diff --git a/src/libostree/ostree-core-private.h b/src/libostree/ostree-core-private.h index c1a82386..5d9d948a 100644 --- a/src/libostree/ostree-core-private.h +++ b/src/libostree/ostree-core-private.h @@ -30,6 +30,12 @@ G_BEGIN_DECLS /* It's what gzip does, 9 is too slow */ #define OSTREE_ARCHIVE_DEFAULT_COMPRESSION_LEVEL (6) +/* Note the permissive group bits. We want to be liberal here and let individual machines + * narrow permissions as needed via umask. This is important in setups where group ownership + * can matter for repo management (like OpenShift). */ +#define DEFAULT_DIRECTORY_MODE 0775 +#define DEFAULT_REGFILE_MODE 0660 + /* This file contains private implementation data format definitions * read by multiple implementation .c files. */ diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c index 8dd14640..dc36370f 100644 --- a/src/libostree/ostree-repo-checkout.c +++ b/src/libostree/ostree-repo-checkout.c @@ -92,8 +92,8 @@ checkout_object_for_uncompressed_cache (OstreeRepo *self, if (self->uncompressed_objects_dir_fd == -1) { - if (!glnx_shutil_mkdir_p_at (self->repo_dir_fd, "uncompressed-objects-cache", 0755, - cancellable, error)) + if (!glnx_shutil_mkdir_p_at (self->repo_dir_fd, "uncompressed-objects-cache", + DEFAULT_DIRECTORY_MODE, cancellable, error)) return FALSE; if (!glnx_opendirat (self->repo_dir_fd, "uncompressed-objects-cache", TRUE, &self->uncompressed_objects_dir_fd, diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c index 586b34fe..125c113d 100644 --- a/src/libostree/ostree-repo-pull.c +++ b/src/libostree/ostree-repo-pull.c @@ -2925,7 +2925,7 @@ _ostree_repo_cache_summary (OstreeRepo *self, if (self->cache_dir_fd == -1) return TRUE; - if (!glnx_shutil_mkdir_p_at (self->cache_dir_fd, _OSTREE_SUMMARY_CACHE_DIR, 0775, cancellable, error)) + if (!glnx_shutil_mkdir_p_at (self->cache_dir_fd, _OSTREE_SUMMARY_CACHE_DIR, DEFAULT_DIRECTORY_MODE, cancellable, error)) return FALSE; const char *summary_cache_file = glnx_strjoina (_OSTREE_SUMMARY_CACHE_DIR, "/", remote); diff --git a/src/libostree/ostree-repo-refs.c b/src/libostree/ostree-repo-refs.c index 536a763a..d1d679b2 100644 --- a/src/libostree/ostree-repo-refs.c +++ b/src/libostree/ostree-repo-refs.c @@ -1181,7 +1181,7 @@ _ostree_repo_write_ref (OstreeRepo *self, char *parent = strdupa (ref->ref_name); parent[lastslash - ref->ref_name] = '\0'; - if (!glnx_shutil_mkdir_p_at (dfd, parent, 0755, cancellable, error)) + if (!glnx_shutil_mkdir_p_at (dfd, parent, DEFAULT_DIRECTORY_MODE, cancellable, error)) return FALSE; } diff --git a/src/libostree/ostree-repo-static-delta-compilation.c b/src/libostree/ostree-repo-static-delta-compilation.c index 054ac06f..88e9ddf6 100644 --- a/src/libostree/ostree-repo-static-delta-compilation.c +++ b/src/libostree/ostree-repo-static-delta-compilation.c @@ -1427,7 +1427,7 @@ ostree_repo_static_delta_generate (OstreeRepo *self, g_autofree char *dnbuf = g_strdup (descriptor_relpath); const char *dn = dirname (dnbuf); - if (!glnx_shutil_mkdir_p_at (self->repo_dir_fd, dn, 0755, cancellable, error)) + if (!glnx_shutil_mkdir_p_at (self->repo_dir_fd, dn, DEFAULT_DIRECTORY_MODE, cancellable, error)) goto out; if (!glnx_opendirat (self->repo_dir_fd, dn, TRUE, &descriptor_dfd, error)) goto out; diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c index b6a5db69..3aeecc5c 100644 --- a/src/libostree/ostree-repo.c +++ b/src/libostree/ostree-repo.c @@ -359,7 +359,7 @@ push_repo_lock (OstreeRepo *self, g_debug ("Opening repo lock file"); lock->fd = TEMP_FAILURE_RETRY (openat (self->repo_dir_fd, ".lock", O_CREAT | O_RDWR | O_CLOEXEC, - 0600)); + DEFAULT_REGFILE_MODE)); if (lock->fd < 0) { free_repo_lock (lock); @@ -2491,7 +2491,7 @@ repo_create_at_internal (int dfd, } } - if (mkdirat (dfd, path, 0755) != 0) + if (mkdirat (dfd, path, DEFAULT_DIRECTORY_MODE) != 0) { if (G_UNLIKELY (errno != EEXIST)) return glnx_throw_errno_prefix (error, "mkdirat"); @@ -2529,7 +2529,7 @@ repo_create_at_internal (int dfd, for (guint i = 0; i < G_N_ELEMENTS (state_dirs); i++) { const char *elt = state_dirs[i]; - if (mkdirat (repo_dfd, elt, 0755) == -1) + if (mkdirat (repo_dfd, elt, DEFAULT_DIRECTORY_MODE) == -1) { if (G_UNLIKELY (errno != EEXIST)) return glnx_throw_errno_prefix (error, "mkdirat"); @@ -3325,7 +3325,7 @@ ostree_repo_open (OstreeRepo *self, * * https://github.com/ostreedev/ostree/issues/1018 */ - if (mkdirat (self->repo_dir_fd, "tmp", 0755) == -1) + if (mkdirat (self->repo_dir_fd, "tmp", DEFAULT_DIRECTORY_MODE) == -1) { if (G_UNLIKELY (errno != EEXIST)) return glnx_throw_errno_prefix (error, "mkdir(tmp)"); @@ -3337,7 +3337,7 @@ ostree_repo_open (OstreeRepo *self, if (self->writable) { - if (!glnx_shutil_mkdir_p_at (self->tmp_dir_fd, _OSTREE_CACHE_DIR, 0775, cancellable, error)) + if (!glnx_shutil_mkdir_p_at (self->tmp_dir_fd, _OSTREE_CACHE_DIR, DEFAULT_DIRECTORY_MODE, cancellable, error)) return FALSE; if (!glnx_opendirat (self->tmp_dir_fd, _OSTREE_CACHE_DIR, TRUE, &self->cache_dir_fd, error)) @@ -6129,7 +6129,7 @@ _ostree_repo_allocate_tmpdir (int tmpdir_dfd, { g_auto(GLnxTmpDir) new_tmpdir = { 0, }; /* No existing tmpdir found, create a new */ - if (!glnx_mkdtempat (tmpdir_dfd, tmpdir_name_template, 0755, + if (!glnx_mkdtempat (tmpdir_dfd, tmpdir_name_template, DEFAULT_DIRECTORY_MODE, &new_tmpdir, error)) return FALSE;