<div dir="ltr"><div><div>Hi all,<br><br></div>I did some more digging into this issue, trying to understand why Brian and I are having different results - especially on the privileges associated to the jars. It turns out that the wildfly builds for 10,11 and 12 are indeed associating the proper privileges to jars ( so -rw-r--r--.), but the build of EAP 7.1 are creating an archive with different set of priviliges (-rw-rw-r--) for jars... Same thing with the directory privileges. The &#39;domain&#39; directory produced by all 3 final version of Wildfly (10,11 and 12) is associated to drwxr-xr-x and not drwxrwxr-x (as the EAP 7 builds produces):<br><br></div>I&#39;ve a small script to check and the output clearly shows this discrepencies:<br><div><br>$ ./show-privileges.sh <br>Extracting archive into /tmp/tmp.Aufm1F6d2h...Done.<br>-rw-r--r--. 1 rpelisse rpelisse 364930 29 janv.  2016 /tmp/tmp.Aufm1F6d2h/wildfly-10<wbr>.0.0.Final/jboss-modules.jar<br>drwxr-xr-x. 5 rpelisse rpelisse 100 29 janv.  2016 /tmp/tmp.Aufm1F6d2h/wildfly-10<wbr>.0.0.Final/domain/<br>Done.<br>$ export ZIP_FILE=jboss-eap-7.1.zip <br>$ ./show-privileges.sh <br>Extracting archive into /tmp/tmp.sErv7wRwoS...Done.<br>-rw-rw-r--. 1 rpelisse rpelisse 401354  8 nov.  20:47 /tmp/tmp.sErv7wRwoS/jboss-eap-<wbr>7.1/jboss-modules.jar<br>drwxrwxr-x. 5 rpelisse rpelisse 100  8 nov.  20:47 /tmp/tmp.sErv7wRwoS/jboss-eap-<wbr>7.1/domain/<br>Done.<br><br>I am going to investigate why EAP builds behaves differently than Wildlfy (but it does not really concern this mailing list). Thus, I consider this topic closed for upstream (at least for now, once EAP builds behavior is aligned with the one of Wildfly we can see if there is some more discrepencies to be worried about). <br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 12, 2017 at 9:12 PM, James Perkins <span dir="ltr">&lt;<a href="mailto:jperkins@redhat.com" target="_blank">jperkins@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">My apologies after rereading the comment I think you&#39;re just saying permissions need to be consistent across all deliverables which I agree with. Sorry for the confusion.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 12, 2017 at 8:47 AM, James Perkins <span dir="ltr">&lt;<a href="mailto:jperkins@redhat.com" target="_blank">jperkins@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">That means the packaging tool has to know about all the files it consumes. That would make the feature pack concept irrelevant. There could be a reason the feature pack set specific permissions on a file and the provisioning tool should honor that. It shouldn&#39;t be making assumptions. Especially if that assumption is determined by a file extension.</div><div class="m_-7660000378379959351HOEnZb"><div class="m_-7660000378379959351h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 12, 2017 at 12:20 AM, Carlo de Wolf <span dir="ltr">&lt;<a href="mailto:cdewolf@redhat.com" target="_blank">cdewolf@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    If any target platform needs more restrictive permissions, those
    need to apply to all deliverables (whether it is ZIP or RPMs).<span class="m_-7660000378379959351m_2338899648334483390HOEnZb"><font color="#888888"><br>
    <br>
    Carlo</font></span><div><div class="m_-7660000378379959351m_2338899648334483390h5"><br>
    <br>
    <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721moz-cite-prefix">On 11-12-17 23:28, James Perkins wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">I personally don&#39;t have any strong opinions on what
        the permissions should be. However as I said before it should
        definitely not be the provisioning plugin that sets these
        permissions. If they need to be different we need to change them
        in the feature pack.</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Dec 11, 2017 at 4:47 AM, Romain
          Pelisse <span dir="ltr">&lt;<a href="mailto:belaran@redhat.com" target="_blank">belaran@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Hi all,<br>
              <br>
              Not too much involvement except from Brian and I :) -
              sadly, we cannot move forward on this topic without a
              minimum of consensus. If you don&#39;t to participate, can you
              at least reply &quot;+1 Brian&quot; (if you think we should NOT try
              to change the current behavior&quot;) or &quot;+1 Romain&quot; (if you
              think we should address this issue somehow).<br>
              <br>
              (please don&#39;t vote on the PR I&#39;ve proposed, it&#39;s just a
              proposal on HOW we could do it - here I want to assert IF
              we want to do it, not voting on the &quot;how&quot;).<br>
            </div>
            <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721HOEnZb">
              <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Wed, Dec 6, 2017 at 6:05
                    PM, Brian Stansberry <span dir="ltr">&lt;<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div class="gmail_extra">
                          <div class="gmail_quote"><span>On Wed, Dec 6,
                              2017 at 4:27 AM, Romain Pelisse <span dir="ltr">&lt;<a href="mailto:belaran@redhat.com" target="_blank">belaran@redhat.com</a>&gt;</span>
                              wrote:<br>
                              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                <div dir="ltr">
                                  <div>
                                    <div>Hi Brian (and all),<br>
                                      <br>
                                    </div>
                                    I honestly understand your
                                    resistance, and I&#39;m completely fine
                                    if we end up closing this all issue
                                    as WONTDO or REJECTED. I just do
                                    want to have a discussion about it
                                    and come back with clear reasons and
                                    motivations for changing or not the
                                    privileges of each of those files.<br>
                                  </div>
                                </div>
                              </blockquote>
                              <div><br>
                              </div>
                            </span>
                            <div>Thanks for doing this! There have been
                              a number of issues filed over the last
                              year or so on this general topic so I&#39;m
                              very happy to see them getting addressed
                              here via the WildFly community. Most of
                              the issues I&#39;ve been talking about are
                              JBEAP issues in JIRA, which is fine, but
                              the best way to get this solid is to get
                              WildFly the way we want it first.</div>
                            <div><br>
                            </div>
                            <div>Even on the config file read perms
                              thing I mentioned in my last post, I&#39;m
                              personally resistant to changing it, but
                              my biggest resistance is to doing that
                              without a full community discussion.</div>
                            <span>
                              <div><br>
                              </div>
                              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                <div dir="ltr">
                                  <div><br>
                                  </div>
                                  Given that we see different things on
                                  our local setup, I think the best will
                                  be to use a build on a CI Server and
                                  works from what we see there. Is there
                                  an easy way for me to clone a job
                                  building Wildfly and tweak it on some
                                  (publicly) accessible instance ?<br>
                                </div>
                              </blockquote>
                              <div><br>
                              </div>
                            </span>
                            <div><a href="https://developer.jboss.org/thread/224262" target="_blank">https://developer.jboss.org/th<wbr>read/224262</a>
                              describes how to get a zip built from a
                              daily CI job.</div>
                            <div><br>
                            </div>
                            <div>If anyone has any insights on this,
                              please speak up!</div>
                            <div>
                              <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485h5">
                                <div> </div>
                                <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                  <div dir="ltr"><br>
                                  </div>
                                  <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-HOEnZb">
                                    <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-h5">
                                      <div class="gmail_extra"><br>
                                        <div class="gmail_quote">On Mon,
                                          Dec 4, 2017 at 6:48 PM, Brian
                                          Stansberry <span dir="ltr">&lt;<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>&gt;</span>
                                          wrote:<br>
                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                            <div dir="ltr">A slightly
                                              different topic, related
                                              to the
                                              &quot;logging.properties/xml
                                              config file&quot; topic is
                                              whether these files should
                                              be world and/or group
                                              readable.
                                              <div><br>
                                              </div>
                                              <div>Changing this has
                                                been proposed in the
                                                past on the EAP side,
                                                primarily based on the
                                                argument that users
                                                could put sensitive data
                                                in these files. This
                                                thread seems like a good
                                                time to debate this a
                                                bit in community.</div>
                                              <div><br>
                                              </div>
                                              <div>I&#39;ve resisted that
                                                primarily on the basis
                                                of:</div>
                                              <div><br>
                                              </div>
                                              <div>1) These files or
                                                those similarly used
                                                have had these perms as
                                                far back as I can find
                                                in JBoss AS. So the odds
                                                that some people are
                                                relying upon those perms
                                                is fairly high and we
                                                need to assume a change
                                                would be a breaking
                                                change for some people.</div>
                                              <div><br>
                                              </div>
                                              <div>2) Other software
                                                I&#39;ve looked at like
                                                Tomcat and httpd have
                                                similar permission
                                                schemes to what we have
                                                for their config files,
                                                which can also
                                                potentially include
                                                sensitive data.</div>
                                              <div><br>
                                              </div>
                                              <div>3) We provide
                                                facilities like the
                                                vault or elytron
                                                credential store refs
                                                for keeping sensitive
                                                data out of the config
                                                files.</div>
                                              <div> </div>
                                            </div>
                                            <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818HOEnZb">
                                              <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818h5">
                                                <div class="gmail_extra"><br>
                                                  <div class="gmail_quote">On
                                                    Mon, Dec 4, 2017 at
                                                    11:38 AM, Brian
                                                    Stansberry <span dir="ltr">&lt;<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>&gt;</span> wrote:<br>
                                                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                      <div dir="ltr">
                                                        <div>Thanks,
                                                          Romain.</div>
                                                        <div><br>
                                                        </div>
                                                        Re: what the
                                                        actual
                                                        permissions are,
                                                        FWIW I get what
                                                        I see on both my
                                                        macbook and my
                                                        Fedora 27
                                                        machine, both
                                                        when unzipping
                                                        the actual
                                                        11.0.0.Final and
                                                        when unzipping
                                                        the result of a
                                                        build of master,
                                                        and both with
                                                        and without the
                                                        -Prelease
                                                        -Pjboss-release
                                                        args to maven
                                                        that we include
                                                        when doing
                                                        actual releases.
                                                        Unzipping the
                                                        zip in
                                                        build/target
                                                        doesn&#39;t include
                                                        the jars of
                                                        course.
                                                        <div><br>
                                                        </div>
                                                        <div>So it
                                                          sounds like we
                                                          need input
                                                          from others.</div>
                                                        <div><br>
                                                        </div>
                                                        <div>Re:
                                                          modules.xml,
                                                          if you are
                                                          seeing those
                                                          as rw-r--r--
                                                          as well, then
                                                          +1 to ignoring
                                                          them in
                                                          further
                                                          discussion.</div>
                                                        <div><br>
                                                        </div>
                                                        <div>Re:
                                                          logging.properties,
                                                          those serve a
                                                          very similar
                                                          conceptual
                                                          role to the
                                                          standalone|host|domain.xml
                                                          files so I see
                                                          no reason for
                                                          them to have
                                                          different
                                                          perms.
                                                          However, you
                                                          and I are
                                                          getting
                                                          different
                                                          results, where
                                                          you report
                                                          them as group
                                                          writable and I
                                                          don&#39;t. What do
                                                          you see for
                                                          the xml config
                                                          files?</div>
                                                        <div><br>
                                                        </div>
                                                        <div>Re: RPM
                                                          changing to
                                                          match WildFly,
                                                          that&#39;s an EAP
                                                          discussion, so
                                                          that can be
                                                          taken up
                                                          elsewhere once
                                                          we have
                                                          WildFly the
                                                          way we want
                                                          it.</div>
                                                        <div><br>
                                                        </div>
                                                      </div>
                                                      <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177HOEnZb">
                                                        <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177h5">
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Fri, Dec 1,
                                                          2017 at 4:11
                                                          AM, Romain
                                                          Pelisse <span dir="ltr">&lt;<a href="mailto:belaran@redhat.com" target="_blank">belaran@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div dir="ltr">Hi
                                                          Brian and all,<br>
                                                          <br>
                                                          err, my own
                                                          observation
                                                          differs from
                                                          yours. I&#39;ve
                                                          rebuild
                                                          Wildfly from
                                                          the last
                                                          content of the
                                                          master branch
                                                          and get the
                                                          same
                                                          privileges on
                                                          the
                                                          jboss-modules.jar
                                                          (so -rw-rw-r--
                                                          and not as you
                                                          are seeing 
                                                          rwxr--r--).
                                                          Same with the
                                                          domain folder,
                                                          which turns
                                                          out on my
                                                          local system
                                                          associated to
                                                          &#39;drwxrwxr-x.&#39;
                                                          and not
                                                          &#39;rwxr-xr-x&#39; as
                                                          you are
                                                          seeing). See
                                                          below for a
                                                          transcript of
                                                          what I did -
                                                          maybe you can
                                                          spot why our
                                                          results
                                                          differs so
                                                          much.<br>
                                                          <br>
                                                          $ git show<br>
                                                          commit
                                                          46e119c65d9e32bc0ec69f3933267f<wbr>ece959ed3f<br>
                                                          Merge: 051f080
                                                          c7d9075<br>
                                                          Author: Kabir
                                                          Khan &lt;<a href="mailto:kkhan@redhat.com" target="_blank">kkhan@redhat.com</a>&gt;<br>
                                                          Date:   Tue
                                                          Nov 28
                                                          17:46:40 2017
                                                          +0000<br>
                                                          <br>
                                                              Merge pull
                                                          request #10669
                                                          from
                                                          praxeo/WFLY-9284<br>
                                                          <br>
                                                              WFLY-9284
                                                          Correct MVN
                                                          env variable
                                                          to mvnw.cmd<br>
                                                          <br>
                                                          $ unzip
                                                          ./build/target/wildfly-12.0.0.<wbr>Alpha1-SNAPSHOT.zip
                                                          -d
                                                          wildfly-12.zip<br>
                                                          ...<br>
                                                          $ ls -l
                                                          wildfly-12.zip/wildfly-12.0.0.<wbr>Alpha1-SNAPSHOT/jboss-modules.<wbr>jar<br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse
                                                          403683 30
                                                          nov.  11:41
                                                          wildfly-12.zip/wildfly-12.0.0.<wbr>Alpha1-SNAPSHOT/jboss-modules.<wbr>jar<br>
                                                          $ ls -l
                                                          wildfly-12.zip/wildfly-12.0.0.<wbr>Alpha1-SNAPSHOT/domain/ 
                                                          -d<br>
                                                          drwxrwxr-x. 5
                                                          rpelisse
                                                          rpelisse 4096
                                                          30 nov.  11:41
wildfly-12.zip/wildfly-12.0.0.<wbr>Alpha1-SNAPSHOT/domain/<br>
                                                          <br>
                                                          Checking all
                                                          the jars in
                                                          the
                                                          distribution,
                                                          they all
                                                          appears to
                                                          have the mask
                                                          &#39;-rw-rw-r--&#39;:<br>
                                                          <br>
                                                          $ for jar in
                                                          $(find dist/
                                                          -name *.jar);
                                                          do ls -l
                                                          &quot;${jar}&quot; ;
                                                          done | sed -e
&#39;/-rw-rw-r--/d&#39;<br>
                                                          $<br>
                                                          <br>
                                                          Regarding
                                                          properties
                                                          files, here is
                                                          the exhaustive
                                                          list of
                                                          properties
                                                          that RPM
                                                          packaging has
                                                          modified the
                                                          privileges of:<br>
                                                          <br>
appclient/configuration/loggin<wbr>g.properties rw-------<br>
domain/configuration/applicati<wbr>on-roles.properties rw-------<br>
domain/configuration/default-s<wbr>erver-logging.properties rw-------<br>
domain/configuration/logging.p<wbr>roperties rw-------<br>
domain/configuration/mgmt-grou<wbr>ps.properties rw-------<br>
standalone/configuration/appli<wbr>cation-roles.properties rw-------<br>
standalone/configuration/loggi<wbr>ng.properties rw-------<br>
standalone/configuration/mgmt-<wbr>groups.properties rw-------<br>
                                                          <br>
                                                          If I compare
                                                          that with the
                                                          content of the
                                                          extract zip
                                                          (same fresh
                                                          built as
                                                          above), I can
                                                          see that 4
                                                          files are not
                                                          having the
                                                          same mask
                                                          (rw------):<br>
                                                          <br>
                                                          $ for file in
                                                          $(cut -f1 -d\ 
../../../list-props-files.txt ); do ls -l $file ; done<br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse 2314
                                                          30 nov.  11:41
appclient/configuration/loggin<wbr>g.properties<br>
                                                          -rw-------. 1
                                                          rpelisse
                                                          rpelisse 710
                                                          30 nov.  11:41
domain/configuration/applicati<wbr>on-roles.properties<br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse 1528
                                                          30 nov.  11:41
domain/configuration/default-s<wbr>erver-logging.properties<br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse 2328
                                                          30 nov.  11:41
domain/configuration/logging.p<wbr>roperties<br>
                                                          -rw-------. 1
                                                          rpelisse
                                                          rpelisse 669
                                                          30 nov.  11:41
domain/configuration/mgmt-grou<wbr>ps.properties<br>
                                                          -rw-------. 1
                                                          rpelisse
                                                          rpelisse 711
                                                          30 nov.  11:41
standalone/configuration/appli<wbr>cation-roles.properties<br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse 2395
                                                          30 nov.  11:41
standalone/configuration/loggi<wbr>ng.properties<br>
                                                          -rw-------. 1
                                                          rpelisse
                                                          rpelisse 669
                                                          30 nov.  11:41
standalone/configuration/mgmt-<wbr>groups.properties<br>
                                                          <br>
                                                          Now, as you
                                                          said, those
                                                          files
                                                          privileges are
                                                          indeed
                                                          fine-grained,
                                                          so maybe we
                                                          can push back
                                                          to people
                                                          making the RPM
                                                          for them to
                                                          NOT change the
                                                          following
                                                          files
                                                          privileges:<br>
                                                          <br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse 2314
                                                          30 nov.  11:41
appclient/configuration/loggin<wbr>g.properties<br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse 1528
                                                          30 nov.  11:41
domain/configuration/default-s<wbr>erver-logging.properties<br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse 2328
                                                          30 nov.  11:41
domain/configuration/logging.p<wbr>roperties<br>
                                                          -rw-rw-r--. 1
                                                          rpelisse
                                                          rpelisse 2395
                                                          30 nov.  11:41
standalone/configuration/loggi<wbr>ng.properties<br>
                                                          <br>
                                                          However, I
                                                          don&#39;t see the
                                                          value of
                                                          letting those
                                                          files
                                                          accessible
                                                          either group
                                                          member or any
                                                          user on the
                                                          system, but
                                                          maybe we can
                                                          make the
                                                          argument they
                                                          should. But
                                                          the write
                                                          privileges for
                                                          group member
                                                          sounds wrong
                                                          to me.<br>
                                                          <br>
                                                          Also, I&#39;m
                                                          puzzled Brian
                                                          and I are
                                                          seeing
                                                          different
                                                          things - am I
                                                          looking at the
                                                          correct
                                                          zipfile here ?<br>
                                                          <br>
                                                          Note: You also
                                                          mention the
                                                          module.xml -
                                                          as far as I
                                                          can see from
                                                          the diff
                                                          provided with
                                                          issue
                                                          JBEAP-12374, I
                                                          don&#39;t see any
                                                          issue with
                                                          privileges
                                                          regarding
                                                          those files,
                                                          so we can
                                                          remove them of
                                                          the
                                                          discussion.
                                                          The only
                                                          changes we
                                                          need to
                                                          discuss is
                                                          removing the
                                                          &#39;write&#39;
                                                          privileges&#39;
                                                          for the group
                                                          on jars,
                                                          reducing the
                                                          scope of
                                                          permissions on
                                                          (some)
                                                          folders, and
                                                          privileges on
                                                          (some)
                                                          properties
                                                          files. So,
                                                          module.xml are
                                                          out of the
                                                          scope.<br>
                                                          </div>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204HOEnZb">
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204h5">
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Thu, Nov 30,
                                                          2017 at 7:17
                                                          PM, Brian
                                                          Stansberry <span dir="ltr">&lt;<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div dir="ltr">Seems
                                                          I forgot to
                                                          &quot;Reply to All&quot;
                                                          yesterday. The
                                                          following was
                                                          meant to be
                                                          sent to
                                                          wildfly-dev.</div>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198HOEnZb">
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198h5">
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Wed, Nov 29,
                                                          2017 at 10:04
                                                          AM, Brian
                                                          Stansberry <span dir="ltr">&lt;<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div dir="ltr">
                                                          <div class="gmail_extra">
                                                          <div class="gmail_quote">Before
                                                          getting into
                                                          the specifics,
                                                          first a
                                                          general note
                                                          re: perms.</div>
                                                          <div class="gmail_quote"><br>
                                                          </div>
                                                          <div class="gmail_quote">Our
                                                          general
                                                          permission set
                                                          for is
                                                          rwxr-xr-x for
                                                          directories
                                                          and rwxr--r--
                                                          for files. If
                                                          someone thinks
                                                          that&#39;s wrong
                                                          in general;
                                                          speak up. ;).
                                                          Otherwise I
                                                          think any
                                                          deviation from
                                                          that we should
                                                          justify. Not
                                                          that
                                                          deviations are
                                                          wrong, just
                                                          that they need
                                                          to have a
                                                          reason.</div>
                                                          <div class="gmail_quote"><br>
                                                          </div>
                                                          <div class="gmail_quote"><span>On
                                                          Wed, Nov 29,
                                                          2017 at 3:12
                                                          AM, Romain
                                                          Pelisse <span dir="ltr">&lt;<a href="mailto:belaran@redhat.com" target="_blank">belaran@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div dir="ltr">Well,
                                                          the diff is
                                                          between the
                                                          RPM and the
                                                          zipfile is
                                                          pretty long,
                                                          but it boils
                                                          down to the 3
                                                          set of
                                                          differences
                                                          I&#39;ve pointed
                                                          out on <a href="https://issues.jboss.org/browse/WFLY-9574" target="_blank">WFLY-9574:</a><br>
                                                          <ul>
                                                          <li><b>.properties
                                                          and .jar</b>
                                                          files are
                                                          associated
                                                          with the mask
                                                          rw-rw-r--
                                                          giving access
                                                          to it to any
                                                          other users
                                                          and allowing
                                                          group member
                                                          to modify the
                                                          file - the RPM
                                                          distribution
                                                          fixes that by
                                                          removing the
                                                          write
                                                          privileges for
                                                          the group
                                                          (rw-r--r--). I
                                                          personnaly
                                                          don&#39;t see the
                                                          value of
                                                          letting the
                                                          group members
                                                          modify those
                                                          files, I just
                                                          can see how
                                                          this could be
                                                          exploited, so
                                                          I would say it
                                                          falls into
                                                          &quot;clearly wrong
                                                          and not our
                                                          intent&quot;. A
                                                          case might be
                                                          made for the
                                                          .properties
                                                          files, but for
                                                          jars file I
                                                          really don&#39;t
                                                          see a valid
                                                          use case
                                                          (unless of
                                                          course, any of
                                                          you know one)
                                                          ;<br>
                                                          </li>
                                                          </ul>
                                                          </div>
                                                          </blockquote>
                                                          </span>
                                                          <div>There are
                                                          a few
                                                          different
                                                          things here,
                                                          so let&#39;s deal
                                                          with them
                                                          separately.<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>For jars,
                                                          with an unzip
                                                          of
                                                          wildfly-11.0.0.Final.zip,
                                                          I see them as
                                                          rwxr--r--.
                                                          Which seems
                                                          correct to me.
                                                          In case I&#39;m
                                                          seeing
                                                          something
                                                          wrong, I don&#39;t
                                                          see why they
                                                          should vary
                                                          from the
                                                          general
                                                          standard. And
                                                          the module.xml
                                                          file should be
                                                          consistent,
                                                          since there&#39;s
                                                          not much point
                                                          in locking
                                                          people from
                                                          touching jars
                                                          but letting
                                                          them change
                                                          what jars get
                                                          loaded.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>For
                                                          properties
                                                          files, let&#39;s
                                                          consider them
                                                          on a more
                                                          fine-grained
                                                          basis. For
                                                          example, the
                                                          properties
                                                          files used by
                                                          the security
                                                          realms have
                                                          different
                                                          kinds of data
                                                          than
                                                          logging.properties
                                                          does.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>The perms
                                                          on the
                                                          security realm
                                                          property files
                                                          are rw-------,
                                                          not rw-rw-r--.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>The
                                                          logging.properties
                                                          files are
                                                          rw-r--r--
                                                          which is
                                                          consistent
                                                          with the
                                                          domain|host|standalone.xml
                                                          files and with
                                                          the general
                                                          standard.</div>
                                                          <span>
                                                          <div> </div>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div dir="ltr">
                                                          <ul>
                                                          <li><br>
                                                          </li>
                                                          <li><b>some
                                                          directories</b>
                                                          like
                                                          &#39;domain/tmp/auth&#39;
                                                          have too
                                                          restrictive
                                                          mask like
                                                          rwx------ and
                                                          RPMS to turned
                                                          them into
                                                          rwxrwxr-x
                                                          (that I don&#39;t
                                                          really agree
                                                          with) and</li>
                                                          </ul>
                                                          </div>
                                                          </blockquote>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div dir="ltr">
                                                          <ul>
                                                          <li><b>other
                                                          directories</b>,
                                                          likes &#39;domain&#39;
                                                          have again a
                                                          too permissive
                                                          mask rwxrwxr-x
                                                          (should be
                                                          rwxr-xr-x) -
                                                          and this IMHO,
                                                          make senses.</li>
                                                          </ul>
                                                          </div>
                                                          </blockquote>
                                                          </span>
                                                          <div>In the
                                                          unzip I see
                                                          these
                                                          directories as
                                                          rwxr-xr-x,
                                                          which I think
                                                          is fine.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Are you
                                                          concerned with
                                                          any other
                                                          directories
                                                          besides
                                                          $JBOSS_HOME/domain
                                                          and
                                                          $JBOSS_HOME/standalone?  </div>
                                                          <span>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div dir="ltr">
                                                          <p>So we need
                                                          to find an
                                                          agreement on
                                                          those three
                                                          items, and
                                                          then see how
                                                          we proceed to
                                                          implement the
                                                          fix (if
                                                          needed).<br>
                                                          </p>
                                                          </div>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198m_-2683071029277055849m_-2116885649071750356gmail-HOEnZb">
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198m_-2683071029277055849m_-2116885649071750356gmail-h5">
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Tue, Nov 28,
                                                          2017 at 10:00
                                                          PM, Brian
                                                          Stansberry <span dir="ltr">&lt;<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div dir="ltr">I
                                                          think we need
                                                          to start with
                                                          the assumption
                                                          that the
                                                          permissions we
                                                          have in the
                                                          zip are the
                                                          way they are
                                                          for a reason
                                                          and evaluate
                                                          possible
                                                          changes based
                                                          on discussion
                                                          here of each
                                                          type of
                                                          change. Maybe
                                                          the RPM
                                                          settings are
                                                          better, maybe
                                                          they are not.
                                                          Or maybe they
                                                          are better but
                                                          the
                                                          improvement is
                                                          not worth the
                                                          disruption a
                                                          change may
                                                          cause to our
                                                          end users, who
                                                          may rely on
                                                          the current
                                                          zip settings.
                                                          Or maybe what
                                                          we have in the
                                                          zip is clearly
                                                          wrong and
                                                          doesn&#39;t follow
                                                          our own
                                                          intent. I
                                                          expect we&#39;ll
                                                          probably see a
                                                          little of each
                                                          category,
                                                          although
                                                          hopefully some
                                                          changes for WF
                                                          11 removed the
                                                          &quot;clearly wrong
                                                          and doesn&#39;t
                                                          follow our
                                                          intent&quot; cases.
                                                          :)</div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">
                                                          <div>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198m_-2683071029277055849m_-2116885649071750356gmail-m_-1180250402260789810h5">On
                                                          Tue, Nov 28,
                                                          2017 at 8:37
                                                          AM, Romain
                                                          Pelisse <span dir="ltr">&lt;<a href="mailto:belaran@redhat.com" target="_blank">belaran@redhat.com</a>&gt;</span>
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198m_-2683071029277055849m_-2116885649071750356gmail-m_-1180250402260789810h5">
                                                          <div dir="ltr">Hi,<br>
                                                          <br>
                                                          As reported on
JBEAP-12374[1], there is some discrepancies between the ZIP file we
                                                          provided for
                                                          Widlfy/EAP and
                                                          the RPM
                                                          generate. Most
                                                          of those
                                                          discrepancies
                                                          - or the most
                                                          relevant ones,
                                                          are some fine
                                                          tuning
                                                          performed on
                                                          the (POSIX)
                                                          privileges
                                                          (things such
                                                          as removing
                                                          the write
                                                          privilege for
                                                          member of the
                                                          same group as
                                                          the owner of
                                                          the file). <br>
                                                          <br>
                                                          I&#39;ve looked
                                                          into this and
                                                          because those
                                                          files are
                                                          produced by
                                                          our own Maven
                                                          plugin (as
                                                          part of
                                                          wildfly-build-tools),
                                                          we can not
                                                          simply modify
                                                          the
                                                          assembly.xml.
                                                          Which actually
                                                          is probably
                                                          for the best,
                                                          as it would
                                                          made the
                                                          assembly file
                                                          quite
                                                          cumbersome.<br>
                                                          <br>
                                                          Anyhow, I&#39;ve
                                                          worked on a
                                                          proposal[2]
                                                          for the
                                                          wildfly-build-tools,
                                                          but when I
                                                          reported the
                                                          problem on
                                                          WFLY-9574[3],
                                                          Brian
                                                          suggested I
                                                          started a
                                                          discussion
                                                          here. So does
                                                          anyone have a
                                                          (strong)
                                                          opinion about
                                                          this issue
                                                          and/or how to
                                                          resolve it ?
                                                          :)<br>
                                                          <br>
                                                          (For the
                                                          record, I do
                                                          think it is
                                                          best to fix
                                                          the privileges
                                                          to follow what
                                                          the RPM does
                                                          for us for
                                                          now, but if
                                                          you feel this
                                                          issue should
                                                          not be
                                                          addressed, and
                                                          dev- the
                                                          issue, I&#39;m
                                                          certainly not
                                                          opposed to it
                                                          either).<br>
                                                          <br>
                                                          [1] <a href="https://issues.jboss.org/browse/JBEAP-12374" target="_blank">https://issues.jboss.org/brows<wbr>e/JBEAP-12374</a><br>
                                                          [2] <a href="https://github.com/wildfly/wildfly-build-tools/pull/40" target="_blank">https://github.com/wildfly/wil<wbr>dfly-build-tools/pull/40</a><br>
                                                          [3] <a href="https://issues.jboss.org/browse/WFLY-9574" target="_blank">https://issues.jboss.org/brows<wbr>e/WFLY-9574</a><br>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <span>______________________________<wbr>_________________<br>
                                                          wildfly-dev
                                                          mailing list<br>
                                                          <a href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a><br>
                                                          <a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/wildfly-dev</a><br>
                                                          </span></blockquote>
                                                          </div>
                                                          <span class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198m_-2683071029277055849m_-2116885649071750356gmail-m_-1180250402260789810HOEnZb"><font color="#888888"><br>
                                                          <br clear="all">
                                                          <div><br>
                                                          </div>
                                                          -- <br>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198m_-2683071029277055849m_-2116885649071750356gmail-m_-1180250402260789810m_-5783924410412555088gmail_signature">
                                                          <div dir="ltr">Brian
                                                          Stansberry
                                                          <div>Manager,
                                                          Senior
                                                          Principal
                                                          Software
                                                          Engineer</div>
                                                          <div>Red Hat</div>
                                                          </div>
                                                          </div>
                                                          </font></span></div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </span></div>
                                                          <span><br>
                                                          <br clear="all">
                                                          <div><br>
                                                          </div>
                                                          -- <br>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198m_-2683071029277055849m_-2116885649071750356gmail_signature">
                                                          <div dir="ltr">Brian
                                                          Stansberry
                                                          <div>Manager,
                                                          Senior
                                                          Principal
                                                          Software
                                                          Engineer</div>
                                                          <div>Red Hat</div>
                                                          </div>
                                                          </div>
                                                          </span></div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          <br clear="all">
                                                          <div><br>
                                                          </div>
                                                          -- <br>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204m_1573533529752805198m_-2683071029277055849gmail_signature">
                                                          <div dir="ltr">Brian
                                                          Stansberry
                                                          <div>Manager,
                                                          Senior
                                                          Principal
                                                          Software
                                                          Engineer</div>
                                                          <div>Red Hat</div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          <br clear="all">
                                                          <div><br>
                                                          </div>
                                                          -- <br>
                                                          <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177m_-1134558253926058204gmail_signature">
                                                          <div dir="ltr">Brian
                                                          Stansberry
                                                          <div>Manager,
                                                          Senior
                                                          Principal
                                                          Software
                                                          Engineer</div>
                                                          <div>Red Hat</div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </div>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <br>
                                                  <br clear="all">
                                                  <div><br>
                                                  </div>
                                                  -- <br>
                                                  <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail-m_3738924265233397818m_-1122520411078172177gmail_signature">
                                                    <div dir="ltr">Brian
                                                      Stansberry
                                                      <div>Manager,
                                                        Senior Principal
                                                        Software
                                                        Engineer</div>
                                                      <div>Red Hat</div>
                                                    </div>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                            </div>
                          </div>
                          <div>
                            <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485h5"><br>
                              <br clear="all">
                              <div><br>
                              </div>
                              -- <br>
                              <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721m_-5043903221733006485m_5952794579503701161gmail_signature">
                                <div dir="ltr">Brian Stansberry
                                  <div>Manager, Senior Principal
                                    Software Engineer</div>
                                  <div>Red Hat</div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
            <br>
            ______________________________<wbr>_________________<br>
            wildfly-dev mailing list<br>
            <a href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a><br>
            <a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/wildfly-dev</a><br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721gmail_signature" data-smartmail="gmail_signature">
          <div dir="ltr">
            <div>
              <div dir="ltr">
                <div>James R. Perkins</div>
                <div>JBoss by Red Hat</div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721mimeAttachmentHeader"></fieldset>
      <br>
      <pre>______________________________<wbr>_________________
wildfly-dev mailing list
<a class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721moz-txt-link-abbreviated" href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a>
<a class="m_-7660000378379959351m_2338899648334483390m_4712350184903213721moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/wildfly-dev</a></pre>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-7660000378379959351m_2338899648334483390gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>James R. Perkins</div><div>JBoss by Red Hat</div></div></div></div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-7660000378379959351gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>James R. Perkins</div><div>JBoss by Red Hat</div></div></div></div></div>
</div>
</div></div><br>______________________________<wbr>_________________<br>
wildfly-dev mailing list<br>
<a href="mailto:wildfly-dev@lists.jboss.org">wildfly-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/wildfly-dev</a><br></blockquote></div><br></div>