"kc build" weakens file permissions #43437

@fjakop

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

dist/quarkus

Describe the bug

On our UNIX systems the user running Keycloak has a restrictive umask of 0027 (no access for others) set.
When we start Keycloak in production mode or run "kc.sh build" the file permissions on files below the lib folder are changed.

Before

lib/lib/boot:
total 1350
drwxr-s--- 2 me users   2048 Aug 21 13:48 .
drwxr-s--- 5 me users     96 Aug 21 13:47 ..
-rw-r----- 1 me users   9341 May 13  2022 io.github.crac.org-crac-0.1.3.jar
-rw-r----- 1 me users  61466 Aug 18 10:40 io.quarkus.quarkus-bootstrap-runner-3.20.2.1.jar
-rw-r----- 1 me users   7704 Aug 18 10:40 io.quarkus.quarkus-classloader-commons-3.20.2.1.jar
-rw-r----- 1 me users  53760 Aug 18 10:40 io.quarkus.quarkus-development-mode-spi-3.20.2.1.jar
-rw-r----- 1 me users  10160 Aug 18 10:40 io.quarkus.quarkus-vertx-latebound-mdc-provider-3.20.2.1.jar
-rw-r----- 1 me users  13968 Apr 11  2025 io.smallrye.common.smallrye-common-constraint-2.12.0.jar
...

then run

me@machine:/opt/keycloak/bin> ./kc.sh build
INFO: The following run time options were found, but will be ignored during build time: kc.cache, kc.cache-config-file, kc.hostname, kc.proxy-headers, kc.http-management-port, kc.vault-dir, kc.db-url, kc.db-username, kc.http-enabled, kc.http-host, kc.http-port, kc.log, kc.log-file, kc.log-level

Updating the configuration and installing your custom providers, if any. Please wait.
Server configuration updated and persisted. Run the following command to review the configuration:

        kc.sh show-config

After

lib/lib/boot:
total 1350
drwxr-sr-- 2 me users   2048 Aug 21 13:48 .
drwxr-sr-- 5 me users     96 Aug 21 13:47 ..
-rw-r--r-- 1 me users   9341 May 13  2022 io.github.crac.org-crac-0.1.3.jar
-rw-r--r-- 1 me users  61466 Aug 18 10:40 io.quarkus.quarkus-bootstrap-runner-3.20.2.1.jar
-rw-r--r-- 1 me users   7704 Aug 18 10:40 io.quarkus.quarkus-classloader-commons-3.20.2.1.jar
-rw-r--r-- 1 me users  53760 Aug 18 10:40 io.quarkus.quarkus-development-mode-spi-3.20.2.1.jar
-rw-r--r-- 1 me users  10160 Aug 18 10:40 io.quarkus.quarkus-vertx-latebound-mdc-provider-3.20.2.1.jar
-rw-r--r-- 1 me users  13968 Apr 11  2025 io.smallrye.common.smallrye-common-constraint-2.12.0.jar
...

Version

26.3.3, 26.3.4, 26.4.0

Regression

  • The issue is a regression

Expected behavior

The file permissions on files/dirs below lib folder should be left unchanged.

Actual behavior

The "kc.sh build" command sets read permissions for others on files/dirs below lib folder.

How to Reproduce?

  • untar a fresh Keycloak 26.4.0
  • chmod -R o-rwx keycloak-26.4.0/lib
  • ls -la keycloak-26.4.0/lib/lib/boot/
  • verify no read permissions for others
  • ./keycloak-26.4.0/bin/kc.sh build
  • ls -la keycloak-26.4.0/lib/lib/boot/
  • notice read permissions for others

Anything else?

No response
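
The before/after comparison from the reproduction steps, written as a repeatable check. This is an added example, not part of the original report and not Keycloak code; the script name perm-audit.sh and the file before.txt are hypothetical.

```shell
#!/bin/sh
# Added example (not Keycloak code). Script and file names are hypothetical.
# Usage:
#   ./perm-audit.sh snapshot /opt/keycloak/lib > before.txt
#   /opt/keycloak/bin/kc.sh build
#   ./perm-audit.sh diff before.txt /opt/keycloak/lib

# Print, sorted, every file or directory under DIR that grants any
# permission bit (r, w or x) to "others". Symlinks are skipped because
# their own mode is always 0777 on Linux and says nothing about the target.
other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        LC_ALL=C sort
}

# Compare an earlier other_access listing (file BEFORE) with the current
# state of DIR. Prints paths that are exposed now but were not before.
# Returns 0 if nothing was widened, 1 if something was, 2 on setup failure.
newly_exposed() {
    before=$1
    dir=$2
    now=$(mktemp) || return 2
    other_access "$dir" > "$now"
    # comm -13: lines only in the second (current) listing
    new=$(LC_ALL=C comm -13 "$before" "$now")
    rm -f "$now"
    if [ -z "$new" ]; then
        return 0
    fi
    printf '%s\n' "$new"
    return 1
}

case "${1:-}" in
    snapshot) other_access "$2" ;;
    diff)     newly_exposed "$2" "$3" ;;
esac
```

The non-zero exit status of the diff mode lets a deployment script stop when a build step has widened permissions below lib.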
