CFE-4590, ENT-13239: Override default directory permissions#5931
larsewi commented Nov 4, 2025
- Added test for overriding default directory create mode
- Skip remaining string comparisons after successful match
- Added override_default_directory_create_mode to body agent control
- Replaced hardcoded directory create mode with DEFAULTMODE
c8aa2ca to 294f7ec
@cf-bottom Jenkins please :)

Alright, I triggered a build:
Jenkins: https://ci.cfengine.com/job/pr-pipeline/12934/
Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-12934/
Ticket: CFE-4590, ENT-13239
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Allow overriding the default 0700 permissions when `cf-agent` creates
parent directories during file promise repairs.
The new attribute `default_directory_create_mode` in body agent control
enables users to specify custom permissions (e.g., 0755) for
automatically created directories, avoiding the need for explicit perms
promises on each parent directory when deeper paths are required.
This addresses cases where files need broader access permissions but
their auto-created parent directories would otherwise default to 0700,
making the files inaccessible despite having correct permissions.
Example usage:
```
body agent control {
default_directory_create_mode => "0755";
}
```
Ticket: CFE-4590, ENT-13239
Changelog: Title
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
| { | ||
| Log(LOG_LEVEL_VERBOSE, "SET select_end_match_eof %s", (char *) value); | ||
| EvalContextSetSelectEndMatchEof(ctx, BooleanFromString(value)); | ||
| continue; |
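Review bot: the `continue;` after the `EvalContextSetSelectEndMatchEof(...)` call has to be repeated by hand at the end of every attribute block, and a block that lacks one silently falls through to the remaining comparisons with nothing to flag the omission. Consider an `else if` chain or a single lookup of the attribute name followed by a `switch`, so that the skip is structural and cannot be forgotten when a new attribute is added.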
There was a problem hiding this comment.
Why? I don't understand the context or the reason for the change and what the change does.
I noticed around line 1141 there is another block that doesn't continue. I wonder if this whole block of code needs to be audited for correct logic?
```
if (strcmp(cp->lval, CFA_CONTROLBODY[AGENT_CONTROL_ALLCLASSESREPORT].lval) == 0)
```
There was a problem hiding this comment.
We are checking if the string matches any of the possible attributes. Once we find a match, we don't need to check if it matches the remaining attributes, because we know implicitly that they will not match.
There is no change in behavior, just fewer CPU cycles wasted.
There was a problem hiding this comment.
Feels like I am just showing what I don't know about the code,
but, @larsewi, your description there made me wonder if this would be affected:
```
body common control
{
default_directory_create_mode => "000";
default_directory_create_mode => "770";
}
```
It's a silly example, but in some policies the same attribute is set differently in different contexts and multiple contexts might apply.
I just wanted to be sure that not continuing to check for the attribute will not affect this (in the above simple example, expect the last one to win).
There was a problem hiding this comment.
I don't think these breaks will affect multiple configurations of the default directory create mode. However, I added a line in the policy to test this, just in case. I will merge once the acceptance test workflow from GitHub Actions has passed.
@cf-bottom Jenkins please :)

Sure, I triggered a build:
Jenkins: https://ci.cfengine.com/job/pr-pipeline/12969/
Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-12969/
When default create mode is configured multiple times, then make sure the last configuration always wins.
Ticket: CFE-4590, ENT-13239
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>