the install root).

jim knoble | jmknoble@pobox.com   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

-------- End of message --------
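
Added example, not part of the original message or of RPM itself: a shell audit for the three pitfalls described above (directories packaged without the search bit, build-root executables that cannot be read, and parent directories that RPM would create under the installing user's umask). The function names, the BASE_DIRS list and the sample manifest are assumptions constructed for illustration.

```shell
# Added example (hypothetical names): audit a build root and its manifest.

# Directories assumed to exist on every target system (an assumption).
BASE_DIRS='^(/bin|/sbin|/usr(/bin|/lib|/sbin)?|/var)$'

# audit_manifest MANIFEST
#   NOSEARCH <dir>  %dir entry whose owner digit lacks the search (x) bit
#   IMPLICIT <dir>  parent not listed as %dir; created under installer's umask
# Assumes "%attr(MODE,USER,GROUP) [%dir] PATH" lines, paths without whitespace.
audit_manifest() {
  awk -v base="$BASE_DIRS" '
    /^%attr\(/ {
      path = $NF
      mode = $0; sub(/^%attr\(/, "", mode); sub(/,.*/, "", mode)
      owner = substr(mode, length(mode) - 2, 1) + 0   # owner permission digit
      if ($0 ~ / %dir /) {
        listed[path] = 1
        if (mode ~ /^[0-7]+$/ && owner % 2 == 0) print "NOSEARCH " path
      }
      paths[++n] = path
    }
    END {
      for (i = 1; i <= n; i++) {
        p = paths[i]
        while (sub("/[^/]*$", "", p) && p != "") {   # walk up the ancestors
          if ((p in listed) || (p in seen) || (p ~ base)) continue
          seen[p] = 1
          print "IMPLICIT " p
        }
      }
    }
  ' "$1"
}

# unreadable_execs ROOT
#   Build-root files with owner x but no owner r (such as 0111 or 4111).
unreadable_execs() {
  find "$1" -type f -perm -100 ! -perm -400 -print | sed -e "s|^$1||" | sort
}

# Constructed sample manifest, fed through the audit.
demo=$(mktemp -d)
printf '%s\n' '%attr(0644,root,root) %dir /var/opt/myapp' \
  '%attr(0755,root,root) /var/opt/myapp/bin/run' > "$demo/manifest.lst"
audit_manifest "$demo/manifest.lst"
rm -rf "$demo"
```

Each IMPLICIT directory can be added to the manifest as an explicit %dir entry with its own %attr() so that its mode no longer depends on the installing user's umask.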
