*** This bug has been split off bug 145720 *** ------- Original comment by Josh Bressers (Security Response Team) on 2005.01.20 16:32 ------- This is a very old issue. This message was posted to vendor-sec. GNU cpio -oO appears to generate files with 0666 regardless of the user's umask. This is true for both cpio 2.5 (RH, SuSE) and and the (surprisingly 3x) larger cpio 2.6, but I haven't had the chance to dig into the code yet or sync with the developers yet. (If anyone else can gets to it before me, by all means...) cpio has a need to toggle between a "0" umask and the original umask depending on what it is doing, and gets it wrong in this case. It's a long-known public issue in general -- earliest I can find a record of it goes back to 1996, when the BSD folks fixed it: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391 and fixes against older GNU cpio were posted to gnu.utils.bugs by The Written Word folks: http://groups-beta.google.com/group/gnu.utils.bug/msg/4db088ee6031c9ec but it never seems to have gotten into newer GNU cpio versions.
Fix confirmed with cpio-2.5-7.EL4.1 which is part of RHSA-2005:073.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-073.html