fix: ensure that setgid and setuid flags are cleared (part 3)

Close electron-userland/electron-builder#3608
develar · Jun 21, 2019 · b34fa7d · b34fa7d
1 parent 97910ac
commit b34fa7d
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 29 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -10,7 +10,7 @@ cache:
     - $HOME/gopath/pkg/mod
 
 go:
-  - 1.11.x
+  - 1.12.x
 
 script:
   - make build

diff --git a/Makefile b/Makefile
@@ -45,6 +45,5 @@ publish: build-all
 	./scripts/publish-npm.sh
 
 update-deps:
-	#GOPROXY=https://proxy.golang.org go get -u
-	go get -u
+	GOPROXY=https://proxy.golang.org go get -u
 	go mod tidy
diff --git a/app-builder-bin/package.json b/app-builder-bin/package.json
@@ -1,7 +1,7 @@
 {
   "name": "app-builder-bin",
   "description": "app-builder precompiled binaries",
-  "version": "2.7.0",
+  "version": "2.7.1",
   "files": [
     "*.js",
     "mac",

diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect
 	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
 	github.com/apex/log v1.1.0
-	github.com/aws/aws-sdk-go v1.20.4
+	github.com/aws/aws-sdk-go v1.20.5
 	github.com/biessek/golang-ico v0.0.0-20180326222316-d348d9ea4670
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -33,8 +33,8 @@ require (
 	github.com/segmentio/ksuid v1.0.2
 	github.com/zieckey/goini v0.0.0-20180118150432-0da17d361d26
 	golang.org/x/image v0.0.0-20190618124811-92942e4437e2 // indirect
-	golang.org/x/net v0.0.0-20190619014844-b5b0513f8c1b // indirect
-	golang.org/x/sys v0.0.0-20190620070143-6f217b454f45 // indirect
+	golang.org/x/net v0.0.0-20190620200207-3b0461eec859 // indirect
+	golang.org/x/sys v0.0.0-20190621062556-bf70e4678053 // indirect
 	golang.org/x/text v0.3.2 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/yaml.v2 v2.2.2 // indirect

diff --git a/go.sum b/go.sum
@@ -8,8 +8,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZq
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/apex/log v1.1.0 h1:J5rld6WVFi6NxA6m8GJ1LJqu3+GiTFIt3mYv27gdQWI=
 github.com/apex/log v1.1.0/go.mod h1:yA770aXIDQrhVOIGurT/pVdfCpSq1GQV/auzMN5fzvY=
-github.com/aws/aws-sdk-go v1.20.4 h1:czX3oqFyqz/AELrK/tneNuyZgNIrWnyqP+iQXsQ32E0=
-github.com/aws/aws-sdk-go v1.20.4/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.20.5 h1:Ytq5AxpA2pr4vRJM9onvgAjjVRZKKO63WStbG/jLHw0=
+github.com/aws/aws-sdk-go v1.20.5/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/biessek/golang-ico v0.0.0-20180326222316-d348d9ea4670 h1:FQPKKjDhzG0T4ew6dm6MGrXb4PRAi8ZmTuYuxcF62BM=
 github.com/biessek/golang-ico v0.0.0-20180326222316-d348d9ea4670/go.mod h1:iRWAFbKXMMkVQyxZ1PfGlkBr1TjATx1zy2MRprV7A3Q=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY=
@@ -19,8 +19,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/develar/errors v0.9.0 h1:ftXOTwkajtgkUwLTw1iKG+mJwrUTvCp9Zr/Z6Y+rvMY=
 github.com/develar/errors v0.9.0/go.mod h1:zNbO3fZHcBjapJKbvUnvyaNrKGKkxgaL6C8Z7uNzQMc=
-github.com/develar/go-fs-util v0.0.0-20190620142700-070542c9dbf3 h1:StTtJsUf0qF7/Guw5DF6caqll42Dgcn0H8PXPJhKwFk=
-github.com/develar/go-fs-util v0.0.0-20190620142700-070542c9dbf3/go.mod h1:zHJzuOnKTkGSx1ffGhGzkhUIGcBKDB5z/ooCxRAzfOE=
 github.com/develar/go-fs-util v0.0.0-20190620175131-69a2d4542206 h1:+qChA4xPXcSEM0e6ysWUYA0Jl8h+OG+n9scUJWgGtas=
 github.com/develar/go-fs-util v0.0.0-20190620175131-69a2d4542206/go.mod h1:zHJzuOnKTkGSx1ffGhGzkhUIGcBKDB5z/ooCxRAzfOE=
 github.com/develar/go-pkcs12 v0.0.0-20181115143544-54baa4f32c6a h1:OJOyvDaaWj7Q6nMh4qDu702JMAQ+CD6bWduhKpkznaw=
@@ -90,15 +88,15 @@ golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86h
 golang.org/x/image v0.0.0-20190618124811-92942e4437e2 h1:fqF3kMQ0tlBEpnfxavzOrjqW5gokBwllwOABYxETOMA=
 golang.org/x/image v0.0.0-20190618124811-92942e4437e2/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190619014844-b5b0513f8c1b h1:lkjdUzSyJ5P1+eal9fxXX9Xg2BTfswsonKUse48C0uE=
-golang.org/x/net v0.0.0-20190619014844-b5b0513f8c1b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181021155630-eda9bb28ed51/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190620070143-6f217b454f45 h1:Dl2hc890lrizvUppGbRWhnIh2f8jOTCQpY5IKWRS0oM=
-golang.org/x/sys v0.0.0-20190620070143-6f217b454f45/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190621062556-bf70e4678053 h1:T0MJjz97TtCXa3ZNW2Oenb3KQWB91K965zMEbIJ4ThA=
+golang.org/x/sys v0.0.0-20190621062556-bf70e4678053/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=

diff --git a/main.go b/main.go
@@ -41,7 +41,7 @@ func main() {
 		return
 	}
 
-	var app = kingpin.New("app-builder", "app-builder").Version("2.7.0")
+	var app = kingpin.New("app-builder", "app-builder").Version("2.7.1")
 
 	node_modules.ConfigureCommand(app)
 	//codesign.ConfigureCommand(app)
@@ -155,7 +155,7 @@ func configurePrefetchToolsCommand(app *kingpin.Application) {
 			return errors.WithStack(err)
 		}
 
-		_, err = snap.ResolveTemplateFile("", "electron4", "")
+		_, err = snap.ResolveTemplateDir("", "electron4", "")
 		if err != nil {
 			return errors.WithStack(err)
 		}

diff --git a/pkg/package-format/snap/snap.go b/pkg/package-format/snap/snap.go
@@ -74,12 +74,12 @@ func ConfigureCommand(app *kingpin.Application) {
 	isRemoveStage := util.ConfigureIsRemoveStageParam(command)
 
 	command.Action(func(context *kingpin.ParseContext) error {
-		resolvedTemplateFile, err := ResolveTemplateFile(*templateFile, *templateUrl, *templateSha512)
+		resolvedTemplateDir, err := ResolveTemplateDir(*templateFile, *templateUrl, *templateSha512)
 		if err != nil {
 			return errors.WithStack(err)
 		}
 
-		err = Snap(resolvedTemplateFile, options)
+		err = Snap(resolvedTemplateDir, options)
 		if err != nil {
 			switch e := errors.Cause(err).(type) {
 			case util.MessageError:
@@ -101,7 +101,7 @@ func ConfigureCommand(app *kingpin.Application) {
 	})
 }
 
-func ResolveTemplateFile(templateFile string, templateUrl string, templateSha512 string) (string, error) {
+func ResolveTemplateDir(templateFile string, templateUrl string, templateSha512 string) (string, error) {
 	if len(templateFile) != 0 || len(templateUrl) == 0 {
 		return templateFile, nil
 	}
@@ -159,9 +159,9 @@ func doCheckSnapVersion(rawVersion string, installMessage string) error {
 	}
 }
 
-func Snap(templateFile string, options SnapOptions) error {
+func Snap(templateDir string, options SnapOptions) error {
 	stageDir := *options.stageDir
-	isUseTemplateApp := len(templateFile) != 0
+	isUseTemplateApp := len(templateDir) != 0
 	var snapMetaDir string
 	if isUseTemplateApp {
 		snapMetaDir = filepath.Join(stageDir, "meta")
@@ -202,7 +202,7 @@ func Snap(templateFile string, options SnapOptions) error {
 
 	switch {
 	case isUseTemplateApp:
-		return buildUsingTemplate(templateFile, options)
+		return buildUsingTemplate(templateDir, options)
 	default:
 		return buildWithoutTemplate(options, scriptDir)
 	}
@@ -240,7 +240,7 @@ func writeCommandWrapper(options SnapOptions, isUseTemplateApp bool, scriptDir s
 	return nil
 }
 
-func buildUsingTemplate(templateFile string, options SnapOptions) error {
+func buildUsingTemplate(templateDir string, options SnapOptions) error {
 	stageDir := *options.stageDir
 
 	mksquashfsPath, err := linuxTools.GetMksquashfs()
@@ -250,7 +250,7 @@ func buildUsingTemplate(templateFile string, options SnapOptions) error {
 
 	var args []string
 
-	args, err = linuxTools.ReadDirContentTo(templateFile, args, nil)
+	args, err = linuxTools.ReadDirContentTo(templateDir, args, nil)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -260,6 +260,25 @@ func buildUsingTemplate(templateFile string, options SnapOptions) error {
 		return errors.WithStack(err)
 	}
 
+	// https://github.com/electron-userland/electron-builder/issues/3608
+	// even if electron-builder will correctly unset setgid/setuid, still, quite a lot of possibilities for user to create such incorrect permissions,
+	// so, just unset it using chmod right before packaging
+	dirs := []string{stageDir, *options.appDir, templateDir}
+	err = util.MapAsync(len(dirs), func(taskIndex int) (func() error, error) {
+		dir := dirs[taskIndex]
+		return func() error {
+			_, err := util.Execute(exec.Command("chmod", "-R", "g-s", dir), dir)
+			if err != nil {
+				log.WithError(err).Warn("cannot execute chmod")
+			}
+			return nil
+		}, nil
+	})
+
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
 	args, err = linuxTools.ReadDirContentTo(*options.appDir, args, func(name string) bool {
 		if name == "LICENSES.chromium.html" || name == "LICENSE.electron.txt" {
 			return false

diff --git a/pkg/package-format/snap/snap_test.go b/pkg/package-format/snap/snap_test.go
@@ -9,13 +9,16 @@ import (
 func TestCheckWineVersion(t *testing.T) {
 	g := NewGomegaWithT(t)
 
-	err := doCheckSnapVersion("3.0", "")
+	err := doCheckSnapVersion("3.1", "")
 	g.Expect(err).NotTo(HaveOccurred())
 
-	err = doCheckSnapVersion("snapcraft, version 3.0.1", "")
+	err = doCheckSnapVersion("snapcraft, version 3.1.1", "")
 	g.Expect(err).NotTo(HaveOccurred())
 
-	err = doCheckSnapVersion(" version 3.0.1", "")
+	err = doCheckSnapVersion("snapcraft, version '3.1.1'", "")
+	g.Expect(err).NotTo(HaveOccurred())
+
+	err = doCheckSnapVersion(" version 3.2.1", "")
 	g.Expect(err).NotTo(HaveOccurred())
 
 	err = doCheckSnapVersion("2.12", "")

diff --git a/pkg/util/async.go b/pkg/util/async.go
@@ -8,7 +8,7 @@ import (
 )
 
 func MapAsync(taskCount int, taskProducer func(taskIndex int) (func() error, error)) error {
-	return MapAsyncConcurrency(taskCount, runtime.NumCPU(), taskProducer)
+	return MapAsyncConcurrency(taskCount, runtime.NumCPU() + 1, taskProducer)
 }
 
 func MapAsyncConcurrency(taskCount int, concurrency int, taskProducer func(taskIndex int) (func() error, error)) error {
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,7 +10,7 @@ cache: @@
         - $HOME/gopath/pkg/mod
     go:
-      - 1.11.x
+      - 1.12.x
     script:
       - make build
@@ Expand Down @@