lib, engine: graph: Let children directories be readable

We want to be able to put useful scripts in $vardir type places, but if the perms at the higher levels block this, then that can't work. The top-level should always be more permissive, and then it grows more restricted as we descend.
2024-09-18 21:03:58 -04:00
parent fd508fbc0d
commit 57b4a7efce
3 changed files with 13 additions and 5 deletions
--- a/engine/graph/engine.go
+++ b/engine/graph/engine.go
@@ -106,7 +106,8 @@ func (obj *Engine) Init() error {
 	if obj.Prefix == "" || obj.Prefix == "/" {
 		return fmt.Errorf("the prefix of `%s` is invalid", obj.Prefix)
 	}
-	if err := os.MkdirAll(obj.Prefix, 0770); err != nil {
+	// 0775 since we want children to be able to read this!
+	if err := os.MkdirAll(obj.Prefix, 0775); err != nil {
 		return errwrap.Wrapf(err, "can't create prefix")
 	}

@@ -224,7 +225,7 @@ func (obj *Engine) Commit() error {
 		statePrefix := fmt.Sprintf("%s/", path.Join(obj.statePrefix(), pathUID))

 		// don't create this unless it *will* be used
-		//if err := os.MkdirAll(statePrefix, 0770); err != nil {
+		//if err := os.MkdirAll(statePrefix, 0775); err != nil {
 		//	return errwrap.Wrapf(err, "can't create state prefix")
 		//}

--- a/engine/graph/vardir.go
+++ b/engine/graph/vardir.go
@@ -54,7 +54,8 @@ func (obj *State) varDir(extra string) (string, error) {

 	// an empty string at the end has no effect
 	p := fmt.Sprintf("%s/", path.Join(obj.Prefix, extra))
-	if err := os.MkdirAll(p, 0770); err != nil {
+	// 0775 since we want children to be able to read this!
+	if err := os.MkdirAll(p, 0775); err != nil {
 		return "", errwrap.Wrapf(err, "can't create prefix in: %s", p)
 	}