
NuGet should not set u+x for all unzipped files on non-Windows platforms #6778

Open peterhuene opened 6 years ago

peterhuene commented 6 years ago

Details about Problem

As a workaround for #4424, NuGet now sets the user execute bit on files unzipped for non-Windows platforms (see code here).

While I understand that this is to prevent 1.x packages from breaking, this is very undesirable from a security perspective and has implications for dotnet publish (see repro steps).

I think there should be a mechanism that allows package authors to mark their packages as "respect the mode from the zip" so that going forward at least the shared frameworks copied to self-contained apps won't have every file be +x.

Repro steps

$ export RID=osx-x64
$ dotnet new console
$ dotnet publish -r $RID --self-contained
$ cd bin/Debug/netcoreapp2.0/$RID/publish
$ ls -l

Expected behavior

Only the apphost file in the directory should be +x.

Actual behavior

All of the CoreFX/CoreCLR files that were copied from the NuGet cache are +x, even files like sosdocsunix.txt.

System information

$ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   2.1.300-preview3-008443
 Commit:    1e2e8138b9

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.13
 OS Platform: Darwin
 RID:         osx-x64
 Base Path:   /Users/peterhuene/src/cli/bin/2/osx-x64/dotnet/sdk/2.1.300-preview3-008443/

Host (useful for support):
  Version: 2.1.0-preview3-26404-01
  Commit:  1b1a652c15

.NET Core SDKs installed:
  2.1.300-preview3-008443 [/Users/peterhuene/src/cli/bin/2/osx-x64/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.0-preview2-30431 [/Users/peterhuene/src/cli/bin/2/osx-x64/dotnet/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.0-preview2-30431 [/Users/peterhuene/src/cli/bin/2/osx-x64/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.0-preview3-26404-01 [/Users/peterhuene/src/cli/bin/2/osx-x64/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.13.4
BuildVersion:   17E199

ghost commented 6 years ago

@blowdart, @Petermarcu, @richlander this is definitely a security issue on Unix?

nkolev92 commented 6 years ago

//cc @rrelyea

eerhardt commented 6 years ago

As of netcoreapp2.0, ZipArchiveEntry now supports the ExternalAttributes property. This can be set during dotnet pack, and read during restore to set the correct file permissions.

NuGet.Packaging could add a new netcoreapp2.0 TFM to https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Packaging/NuGet.Packaging.csproj#L7, and we can start using this new property.