Open packages directory permissions to 755

[#152935621](https://www.pivotaltracker.com/story/show/152935621) Signed-off-by: Kai Hofstetter <[email protected]>
speer · Nov 17, 2017 · 005a01a · 005a01a
1 parent 23a22f2
commit 005a01a
Show file tree

Hide file tree

Showing 9 changed files with 64 additions and 15 deletions.
diff --git a/agent/applier/bundlecollection/file_bundle.go b/agent/applier/bundlecollection/file_bundle.go
@@ -12,25 +12,26 @@ import (
 
 const (
 	fileBundleLogTag = "FileBundle"
-	installDirsPerms = os.FileMode(0750)
-	enableDirPerms   = os.FileMode(0750)
 )
 
 type FileBundle struct {
 	installPath string
 	enablePath  string
+	fileMode    os.FileMode
 	fs          boshsys.FileSystem
 	logger      boshlog.Logger
 }
 
 func NewFileBundle(
 	installPath, enablePath string,
+	fileMode os.FileMode,
 	fs boshsys.FileSystem,
 	logger boshlog.Logger,
 ) FileBundle {
 	return FileBundle{
 		installPath: installPath,
 		enablePath:  enablePath,
+		fileMode:    fileMode,
 		fs:          fs,
 		logger:      logger,
 	}
@@ -39,7 +40,7 @@ func NewFileBundle(
 func (b FileBundle) Install(sourcePath string) (boshsys.FileSystem, string, error) {
 	b.logger.Debug(fileBundleLogTag, "Installing %v", b)
 
-	err := b.fs.Chmod(sourcePath, installDirsPerms)
+	err := b.fs.Chmod(sourcePath, b.fileMode)
 	if err != nil {
 		return nil, "", bosherr.WrapError(err, "Setting permissions on source directory")
 	}
@@ -49,7 +50,7 @@ func (b FileBundle) Install(sourcePath string) (boshsys.FileSystem, string, erro
 		return nil, "", bosherr.WrapError(err, "Setting ownership on source directory")
 	}
 
-	err = b.fs.MkdirAll(path.Dir(b.installPath), installDirsPerms)
+	err = b.fs.MkdirAll(path.Dir(b.installPath), b.fileMode)
 	if err != nil {
 		return nil, "", bosherr.WrapError(err, "Creating parent installation directory")
 	}
@@ -74,7 +75,7 @@ func (b FileBundle) InstallWithoutContents() (boshsys.FileSystem, string, error)
 
 	// MkdirAll MUST be the last possibly-failing operation
 	// because IsInstalled() relies on installPath presence.
-	err := b.fs.MkdirAll(b.installPath, installDirsPerms)
+	err := b.fs.MkdirAll(b.installPath, b.fileMode)
 	if err != nil {
 		return nil, "", bosherr.WrapError(err, "Creating installation directory")
 	}
@@ -106,7 +107,7 @@ func (b FileBundle) Enable() (boshsys.FileSystem, string, error) {
 		return nil, "", bosherr.Error("bundle must be installed")
 	}
 
-	err := b.fs.MkdirAll(filepath.Dir(b.enablePath), enableDirPerms)
+	err := b.fs.MkdirAll(filepath.Dir(b.enablePath), b.fileMode)
 	if err != nil {
 		return nil, "", bosherr.WrapError(err, "failed to create enable dir")
 	}

diff --git a/agent/applier/bundlecollection/file_bundle_collection.go b/agent/applier/bundlecollection/file_bundle_collection.go
@@ -9,6 +9,7 @@ import (
 	bosherr "github.com/cloudfoundry/bosh-utils/errors"
 	boshlog "github.com/cloudfoundry/bosh-utils/logger"
 	boshsys "github.com/cloudfoundry/bosh-utils/system"
+	"os"
 )
 
 const fileBundleCollectionLogTag = "FileBundleCollection"
@@ -44,19 +45,22 @@ type FileBundleCollection struct {
 	name        string
 	installPath string
 	enablePath  string
+	fileMode    os.FileMode
 	fs          boshsys.FileSystem
 	logger      boshlog.Logger
 }
 
 func NewFileBundleCollection(
 	installPath, enablePath, name string,
+	fileMode os.FileMode,
 	fs boshsys.FileSystem,
 	logger boshlog.Logger,
 ) FileBundleCollection {
 	return FileBundleCollection{
 		name:        cleanPath(name),
 		installPath: cleanPath(installPath),
 		enablePath:  cleanPath(enablePath),
+		fileMode:    fileMode,
 		fs:          fs,
 		logger:      logger,
 	}
@@ -79,7 +83,7 @@ func (bc FileBundleCollection) Get(definition BundleDefinition) (Bundle, error)
 	installPath := path.Join(bc.installPath, bc.name, definition.BundleName(), bundleVersionDigest.String())
 	enablePath := path.Join(bc.enablePath, bc.name, definition.BundleName())
 
-	return NewFileBundle(installPath, enablePath, bc.fs, bc.logger), nil
+	return NewFileBundle(installPath, enablePath, bc.fileMode, bc.fs, bc.logger), nil
 }
 
 func (bc FileBundleCollection) getDigested(definition BundleDefinition) (Bundle, error) {
@@ -93,7 +97,7 @@ func (bc FileBundleCollection) getDigested(definition BundleDefinition) (Bundle,
 
 	installPath := path.Join(bc.installPath, bc.name, definition.BundleName(), definition.BundleVersion())
 	enablePath := path.Join(bc.enablePath, bc.name, definition.BundleName())
-	return NewFileBundle(installPath, enablePath, bc.fs, bc.logger), nil
+	return NewFileBundle(installPath, enablePath, bc.fileMode, bc.fs, bc.logger), nil
 }
 
 func (bc FileBundleCollection) List() ([]Bundle, error) {

diff --git a/agent/applier/bundlecollection/file_bundle_collection_test.go b/agent/applier/bundlecollection/file_bundle_collection_test.go
@@ -9,6 +9,7 @@ import (
 
 	boshlog "github.com/cloudfoundry/bosh-utils/logger"
 	fakesys "github.com/cloudfoundry/bosh-utils/system/fakes"
+	"os"
 )
 
 type testBundle struct {
@@ -33,6 +34,7 @@ var _ = Describe("FileBundleCollection", func() {
 			"/fake-collection-path/data",
 			"/fake-collection-path",
 			"fake-collection-name",
+			os.FileMode(0750),
 			fs,
 			logger,
 		)
@@ -51,6 +53,7 @@ var _ = Describe("FileBundleCollection", func() {
 			expectedBundle := NewFileBundle(
 				"/fake-collection-path/data/fake-collection-name/fake-bundle-name/faf990988742db852eec285122b5c4e7180e7be5",
 				"/fake-collection-path/fake-collection-name/fake-bundle-name",
+				os.FileMode(0750),
 				fs,
 				logger,
 			)
@@ -93,18 +96,21 @@ var _ = Describe("FileBundleCollection", func() {
 				NewFileBundle(
 					installPath+"/fake-bundle-1-name/fake-bundle-1-version-1",
 					enablePath+"/fake-bundle-1-name",
+					os.FileMode(0750),
 					fs,
 					logger,
 				),
 				NewFileBundle(
 					installPath+"/fake-bundle-1-name/fake-bundle-1-version-2",
 					enablePath+"/fake-bundle-1-name",
+					os.FileMode(0750),
 					fs,
 					logger,
 				),
 				NewFileBundle(
 					installPath+"/fake-bundle-2-name/fake-bundle-2-version-1",
 					enablePath+"/fake-bundle-2-name",
+					os.FileMode(0750),
 					fs,
 					logger,
 				),

diff --git a/agent/applier/bundlecollection/file_bundle_collection_windows_test.go b/agent/applier/bundlecollection/file_bundle_collection_windows_test.go
@@ -1,11 +1,13 @@
 package bundlecollection_test
 
 import (
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
+	"os"
 	"path"
 	"path/filepath"
 
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
 	. "github.com/cloudfoundry/bosh-agent/agent/applier/bundlecollection"
 	boshlog "github.com/cloudfoundry/bosh-utils/logger"
 	fakesys "github.com/cloudfoundry/bosh-utils/system/fakes"
@@ -25,6 +27,7 @@ var _ = Describe("FileBundleCollection", func() {
 			`C:\fake-collection-path\data`,
 			`C:\fake-collection-path`,
 			`fake-collection-name`,
+			os.FileMode(0750),
 			fs,
 			logger,
 		)
@@ -43,6 +46,7 @@ var _ = Describe("FileBundleCollection", func() {
 			expectedBundle := NewFileBundle(
 				`C:/fake-collection-path/data/fake-collection-name/fake-bundle-name/faf990988742db852eec285122b5c4e7180e7be5`,
 				`C:/fake-collection-path/fake-collection-name/fake-bundle-name`,
+				os.FileMode(0750),
 				fs,
 				logger,
 			)
@@ -85,18 +89,21 @@ var _ = Describe("FileBundleCollection", func() {
 				NewFileBundle(
 					cleanPath(installPath+`\fake-bundle-1-name\fake-bundle-1-version-1`),
 					cleanPath(enablePath+`\fake-bundle-1-name`),
+					os.FileMode(0750),
 					fs,
 					logger,
 				),
 				NewFileBundle(
 					cleanPath(installPath+`\fake-bundle-1-name\fake-bundle-1-version-2`),
 					cleanPath(enablePath+`\fake-bundle-1-name`),
+					os.FileMode(0750),
 					fs,
 					logger,
 				),
 				NewFileBundle(
 					cleanPath(installPath+`\fake-bundle-1-name\fake-bundle-2-version-1`),
 					cleanPath(enablePath+`\fake-bundle-1-name`),
+					os.FileMode(0750),
 					fs,
 					logger,
 				),

diff --git a/agent/applier/bundlecollection/file_bundle_test.go b/agent/applier/bundlecollection/file_bundle_test.go
@@ -27,7 +27,7 @@ var _ = Describe("FileBundle", func() {
 		installPath = "/install-path"
 		enablePath = "/enable-path"
 		logger = boshlog.NewLogger(boshlog.LevelNone)
-		fileBundle = NewFileBundle(installPath, enablePath, fs, logger)
+		fileBundle = NewFileBundle(installPath, enablePath, os.FileMode(0750), fs, logger)
 	})
 
 	createSourcePath := func() string {
@@ -310,7 +310,7 @@ var _ = Describe("FileBundle", func() {
 				_, _, err = fileBundle.Enable()
 				Expect(err).NotTo(HaveOccurred())
 
-				newerFileBundle := NewFileBundle(newerInstallPath, enablePath, fs, logger)
+				newerFileBundle := NewFileBundle(newerInstallPath, enablePath, os.FileMode(0750), fs, logger)
 
 				otherSourcePath := createSourcePath()
 				_, _, err = newerFileBundle.Install(otherSourcePath)

diff --git a/agent/applier/packages/compiled_package_applier_provider.go b/agent/applier/packages/compiled_package_applier_provider.go
@@ -8,6 +8,7 @@ import (
 	boshcmd "github.com/cloudfoundry/bosh-utils/fileutil"
 	boshlog "github.com/cloudfoundry/bosh-utils/logger"
 	boshsys "github.com/cloudfoundry/bosh-utils/system"
+	"os"
 )
 
 type compiledPackageApplierProvider struct {
@@ -51,10 +52,10 @@ func (p compiledPackageApplierProvider) Root() Applier {
 // (e.g manages /var/vcap/jobs/job-name/packages/pkg-a -> /var/vcap/data/packages/pkg-a)
 func (p compiledPackageApplierProvider) JobSpecific(jobName string) Applier {
 	enablePath := path.Join(p.jobSpecificEnablePath, jobName)
-	packagesBc := boshbc.NewFileBundleCollection(p.installPath, enablePath, p.name, p.fs, p.logger)
+	packagesBc := boshbc.NewFileBundleCollection(p.installPath, enablePath, p.name, os.FileMode(0755), p.fs, p.logger)
 	return NewCompiledPackageApplier(packagesBc, false, p.blobstore, p.compressor, p.fs, p.logger)
 }
 
 func (p compiledPackageApplierProvider) RootBundleCollection() boshbc.BundleCollection {
-	return boshbc.NewFileBundleCollection(p.installPath, p.rootEnablePath, p.name, p.fs, p.logger)
+	return boshbc.NewFileBundleCollection(p.installPath, p.rootEnablePath, p.name, os.FileMode(0755), p.fs, p.logger)
 }
diff --git a/agent/applier/packages/compiled_package_applier_provider_test.go b/agent/applier/packages/compiled_package_applier_provider_test.go
@@ -10,6 +10,7 @@ import (
 	fakecmd "github.com/cloudfoundry/bosh-utils/fileutil/fakes"
 	boshlog "github.com/cloudfoundry/bosh-utils/logger"
 	fakesys "github.com/cloudfoundry/bosh-utils/system/fakes"
+	"os"
 )
 
 var _ = Describe("compiledPackageApplierProvider", func() {
@@ -45,6 +46,7 @@ var _ = Describe("compiledPackageApplierProvider", func() {
 					"fake-install-path",
 					"fake-root-enable-path",
 					"fake-name",
+					os.FileMode(0755),
 					fs,
 					logger,
 				),
@@ -65,6 +67,7 @@ var _ = Describe("compiledPackageApplierProvider", func() {
 					"fake-install-path",
 					"fake-job-specific-enable-path/fake-job-name",
 					"fake-name",
+					os.FileMode(0755),
 					fs,
 					logger,
 				),

diff --git a/app/app.go b/app/app.go
@@ -8,6 +8,8 @@ import (
 
 	"code.cloudfoundry.org/clock"
 
+	"os"
+
 	boshagent "github.com/cloudfoundry/bosh-agent/agent"
 	boshaction "github.com/cloudfoundry/bosh-agent/agent/action"
 	boshapplier "github.com/cloudfoundry/bosh-agent/agent/applier"
@@ -243,6 +245,7 @@ func (app *app) buildApplierAndCompiler(
 		dirProvider.DataDir(),
 		dirProvider.BaseDir(),
 		"jobs",
+		os.FileMode(0750),
 		fileSystem,
 		app.logger,
 	)

diff --git a/integration/apply_test.go b/integration/apply_test.go
@@ -78,7 +78,7 @@ var _ = Describe("apply", func() {
 		Expect(err).ToNot(HaveOccurred())
 	})
 
-	It("should send agent apply and create appropriate /var/vcap/data directories for a job", func() {
+	FIt("should send agent apply and create appropriate /var/vcap/data directories for a job", func() {
 		_, err := testEnvironment.RunCommand("sudo mkdir -p /var/vcap/data")
 		Expect(err).NotTo(HaveOccurred())
 
@@ -139,6 +139,30 @@ var _ = Describe("apply", func() {
 		Expect(err).NotTo(HaveOccurred())
 		Expect(output).To(ContainSubstring("Access: (0770/drwxrwx---)  Uid: (    0/    root)   Gid: ( 1002/    vcap)"))
 
+		output, err = testEnvironment.RunCommand("stat /var/vcap/packages")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(output).To(ContainSubstring("Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: ( 1002/    vcap)"))
+
+		output, err = testEnvironment.RunCommand("stat /var/vcap/data/packages/bar")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(output).To(ContainSubstring("Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: ( 1002/    vcap)"))
+
+		output, err = testEnvironment.RunCommand("stat /var/vcap/data/packages/foo")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(output).To(ContainSubstring("Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: ( 1002/    vcap)"))
+
+		output, err = testEnvironment.RunCommand("stat /var/vcap/jobs")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(output).To(ContainSubstring("Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: ( 1002/    vcap)"))
+
+		output, err = testEnvironment.RunCommand("stat /var/vcap/data/jobs/foobar")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(output).To(ContainSubstring("Access: (0750/drwxr-x---)  Uid: (    0/    root)   Gid: ( 1002/    vcap)"))
+
+		output, err = testEnvironment.RunCommand("stat /var/vcap/data/jobs/foobar/*")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(output).To(ContainSubstring("Access: (0750/drwxr-x---)  Uid: (    0/    root)   Gid: ( 1002/    vcap)"))
+
 		err = testEnvironment.StopAgent()
 		Expect(err).ToNot(HaveOccurred())