From 8d7adb7d947154ca5019ae34b649e81938142b95 Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Mon, 11 May 2020 13:02:56 -0700 Subject: [PATCH] Fix umask better While the umask was previously set for builds (and in fact `docker run` sets it to 0022 by default), the release pipeline `cp`'s files (with `-a`) which respect the user's umask, and is outside of the build path. This sets the umask in a common function called by all build tools, which Stephen agreed was the simplest and most complete fix. The `verify-prereqs` function is already poorly named for what it does, and this only makes it epsilon worse. --- build/common.sh | 3 +++ hack/lib/golang.sh | 7 +++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/build/common.sh b/build/common.sh index 5368f98f6f0..453c7b9b1d7 100755 --- a/build/common.sh +++ b/build/common.sh @@ -163,6 +163,9 @@ function kube::build::verify_prereqs() { kube::version::get_version_vars kube::version::save_version_vars "${KUBE_ROOT}/.dockerized-kube-version-defs" + + # Without this, the user's umask can leak through. + umask 0022 } # --------------------------------------------------------------------------- diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh index b1e42acee5a..fa6bba14095 100755 --- a/hack/lib/golang.sh +++ b/hack/lib/golang.sh @@ -523,10 +523,6 @@ kube::golang::setup_env() { # This seems to matter to some tools export GO15VENDOREXPERIMENT=1 - - # This is for sanity. Without it, user umasks leak through into release - # artifacts. - umask 0022 } # This will take binaries from $GOPATH/bin and copy them to the appropriate @@ -678,6 +674,9 @@ kube::golang::build_some_binaries() { } kube::golang::build_binaries_for_platform() { + # This is for sanity. Without it, user umasks can leak through. + umask 0022 + local platform=$1 local -a statics=()