Bug 4081 - /usr/local/bin/hg permission & owner
Summary: /usr/local/bin/hg permission & owner
Status: RESOLVED FIXED
Alias: None
Product: Mercurial
Classification: Unclassified
Component: Mercurial
Version: 2.8
Hardware: Macintosh Mac OS
: normal bug
Assignee: Bugzilla
Reported: 2013-11-03 11:15 UTC by jasonmader
Modified: 2015-01-31 01:00 UTC


Attachments
Script to rewrite Mac package archive in-memory to fix permissions (1.50 KB, text/plain)
2015-01-22 19:19 UTC, Matt Mackall

Description jasonmader 2013-11-03 11:15 UTC
The permission and ownership of /usr/local/bin/hg after running the Mercurial 2.8 for MacOS X 10.9 package installer is,

-rwxrwxr-x   1 jason  admin    1078 Nov  1 18:18 hg

It really should be,

-rwxr-xr-x  1 root  wheel  1078 Nov  1 18:18 hg

It also did not clean up the Mercurial 2.7.2 site-package,

drwxr-xr-x    6 root   wheel   204 Oct 22 15:35 mercurial-2.7.2_20131002-py2.7.egg-info
drwxrwxr-x    6 jason  admin   204 Nov  1 18:18 mercurial-2.8_20131101-py2.7.egg-info

and had the wrong permission on the egg.

site-packages/hgext and site-packages/mercurial are probably wrong too.
Comment 1 Matt Mackall 2013-11-03 13:58 UTC
Which of the five possible ways of installing Mac packages did you use for 2.8 and 2.7.2?
Comment 2 jasonmader 2013-11-03 15:54 UTC
(In reply to comment #1)
The point and click way?

October 11th:
Mercurial 2.7.2 for MacOS X 10.8
http://mercurial.selenic.com/mac/binaries/Mercurial-2.7.2-py2.7-macosx10.8.zip
mercurial-2.7.2+20131002-py2.7-macosx10.8.mpkg

November 3rd:
Mercurial 2.8 for MacOS X 10.9
http://mercurial.selenic.com/mac/binaries/Mercurial-2.8-py2.7-macosx10.9.zip
mercurial-2.8+20131101-py2.7-macosx10.9.mpkg
Comment 3 kiilerix 2015-01-22 16:55 UTC
From the description I guess it is caused by the mpkg format storing the uid of the user creating the package. Building as 'first uid on a system' and installing as root on another system will install the files as owned by that uid. If my guess is right, it is thus not really possible to build mpkg as an unprivileged user.

Yeah ... https://github.com/MacPython/bdist_mpkg/issues/3 ... what a lovely platform ...

It must be possible to specify something similar to GNU tar --owner and --group ...
Comment 5 kiilerix 2015-01-22 16:57 UTC
- except that this command must run as a privileged user ...
Comment 6 Matt Mackall 2015-01-22 19:19 UTC
Created attachment 1803
Script to rewrite Mac package archive in-memory to fix permissions
Comment 7 Matt Mackall 2015-01-22 19:21 UTC
I've attached a proof-of-concept script that rewrites a zip, rewriting the owners of any Archive.pax.gz files it finds. Someone with a Mac will need to actually test it.
Comment 8 kiilerix 2015-01-23 00:31 UTC
I hacked the script and took it to the next level of proof-of-concept where it works for me. Sent as patch to the mailing list.
Comment 9 HG Bot 2015-01-23 19:00 UTC
Fixed by http://selenic.com/repo/hg/rev/d0ef40776999
Mads Kiilerich <madski@unity3d.com>
osx: patch .pax.gz files in pkg bundles so they extract as root (issue4081)

The packages have to be installed by root but they would be installed
insecurely, owned by the uid of the unprivileged user that made the package.
The local user with that uid could thus write to /usr/local/bin/hg.

bdist_mpkg calls out to pax to create the package, but pax does apparently not
have the power to control what it is writing.

Instead, patch the pax files and set their uid fields to 0 before they are
wrapped in a dmg.

(please test the fix)
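
An added example, not the attached script or the committed fix: a Python check and rewrite of the ownership fields that the commit message in comment 9 describes, assuming the `.pax.gz` payload is a gzip-compressed cpio archive in the portable "odc" format (76-byte octal ASCII headers). The function names, the constructed sample entry (uid 501, gid 80) and the extra clearing of group/other write bits are assumptions of this example.

```python
import gzip

# cpio "odc" header layout (assumed payload format): octal ASCII, 76 bytes.
FIELDS = list(zip("magic dev ino mode uid gid nlink rdev mtime namesize filesize".split(),
                  (6, 6, 6, 6, 6, 6, 6, 6, 11, 6, 11)))
TRAILER = b"TRAILER!!!\0"

def entries(raw):
    """Yield (header dict, name, data) for every entry, trailer included."""
    pos, name = 0, None
    while name != TRAILER:
        hdr, off = {}, pos
        for field, width in FIELDS:
            hdr[field] = raw[off:off + width]
            off += width
        if hdr["magic"] != b"070707":
            raise ValueError("no cpio odc header at offset %d" % pos)
        name_end = off + int(hdr["namesize"], 8)
        name = raw[off:name_end]
        pos = name_end + int(hdr["filesize"], 8)
        yield hdr, name, raw[name_end:pos]

def audit(gz_bytes):
    """List (name, uid, gid, mode) of entries not owned by 0:0 or g/o-writable."""
    bad = []
    for hdr, name, _ in entries(gzip.decompress(gz_bytes)):
        uid, gid, mode = (int(hdr[k], 8) for k in ("uid", "gid", "mode"))
        if name != TRAILER and (uid or gid or mode & 0o022):
            bad.append((name.rstrip(b"\0").decode(), uid, gid, mode & 0o7777))
    return bad

def fix(gz_bytes):
    """Rewrite headers to uid 0, gid 0 and clear group/other write bits."""
    out = bytearray()
    for hdr, name, data in entries(gzip.decompress(gz_bytes)):
        hdr["uid"] = hdr["gid"] = b"000000"
        hdr["mode"] = ("%06o" % (int(hdr["mode"], 8) & ~0o022)).encode()
        out += b"".join(hdr[f] for f, _ in FIELDS) + name + data
    return gzip.compress(bytes(out))

def member(name, mode, uid, gid, data=b""):
    """Build one constructed sample entry (not from a real package)."""
    nums = (0o070707, 0, 0, mode, uid, gid, 1, 0, 0, len(name) + 1, len(data))
    text = "".join("%0*o" % (w, n) for (_, w), n in zip(FIELDS, nums))
    return text.encode() + name + b"\0" + data

# Constructed sample: hg as packaged by uid 501, gid 80, mode 0775, plus trailer.
SAMPLE = gzip.compress(member(b"./usr/local/bin/hg", 0o100775, 501, 80, b"#!/bin/sh\n")
                       + member(b"TRAILER!!!", 0, 0, 0))
```

Running `audit()` on a built payload before it is wrapped for distribution turns the ownership problem into a build-time failure instead of something found after a root install.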
Comment 10 Bugzilla 2015-01-31 01:00 UTC
Bug was set to TESTING for 7 days, resolving