Skip to content

CFE-4590, ENT-13239: Override default directory permissions#5931

Merged
olehermanse merged 5 commits into
cfengine:masterfrom
larsewi:perms
Nov 17, 2025
Merged

CFE-4590, ENT-13239: Override default directory permissions#5931
olehermanse merged 5 commits into
cfengine:masterfrom
larsewi:perms

Conversation

@larsewi

@larsewi larsewi commented Nov 4, 2025

Copy link
Copy Markdown
Contributor
  • Added test for overriding default directory create mode
  • Skip remaining string comparisons after successful match
  • Added override_default_directory_create_mode to body agent control
  • Replaced hardcoded directory create mode with DEFAULTMODE

@larsewi larsewi force-pushed the perms branch 2 times, most recently from c8aa2ca to 294f7ec Compare November 4, 2025 15:10
@larsewi

larsewi commented Nov 4, 2025

Copy link
Copy Markdown
Contributor Author

@cf-bottom Jenkins please :)

@cf-bottom

Copy link
Copy Markdown

@larsewi larsewi marked this pull request as ready for review November 5, 2025 08:26
@larsewi

larsewi commented Nov 5, 2025

Copy link
Copy Markdown
Contributor Author

Build Status
Skipped Debian 13 ARM because it is not happy

Comment thread libpromises/mod_common.c Outdated
Ticket: CFE-4590, ENT-13239
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Allow overriding the default 0700 permissions when `cf-agent` creates
parent directories during file promise repairs.

The new attribute `default_directory_create_mode` in body agent control
enables users to specify custom permissions (e.g., 0755) for
automatically created directories, avoiding the need for explicit perms
promises on each parent directory when deeper paths are required.

This addresses cases where files need broader access permissions but
their auto-created parent directories would otherwise default to 0700,
making the files inaccessible despite having correct permissions.

Example usage:
```
body agent control {
    default_directory_create_mode => "0755";
}
```

Ticket: CFE-4590, ENT-13239
Changelog: Title
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

@craigcomstock craigcomstock left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good.

Comment thread cf-agent/cf-agent.c
{
Log(LOG_LEVEL_VERBOSE, "SET select_end_match_eof %s", (char *) value);
EvalContextSetSelectEndMatchEof(ctx, BooleanFromString(value));
continue;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why? I don't understand the context or the reason for the change and what the change does.

I noticed around line 1141 there is another block that doesn't continue I wonder if this whole block of code needs to be audited for correct logic?

if (strcmp(cp->lval, CFA_CONTROLBODY[AGENT_CONTROL_ALLCLASSESREPORT].lval) == 0)

@larsewi larsewi Nov 7, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are checking if the string matches any of the possible attributes. Once we find a match, we don't need to check if it matches the remaining attributes, because we know implicitly that they will not match.

There is no change in behavior, just less CPU cycles wasted.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feels like i am just showing what i dont know about the code

but, @larsewi your description there made me wonder if this would be affected:

body common control
{
   default_directory_create_mode => "000";
   default_directory_create_mode => "770";
}

It's a silly example, but in some policies the same attribtue is set differently in different contexts and multiple contexts might apply.

I just wanted to be sure that not continuing to check for the attribute will not affect this (in the above simple example, expect the last one to win).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think these breaks will affect multiple configurations of the default directory create mode. However, I added a line in the policy to test this, just in case. I will merge once the acceptance test workflow from GitHub Actions have passed.

@larsewi

larsewi commented Nov 7, 2025

Copy link
Copy Markdown
Contributor Author

@cf-bottom Jenkins please :)

@larsewi larsewi requested a review from olehermanse November 7, 2025 15:04
@cf-bottom

Copy link
Copy Markdown

When default create mode is configured multiple times, then make sure
the last configuration always wins.

Ticket: CFE-4590, ENT-13239
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
@olehermanse olehermanse merged commit 0b5c729 into cfengine:master Nov 17, 2025
12 checks passed
@larsewi larsewi deleted the perms branch April 27, 2026 07:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

5 participants