diff --git a/conda/recipe/recipe.yaml b/conda/recipe/recipe.yaml
index 04a74c1e..d8486eae 100644
--- a/conda/recipe/recipe.yaml
+++ b/conda/recipe/recipe.yaml
@@ -2,7 +2,7 @@ schema_version: 1
 context:
 name: mache
- version: "3.4.0"
+ version: "3.4.1"
 package:
 name: ${{ name|lower }}
diff --git a/mache/deploy/run.py b/mache/deploy/run.py
index 46fe46ac..f7d9ebd6 100644
--- a/mache/deploy/run.py
+++ b/mache/deploy/run.py
@@ -1013,7 +1013,7 @@ def _apply_deploy_permissions(
 shared_base_path,
 group,
 show_progress=True,
- group_writable=True,
+ group_writable=False,
 other_readable=world_readable,
 recursive=True,
 )
@@ -1039,7 +1039,7 @@ def _apply_deploy_permissions(
 update_permissions(
 managed_prefix,
 group,
- group_writable=True,
+ group_writable=False,
 other_readable=world_readable,
 recursive=False,
 )
diff --git a/mache/version.py b/mache/version.py
index 6e3a0851..d424fb7a 100644
--- a/mache/version.py
+++ b/mache/version.py
@@ -1,2 +1,2 @@
-__version_info__ = (3, 4, 0)
+__version_info__ = (3, 4, 1)
 __version__ = '.'.join(str(vi) for vi in __version_info__)
diff --git a/tests/test_deploy_run.py b/tests/test_deploy_run.py
index 3b8ea87b..4612bbff 100644
--- a/tests/test_deploy_run.py
+++ b/tests/test_deploy_run.py
@@ -779,7 +779,7 @@ def _fake_update_permissions(*args, **kwargs):
 first_args, first_kwargs = calls[0]
 assert first_args == (str(prefix), 'e3sm')
- assert first_kwargs['group_writable'] is True
+ assert first_kwargs['group_writable'] is False
 assert first_kwargs['other_readable'] is False
 assert first_kwargs['recursive'] is False
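Review bot: In mache/deploy/run.py, the `update_permissions` call on `managed_prefix` (hunk at 1039) keeps `recursive=False`, so only the top-level directory loses its group-write bit. Files and subdirectories below it that an earlier deployment left group-writable would keep that bit unless a step outside this hunk walks the tree, and any group member could then still modify the environment that other users run. Consider `recursive=True` here, as in the call on `shared_base_path` (hunk at 1013), or a comment explaining why the top level is sufficient. Both calls would also benefit from a one-line rationale such as `# deployed trees are not group-writable; only the owner may modify them`. The body of `_apply_deploy_permissions` starts and ends outside both hunks.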
@@ -928,12 +928,12 @@ def _fake_update_permissions(*args, **kwargs):
 first_args, first_kwargs = calls[0]
 assert first_args == (str(prefix), 'e3sm')
- assert first_kwargs['group_writable'] is True
+ assert first_kwargs['group_writable'] is False
 assert first_kwargs['recursive'] is False
 second_args, second_kwargs = calls[1]
 assert second_args == (str(shared_dir), 'e3sm')
- assert second_kwargs['group_writable'] is True
+ assert second_kwargs['group_writable'] is False
 assert second_kwargs['recursive'] is False
 third_args, third_kwargs = calls[2]
@@ -1017,13 +1017,13 @@ def _fake_update_permissions(*args, **kwargs):
 first_args, first_kwargs = calls[0]
 assert first_args == (str(shared_base), 'e3sm')
- assert first_kwargs['group_writable'] is True
+ assert first_kwargs['group_writable'] is False
 assert first_kwargs['other_readable'] is True
 assert first_kwargs['recursive'] is True
 second_args, second_kwargs = calls[1]
 assert second_args == (str(managed_dir_outside), 'e3sm')
- assert second_kwargs['group_writable'] is True
+ assert second_kwargs['group_writable'] is False
 assert second_kwargs['recursive'] is False
 third_args, third_kwargs = calls[2]
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
new file mode 100644
index 00000000..1837d389
--- /dev/null
+++ b/tests/test_permissions.py
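Review bot: The assertions on `calls[0]` and `calls[1]` in the hunk at 928, and on `calls[1]` in the hunk at 1017, check `group_writable` and `recursive` but never `other_readable`, so a regression that changed world readability on these directories would still pass. The production calls pass `other_readable=world_readable` in the same argument list, so it is worth pinning next to the `group_writable` assertion. In the 1017 test that is presumably `assert second_kwargs['other_readable'] is True`, matching the first call there; in the 928 test, use the value that test's configuration implies. Both test functions start and end outside the hunks.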
@@ -0,0 +1,34 @@
+import os
+import stat
+from types import SimpleNamespace
+
+from mache import permissions
+
+
+def test_update_permissions_removes_group_write_bits(tmp_path, monkeypatch):
+ shared_dir = tmp_path / 'shared'
+ shared_dir.mkdir()
+ shared_file = shared_dir / 'data.txt'
+ shared_file.write_text('demo\n', encoding='utf-8')
+
+ shared_dir.chmod(0o775)
+ shared_file.chmod(0o664)
+
+ monkeypatch.setattr(
+ permissions.grp,
+ 'getgrnam',
+ lambda _group: SimpleNamespace(gr_gid=os.getgid()),
+ )
+ monkeypatch.setattr(permissions.os, 'chown', lambda *_args: None)
+
+ permissions.update_permissions(
+ str(shared_dir),
+ 'e3sm',
+ show_progress=False,
+ group_writable=False,
+ other_readable=True,
+ recursive=True,
+ )
+
+ assert stat.S_IMODE(shared_dir.stat().st_mode) == 0o755
+ assert stat.S_IMODE(shared_file.stat().st_mode) == 0o644
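Review bot: `test_update_permissions_removes_group_write_bits` covers one directory and one non-executable file with `other_readable=True`, so it does not show that an executable file keeps its execute bits when group write is removed, nor what happens with `other_readable=False`, which the deploy code can also pass. Adding a file created with `chmod(0o775)` and asserting its resulting mode (presumably `0o755`; confirm against `update_permissions`) would cover the scripts and binaries a deployed environment actually contains. A one-line docstring such as `"""update_permissions(group_writable=False) clears g+w on existing directories and files."""` would state what the test pins.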