
Commit 5ebf13b

committed
Fix shared permissions to not be group writable
1 parent 2219c12 commit 5ebf13b


3 files changed

+41
-7
lines changed


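--- a/mache/deploy/run.py
+++ b/mache/deploy/run.py
@@ -1013,7 +1013,7 @@ def _apply_deploy_permissions(
 shared_base_path,
 group,
 show_progress=True,
-group_writable=True,
+group_writable=False,
 other_readable=world_readable,
 recursive=True,
 )
@@ -1039,7 +1039,7 @@ def _apply_deploy_permissions(
 update_permissions(
 managed_prefix,
 group,
-group_writable=True,
+group_writable=False,
 other_readable=world_readable,
 recursive=False,
 )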
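Review bot: The second `update_permissions` call, on `managed_prefix`, keeps `recursive=False`, so `group_writable=False` there only tightens the top-level directory; anything beneath it that an earlier deployment left group-writable would keep its write bit unless another call covers it. The rest of `_apply_deploy_permissions` lies outside these hunks, so this may already be handled elsewhere. Both call sites also hard-code the new value without explanation; a comment such as `# Shared deployments must not be group-writable; only the owner may modify them.` above each call would record the intent. If any site relies on group members updating a shared deployment in place, that workflow stops working with this change and should be stated in the commit description.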

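--- a/tests/test_deploy_run.py
+++ b/tests/test_deploy_run.py
@@ -779,7 +779,7 @@ def _fake_update_permissions(*args, **kwargs):
 
 first_args, first_kwargs = calls[0]
 assert first_args == (str(prefix), 'e3sm')
-assert first_kwargs['group_writable'] is True
+assert first_kwargs['group_writable'] is False
 assert first_kwargs['other_readable'] is False
 assert first_kwargs['recursive'] is False
 
@@ -928,12 +928,12 @@ def _fake_update_permissions(*args, **kwargs):
 
 first_args, first_kwargs = calls[0]
 assert first_args == (str(prefix), 'e3sm')
-assert first_kwargs['group_writable'] is True
+assert first_kwargs['group_writable'] is False
 assert first_kwargs['recursive'] is False
 
 second_args, second_kwargs = calls[1]
 assert second_args == (str(shared_dir), 'e3sm')
-assert second_kwargs['group_writable'] is True
+assert second_kwargs['group_writable'] is False
 assert second_kwargs['recursive'] is False
 
 third_args, third_kwargs = calls[2]
@@ -1017,13 +1017,13 @@ def _fake_update_permissions(*args, **kwargs):
 
 first_args, first_kwargs = calls[0]
 assert first_args == (str(shared_base), 'e3sm')
-assert first_kwargs['group_writable'] is True
+assert first_kwargs['group_writable'] is False
 assert first_kwargs['other_readable'] is True
 assert first_kwargs['recursive'] is True
 
 second_args, second_kwargs = calls[1]
 assert second_args == (str(managed_dir_outside), 'e3sm')
-assert second_kwargs['group_writable'] is True
+assert second_kwargs['group_writable'] is False
 assert second_kwargs['recursive'] is False
 
 third_args, third_kwargs = calls[2]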

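--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -0,0 +1,34 @@
+import os
+import stat
+from types import SimpleNamespace
+
+from mache import permissions
+
+
+def test_update_permissions_removes_group_write_bits(tmp_path, monkeypatch):
+shared_dir = tmp_path / 'shared'
+shared_dir.mkdir()
+shared_file = shared_dir / 'data.txt'
+shared_file.write_text('demo\n', encoding='utf-8')
+
+shared_dir.chmod(0o775)
+shared_file.chmod(0o664)
+
+monkeypatch.setattr(
+permissions.grp,
+'getgrnam',
+lambda _group: SimpleNamespace(gr_gid=os.getgid()),
+)
+monkeypatch.setattr(permissions.os, 'chown', lambda *_args: None)
+
+permissions.update_permissions(
+str(shared_dir),
+'e3sm',
+show_progress=False,
+group_writable=False,
+other_readable=True,
+recursive=True,
+)
+
+assert stat.S_IMODE(shared_dir.stat().st_mode) == 0o755
+assert stat.S_IMODE(shared_file.stat().st_mode) == 0o644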
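Review bot: This test pins only the `other_readable=True` combination, while the deploy tests in this commit also expect calls with `other_readable=False` and `group_writable=False`; that combination is never exercised against real mode bits. A second case calling `update_permissions` with `other_readable=False` and checking `assert not stat.S_IMODE(shared_file.stat().st_mode) & stat.S_IWGRP` (and the same for `shared_dir`) would cover it without guessing the full resulting mode. The test function also has no docstring; one line stating that existing group-write bits are cleared on both directories and files would do. A setgid starting mode on the directory (`0o2775`), common for group-shared trees, is not covered either, and whether `update_permissions` preserves that bit is not visible on this page.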
