Fix shared permissions to not be group writable

Author: xylar

mache/deploy/run.py

@@ -1013,7 +1013,7 @@ def _apply_deploy_permissions(
             shared_base_path,
             group,
             show_progress=True,
-            group_writable=True,
+            group_writable=False,
             other_readable=world_readable,
             recursive=True,
         )
@@ -1039,7 +1039,7 @@ def _apply_deploy_permissions(
         update_permissions(
             managed_prefix,
             group,
-            group_writable=True,
+            group_writable=False,
             other_readable=world_readable,
             recursive=False,
         )

tests/test_deploy_run.py

@@ -779,7 +779,7 @@ def _fake_update_permissions(*args, **kwargs):
 
     first_args, first_kwargs = calls[0]
     assert first_args == (str(prefix), 'e3sm')
-    assert first_kwargs['group_writable'] is True
+    assert first_kwargs['group_writable'] is False
     assert first_kwargs['other_readable'] is False
     assert first_kwargs['recursive'] is False
 
@@ -928,12 +928,12 @@ def _fake_update_permissions(*args, **kwargs):
 
     first_args, first_kwargs = calls[0]
     assert first_args == (str(prefix), 'e3sm')
-    assert first_kwargs['group_writable'] is True
+    assert first_kwargs['group_writable'] is False
     assert first_kwargs['recursive'] is False
 
     second_args, second_kwargs = calls[1]
     assert second_args == (str(shared_dir), 'e3sm')
-    assert second_kwargs['group_writable'] is True
+    assert second_kwargs['group_writable'] is False
     assert second_kwargs['recursive'] is False
 
     third_args, third_kwargs = calls[2]
@@ -1017,13 +1017,13 @@ def _fake_update_permissions(*args, **kwargs):
 
     first_args, first_kwargs = calls[0]
     assert first_args == (str(shared_base), 'e3sm')
-    assert first_kwargs['group_writable'] is True
+    assert first_kwargs['group_writable'] is False
     assert first_kwargs['other_readable'] is True
     assert first_kwargs['recursive'] is True
 
     second_args, second_kwargs = calls[1]
     assert second_args == (str(managed_dir_outside), 'e3sm')
-    assert second_kwargs['group_writable'] is True
+    assert second_kwargs['group_writable'] is False
     assert second_kwargs['recursive'] is False
 
     third_args, third_kwargs = calls[2]

tests/test_permissions.py

@@ -0,0 +1,34 @@
+import os
+import stat
+from types import SimpleNamespace
+
+from mache import permissions
+
+
+def test_update_permissions_removes_group_write_bits(tmp_path, monkeypatch):
+    shared_dir = tmp_path / 'shared'
+    shared_dir.mkdir()
+    shared_file = shared_dir / 'data.txt'
+    shared_file.write_text('demo\n', encoding='utf-8')
+
+    shared_dir.chmod(0o775)
+    shared_file.chmod(0o664)
+
+    monkeypatch.setattr(
+        permissions.grp,
+        'getgrnam',
+        lambda _group: SimpleNamespace(gr_gid=os.getgid()),
+    )
+    monkeypatch.setattr(permissions.os, 'chown', lambda *_args: None)
+
+    permissions.update_permissions(
+        str(shared_dir),
+        'e3sm',
+        show_progress=False,
+        group_writable=False,
+        other_readable=True,
+        recursive=True,
+    )
+
+    assert stat.S_IMODE(shared_dir.stat().st_mode) == 0o755
+    assert stat.S_IMODE(shared_file.stat().st_mode) == 0o644