Skip to content

Validate file permissions during config apply #1284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
spencerugbo merged 11 commits into from
Oct 2, 2025
Merged

Validate file permissions during config apply #1284

spencerugbo merged 11 commits into from
Oct 2, 2025

Conversation

@spencerugbo
Copy link
Contributor

@spencerugbo spencerugbo commented Sep 22, 2025
edited
Loading

Proposed changes

This PR aims to prevent any files from having execute permissions set during config apply. File permissions are being set by the management plane but this change is an additional check to ensure that no files are written with execute permissions.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING document
  • I have run make install-tools and have attached any dependency changes to this pull request
  • If applicable, I have added tests that prove my fix is effective or that my feature works
  • If applicable, I have checked that any relevant tests pass after adding my changes
  • If applicable, I have updated any relevant documentation (README.md)
  • If applicable, I have tested my cross-platform changes on Ubuntu 22, Redhat 8, SUSE 15 and FreeBSD 13

@spencerugbo spencerugbo self-assigned this Sep 22, 2025
@spencerugbo spencerugbo requested a review from a team as a code owner September 22, 2025 10:31
@github-actions github-actions bot added the chore Pull requests for routine tasks label Sep 22, 2025
UnwashedMeme
UnwashedMeme reviewed Sep 22, 2025
View reviewed changes
Copy link
Member

@UnwashedMeme UnwashedMeme left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The commit message doesn't give any indication why this change is desirable and while for my use case this is nice that doesn't seem obvious that all use cases should block this.

Can you add some text explaining why this is changing?

@spencerugbo spencerugbo changed the title Prevent execute permissions from being set Validate file permissions during config apply Sep 24, 2025
UnwashedMeme
UnwashedMeme reviewed Sep 24, 2025
View reviewed changes
UnwashedMeme
UnwashedMeme reviewed Sep 24, 2025
View reviewed changes
aphralG
aphralG reviewed Sep 25, 2025
View reviewed changes
internal/file/file_manager_service.go Outdated

permissionErr := fms.validateAndFixPermissions(ctx, fileOverview.GetFiles())
if permissionErr != nil {
return model.PermissionChange, permissionErr
Copy link
Contributor

@aphralG aphralG Sep 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this be the below instead ?

Suggested change
return model.PermissionChange, permissionErr
return return model.Error, allowedErr

dhurley
dhurley reviewed Sep 25, 2025
View reviewed changes
aphralG
aphralG approved these changes Sep 30, 2025
View reviewed changes
dhurley
dhurley approved these changes Oct 1, 2025
View reviewed changes
@spencerugbo spencerugbo merged commit 3df2793 into main Oct 2, 2025
37 checks passed
@spencerugbo spencerugbo deleted the prevent-execute-file-permissions branch October 2, 2025 12:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@UnwashedMeme UnwashedMeme UnwashedMeme left review comments

@dhurley dhurley dhurley approved these changes

@craigell craigell craigell approved these changes

@aphralG aphralG aphralG approved these changes

Assignees

@spencerugbo spencerugbo

Labels

chore Pull requests for routine tasks

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@spencerugbo @UnwashedMeme @dhurley @craigell @aphralG