lib, engine: graph: Let children directories be readable
We want to be able to put useful scripts in $vardir type places, but if the perms at the higher levels block this, then that can't work. The top-level should always be more permissive, and then it grows more restricted as we descend.
This commit is contained in:
James Shubin
10
lib/main.go
10
lib/main.go
@@ -346,12 +346,17 @@ func (obj *Main) Run() error {
|
||||
prefix = *p
|
||||
}
|
||||
// make sure the working directory prefix exists
|
||||
if obj.TmpPrefix || os.MkdirAll(prefix, 0770) != nil {
|
||||
if obj.TmpPrefix || os.MkdirAll(prefix, 0775) != nil { // 0775 =D
|
||||
if obj.TmpPrefix || obj.AllowTmpPrefix {
|
||||
var err error
|
||||
// This temp dir always gets created with 0700 mode. :(
|
||||
if prefix, err = os.MkdirTemp("", obj.Program+"-"+hostname+"-"); err != nil {
|
||||
return fmt.Errorf("can't create temporary prefix")
|
||||
}
|
||||
// 0775 since we want children to be able to read this!
|
||||
if err := os.Chmod(prefix, 0775); err != nil {
|
||||
return fmt.Errorf("can't set mode correctly")
|
||||
}
|
||||
Logf("warning: working prefix directory is temporary!")
|
||||
|
||||
} else {
|
||||
@@ -392,7 +397,8 @@ func (obj *Main) Run() error {
|
||||
obj.Logf("pgp: "+format, v...)
|
||||
}
|
||||
pgpPrefix := fmt.Sprintf("%s/", path.Join(prefix, "pgp"))
|
||||
if err := os.MkdirAll(pgpPrefix, 0770); err != nil {
|
||||
// 0700 since we DON'T want anyone else to be able to read this!
|
||||
if err := os.MkdirAll(pgpPrefix, 0700); err != nil {
|
||||
return errwrap.Wrapf(err, "can't create pgp prefix")
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user