
venv module not respecting ACLs #127172

Open
@piotr-kubiak

Description


Bug report

Bug description:

First, let's do some setup.

$ docker run -it --rm python:3.13.0 bash

root@45d8ebf9ee61:~# apt-get update     
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8789 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [2468 B]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [204 kB]
Fetched 9250 kB in 5s (1721 kB/s)                        
Reading package lists... Done

root@45d8ebf9ee61:~# apt-get install acl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  acl
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 61.2 kB of archives.
After this operation, 215 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 acl amd64 2.3.1-3 [61.2 kB]
Fetched 61.2 kB in 1s (45.6 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package acl.
(Reading database ... 23969 files and directories currently installed.)
Preparing to unpack .../archives/acl_2.3.1-3_amd64.deb ...
Unpacking acl (2.3.1-3) ...
Setting up acl (2.3.1-3) ...

I've got the same result on my RHEL 9.4 machine; the Docker container here is just to produce a minimal example.
Now, let's grab a control sample:

root@45d8ebf9ee61:~# mkdir foo
root@45d8ebf9ee61:~# python -m venv foo/.venv
root@45d8ebf9ee61:~# touch foo/.venv/bin/bar
root@45d8ebf9ee61:~# ls -Al foo/.venv/bin/
total 36
-rw-r--r-- 1 root root 9031 Nov 12 06:08 Activate.ps1
-rw-r--r-- 1 root root 2045 Nov 22 18:54 activate
-rw-r--r-- 1 root root  904 Nov 22 18:54 activate.csh
-rw-r--r-- 1 root root 2183 Nov 22 18:54 activate.fish
-rw-r--r-- 1 root root    0 Nov 22 18:54 bar
-rwxr-xr-x 1 root root  231 Nov 22 18:54 pip
-rwxr-xr-x 1 root root  231 Nov 22 18:54 pip3
-rwxr-xr-x 1 root root  231 Nov 22 18:54 pip3.13
lrwxrwxrwx 1 root root   21 Nov 22 18:54 python -> /usr/local/bin/python
lrwxrwxrwx 1 root root    6 Nov 22 18:54 python3 -> python
lrwxrwxrwx 1 root root    6 Nov 22 18:54 python3.13 -> python

Now, let's enable some ACLs, and repeat the experiment.

root@45d8ebf9ee61:~# rm -rf -- foo/
root@45d8ebf9ee61:~# mkdir foo
root@45d8ebf9ee61:~# setfacl -d -m group::rwx -m other::rw foo/
root@45d8ebf9ee61:~# python -m venv foo/.venv
root@45d8ebf9ee61:~# touch foo/.venv/bin/bar
root@45d8ebf9ee61:~# ls -Al foo/.venv/bin/
total 36
-rw-r--r-- 1 root root 9031 Nov 12 06:08 Activate.ps1
-rw-r--r-- 1 root root 2045 Nov 22 18:55 activate
-rw-r--r-- 1 root root  904 Nov 22 18:55 activate.csh
-rw-r--r-- 1 root root 2183 Nov 22 18:55 activate.fish
-rw-rw-rw- 1 root root    0 Nov 22 18:55 bar
-rwxrwxrwx 1 root root  231 Nov 22 18:55 pip
-rwxrwxrwx 1 root root  231 Nov 22 18:55 pip3
-rwxrwxrwx 1 root root  231 Nov 22 18:55 pip3.13
lrwxrwxrwx 1 root root   21 Nov 22 18:55 python -> /usr/local/bin/python
lrwxrwxrwx 1 root root    6 Nov 22 18:55 python3 -> python
lrwxrwxrwx 1 root root    6 Nov 22 18:55 python3.13 -> python

As one may notice, the access bits on bar and pip* differ (as expected, they got the g+w bit). Unfortunately, the bit is missing from the activate* files, which is unexpected.

CPython versions tested on:

3.13

Operating systems tested on:

Linux
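The behaviour above can be reduced to two ways of creating a file: a plain open(), whose resulting mode is whatever the kernel derives from the requested 0o666, the umask and any default ACL on the parent directory, versus a write followed by an explicit chmod that clobbers that inherited mode. My reading of Lib/venv/__init__.py (not something the report itself states) is that the activate* scripts go through the second path, because install_scripts writes the substituted template and then calls shutil.copymode(srcfile, dstfile) from the stock template, which has mode 0644 in the installed tree. The following script is an added example, not code from the report or from CPython; it stands in a permissive umask for a permissive default ACL so it runs in a sandbox without setfacl, and the function names (mode_of, create_inherited, create_with_copymode, demonstrate) are mine:

```python
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits (e.g. 0o664) of path."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def create_inherited(directory, name):
    """Create an empty file with a plain open(), like `touch foo/.venv/bin/bar`.

    The kernel derives the mode from the requested 0o666, the process umask
    and, where one exists, the directory's default ACL. Nothing chmods the
    file afterwards, so whatever the filesystem hands out is kept.
    """
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(b"")
    return mode_of(path)


def create_with_copymode(directory, name, template):
    """Write a copy of template, then force the template's mode onto it.

    This mirrors the activate* path in venv's install_scripts as I read it:
    write the substituted template, then shutil.copymode(src, dst). The
    copymode() call is an explicit chmod, so it overrides any inherited
    bits, including those that came from a default ACL.
    """
    path = os.path.join(directory, name)
    with open(template, "rb") as src, open(path, "wb") as dst:
        dst.write(src.read())
    shutil.copymode(template, path)  # explicit chmod: inherited mode is lost
    return mode_of(path)


def demonstrate(umask=0o000, template_mode=0o644):
    """Return (mode via plain open, mode via copymode) for files in a temp dir.

    umask=0o000 plays the role of the `group::rwx` / `other::rw` default ACL
    from the report: it lets open() produce 0o666. template_mode=0o644 is the
    mode of the shipped activate templates on the page's listing.
    """
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            template = os.path.join(d, "activate.template")  # constructed sample
            with open(template, "wb") as f:
                f.write(b"# constructed stand-in for Lib/venv/scripts/common/activate\n")
            os.chmod(template, template_mode)
            inherited = create_inherited(d, "bar")
            copied = create_with_copymode(d, "activate", template)
            return inherited, copied
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    inherited, copied = demonstrate()
    print(f"plain open():       {inherited:04o}")   # honours umask / default ACL
    print(f"after copymode():   {copied:04o}")      # always the template's mode
```

On a real ACL-enabled filesystem, replace the umask trick with the report's `setfacl -d -m group::rwx -m other::rw` on the temporary directory: the plain open() file then shows up as -rw-rw-rw- and the copymode() file stays -rw-r--r--, which is exactly the bar versus activate* split in the listing above. A practitioner auditing a venv for this can simply compare the group and other bits of bin/activate* against bin/pip* with `ls -l` or `getfacl`; if the activate scripts must inherit the directory's defaults, chmod them (or re-apply the ACL with `setfacl -R`) after `python -m venv` has run.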

Labels: stdlib (Python modules in the Lib dir), topic-venv (Related to the venv module), type-bug (An unexpected behavior, bug, or error)