From 57b4a7efcecd3e80a547b9652d1e2e2b6c665379 Mon Sep 17 00:00:00 2001
From: James Shubin <james@shubin.ca>
Date: Wed, 18 Sep 2024 21:03:58 -0400
Subject: [PATCH] lib, engine: graph: Let children directories be readable

We want to be able to put useful scripts in $vardir type places, but if
the perms at the higher levels block this, then that can't work. The
top-level should always be more permissive, and then it grows more
restricted as we descend.
---
 engine/graph/engine.go |  5 +++--
 engine/graph/vardir.go |  3 ++-
 lib/main.go            | 10 ++++++++--
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/engine/graph/engine.go b/engine/graph/engine.go
index c02eaf4c..5394dc1c 100644
--- a/engine/graph/engine.go
+++ b/engine/graph/engine.go
@@ -106,7 +106,8 @@ func (obj *Engine) Init() error {
 	if obj.Prefix == "" || obj.Prefix == "/" {
 		return fmt.Errorf("the prefix of `%s` is invalid", obj.Prefix)
 	}
-	if err := os.MkdirAll(obj.Prefix, 0770); err != nil {
+	// 0775 since we want children to be able to read this!
+	if err := os.MkdirAll(obj.Prefix, 0775); err != nil {
 		return errwrap.Wrapf(err, "can't create prefix")
 	}
 
@@ -224,7 +225,7 @@ func (obj *Engine) Commit() error {
 		statePrefix := fmt.Sprintf("%s/", path.Join(obj.statePrefix(), pathUID))
 
 		// don't create this unless it *will* be used
-		//if err := os.MkdirAll(statePrefix, 0770); err != nil {
+		//if err := os.MkdirAll(statePrefix, 0775); err != nil {
 		//	return errwrap.Wrapf(err, "can't create state prefix")
 		//}
 
diff --git a/engine/graph/vardir.go b/engine/graph/vardir.go
index e361e037..aa53d03f 100644
--- a/engine/graph/vardir.go
+++ b/engine/graph/vardir.go
@@ -54,7 +54,8 @@ func (obj *State) varDir(extra string) (string, error) {
 
 	// an empty string at the end has no effect
 	p := fmt.Sprintf("%s/", path.Join(obj.Prefix, extra))
-	if err := os.MkdirAll(p, 0770); err != nil {
+	// 0775 since we want children to be able to read this!
+	if err := os.MkdirAll(p, 0775); err != nil {
 		return "", errwrap.Wrapf(err, "can't create prefix in: %s", p)
 	}
 
diff --git a/lib/main.go b/lib/main.go
index 4159bf06..f2c48ea0 100644
--- a/lib/main.go
+++ b/lib/main.go
@@ -346,12 +346,17 @@ func (obj *Main) Run() error {
 		prefix = *p
 	}
 	// make sure the working directory prefix exists
-	if obj.TmpPrefix || os.MkdirAll(prefix, 0770) != nil {
+	if obj.TmpPrefix || os.MkdirAll(prefix, 0775) != nil { // 0775 =D
 		if obj.TmpPrefix || obj.AllowTmpPrefix {
 			var err error
+			// This temp dir always gets created with 0700 mode. :(
 			if prefix, err = os.MkdirTemp("", obj.Program+"-"+hostname+"-"); err != nil {
 				return fmt.Errorf("can't create temporary prefix")
 			}
+			// 0775 since we want children to be able to read this!
+			if err := os.Chmod(prefix, 0775); err != nil {
+				return fmt.Errorf("can't set mode correctly")
+			}
 			Logf("warning: working prefix directory is temporary!")
 
 		} else {
@@ -392,7 +397,8 @@ func (obj *Main) Run() error {
 			obj.Logf("pgp: "+format, v...)
 		}
 		pgpPrefix := fmt.Sprintf("%s/", path.Join(prefix, "pgp"))
-		if err := os.MkdirAll(pgpPrefix, 0770); err != nil {
+		// 0700 since we DON'T want anyone else to be able to read this!
+		if err := os.MkdirAll(pgpPrefix, 0700); err != nil {
 			return errwrap.Wrapf(err, "can't create pgp prefix")
 		}