yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request 'Avoid a few cases of chmod-after-creation' (#3438) from tangential/clan-core:it-s_a_race into main

Browse Source 
Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/3438
This commit is contained in:
Mic92
2025-05-04 07:08:43 +00:00
parent 08a5ad0848 9f745ff637
commit 655c7e4eed
3 changed files with 17 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
clanModules/dyndns/default.nix
View File

@@ -210,14 +210,18 @@ in
data_dir = Path('data') data_dir = Path('data')
data_dir.mkdir(mode=0o770, exist_ok=True) data_dir.mkdir(mode=0o770, exist_ok=True)
# Create a temporary config file
# with appropriate permissions
tmp_config_path = data_dir / '.config.json'
tmp_config_path.touch(mode=0o660, exist_ok=False)
# Write the config with secrets back # Write the config with secrets back
config_path = data_dir / 'config.json' with open(tmp_config_path, 'w') as f:
with open(config_path, 'w') as f:
f.write(json.dumps(config, indent=4)) f.write(json.dumps(config, indent=4))
# Set file permissions to read and write # Move config into place
# only by the user and group config_path = data_dir / 'config.json'
config_path.chmod(0o660) tmp_config_path.rename(config_path)
# Set file permissions to read # Set file permissions to read
# and write only by the user and group # and write only by the user and group

3
docs/nix/deploy-docs.nix
View File

@@ -26,8 +26,7 @@ writeShellScriptBin "deploy-docs" ''
trap "rm -rf $tmpdir" EXIT trap "rm -rf $tmpdir" EXIT
if [ -n "''${SSH_HOMEPAGE_KEY-}" ]; then if [ -n "''${SSH_HOMEPAGE_KEY-}" ]; then
echo "$SSH_HOMEPAGE_KEY" > "$tmpdir/ssh_key" ( umask 0177 && echo "$SSH_HOMEPAGE_KEY" > "$tmpdir/ssh_key" )
chmod 600 "$tmpdir/ssh_key"
sshExtraArgs="-i $tmpdir/ssh_key" sshExtraArgs="-i $tmpdir/ssh_key"
else else
sshExtraArgs= sshExtraArgs=

11
pkgs/clan-cli/clan_cli/vars/generate.py
View File

@@ -151,12 +151,15 @@ def dependencies_as_dir(
) -> None: ) -> None:
for dep_generator, files in decrypted_dependencies.items(): for dep_generator, files in decrypted_dependencies.items():
dep_generator_dir = tmpdir / dep_generator dep_generator_dir = tmpdir / dep_generator
dep_generator_dir.mkdir() # Explicitly specify parents and exist_ok default values for clarity
dep_generator_dir.chmod(0o700) dep_generator_dir.mkdir(mode=0o700, parents=False, exist_ok=False)
for file_name, file in files.items(): for file_name, file in files.items():
file_path = dep_generator_dir / file_name file_path = dep_generator_dir / file_name
file_path.touch() # Avoid the file creation and chmod race
file_path.chmod(0o600) # If the file already existed,
# we'd have to create a temp one and rename instead;
# however, this is a clean dir so there shouldn't be any collisions
file_path.touch(mode=0o600, exist_ok=False)
file_path.write_bytes(file) file_path.write_bytes(file)