conda-package-streaming uses this code from conda to make sure packages extracted as root are owned by root, and not by whatever the tarfile said. Instead, subclass TarFile and override chown() to be a no-op, or replace each member's uid/gid with os.geteuid() as part of the safety filter. (Overriding TarFile should be a little faster, since we can avoid chowning at all.)
```python
import os
import sys

# dest_dir is the directory the package was just extracted into
# (defined by the surrounding extraction code).
if sys.platform.startswith("linux") and os.getuid() == 0:
    # When extracting as root, tarfile will by default restore ownership
    # of extracted files. However, we want root to be the owner
    # (our implementation of --no-same-owner).
    # XXX we could only chown collected names from checked_members()
    for root, _, files in os.walk(dest_dir):
        for fn in files:
            p = os.path.join(root, fn)
            os.lchown(p, 0, 0)
```
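A sketch of both alternatives described above, as an added example rather than conda or conda-package-streaming code. The names `NoChownTarFile` and `own_by_extractor` are hypothetical, the sample archive is constructed inline, and using `os.getegid()` for the group is an assumption.

```python
import io
import os
import tarfile
import tempfile


class NoChownTarFile(tarfile.TarFile):
    """TarFile that never restores archive ownership (--no-same-owner)."""
    def chown(self, tarinfo, targetpath, numeric_owner):
        pass  # files keep the owner of the extracting process


def own_by_extractor(members):
    """Alternative: rewrite each member's owner before it is extracted."""
    uid, gid = os.geteuid(), os.getegid()
    for member in members:
        member.uid, member.gid = uid, gid
        # tarfile resolves uname/gname first unless numeric_owner=True,
        # so the names have to be cleared as well as the numeric ids.
        member.uname = member.gname = ""
        yield member


def build_sample_tar():
    """Constructed sample: one file recorded as owned by uid/gid 12345."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("pkg/info.txt")
        info.size = len(data)
        info.uid = info.gid = 12345
        info.uname = info.gname = "builder"
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_and_stat(use_subclass):
    """Extract the sample into a temp dir and return the file's (uid, gid)."""
    raw = io.BytesIO(build_sample_tar())
    with tempfile.TemporaryDirectory() as dest:
        if use_subclass:
            with NoChownTarFile.open(fileobj=raw, mode="r") as tar:
                tar.extractall(dest)
        else:
            with tarfile.open(fileobj=raw, mode="r") as tar:
                tar.extractall(dest, members=own_by_extractor(tar))
        st = os.lstat(os.path.join(dest, "pkg", "info.txt"))
        return st.st_uid, st.st_gid
```

The subclass skips the chown call entirely, while the member rewrite still issues one chown per file when run as root, which is the speed difference noted above.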