From 422afc4cfac3ccb52a9942edc364b210778c5e86 Mon Sep 17 00:00:00 2001
From: DCCooper <1866858@gmail.com>
Date: Mon, 26 Jul 2021 17:28:10 +0800
Subject: [PATCH] isula-build: change isula-build file mode

reason: since isula-build client file mode is too large(0551),
we decided to remove other's permission(0550) on it.
Beside, we change the public key(isula-build.pub) file
mode to 0400(from 0444), so only the owner of the public
key can read the key.
After this commit, if the non-root user want to use command
login, logout, build with args(http_proxy, https_proxy, etc...),
they need use sudo to temporarily obtain root permission.

Signed-off-by: DCCooper <1866858@gmail.com>
---
 VERSION-openeuler | 2 +-
 git-commit | 2 +-
 isula-build.spec | 12 +++-
 ...a-build-change-isula-build-file-mode.patch | 49 +++++++++++++++++++
 series.conf | 1 +
 5 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 patch/0055-isula-build-change-isula-build-file-mode.patch

diff --git a/VERSION-openeuler b/VERSION-openeuler
index a53abc6..a2edf51 100644
--- a/VERSION-openeuler
+++ b/VERSION-openeuler
@@ -1 +1 @@
-0.9.5-8
+0.9.5-9
diff --git a/git-commit b/git-commit
index 0722e46..b02fc9f 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-e94aba5277b21e40c4120b9e847a74575e63fed7
+2c805b03e8628304bc116ed885941d6ecc89cd44
diff --git a/isula-build.spec b/isula-build.spec
index 24146cf..890d713 100644
--- a/isula-build.spec
+++ b/isula-build.spec
@@ -2,7 +2,7 @@
 
 Name: isula-build
 Version: 0.9.5
-Release: 8
+Release: 9
 Summary: A tool to build container images
 License: Mulan PSL V2
 URL: https://gitee.com/openeuler/isula-build
@@ -63,7 +63,7 @@ install -p -m 600 __isula-build %{buildroot}/usr/share/bash-completion/completio
 %clean
 rm -rf %{buildroot}
 
-%post
+%pretrans
 if ! getent group isula > /dev/null; then
     groupadd --system isula
 fi
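Review bot: Changing `-%post` to `+%pretrans` runs this shell scriptlet before any package in the transaction is unpacked, so on a fresh system `/bin/sh`, `getent` and `groupadd` may not exist yet; that is why distribution packaging guidelines require `%pretrans` bodies to be written in Lua (`%pretrans -p <lua>`). The standard place for creating a system group is `%pre`, which still runs before this package's own files are laid down and therefore before `%files` needs the `isula` group to resolve. I would use `%pre` here and, unless the spec already declares it outside this hunk, add `Requires(pre): shadow-utils` so `getent`/`groupadd` are guaranteed to be installed when the scriptlet runs.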
@@ -74,7 +74,7 @@ fi %if 0%{?is_systemd} %config(noreplace) %attr(0640,root,root) %{_unitdir}/isula-build.service %endif -%attr(551,root,root) %{_bindir}/isula-build +%attr(550,root,isula) %{_bindir}/isula-build %attr(550,root,root) %{_bindir}/isula-builder %dir %attr(650,root,root) %{_sysconfdir}/isula-build @@ -85,6 +85,12 @@ fi /usr/share/bash-completion/completions/isula-build %changelog +* Mon Jul 26 2021 DCCooper <1866858@gmail.com> - 0.9.5-9 +- Type:bugfix +- CVE:NA +- SUG:restart +- DESC:modify file mode for isula-build client binary and public key + * Wed Jun 16 2021 DCCooper <1866858@gmail.com> - 0.9.5-8 - Type:enhancement - CVE:NA diff --git a/patch/0055-isula-build-change-isula-build-file-mode.patch b/patch/0055-isula-build-change-isula-build-file-mode.patch new file mode 100644 index 0000000..2164b67 --- /dev/null +++ b/patch/0055-isula-build-change-isula-build-file-mode.patch 
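Review bot: `%attr(550,root,isula) %{_bindir}/isula-build` makes the client's group a name that rpm resolves at unpack time; if the `isula` group does not exist at that moment rpm only prints a warning and installs the file as `root:root`, so the 0550 mode silently becomes root-only and members of `isula` lose the access this commit still means to give them. The spec should therefore guarantee the group before unpacking (a `%pre` scriptlet ordered by `Requires(pre): shadow-utils`, neither visible in this hunk) rather than leave it to a warning nobody reads. Note also that the execute bit on the client is a convenience gate, not a trust boundary: anyone who can reach the builder's socket can presumably drive it with their own copy of the client, so the access policy described in the commit message has to be enforced by isula-builder itself.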
@@ -0,0 +1,49 @@
+From f22214ca3bcb452238d2390a06891cf6d446e8ac Mon Sep 17 00:00:00 2001
+From: DCCooper <1866858@gmail.com>
+Date: Mon, 26 Jul 2021 16:58:31 +0800
+Subject: [PATCH] isula-build: change isula-build file mode
+
+reason: since isula-build client file mode is too large(0551),
+we decided to remove other's permission(0550) on it.
+Beside, we change the public key(isula-build.pub) file
+mode to 0400(from 0444), so only the owner of the public
+key can read the key.
+After this commit, if the non-root user want to use command
+login, logout, build with args(http_proxy, https_proxy, etc...),
+they need use sudo to temporarily obtain root permission.
+
+Signed-off-by: DCCooper <1866858@gmail.com>
+---
+ Makefile | 2 +-
+ constant.go | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 925968a..a9d4c93 100644
+--- a/Makefile
++++ b/Makefile
+@@ -102,7 +102,7 @@ proto:
+ 
+ .PHONY: install
+ install:
+-	install -D -m0551 bin/isula-build $(BINDIR)
++	install -D -m0550 bin/isula-build $(BINDIR)
+ 	install -D -m0550 bin/isula-builder $(BINDIR)
+ 	@( getent group isula > /dev/null ) || ( groupadd --system isula )
+ 	@[ ! -d ${CONFIG_DIR}/${CONFIG_FILE} ] && install -dm0650 ${CONFIG_DIR}
+diff --git a/constant.go b/constant.go
+index 9926728..bfe399b 100644
+--- a/constant.go
++++ b/constant.go
+@@ -50,7 +50,7 @@ const (
+ 	// DefaultRootDirMode is the default root dir mode
+ 	DefaultRootDirMode = 0700
+ 	// DefaultReadOnlyFileMode is the default root read only file mode
+-	DefaultReadOnlyFileMode = 0444
++	DefaultReadOnlyFileMode = 0400
+ 	// DefaultUmask is the working umask of isula-builder as a process, not for users
+ 	DefaultUmask = 0022
+ 	// CliLogBufferLen is log channel buffer size
+-- 
+1.8.3.1
+
diff --git a/series.conf b/series.conf
index 5b3e157..7baf6fd 100644
--- a/series.conf
+++ b/series.conf
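Review bot: The Makefile's `install -D -m0550 bin/isula-build $(BINDIR)` now drops the execute bit for others but still installs with the invoking process's group (root under `sudo make install`), so a source install yields a `root:root` 0550 client that only root can run, unlike the spec in this same commit which gives it `root:isula`. To keep the two install paths consistent, create the group before the binaries are installed and pass it to install: move `@( getent group isula > /dev/null ) || ( groupadd --system isula )` above the install lines and use `install -D -m0550 -g isula bin/isula-build $(BINDIR)`. In constant.go, `DefaultReadOnlyFileMode = 0400` only affects files the builder writes with that mode; if it is applied at creation time only (the use site is not in this patch), an existing `isula-build.pub` from an earlier install stays 0444, so either re-apply the mode on startup or state the caveat in the release notes. The constant's comment should also name what it governs, e.g. `// DefaultReadOnlyFileMode is the mode for files the builder writes once and never modifies (e.g. isula-build.pub); 0400 keeps them readable by the owner only`.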
@@ -18,3 +18,4 @@ patch/0051-bugfix-set-user-s-uid-and-gid-for-containers.patch
 patch/0052-hack-make-isula-build-binary-static.patch
 patch/0053-integration-test-from-new-flaw-of-run-and-data-root-.patch
 patch/0054-isula-build-cleancode-for-errors.Wrap-function.patch
+patch/0055-isula-build-change-isula-build-file-mode.patch