!98 isula-build: change isula-build file mode

From: @DCCooper
Reviewed-by: @jingxiaolu
Signed-off-by: @jingxiaolu

VERSION-openeuler

@@ -1 +1 @@
-0.9.5-8
+0.9.5-9

git-commit

@@ -1 +1 @@
-e94aba5277b21e40c4120b9e847a74575e63fed7
+2c805b03e8628304bc116ed885941d6ecc89cd44

isula-build.spec

@@ -2,7 +2,7 @@
 
 Name: isula-build
 Version: 0.9.5
-Release: 8
+Release: 9
 Summary: A tool to build container images
 License: Mulan PSL V2
 URL: https://gitee.com/openeuler/isula-build
@@ -63,7 +63,7 @@ install -p -m 600 __isula-build %{buildroot}/usr/share/bash-completion/completio
 %clean
 rm -rf %{buildroot}
 
-%post
+%pretrans
 if ! getent group isula > /dev/null; then
     groupadd --system isula
 fi
@@ -74,7 +74,7 @@ fi
 %if 0%{?is_systemd}
 %config(noreplace) %attr(0640,root,root) %{_unitdir}/isula-build.service
 %endif
-%attr(551,root,root) %{_bindir}/isula-build
+%attr(550,root,isula) %{_bindir}/isula-build
 %attr(550,root,root) %{_bindir}/isula-builder
 
 %dir %attr(650,root,root) %{_sysconfdir}/isula-build
@@ -85,6 +85,12 @@ fi
 /usr/share/bash-completion/completions/isula-build
 
 %changelog
+* Mon Jul 26 2021 DCCooper <1866858@gmail.com> - 0.9.5-9
+- Type:bugfix
+- CVE:NA
+- SUG:restart
+- DESC:modify file mode for isula-build client binary and public key
+
 * Wed Jun 16 2021 DCCooper <1866858@gmail.com> - 0.9.5-8
 - Type:enhancement
 - CVE:NA

patch/0055-isula-build-change-isula-build-file-mode.patch

@@ -0,0 +1,49 @@
+From f22214ca3bcb452238d2390a06891cf6d446e8ac Mon Sep 17 00:00:00 2001
+From: DCCooper <1866858@gmail.com>
+Date: Mon, 26 Jul 2021 16:58:31 +0800
+Subject: [PATCH] isula-build: change isula-build file mode
+
+reason: since isula-build client file mode is too large(0551),
+we decided to remove other's permission(0550) on it.
+Beside, we change the public key(isula-build.pub) file
+mode to 0400(from 0444), so only the owner of the public
+key can read the key.
+After this commit, if the non-root user want to use command
+login, logout, build with args(http_proxy, https_proxy, etc...),
+they need use sudo to temporarily obtain root permission.
+
+Signed-off-by: DCCooper <1866858@gmail.com>
+---
+ Makefile    | 2 +-
+ constant.go | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 925968a..a9d4c93 100644
+--- a/Makefile
++++ b/Makefile
+@@ -102,7 +102,7 @@ proto:
+ 
+ .PHONY: install
+ install:
+-	install -D -m0551 bin/isula-build $(BINDIR)
++	install -D -m0550 bin/isula-build $(BINDIR)
+ 	install -D -m0550 bin/isula-builder $(BINDIR)
+ 	@( getent group isula > /dev/null ) || ( groupadd --system isula )
+ 	@[ ! -d ${CONFIG_DIR}/${CONFIG_FILE} ] && install -dm0650 ${CONFIG_DIR}
+diff --git a/constant.go b/constant.go
+index 9926728..bfe399b 100644
+--- a/constant.go
++++ b/constant.go
+@@ -50,7 +50,7 @@ const (
+ 	// DefaultRootDirMode is the default root dir mode
+ 	DefaultRootDirMode = 0700
+ 	// DefaultReadOnlyFileMode is the default root read only file mode
+-	DefaultReadOnlyFileMode = 0444
++	DefaultReadOnlyFileMode = 0400
+ 	// DefaultUmask is the working umask of isula-builder as a process, not for users
+ 	DefaultUmask = 0022
+ 	// CliLogBufferLen is log channel buffer size
+-- 
+1.8.3.1
+

series.conf

@@ -18,3 +18,4 @@ patch/0051-bugfix-set-user-s-uid-and-gid-for-containers.patch
 patch/0052-hack-make-isula-build-binary-static.patch
 patch/0053-integration-test-from-new-flaw-of-run-and-data-root-.patch
 patch/0054-isula-build-cleancode-for-errors.Wrap-function.patch
+patch/0055-isula-build-change-isula-build-file-mode.patch