flutter / flutter

Flutter makes it easy and fast to build beautiful apps for mobile and beyond
https://flutter.dev
BSD 3-Clause "New" or "Revised" License

Canvaskit files generated by `flutter build web` have no non-owner read permissions #118473

Open Kimi-Arthur opened 1 year ago

Kimi-Arthur commented 1 year ago

Steps to Reproduce

  1. Create new project with `flutter create my_app`
  2. Build the project, targeting bundled canvaskit files with `flutter build web --dart-define=FLUTTER_WEB_CANVASKIT_URL=canvaskit/ --web-renderer canvaskit`
  3. Copy over to a (remote) folder served by NGINX

Expected results: Everything served properly and the app loads.

Actual results: All requests complete successfully except the canvaskit files, giving 403 errors.

The canvaskit files (both normal ones and profiling ones, both js and wasm) in the build/web folder only have read permission for owner (600).

Code sample

Omitted, as it should be the default code generated by `flutter create`.

Logs

It passes with `flutter run` as that user is the owner (myself). But NGINX uses http as the user. So it produces the following errors:

```
Jan 13 20:10:14 *server* nginx[1483408]: 2023/01/13 20:10:14 [error] 1483408#1483408: *6 open() "/var/server/apps/my-app/canvaskit/canvaskit.js" failed (13: Permission denied), client: *client*, server: my-app.domain-name, request: "GET /canvaskit/canvaskit.js HTTP/1.1", host: "my-app.domain-name", referrer: "https://my-app.domain-name/"
Jan 13 20:10:14 *server* nginx[1483408]: *server* nginx: 2023/01/13 20:10:14 [error] 1483408#1483408: *6 open() "/var/server/apps/my-app/canvaskit/canvaskit.js" failed (13: Permission denied), client: *client*, server: my-app.domain-name, request: "GET /canvaskit/canvaskit.js HTTP/1.1", host: "my-app.domain-name", referrer: "https://my-app.domain-name/"
Jan 13 20:10:14 *server* nginx[1483408]: *server* nginx: *client* - - [13/Jan/2023:20:10:14 +0000] "GET /canvaskit/canvaskit.js HTTP/1.1" 403 555 "https://my-app.domain-name/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
```

```
Analyzing my_app...
No issues found! (ran in 1.7s)
```

```
[✓] Flutter (Channel stable, 3.3.10, on macOS 13.1 22C65 darwin-arm, locale en-CN)
    • Flutter version 3.3.10 on channel stable at /opt/homebrew/Caskroom/flutter/3.3.10/flutter
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 135454af32 (4 weeks ago), 2022-12-15 07:36:55 -0800
    • Engine revision 3316dd8728
    • Dart version 2.18.6
    • DevTools version 2.15.0
    • Pub download mirror https://pub.flutter-io.cn
    • Flutter download mirror https://storage.flutter-io.cn

[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
    • Android SDK at /Users/jingbian/Library/Android/sdk
    • Platform android-33, build-tools 33.0.0
    • Java binary at: /Applications/Android Studio.app/Contents/jre/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 11.0.13+0-b1751.21-8125866)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 14.2)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 14C18
    • CocoaPods version 1.11.3

[✓] Chrome - develop for the web
    • Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

[✓] Android Studio (version 2021.3)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.13+0-b1751.21-8125866)

[✓] IntelliJ IDEA Ultimate Edition (version 2021.3.3)
    • IntelliJ at /Applications/IntelliJ UE (stable).app
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin version 213.7371

[✓] VS Code (version 1.74.2)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension can be installed from:
      🔨 https://marketplace.visualstudio.com/items?itemName=Dart-Code.flutter

[✓] Connected device (2 available)
    • macOS (desktop) • macos  • darwin-arm64   • macOS 13.1 22C65 darwin-arm
    • Chrome (web)    • chrome • web-javascript • Google Chrome 108.0.5359.124

[✓] HTTP Host Availability
    • All required HTTP hosts are available

• No issues found!
```

exaby73 commented 1 year ago

Hello @Kimi-Arthur. This does not look like a Flutter issue, but rather a permissions issue on your machine. We also do not provide support for 3rd party libraries / technologies like NGINX.

If you need help with your code, please see https://flutter.dev/community for resources and asking questions like this; you may also get some help if you post it on Stack Overflow.

Closing, as this isn't an issue with Flutter itself. If you disagree, please write in the comments and I will reopen it.

Thank you

Kimi-Arthur commented 1 year ago

The root cause is that the permission of files in the zip package downloaded from here contains files that are not accessible by non-owners. Flutter builder shouldn't take the random files from external sources and not guarantee the consistency.

You can examine the example zip file to see that (maybe not the exact version I get, but should be similar). The files have the permission situations as I said.

It has nothing to do with my machine or NGINX, but for anyone serving the files (since it's targeting the web, which will be served by some web server other than just nodejs) with a different user than default. The files generated by flutter build web should have a consistent permission behavior.

exaby73 commented 1 year ago

Could you provide a way to reliably reproduce this issue, without the use of any 3rd party dependencies?

Kimi-Arthur commented 1 year ago

If you mean to verify the permission is problematic, just do the first two steps, go to the build/web/canvaskit folder and list (`ls -l`) the files there. You will see the files there (like canvaskit.js) have a permission like `-rw-------`, which is different from those in the upper folder (`-rw-rw-r--`).

huycozy commented 1 year ago

@Kimi-Arthur Can you reproduce this issue on local NGINX server? I tested this on my local NGINX server but it works as expected (using NGINX 1.23.3)

Kimi-Arthur commented 1 year ago

Is your NGINX using a different user than your default?

Here is another way to reproduce the case besides just checking the file permissions:

  1. Follow the first two steps in the original post
  2. `su` or `sudo su` to another user
  3. Go into the build/web folder
  4. Run the server with `python3 -m http.server`
  5. Open the browser (in an incognito window so that cache is not working) to load the app
  6. You should see something like below in the terminal
    ::1 - - [18/Jan/2023 10:40:34] "GET /canvaskit/canvaskit.js HTTP/1.1" 404 -
    ::1 - - [18/Jan/2023 10:43:06] code 404, message File not found

huycozy commented 1 year ago

> Is your NGINX using a different user than your default?

My NGINX is the default after installing:

```
➜  ~ cat /usr/local/etc/nginx/nginx.conf

#user  nobody;
```

> Here is another way to reproduce the case besides just checking the file permissions:

I also tried your second reproduction above, but it still works well:

https://user-images.githubusercontent.com/104349824/213387585-93cc131a-7dee-4668-bca8-666a8a596370.mp4

```
sh-3.2# python3 -m http.server
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
::1 - - [19/Jan/2023 15:00:51] "GET / HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:51] "GET /flutter.js HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:51] "GET /favicon.png HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:51] "GET /flutter_service_worker.js?v=3550686634 HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:51] "GET /index.html HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:51] "GET /main.dart.js HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:51] "GET /assets/AssetManifest.json HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:51] "GET /assets/FontManifest.json HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:52] "GET /assets/fonts/MaterialIcons-Regular.otf HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:52] "GET /assets/packages/cupertino_icons/assets/CupertinoIcons.ttf HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:54] "GET /manifest.json HTTP/1.1" 200 -
::1 - - [19/Jan/2023 15:00:56] "GET / HTTP/1.1" 304 -
::1 - - [19/Jan/2023 15:00:59] "GET /flutter_service_worker.js?v=3550686634 HTTP/1.1" 304 -
```

Please check your nginx configuration again and retry.

Kimi-Arthur commented 1 year ago

For the NGINX config, the nobody line is commented out, so it's still using the default user instead of nobody. The common practice would be to use another user, so that access can be limited, like this one suggested by Arch Linux Wiki.

For sudo su, maybe I wasn't super clear in my last comment. You need to change to another user, but not root, which is implied if no user is given to sudo su. So if you have a different user called abc on the same machine, you should do sudo su abc, and that should bring you to the state where the file is not accessible.

Bottom line, could you please screenshot the contents inside the build/web/canvaskit folder (via `ls -l`)? If it does not have permission like 660 (or `-rw-------`), then maybe I messed up some local configurations.

huycozy commented 1 year ago

> You need to change to another user, but not root, which is implied if no user is given to sudo su. So if you have a different user called abc on the same machine, you should do sudo su abc, and that should bring you to the state where the file is not accessible.

I created a normal user but it cannot start a server. Perhaps some config needs to be added.

```
bash-3.2$ python3 -m http.server
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
Traceback (most recent call last):
  File "/usr/local/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/lib/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/local/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/usr/local/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/lib/python3.10/http/server.py", line 1281, in <module>
    parser.add_argument('--directory', '-d', default=os.getcwd(),
PermissionError: [Errno 13] Permission denied
bash-3.2$
```

> Bottom line, could you please screenshot the contents inside the build/web/canvaskit folder (via ls -l)?

```
➜  canvaskit ls -l
total 13920
-rw-------  1 huynq  staff   125259 Dec 31  1979 canvaskit.js
-rw-------  1 huynq  staff  6999351 Dec 31  1979 canvaskit.wasm
drwxr-xr-x  4 huynq  staff      128 Jan 17 17:56 profiling
```

> The canvaskit files (both normal ones and profiling ones, both js and wasm) in the build/web folder only have read permission for owner (600).

Comparing to your result above, it means that the owner has full read and write access.

I'm not sure the reason why you had the error with 404 code (as the log at https://github.com/flutter/flutter/issues/118473#issuecomment-1386765305) but maybe it's a permission issue in the system, please check again and give us the information you find.

Kimi-Arthur commented 1 year ago

I see that you have the same permission as I do. That's the problem I pointed out in the first place, i.e. only the owner can access these files. However, if you look at other files, like flutter.js etc., they are accessible to all users. If you can make them consistent, that'd be great (and will fix this issue in the scenarios where I intended to deploy the Flutter web app).

The 404 is because I don't have other issues, like your user (huynq) doesn't even have access to the root folder of the project.

Kimi-Arthur commented 1 year ago

Just to be clear, in this comment, I said if you see -rw------- in listing the canvaskit files, it means it's broken (or expectedly incorrect state).

To make it work for my scenario, I have to change its permissions to -rw-r--r-- (or -rw-rw-r--) like other files (flutter.js, main.dart.js etc.) to make it work. It would be great if flutter build can fix it during the build process as the canvaskit files are downloaded/imported by that command.
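
The workaround described in this thread (giving the canvaskit files the same read bit as the rest of build/web) can be checked and applied before the build is copied to a server. The script below is an added example, not part of the issue thread or of Flutter; the function names and the `--fix` flag are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: post-build permission check for a static web root such as
# build/web. Function names and the --fix flag are assumptions made for this
# illustration. Checks read mode bits only, so any user gets the same result.

# Regular files that "other" cannot read (e.g. canvaskit files left at 600).
unreadable_files() {
    find "$1" -type f ! -perm -004 -print | sort
}

# Directories that "other" cannot list and enter (needs r-x).
closed_dirs() {
    find "$1" -type d ! -perm -005 -print | sort
}

# First ancestor of $1 lacking o+x: a server running as another user cannot
# reach anything below it. Returns 1 when no ancestor blocks traversal.
blocked_ancestor() {
    dir=$(cd "$1" && pwd -P) || return 2
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        if [ -z "$(find "$dir" -prune -perm -001 -print)" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Report every problem on stderr; return 0 only when the tree is servable.
audit_web_root() {
    rc=0
    bad_files=$(unreadable_files "$1")
    bad_dirs=$(closed_dirs "$1")
    if [ -n "$bad_files" ]; then
        printf 'not readable by other:\n%s\n' "$bad_files" >&2; rc=1
    fi
    if [ -n "$bad_dirs" ]; then
        printf 'not enterable by other:\n%s\n' "$bad_dirs" >&2; rc=1
    fi
    if parent=$(blocked_ancestor "$1"); then
        printf 'ancestor blocks traversal: %s\n' "$parent" >&2; rc=1
    fi
    return "$rc"
}

# Add only the missing read/search bits; nothing becomes writable, and files
# do not become executable. Use on build output only, not on trees with secrets.
fix_web_root() {
    find "$1" -type d -exec chmod a+rx {} +
    find "$1" -type f -exec chmod a+r {} +
}

# Usage: sh check_web_perms.sh build/web [--fix]
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then fix_web_root "$1"; fi
    audit_web_root "$1"
fi
```

The ancestor check covers the other failure seen in the thread, where a second user could not even enter the project directory.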

exaby73 commented 1 year ago

Hey @Kimi-Arthur. Can you confirm if the issue is reproducible with the latest master version of Flutter?

Kimi-Arthur commented 1 year ago

Yes, same problem. Here is what I see when I recursively list the build/web folder with ls -Rl:

```
total 2872
drwxrwxr-x  9 foo  primarygroup      288 Jan 25 16:34 assets
drwxrwxr-x  5 foo  primarygroup      160 Jan 25 16:33 canvaskit
-rw-r--r--@ 1 foo  admin             917 Dec 15 22:50 favicon.png
-rw-rw-r--  1 foo  primarygroup    13910 Jan 25 16:33 flutter.js
-rw-rw-r--  1 foo  primarygroup     7599 Jan 25 16:34 flutter_service_worker.js
drwxrwxr-x  6 foo  primarygroup      192 Jan 25 16:34 icons
-rw-rw-r--  1 foo  primarygroup     1827 Jan 25 16:34 index.html
-rw-rw-r--  1 foo  primarygroup  1425761 Jan 25 16:34 main.dart.js
-rw-rw-r--  1 foo  primarygroup      908 Jan 25 16:32 manifest.json
-rw-rw-r--  1 foo  primarygroup       82 Jan 25 16:34 version.json

./assets:
total 3232
-rw-rw-r--  1 foo  primarygroup       56 Jan 25 16:34 AssetManifest.bin
-rw-rw-r--  1 foo  primarygroup      109 Jan 25 16:34 AssetManifest.json
-rw-rw-r--  1 foo  primarygroup      208 Jan 25 16:34 FontManifest.json
-rw-rw-r--  1 foo  primarygroup  1638623 Jan 25 16:34 NOTICES
drwxrwxr-x  3 foo  primarygroup       96 Jan 25 16:34 fonts
drwxrwxr-x  3 foo  primarygroup       96 Jan 25 16:34 packages
drwxrwxr-x  3 foo  primarygroup       96 Jan 25 16:34 shaders

./assets/fonts:
total 16
-rw-rw-r--  1 foo  primarygroup  7504 Jan 25 16:34 MaterialIcons-Regular.otf

./assets/packages:
total 0
drwxrwxr-x  3 foo  primarygroup  96 Jan 25 16:34 cupertino_icons

./assets/packages/cupertino_icons:
total 0
drwxrwxr-x  3 foo  primarygroup  96 Jan 25 16:34 assets

./assets/packages/cupertino_icons/assets:
total 8
-rw-rw-r--  1 foo  primarygroup  1236 Jan 25 16:34 CupertinoIcons.ttf

./assets/shaders:
total 24
-rw-r--r--  1 foo  primarygroup  9242 Jan 25 16:34 ink_sparkle.frag

./canvaskit:
total 13616
-rw-------  1 foo  primarygroup   127640 Dec 31  1979 canvaskit.js
-rw-------  1 foo  primarygroup  6836229 Dec 31  1979 canvaskit.wasm
drwxrwxr-x  4 foo  primarygroup      128 Jan 25 16:33 profiling

./canvaskit/profiling:
total 18056
-rw-------  1 foo  primarygroup   247815 Dec 31  1979 canvaskit.js
-rw-------  1 foo  primarygroup  8994456 Dec 31  1979 canvaskit.wasm

./icons:
total 104
-rw-r--r--@ 1 foo  admin   5292 Dec 15 22:50 Icon-192.png
-rw-r--r--@ 1 foo  admin   8252 Dec 15 22:50 Icon-512.png
-rw-rw-r--  1 foo  admin   5594 Jan 25 16:02 Icon-maskable-192.png
-rw-rw-r--  1 foo  admin  20998 Jan 25 16:02 Icon-maskable-512.png
```

See the permission diffs of the canvaskit files.

exaby73 commented 1 year ago

Triage report

Okay I can reproduce this issue on Master (3.7.0-27.0.pre.25). Looks like specifically canvaskit.js and canvaskit.wasm only have owner read-write permissions (600), while other files have read-write for owners and read for others (644).

Steps to reproduce

Expected results:

Like other files, it should show read-write permissions for owners, and read permissions for group and other users (-rw-r--r--)

Actual results:

Notice non-read permissions for group and other users (-rw-------)

```
build/web/canvaskit:
total 13616
-rw-------  1 nabeelparkar  staff   127640 Dec 31  1979 canvaskit.js
-rw-------  1 nabeelparkar  staff  6836229 Dec 31  1979 canvaskit.wasm
drwxr-xr-x  4 nabeelparkar  staff      128 Jan 26 13:05 profiling

build/web/canvaskit/profiling:
total 18056
-rw-------  1 nabeelparkar  staff   247815 Dec 31  1979 canvaskit.js
-rw-------  1 nabeelparkar  staff  8994456 Dec 31  1979 canvaskit.wasm
```

Snippet from ls -Rl

flutter doctor -v (Master)

```
[!] Flutter (Channel master, 3.7.0-27.0.pre.25, on macOS 13.1 22C65 darwin-arm64, locale en-US)
    • Flutter version 3.7.0-27.0.pre.25 on channel master at /Users/nabeelparkar/fvm/versions/master
    ! Warning: `dart` on your path resolves to /opt/homebrew/Cellar/dart/2.18.6/libexec/bin/dart, which is not inside your current Flutter SDK checkout at /Users/nabeelparkar/fvm/versions/master. Consider adding /Users/nabeelparkar/fvm/versions/master/bin to the front of your path.
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision c9affdba9d (67 minutes ago), 2023-01-25 21:25:02 -0800
    • Engine revision 8f1e5dc1b1
    • Dart version 3.0.0 (build 3.0.0-157.0.dev)
    • DevTools version 2.20.1
    • If those were intentional, you can disregard the above warnings; however it is recommended to use "git" directly to perform update checks and upgrades.

[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
    • Android SDK at /Users/nabeelparkar/Library/Android/sdk/
    • Platform android-33, build-tools 33.0.0
    • ANDROID_SDK_ROOT = /Users/nabeelparkar/Library/Android/sdk/
    • Java binary at: /Users/nabeelparkar/Library/Application Support/JetBrains/Toolbox/apps/AndroidStudio/ch-0/213.7172.25.2113.9123335/Android Studio.app/Contents/jre/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 11.0.13+0-b1751.21-8125866)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 14.2)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 14C18
    • CocoaPods version 1.11.3

[✓] Chrome - develop for the web
    • CHROME_EXECUTABLE = /Applications/Brave Browser.app/Contents/MacOS/Brave Browser

[✓] Android Studio (version 2021.3)
    • Android Studio at /Users/nabeelparkar/Library/Application Support/JetBrains/Toolbox/apps/AndroidStudio/ch-0/213.7172.25.2113.9123335/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.13+0-b1751.21-8125866)

[✓] IntelliJ IDEA Ultimate Edition (version 2022.3.1)
    • IntelliJ at /Users/nabeelparkar/Applications/JetBrains Toolbox/IntelliJ IDEA Ultimate.app
    • Flutter plugin version 71.3.6
    • Dart plugin version 223.8214.16

[✓] IntelliJ IDEA Ultimate Edition (version 2022.3.1)
    • IntelliJ at /Users/nabeelparkar/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/223.8214.52/IntelliJ IDEA.app
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart

[✓] VS Code (version 1.74.3)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension version 3.56.0

[✓] Connected device (2 available)
    • macOS (desktop) • macos  • darwin-arm64   • macOS 13.1 22C65 darwin-arm64
    • Chrome (web)    • chrome • web-javascript • Brave Browser 109.1.47.171

[✓] HTTP Host Availability
    • All required HTTP hosts are available

! Doctor found issues in 1 category.
```