From 4a5c49363a58e711c2016b9ebb6f642e3c9c1be5 Mon Sep 17 00:00:00 2001 From: MetaDark Date: Wed, 21 Oct 2020 18:55:55 -0400 Subject: [PATCH] fetchzip: remove write permissions for unpacked files Fixes https://github.com/NixOS/nixpkgs/issues/38649 --- pkgs/applications/editors/eclipse/plugins.nix | 3 --- pkgs/applications/misc/ipmicfg/default.nix | 1 - pkgs/applications/office/atlassian-cli/default.nix | 1 - pkgs/build-support/fetchzip/default.nix | 9 +++++++-- pkgs/servers/web-apps/engelsystem/default.nix | 2 -- 5 files changed, 7 insertions(+), 9 deletions(-) diff --git a/pkgs/applications/editors/eclipse/plugins.nix b/pkgs/applications/editors/eclipse/plugins.nix index cdf36bc3c21..43ab2a796eb 100644 --- a/pkgs/applications/editors/eclipse/plugins.nix +++ b/pkgs/applications/editors/eclipse/plugins.nix @@ -355,9 +355,6 @@ rec { url = "https://download.jboss.org/drools/release/${version}/droolsjbpm-tools-distribution-${version}.zip"; sha512 = "2qzc1iszqfrfnw8xip78n3kp6hlwrvrr708vlmdk7nv525xhs0ssjaxriqdhcr0s6jripmmazxivv3763rnk2bfkh31hmbnckpx4r3m"; extraPostFetch = '' - # work around https://github.com/NixOS/nixpkgs/issues/38649 - chmod go-w $out; - # update site is a couple levels deep, alongside some other irrelevant stuff cd $out; find . -type f -not -path ./binaries/org.drools.updatesite/\* -exec rm {} \; diff --git a/pkgs/applications/misc/ipmicfg/default.nix b/pkgs/applications/misc/ipmicfg/default.nix index f561f15ab3e..f3d8d5cbc20 100644 --- a/pkgs/applications/misc/ipmicfg/default.nix +++ b/pkgs/applications/misc/ipmicfg/default.nix @@ -8,7 +8,6 @@ stdenv.mkDerivation rec { src = fetchzip { url = "https://www.supermicro.com/wftp/utility/IPMICFG/IPMICFG_${version}_build.${buildVersion}.zip"; sha256 = "0srkzivxa4qlf3x9zdkri7xfq7kjj4fsmn978vzmzsvbxkqswd5a"; - extraPostFetch = "chmod u+rwX,go-rwx+X $out/"; }; installPhase = '' 
diff --git a/pkgs/applications/office/atlassian-cli/default.nix b/pkgs/applications/office/atlassian-cli/default.nix index 1140bb9bee2..ec8e2b396c5 100644 --- a/pkgs/applications/office/atlassian-cli/default.nix +++ b/pkgs/applications/office/atlassian-cli/default.nix @@ -7,7 +7,6 @@ stdenv.mkDerivation rec { src = fetchzip { url = "https://bobswift.atlassian.net/wiki/download/attachments/16285777/${pname}-${version}-distribution.zip"; sha256 = "091dhjkx7fdn23cj7c4071swncsbmknpvidmmjzhc0355l3p4k2g"; - extraPostFetch = "chmod go-w $out"; }; tools = [ diff --git a/pkgs/build-support/fetchzip/default.nix b/pkgs/build-support/fetchzip/default.nix index c61df8ceb00..44748f231bc 100644 --- a/pkgs/build-support/fetchzip/default.nix +++ b/pkgs/build-support/fetchzip/default.nix @@ -44,8 +44,13 @@ mv "$unpackDir/$fn" "$out" '' else '' mv "$unpackDir" "$out" - '') #*/ - + extraPostFetch; + '') + + extraPostFetch + # Remove write permissions for files unpacked with write bits set + # Fixes https://github.com/NixOS/nixpkgs/issues/38649 + + '' + chmod -R a-w "$out" + ''; } // removeAttrs args [ "stripRoot" "extraPostFetch" ])).overrideAttrs (x: { # Hackety-hack: we actually need unzip hooks, too nativeBuildInputs = x.nativeBuildInputs ++ [ unzip ]; diff --git a/pkgs/servers/web-apps/engelsystem/default.nix b/pkgs/servers/web-apps/engelsystem/default.nix index ad3a6995800..92d50ff67c8 100644 --- a/pkgs/servers/web-apps/engelsystem/default.nix +++ b/pkgs/servers/web-apps/engelsystem/default.nix @@ -11,8 +11,6 @@ in stdenv.mkDerivation rec { url = "https://github.com/engelsystem/engelsystem/releases/download/v3.1.0/engelsystem-v3.1.0.zip"; sha256 = "01wra7li7n5kn1l6xkrmw4vlvvyqh089zs43qzn98hj0mw8gw7ai"; - # This is needed, because the zip contains a directory with world write access, which is not allowed in nix - extraPostFetch = "chmod -R a-w $out"; }; buildInputs = [ phpExt ];
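Review bot: In pkgs/build-support/fetchzip/default.nix the new `chmod -R a-w "$out"` is concatenated directly after `extraPostFetch` with no guaranteed newline between them. Nix drops the whitespace-only first line of an indented string, so the appended block begins at `chmod`. A caller passing a one-line value without a trailing newline, such as the `extraPostFetch = "chmod go-w $out";` form this commit removes elsewhere, would have its last command fused with the new one. Depending on how the shell parses the fused line, the fetch would either fail or skip the permission normalisation. Adding an explicit separator, `+ extraPostFetch + "\n"`, keeps the permission fix independent of how callers terminate their hook. The enclosing postFetch expression starts outside this hunk, so the surrounding layout should be checked against the full file.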