magento / magento2


Wrong default permissions after composer install #13048

Open dooblem opened 6 years ago

dooblem commented 6 years ago

I believe that there is a problem with the permissions set by many modules. I checked some of our production platforms this morning and they all have this permission problem.

And setting the permissions with the find command as documented will only fix the group permissions, not the permissions for other users.

Preconditions

  1. magento 2.3.4 composer installation

Steps to reproduce

  1. Check that your umask is correct, otherwise set it to distribution default: $ umask 0002 $ umask 0002
  2. composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition

Expected result

  1. No file should be world writable. The following command in the project should return no result: find -perm -o+w -not -type l

Actual result

  1. $ find -perm -o+w -not -type l | wc -l
     45415

Sample file with wrong permissions: -rw-rw-rw- 1 x2i www-data 1370 Feb 4 10:28 vendor/magento/magento2-base/index.php

Sample file with good permissions: -rw-r--r-- 1 x2i www-data 2378 Feb 4 2020 .vendor/magento/zendframework1/library/Zend/Date/DateObject.php
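
The check from the report above, together with a remediation, as an added example that is not part of the original post or of Magento's own tooling. The sample tree is constructed, and `fix_group_only` is an assumed shape for a group-only permission command; it shows why such a command leaves the world-writable bit in place while `chmod o-w` clears it.

```shell
#!/bin/sh
# Added example (not from the issue): audit and clear world-writable bits.

# Count world-writable entries, symlinks excluded; same predicate as the
# issue's check: find -perm -o+w -not -type l
count_world_writable() {
    find "$1" -perm -o+w -not -type l | wc -l | tr -d ' '
}

# Assumed shape of a group-only fix: grants g+w, leaves "other" bits alone.
fix_group_only() {
    find "$1" -not -type l -exec chmod g+w {} +
}

# Remediation: drop only the world-writable bit on the entries that have it.
strip_world_write() {
    find "$1" -perm -o+w -not -type l -exec chmod o-w {} +
}

# Constructed sample tree reproducing the modes shown in the report.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/vendor/magento/module-a" "$root/vendor/other"
    : > "$root/vendor/magento/module-a/registration.php"
    : > "$root/vendor/magento/module-a/index.php"
    : > "$root/vendor/other/ok.php"
    chmod -R u=rwX,go=rX "$root"                      # known baseline, any umask
    chmod 666 "$root"/vendor/magento/module-a/*.php   # -rw-rw-rw-
    chmod 777 "$root/vendor/magento/module-a"         # drwxrwxrwx
    ln -s ok.php "$root/vendor/other/link.php"        # symlink, must be ignored
    echo "$root"
}

# Prints "<before> <after group-only fix> <after chmod o-w>".
audit_demo() {
    tree=$(make_sample_tree)
    before=$(count_world_writable "$tree")
    fix_group_only "$tree"
    after_group=$(count_world_writable "$tree")
    strip_world_write "$tree"
    after_strip=$(count_world_writable "$tree")
    rm -rf "$tree"
    echo "$before $after_group $after_strip"
}

audit_demo
```
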

magento-engcom-team commented 6 years ago

@dooblem, thank you for your report. We've created internal ticket(s) MAGETWO-86558 to track progress on the issue.

magento-engcom-team commented 6 years ago

@dooblem, thank you for your report. We've acknowledged the issue and added to our backlog.

m2-assistant[bot] commented 4 years ago

Hi @engcom-Alfa. Thank you for working on this issue. Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please, go through the following instruction:


magento-deployment-service[bot] commented 4 years ago

Thanks for opening this issue!

magento-engcom-team commented 4 years ago

@engcom-Alfa Thank you for verifying the issue.

Unfortunately, not enough information was provided to acknowledge ticket. Please consider adding the following:

Once all required information is added, please add label "Issue: Confirmed" again. Thanks!

magento-engcom-team commented 4 years ago

:white_check_mark: Confirmed by @engcom-Alfa Thank you for verifying the issue. Based on the provided information internal tickets MC-31120 were created

Issue Available: @engcom-Alfa, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

engcom-Alfa commented 4 years ago

Hi @dooblem.

Thank you for your contribution and collaboration!

Unfortunately, we are not able to reproduce this issue on a fresh 2.4-develop.

Manual testing scenario:

  1. Check that your umask is correct, otherwise set it to distribution default: umask
  2. Composer install;
  3. Run in console: find -perm -o+w -not -type l

Actual Result: :heavy_check_mark: The following command in the project returns no result

Run in console: find -perm -o+w -not -type l | wc -l

Actual Result: :heavy_check_mark: 0 found

So, we have to close it. Please feel free to comment, reopen or create new ticket according to the Issue reporting guidelines if you are still facing this issue on the latest 2.4-develop branch. Thank you for collaboration.

dooblem commented 4 years ago

Hello @engcom-Alfa

Just to be sure, are you sure your test is good?

In order to reproduce, you have to get the magento modules via composer. My understanding is that if you run the composer install from the magento development tree, it will not get magento modules as they are already in the source tree.

I was not able to reproduce with a composer create project for magento v2.4.1. I was not able to test with 2.4-develop branch because those modules are not available in the composer public repository.

Thanks in advance, Marc

dooblem commented 3 years ago

Some permissions are still wrong with a create project for magento v2.4.3.

This is a security issue.

ubuntu@mage2-demo2:~$ composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition /tmp/myproject

Creating a "magento/project-community-edition" project at "/tmp/myproject"
Installing magento/project-community-edition (2.4.3)
  - Installing magento/project-community-edition (2.4.3): Downloading (100%)         
Created project in /tmp/myproject
Loading composer repositories with package information
Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/
Updating dependencies (including require-dev)
Package operations: 591 installs, 0 updates, 0 removals
  - Installing laminas/laminas-dependency-plugin (2.2.0): Downloading (100%)         
  - Installing symfony/polyfill-php80 (v1.23.1): Downloading (100%)         
  - Installing symfony/polyfill-mbstring (v1.23.1): Downloading (100%)         
  - Installing symfony/polyfill-intl-normalizer (v1.23.0): Downloading (100%)         

.....
.....

Writing lock file
Generating autoload files
118 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
PHP CodeSniffer Config installed_paths set to ../../magento/magento-coding-standard,../../phpcompatibility/php-compatibility

ubuntu@mage2-demo2:~$ ls -l /tmp/myproject/vendor/magento/module-inventory-catalog/registration.php
-rw-rw-rw- 1 ubuntu ubuntu 298 Jul 13 12:38 /tmp/myproject/vendor/magento/module-inventory-catalog/registration.php

sdzhepa commented 3 years ago

reopen this issue due to the last two comments

@engcom-Alfa Could you please re-check it one more time considering new comments?

m2-assistant[bot] commented 2 years ago

Hi @engcom-Delta. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

engcom-Delta commented 2 years ago

Hi @dooblem, thank you for the update. We tried to reproduce the issue on a Magento 2.4 develop instance. The issue is reproducible. We got results when we ran the command "find -perm -o+w -not -type l | wc -l".

Please find the attached screenshot for reference.

github-jira-sync-bot commented 2 years ago

:white_check_mark: Jira issue https://jira.corp.magento.com/browse/AC-5898 is successfully created for this GitHub issue.

m2-assistant[bot] commented 2 years ago

:white_check_mark: Confirmed by @engcom-Delta. Thank you for verifying the issue.
Issue Available: @engcom-Delta, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.