bug-gnulib

Re: copy-file without preserving the owner


From: Patrice Dumas
Subject: Re: copy-file without preserving the owner
Date: Sat, 24 Aug 2024 12:24:26 +0200

On Fri, Aug 23, 2024 at 11:56:06PM +0200, Bruno Haible wrote:
> Hi Patrice,
> 
> > For some code in Texinfo (not public yet), I needed to copy a file.  I
> > used the copy-file Gnulib module code, but I did not want to preserve
> > the owner and group as it is better in my case if the file owner is the
> > same as the generated output files owner.   So I modified the code not to
> > keep the owner.
> 
> In Gnulib, we can accommodate the needs of particular packages. But in this
> case, you'd need to convince me first. My thoughts are:
> 
>   * In most cases, the copy of a file should have the same confidentiality
>     restrictions as the original file. A copy that assigns a new owner and
>     group usually is a confidentiality risk, no?

If a user has the possibility to read a file and to write it in a
directory that belongs to that user, the user can do that anyway?  For
instance, if the user has a shell access this is the same as doing a
plain 'cp'.

>   * In your patch, you disable the copying of owner and group but keep the
>     copying of the ACL. This makes no sense to me, because on many platforms
>     the owner and group are part of the ACL. So, you might end up with
>     either
>        owner and group copied despite your wishes,
>     or
>        an inconsistent ACL.

I have near 0 knowledge about ACLs, I have never strayed away from the
basic unix files with owner and group and rwxs permissions...  At first
I removed the ACL, but then I assumed, possibly wrongly, that keeping
the ACL is consistent with keeping the permissions.

> Can you please describe your use-case:
>   - What are the owners+groups involved?
>   - What is the expected workflow on the copied file? Who is supposed to
>     view it? Who is supposed to edit it?

In Texinfo, we install JavaScript/CSS files in datadir, for instance on my
Debian I have
$ ls -l /usr/share/texinfo/js/
total 104
-rw-r--r-- 1 root root  4136 janv. 13  2024 info.css
-rw-r--r-- 1 root root 73505 janv. 13  2024 info.js
-rw-r--r-- 1 root root 20787 janv. 13  2024 modernizr.js

With an appropriate customization variable passed to texi2any, when
generating HTML, texi2any copies the files found in datadir/texinfo/js/
(/usr/share/texinfo/js/ in my example) to the output directory (and adds
<script> and <a href> referring to those files in the generated HTML
files).  texi2any does that copy as the user generating the HTML manual,
so, in general, a normal user.  It makes sense to me for the copied
files to also belong to the user running texi2any once they are copied
in the output directory.  Also if the user cannot create a file with the
same owner as the source file, which is the case in my example as the
files are owned by root, I guess that the copy will fail if the owner
and groups are to be conserved.

We have two parallel implementations for HTML conversion in texi2any, in
Perl and in C (this part of the C implementation is not public yet as I
said above, I will push it right after the next release).  When we do
the copy in Perl, we use File::Copy::copy, which uses the default
permissions for the target file (which may depend on the process' umask,
file ownership, inherited ACLs, etc.) (As a side note, we could also
have used File::Copy::cp, which behaves more like the shell cp, I do not
know why we chose one over the other).

It does not matter to me if, in the C implementation, the result is not
exactly the same as what is obtained when using Perl in terms of
timestamps and permissions (keeping permissions of the source file or
using default permissions with umask) as long as the result is sensible.

-- 
Pat
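
An added example, not part of the original message and not code from Gnulib's copy-file module or from Texinfo: a POSIX C function (the name copy_file_no_owner is hypothetical) for the copy discussed in this thread. It copies a regular file as the calling user, carries over only the rwx permission bits of the source, and never calls chown or copies ACLs, so a root-owned file from datadir ends up owned by whoever runs the copy.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst as the calling user.  The new file keeps the caller's
   owner and group (no chown), and gets the source's rwx bits without
   setuid/setgid/sticky.  Returns 0 on success, -1 on failure. */
int copy_file_no_owner(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;

    struct stat st;
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(in);
        return -1;
    }

    /* O_EXCL refuses to overwrite or follow anything already at dst.
       Create with 0600 so the data is never more widely readable than
       the source while the copy is in progress. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) {
        close(in);
        return -1;
    }

    char buf[65536];
    ssize_t n;
    int rc = 0;
    while (rc == 0 && (n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { rc = -1; break; }
            off += w;
        }
    }
    if (rc == 0 && n < 0)
        rc = -1;

    /* fchmod is not filtered by umask: the copy gets exactly these bits. */
    if (rc == 0 && fchmod(out, st.st_mode & 0777) < 0)
        rc = -1;

    close(in);
    if (close(out) < 0)
        rc = -1;
    if (rc < 0)
        unlink(dst);   /* do not leave a partial copy behind */
    return rc;
}
```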


