make-initrd-ng: fix file permissions

r-vdp · r-vdp · commit a9c75e768956 · 2025-05-08T12:13:50.000+02:00
We want to strip the write bit from files after we copied them.
XOR is not the right operator for this, since if the bit is 0 in both
the actual permissions and the mask, then the result will be a 1.
So in practice, we were assigning write permissions for group and others
to all files and we were only stripping the write permissions of the
owner (since the owner had write permissions, and so the result of the
XOR is 0).

The correct thing to do is to AND with the maximum permissions that we
want to maintain (which is the inverse of what we want to strip), so
that only those bits are preserved and the others are always set to 0.
diff --git a/pkgs/build-support/kernel/make-initrd-ng/src/main.rs b/pkgs/build-support/kernel/make-initrd-ng/src/main.rs
@@ -212,7 +212,7 @@ fn copy_file<
         }
 
         // Remove writable permissions
-        permissions.set_mode(permissions.mode() ^ 0o222);
+        permissions.set_mode(permissions.mode() & 0o555);
         fs::set_permissions(&target, permissions)
             .wrap_err_with(|| format!("failed to remove writable permissions for {:?}", target))?;
     };

Original file line number	Diff line number	Diff line change
`@@ -212,7 +212,7 @@ fn copy_file<`
`212`	`212`	`}`
`213`	`213`
`214`	`214`	`// Remove writable permissions`
`215`		`- permissions.set_mode(permissions.mode() ^ 0o222);`
	`215`	`+ permissions.set_mode(permissions.mode() & 0o555);`
`216`	`216`	`fs::set_permissions(&target, permissions)`
`217`	`217`	`.wrap_err_with(\|\| format!("failed to remove writable permissions for {:?}", target))?;`
`218`	`218`	`};`