JuliaIO / JLD2.jl

HDF5-compatible file format in pure Julia

file permissions after adding JLD2 #482

Closed StephenVavasis closed 9 months ago

StephenVavasis commented 10 months ago

I'm not sure if this is a problem with JLD2 or with the Julia package manager. After I installed JLD2 on a Linux system (Ubuntu 22.0.4 LTS), I received the following automated email message from my sysadmin regarding the permissions of the files that were installed.

To prevent abuse and possible loss of your filesystem resources, general write permission has been removed from the following file(s).

=====================

/u4/./vavasis/.julia/compiled/v1.9/FileIO/6iKRU_pb74P.so
/u4/./vavasis/.julia/compiled/v1.9/JLD2/O1EyT_pb74P.so
/u4/./vavasis/.julia/compiled/v1.9/MacroTools/38lnR_pb74P.so
/u4/./vavasis/.julia/compiled/v1.9/OrderedCollections/LtT3J_pb74P.so
/u4/./vavasis/.julia/compiled/v1.9/Reexport/bTpYr_pb74P.so
/u4/./vavasis/.julia/compiled/v1.9/Requires/IyxeS_pb74P.so
/u4/./vavasis/.julia/compiled/v1.9/TranscodingStreams/eJQ7D_pb74P.so

=====================

Sometimes this happens because of a poorly designed program; it's not necessarily anything that you did deliberately.
But since it means that anyone could change the file(s) (e.g. making them big enough to use up all of your disk space), the general write permission is being removed automatically.

Should there be a legitimate reason for a file to have general write permission, please let us know so we can avoid resetting the permissions again.

It is no longer necessary to have general write permissions on files updated by CGI scripts.

This mail is generated automatically by the system program "/software/security/servers/suspicious".
Unless what we have done causes you problems, please do not reply.

JonasIsensee commented 10 months ago

Hi @StephenVavasis,

This does not have anything to do with JLD2 in particular, but mostly with the Julia pkg management.

If you're on a Linux HPC system with shared file systems, you could consider moving your Julia depot (the .julia folder) somewhere outside your home directory.

The relevant environment variables would be JULIA_DEPOT_PATH and possibly JULIA_PKG_DEVDIR.

StephenVavasis commented 8 months ago

Sorry to reopen this-- my sysadmin tells me that the issue is that the package installation procedure is setting the installed files as world-writeable, which is a security risk regardless of where they are installed. But I am still unclear whether this is a problem specifically for JLD2 or for all Julia package installations on Linux.

JonasIsensee commented 8 months ago

Hi, sorry for the late reply. This is not an issue specific to JLD2. You could open a bug report on the Julia language repo.
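
Added example, not part of the thread and not code from JLD2 or Julia: a POSIX shell audit for the condition the sysadmin's mail reports, listing depot entries whose "other" write bit is set and clearing only that bit. It assumes the depot is the first entry of JULIA_DEPOT_PATH or ~/.julia; the function names are hypothetical.

```shell
#!/bin/sh
# Audit a Julia depot for world-writable files and directories.
# Usage (assumed): ./depot_perms.sh audit   or   ./depot_perms.sh fix

# Print every regular file or directory under $1 with the o+w bit set.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the other-write bit; owner and group bits stay as they are.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Succeeds when the current umask would NOT strip o+w from new files,
# i.e. when a program creating files with mode 0666 leaves them world-writable.
umask_allows_world_write() {
    last=$(umask | sed 's/.*\(.\)$/\1/')   # last octal digit covers "other"
    case "$last" in
        2|3|6|7) return 1 ;;               # write bit is masked
        *)       return 0 ;;
    esac
}

# Assumption: first entry of JULIA_DEPOT_PATH, falling back to ~/.julia.
depot=${JULIA_DEPOT_PATH:-$HOME/.julia}
depot=${depot%%:*}
[ -n "$depot" ] || depot=$HOME/.julia

case "${1:-}" in
    audit)
        list_world_writable "$depot"
        if umask_allows_world_write; then
            echo "note: umask $(umask) does not mask o+w" >&2
        fi
        ;;
    fix)
        fix_world_writable "$depot"
        echo "remaining world-writable entries: $(count_world_writable "$depot")"
        ;;
esac
```

Running `audit` again after a package install or precompile shows whether new world-writable files reappear, which is the detail a bug report on the Julia repository would need.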