Fix #11240 (#11995)

* extends mkdirs with permissions for intermediate folders Does not use os.makedirs mode parameter because its behavior is changed with Python 3.7 (it ignores it for intermediate dirs), and moreover it was not possible to set different modes for newly-created folders and leaf folder. reference: - https://bugs.python.org/issue19930 - https://docs.python.org/3.7/library/os.html#os.makedirs * comment mkdirp step easing code understanding * revert mkdir to default for package metapath since metapath is nested in package folder, there is no need to specify permissions for intermediate folders because the prefix already exists. * comment create_install_directory package modes
author: albestro <9337627+albestro@users.noreply.github.com> 2019-07-19 17:13:29 +0200
committer: Greg Becker <becker33@llnl.gov> 2019-07-19 10:13:29 -0500
commit: 3a026f14123e8a010e0c969bb38dfdde2738226f (patch)
tree: 0d1c8d198285b08cc852d8722cdc43a24e4ec740
parent: cadff917c7fa6bdbb7c01724dc8831a876c01210 (diff)
download: spack-3a026f14123e8a010e0c969bb38dfdde2738226f.tar.gz
spack-3a026f14123e8a010e0c969bb38dfdde2738226f.tar.bz2
spack-3a026f14123e8a010e0c969bb38dfdde2738226f.tar.xz
spack-3a026f14123e8a010e0c969bb38dfdde2738226f.zip
2 files changed, 37 insertions, 1 deletions
diff --git a/lib/spack/llnl/util/filesystem.py b/lib/spack/llnl/util/filesystem.py
index ced29ad760..e58f657aea 100644
--- a/lib/spack/llnl/util/filesystem.py
+++ b/lib/spack/llnl/util/filesystem.py
@@ -423,14 +423,39 @@ def mkdirp(*paths, **kwargs):
     Keyword Aguments:
         mode (permission bits or None, optional): optional permissions to
             set on the created directory -- use OS default if not provided
+        mode_intermediate (permission bits or None, optional):
+            same as mode, but for newly-created intermediate directories
     """
     mode = kwargs.get('mode', None)
+    mode_intermediate = kwargs.get('mode_intermediate', None)
     for path in paths:
         if not os.path.exists(path):
             try:
+                intermediate_folders = []
+                if mode_intermediate is not None:
+                    # detect missing intermediate folders
+                    intermediate_path = os.path.dirname(path)
+
+                    while intermediate_path:
+                        if os.path.exists(intermediate_path):
+                            break
+
+                        intermediate_folders.append(intermediate_path)
+                        intermediate_path = os.path.dirname(intermediate_path)
+
+                # create folders
                 os.makedirs(path)
+
+                # leaf folder permissions
                 if mode is not None:
                     os.chmod(path, mode)
+
+                # for intermediate folders, change mode just for newly created
+                # ones and if mode_intermediate has been specified, otherwise
+                # intermediate folders list is not populated at all and default
+                # OS mode will be used
+                for intermediate_path in reversed(intermediate_folders):
+                    os.chmod(intermediate_path, mode_intermediate)
             except OSError as e:
                 if e.errno != errno.EEXIST or not os.path.isdir(path):
                     raise e
diff --git a/lib/spack/spack/directory_layout.py b/lib/spack/spack/directory_layout.py
index 5ba8ac144c..35a8e4dcc5 100644
--- a/lib/spack/spack/directory_layout.py
+++ b/lib/spack/spack/directory_layout.py
@@ -254,15 +254,26 @@ class YamlDirectoryLayout(DirectoryLayout):
         # Cannot import at top of file
         from spack.package_prefs import get_package_dir_permissions
         from spack.package_prefs import get_package_group
+
+        # Each package folder can have its own specific permissions, while
+        # intermediate folders (arch/compiler) are set with full access to
+        # everyone (0o777) and install_tree root folder is the chokepoint
+        # for restricting global access.
+        # So, whoever has access to the install_tree is allowed to install
+        # packages for same arch/compiler and since no data is stored in
+        # intermediate folders, it does not represent a security threat.
         group = get_package_group(spec)
         perms = get_package_dir_permissions(spec)
-        mkdirp(spec.prefix, mode=perms)
+        perms_intermediate = 0o777
+
+        mkdirp(spec.prefix, mode=perms, mode_intermediate=perms_intermediate)
         if group:
             chgrp(spec.prefix, group)
             # Need to reset the sticky group bit after chgrp
             os.chmod(spec.prefix, perms)
 
         mkdirp(self.metadata_path(spec), mode=perms)
+
         self.write_spec(spec, self.spec_file_path(spec))
 
     def check_installed(self, spec):
author	albestro <9337627+albestro@users.noreply.github.com>	2019-07-19 17:13:29 +0200
committer	Greg Becker <becker33@llnl.gov>	2019-07-19 10:13:29 -0500
commit	3a026f14123e8a010e0c969bb38dfdde2738226f (patch)
tree	0d1c8d198285b08cc852d8722cdc43a24e4ec740
parent	cadff917c7fa6bdbb7c01724dc8831a876c01210 (diff)
download	spack-3a026f14123e8a010e0c969bb38dfdde2738226f.tar.gz spack-3a026f14123e8a010e0c969bb38dfdde2738226f.tar.bz2 spack-3a026f14123e8a010e0c969bb38dfdde2738226f.tar.xz spack-3a026f14123e8a010e0c969bb38dfdde2738226f.zip