From b30ea3cffe05aeedc76fc9eb4dc5dc5f40e11ee7 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 2 Jul 2021 01:04:48 +0200 Subject: [PATCH] hooks/post-install: add fix permissions hook --- Manual.md | 4 +++ common/environment/setup-subpkg/subpkg.sh | 3 ++ .../hooks/post-install/14-fix-permissions.sh | 33 +++++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 common/hooks/post-install/14-fix-permissions.sh diff --git a/Manual.md b/Manual.md index 33706f20c2..db605c5213 100644 --- a/Manual.md +++ b/Manual.md @@ -762,6 +762,10 @@ Examples: ``` A special value `noarch` used to be available, but has since been removed. +- `nocheckperms` If set, xbps-src will not fail on common permission errors (world writable files, etc.) + +- `nofixperms` If set, xbps-src will not fix common permission errors (executable manpages, etc.) + #### About the many types of `depends` variables diff --git a/common/environment/setup-subpkg/subpkg.sh b/common/environment/setup-subpkg/subpkg.sh index 0243d24004..6edab5d882 100644 --- a/common/environment/setup-subpkg/subpkg.sh +++ b/common/environment/setup-subpkg/subpkg.sh @@ -8,6 +8,9 @@ unset -v depends run_depends replaces provides conflicts tags # hooks/post-install/03-strip-and-debug-pkgs unset -v nostrip nostrip_files +# hooks/post-install/14-fix-permissions +unset -v nocheckperms nofixperms + # hooks/pre-pkg/04-generate-runtime-deps unset -v noverifyrdeps skiprdeps allow_unknown_shlibs shlib_requires diff --git a/common/hooks/post-install/14-fix-permissions.sh b/common/hooks/post-install/14-fix-permissions.sh new file mode 100644 index 0000000000..57b76ae9f4 --- /dev/null +++ b/common/hooks/post-install/14-fix-permissions.sh 
@@ -0,0 +1,33 @@
+# This hook fixes permissions in common places
+
+change_file_perms() {
+ local dir="${PKGDESTDIR}${1}"
+ # permission mask for matching the files
+ local permmask="$2"
+ # permissions which will be set on matched files
+ local perms="$3"
+ if [ -d "$dir" ]; then
+ find "$dir" -type f -perm "/$permmask" -exec chmod -v "$perms" {} +
+ fi
+}
+
+hook() {
+ if [ -z "$nocheckperms" ]; then
+ # check that no files have permission write for all users
+ find "$PKGDESTDIR" -type f -perm -0002 | while read -r file; do
+ msg_error "$pkgver: file ${file#$PKGDESTDIR} has write permission for all users\n"
+ done
+ fi
+
+ if [ -z "$nofixperms" ]; then
+ change_file_perms "/usr/share/man" 133 644
+ change_file_perms "/etc/apparmor.d" 111 644
+ change_file_perms "/usr/share/applications" 133 644
+ change_file_perms "/usr/share/help" 133 644
+ change_file_perms "/usr/share/icons" 133 644
+ change_file_perms "/usr/share/locale" 133 644
+ change_file_perms "/usr/share/metainfo" 133 644
+ change_file_perms "/usr/share/appdata" 133 644
+ change_file_perms "/usr/include" 133 644
+ fi
+}
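Review bot: The world-writable check in `hook()` only matches regular files (`-type f -perm -0002`), so a package that ships a world-writable directory without the sticky bit passes, even though any local user could then create or replace entries in it. Consider widening the match to `find "$PKGDESTDIR" \( -type f -o -type d ! -perm -1000 \) -perm -0002`, or state in the comment that directories are deliberately out of scope. Separately, `change_file_perms` applies an absolute mode, so a file shipped as 0700 under `/etc/apparmor.d` matches `/111` and ends up 0644, gaining group and other read access. Because `chmod "$perms"` also accepts symbolic modes, passing `a-x,go-w` (or `a-x` for the `111` mask) at the call sites would remove the offending bits without ever adding any.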