Hi Bengt,

Bengt Richter <b...@bokr.com> wrote:

> I was wanting to check on some executable files in the store,
> and happened to see some executable .png files ;-/
>
> I suspect they came in when I was playing with icecat
> and let it load a "theme", but I am not sure some didn't
> also happen trying to get firefox radio buttons to work ;-/

Certainly not. Unless you ran icecat as root, it would not have sufficient permissions to modify /gnu/store. Installing a theme or addon in IceCat, or changing its configuration, modifies files in your ~/.mozilla, not /gnu/store.

> Anyway, does anyone else get 555 permissions on files like these?
> These are all *.png files with 555 permissions, but I trimmed back to see
> common prefixes.
> Obviously the moka-icon-theme was most of it, but also faba and docbook look
> iffy.

I looked at docbook-xsl-1.79.1, since I happen to have it installed on my system. Some of the *.png files are incorrectly given executable permissions within the upstream source tarball itself.

I guess it's probably the same issue with moka-icon-theme and faba-icon-theme, since I don't see anything in our package code that would have done it.

Most of the entries in your list that end with "png" but not ".png" are actually programs whose name ends with "png", so they *should* be executable.

The files in /gnu/store/.links that end with "png" are just random chance, because the file names themselves are hashes.

> Is this zero-day stuff with a nasty somewhere, waiting for referencing
> by another nasty, or am I being paranoid?

I think you're being paranoid in this case. I don't see anything here to be concerned about, just some minor sloppiness by 3 upstreams.

> What is the safe way to detoxify this mess?

The proper solution is to send bug reports to the upstream developers of docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to fix the permissions of the *.png files in their source tarballs.

> I know I shouldn't directly chmod anything in store, right?

Right, *never* modify files in /gnu/store directly.

> The icecat discussion got moved to mozilla,

Which discussion are you referring to?

Thanks,
Mark
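
The check described in the reply above, reading the permission bits recorded in an upstream source tarball instead of touching /gnu/store, as an added example that is not part of the original message. The archive contents are constructed sample data and the function names are hypothetical; it also confirms via the PNG signature that each flagged file really is an image.

```python
import io
import tarfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte PNG file signature
EXEC_BITS = 0o111                 # any of u+x, g+x, o+x

def audit_png_modes(tar_bytes):
    """Return (name, octal mode, really_png) for each executable *.png member."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            # Only regular files named *.png; "pnmtopng" is a program, not an image.
            if not member.isfile() or not member.name.lower().endswith(".png"):
                continue
            if member.mode & EXEC_BITS == 0:
                continue
            head = tar.extractfile(member).read(len(PNG_MAGIC))
            findings.append((member.name, oct(member.mode), head == PNG_MAGIC))
    return findings

def build_sample_tarball():
    """Constructed sample archive standing in for an upstream source tarball."""
    entries = [
        ("pkg-1.0/images/note.png", 0o755, PNG_MAGIC + b"\x00" * 16),  # image, wrongly +x
        ("pkg-1.0/images/tip.png", 0o644, PNG_MAGIC + b"\x00" * 16),   # image, correct mode
        ("pkg-1.0/bin/pnmtopng", 0o755, b"#!/bin/sh\nexit 0\n"),       # program, should be +x
        ("pkg-1.0/images/odd.png", 0o755, b"#!/bin/sh\nexit 0\n"),     # not a PNG at all
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for name, mode, is_png in audit_png_modes(build_sample_tarball()):
        status = "PNG image, stray +x bit" if is_png else "NOT a PNG, inspect"
        print(f"{mode} {name}: {status}")
```

A member reported with `really_png` true is the harmless case described in the reply (an image with a stray executable bit); one reported false is a file whose content does not match its extension and deserves a closer look.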