From 07f57314afb260d6b14227b932d66345c55ffab3 Mon Sep 17 00:00:00 2001 From: Jakob Unterwurzacher Date: Mon, 21 Aug 2017 14:10:05 +0200 Subject: [PATCH] package[-static].bash: stop leaking the local user id in the tarball The local user id of the packager is not interesting for users who download the tarball. Also it will cause the gocryptfs binary to have an unintended owner when the tarball is extraced as root. Fix the issue by using "tar --owner=root --group=root" which overwrites user and group id with zero. --- package-static.bash | 4 ++-- package.bash | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/package-static.bash b/package-static.bash index a30d649..f2dc0d7 100755 --- a/package-static.bash +++ b/package-static.bash @@ -1,6 +1,6 @@ #!/bin/bash -eu -cd $(dirname "$0") +cd "$(dirname "$0")" # Compiles the gocryptfs binary and sets $GITVERSION source build-without-openssl.bash @@ -19,7 +19,7 @@ OS=$(go env GOOS) TARGZ=gocryptfs_${GITVERSION}_${OS}-static_${ARCH}.tar.gz -tar czf $TARGZ gocryptfs gocryptfs.1 +tar --owner=root --group=root -czf $TARGZ gocryptfs gocryptfs.1 echo "Tar created." echo "Hint for signing: gpg -u 23A02740 --armor --detach-sig $TARGZ" diff --git a/package.bash b/package.bash index fe01709..469a17b 100755 --- a/package.bash +++ b/package.bash @@ -1,7 +1,6 @@ -#!/bin/bash +#!/bin/bash -eu -set -eu -cd $(dirname "$0") +cd "$(dirname "$0")" # Build binary and sets $GITVERSION (example: v0.7-15-gf01f599) source build.bash @@ -28,7 +27,7 @@ cp -a ./Documentation/gocryptfs.1 . TARGZ=gocryptfs_${GITVERSION}_${ID}${VERSION_ID}_${ARCH}.tar.gz -tar czf $TARGZ gocryptfs gocryptfs.1 +tar --owner=root --group=root -czf $TARGZ gocryptfs gocryptfs.1 echo "Tar created." echo "Hint for signing: gpg -u 23A02740 --armor --detach-sig $TARGZ"