This goes into a big old topic about Unix homedir permissions; it's not uncommon
for general purpose OS vendors to have homedirs be 0755. In that case,
applications need to ensure confidentiality for data requiring it (classically
e.g. `~/.ssh`) by making the dirs `0700`.
While most of the data in the flatpak per-user dir probably isn't confidential
(debatably) we have a different issue; if container content includes suid or
world-writable files/dirs, then having that data accessible to other users
is obviously problematic.
We're going to fix flatpak/ostree to not create files with those modes
to begin with, but this simple fix closes off the attack route for
the per-user directory.
A different fix will be necessary for the system-wide repo.
See: https://github.com/flatpak/flatpak/pull/837
Looking at the git history, this code originally retried on
some cases for pull, then stopped doing so, then a later commit
added code after it, which made it incorrect.
Just do an early return again and drop the `res` variable.
This canonicalizes the file modes for directories to 0755, and
for files to 0755 for executables or 0644 otherwise.
This means we never get files/dirs writable by non-root in the
system repo, and we never get setuid/setgid/sticky-bit, all
which could potentially be a problem if we store them in the
system repo.
See https://github.com/flatpak/flatpak/pull/837 for some discussion
about this.
They were being set to an uninitialised set of flags from cxxflags.
Spotted as a compiler warning.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
This was almost certainly meant to be a logical AND, not a bitwise one.
As spotted from compiler warnings.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
We previously required the directory to be writable to expose
it in the app-specific directory. However, the file was already
made visible in the regular location, and it was explicitly requested
by the app, so not allowing it to be there read-only makes no sense.
In particular, this allows KDE apps to use
--filesystem=xdg-config/kdeglobals:ro to allow apps to pick up global
configurations such as theme, etc, in a safe way.
Locale and Debug extensions, and refs for a secondary arch, when the
primary arch alternative exists, are not shown unless you specify
--all or -a.
This makes the default output more useful.
The list of deltas is stored in the summary, so we need to delete
them before we generate the summary, not before.
This means there is a short period where people may use the old summary
which references the old, now deleted summaries. However, that is
better than it referencing the deleted deltas forever.
Meson does not support builddir == srcdir, so there is no reason to
require developers to set "builddir" to true in their manifests, when we
can just do the right thing.