vcsrepo: add mode attribute #598

Open
robbat2 opened this issue Apr 9, 2023 · 1 comment

robbat2 commented Apr 9, 2023

Use Case

Trying to properly restrict access to repo checkouts.

Describe the Solution You Would Like

Please add a mode attribute that correctly sets the permissions on the repo basedir. The Git provider already provides the umask attribute, but if the directory already exists, it does not impact that.

vcsrepo { $title:
  ...
  owner => 'root',
  group => 'somegroup',
  mode => '0750', # permit somegroup to read but not write content.
}

Describe Alternatives You've Considered

An exec resource after the vcsrepo means a small window when the newly created directory has incorrect permissions, which may present a security risk, or cause other apps to break. The umask option only affects new files/dirs, and doesn't change the existing dir.

Additional Context

Open question:
should the chmod be applied recursively to existing repos, or just the toplevel directory?


robbat2 commented Apr 9, 2023

Self-decision:
The permission should NOT be applied recursively, because repos should manage permissions of files inside them.

robbat2 added a commit to robbat2/puppetlabs-vcsrepo that referenced this issue Apr 9, 2023
Signed-off-by: Robin H. Johnson <[email protected]>
Reference: puppetlabs#598
robbat2 added a commit to robbat2/puppetlabs-vcsrepo that referenced this issue Apr 9, 2023
Signed-off-by: Robin H. Johnson <[email protected]>
Reference: puppetlabs#598
robbat2 added a commit to robbat2/puppetlabs-vcsrepo that referenced this issue Jul 1, 2023
Signed-off-by: Robin H. Johnson <[email protected]>
Reference: puppetlabs#598
robbat2 added a commit to robbat2/puppetlabs-vcsrepo that referenced this issue Jul 13, 2023
Splits set_ownership_and_permissions into separate functions per
Metrics/CyclomaticComplexity & Metrics/PerceivedComplexity rubocop
checks.

Signed-off-by: Robin H. Johnson <[email protected]>
Reference: puppetlabs#598
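
The behaviour requested in this issue, sketched in Ruby as an added example (not code from puppetlabs-vcsrepo or the commits referenced above): it shows that a umask leaves an existing directory's mode untouched, and that a non-recursive chmod corrects the top level without altering files inside. The helper name `ensure_basedir_mode`, the `perms` and `demo` functions, and the temporary directory layout are assumptions made for illustration.

```ruby
require 'tmpdir'

# Hypothetical helper, not part of puppetlabs-vcsrepo: enforce `mode` on the
# top-level checkout directory only. Returns :created, :changed or :unchanged.
def ensure_basedir_mode(path, mode)
  wanted = Integer(mode, 8) # '0750' -> 0o750
  begin
    # The mode is applied at creation (masked by umask), so a new directory
    # never exists with looser permissions than requested.
    Dir.mkdir(path, wanted)
    File.chmod(wanted, path) # restore any requested bits the umask stripped
    return :created
  rescue Errno::EEXIST
    # Already present: umask is irrelevant from here on.
  end
  raise ArgumentError, "#{path} is not a real directory" unless File.lstat(path).directory?
  return :unchanged if (File.stat(path).mode & 0o7777) == wanted
  File.chmod(wanted, path) # top level only, never recursive
  :changed
end

def perms(path)
  File.stat(path).mode & 0o7777
end

# Constructed scenario: a pre-existing 0755 checkout with a 0700 file inside.
def demo
  Dir.mktmpdir do |tmp|
    repo = File.join(tmp, 'checkout')
    inner = File.join(repo, 'hook.sh')
    Dir.mkdir(repo)
    File.chmod(0o755, repo)
    File.write(inner, "#!/bin/sh\n")
    File.chmod(0o700, inner)
    old_umask = File.umask(0o027) # stand-in for the provider's umask attribute
    begin
      result = { after_umask: perms(repo) }
      result[:first] = ensure_basedir_mode(repo, '0750')
      result[:second] = ensure_basedir_mode(repo, '0750')
      result[:fresh] = ensure_basedir_mode(File.join(tmp, 'fresh'), '0750')
      result.merge(top: perms(repo), inner: perms(inner),
                   fresh_mode: perms(File.join(tmp, 'fresh')))
    ensure
      File.umask(old_umask)
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```
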