lourenco/mgmt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lib, engine: graph: Let children directories be readable

Browse Source 
We want to be able to put useful scripts in $vardir type places, but if
the perms at the higher levels block this, then that can't work. The
top-level should always be more permissive, and then it grows more
restricted as we descend.
This commit is contained in:
James Shubin
2024-09-18 21:03:58 -04:00
parent fd508fbc0d
commit 57b4a7efce
3 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
engine/graph/engine.go
View File

@@ -106,7 +106,8 @@ func (obj *Engine) Init() error {
if obj.Prefix == "" || obj.Prefix == "/" { if obj.Prefix == "" || obj.Prefix == "/" {
return fmt.Errorf("the prefix of `%s` is invalid", obj.Prefix) return fmt.Errorf("the prefix of `%s` is invalid", obj.Prefix)
} }
if err := os.MkdirAll(obj.Prefix, 0770); err != nil { // 0775 since we want children to be able to read this!
if err := os.MkdirAll(obj.Prefix, 0775); err != nil {
return errwrap.Wrapf(err, "can't create prefix") return errwrap.Wrapf(err, "can't create prefix")
} }
@@ -224,7 +225,7 @@ func (obj *Engine) Commit() error {
statePrefix := fmt.Sprintf("%s/", path.Join(obj.statePrefix(), pathUID)) statePrefix := fmt.Sprintf("%s/", path.Join(obj.statePrefix(), pathUID))
// don't create this unless it *will* be used // don't create this unless it *will* be used
//if err := os.MkdirAll(statePrefix, 0770); err != nil { //if err := os.MkdirAll(statePrefix, 0775); err != nil {
// return errwrap.Wrapf(err, "can't create state prefix") // return errwrap.Wrapf(err, "can't create state prefix")
//} //}

3
engine/graph/vardir.go
View File

@@ -54,7 +54,8 @@ func (obj *State) varDir(extra string) (string, error) {
// an empty string at the end has no effect // an empty string at the end has no effect
p := fmt.Sprintf("%s/", path.Join(obj.Prefix, extra)) p := fmt.Sprintf("%s/", path.Join(obj.Prefix, extra))
if err := os.MkdirAll(p, 0770); err != nil { // 0775 since we want children to be able to read this!
if err := os.MkdirAll(p, 0775); err != nil {
return "", errwrap.Wrapf(err, "can't create prefix in: %s", p) return "", errwrap.Wrapf(err, "can't create prefix in: %s", p)
} }

10
lib/main.go
View File

@@ -346,12 +346,17 @@ func (obj *Main) Run() error {
prefix = *p prefix = *p
} }
// make sure the working directory prefix exists // make sure the working directory prefix exists
if obj.TmpPrefix || os.MkdirAll(prefix, 0770) != nil { if obj.TmpPrefix || os.MkdirAll(prefix, 0775) != nil { // 0775 =D
if obj.TmpPrefix || obj.AllowTmpPrefix { if obj.TmpPrefix || obj.AllowTmpPrefix {
var err error var err error
// This temp dir always gets created with 0700 mode. :(
if prefix, err = os.MkdirTemp("", obj.Program+"-"+hostname+"-"); err != nil { if prefix, err = os.MkdirTemp("", obj.Program+"-"+hostname+"-"); err != nil {
return fmt.Errorf("can't create temporary prefix") return fmt.Errorf("can't create temporary prefix")
} }
// 0775 since we want children to be able to read this!
if err := os.Chmod(prefix, 0775); err != nil {
return fmt.Errorf("can't set mode correctly")
}
Logf("warning: working prefix directory is temporary!") Logf("warning: working prefix directory is temporary!")
} else { } else {
@@ -392,7 +397,8 @@ func (obj *Main) Run() error {
obj.Logf("pgp: "+format, v...) obj.Logf("pgp: "+format, v...)
} }
pgpPrefix := fmt.Sprintf("%s/", path.Join(prefix, "pgp")) pgpPrefix := fmt.Sprintf("%s/", path.Join(prefix, "pgp"))
if err := os.MkdirAll(pgpPrefix, 0770); err != nil { // 0700 since we DON'T want anyone else to be able to read this!
if err := os.MkdirAll(pgpPrefix, 0700); err != nil {
return errwrap.Wrapf(err, "can't create pgp prefix") return errwrap.Wrapf(err, "can't create pgp prefix")
} }