From fa93476896700f990e303cf3f60caa77f30df625 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sun, 4 Jan 2026 00:55:23 +0900
Subject: [PATCH] internal/pkg: override working directory perms

This must be writable to enable renaming, and the final result is conventionally read-only alongside the entire directory contents. This change overrides the permission bits as part of Store.

Signed-off-by: Ophestra
---
 internal/pkg/dir_test.go | 6 +++---
 internal/pkg/pkg.go | 8 ++++++++
 internal/pkg/pkg_test.go | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/internal/pkg/dir_test.go b/internal/pkg/dir_test.go
index 63477ff..6418b54 100644
--- a/internal/pkg/dir_test.go
+++ b/internal/pkg/dir_test.go
@@ -123,7 +123,7 @@ func TestFlatten(t *testing.T) {
 ".": {Mode: fs.ModeDir | 0700},
 "checksum": {Mode: fs.ModeDir | 0700},
- "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP": {Mode: fs.ModeDir | 0700},
+ "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP": {Mode: fs.ModeDir | 0500},
 "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check": {Mode: 0400, Data: []byte{0, 0}},
 "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib": {Mode: fs.ModeDir | 0700},
 "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig": {Mode: fs.ModeDir | 0700},
@@ -138,7 +138,7 @@ func TestFlatten(t *testing.T) {
 {Mode: fs.ModeDir | 0700, Path: "."},
 {Mode: fs.ModeDir | 0700, Path: "checksum"},
- {Mode: fs.ModeDir | 0700, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
+ {Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
 {Mode: 0400, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
 {Mode: fs.ModeDir | 0700, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
 {Mode: fs.ModeSymlink | 0777, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
@@ -149,7 +149,7 @@ func TestFlatten(t *testing.T) {
 {Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 {Mode: fs.ModeDir | 0700, Path: "work"},
- }, pkg.MustDecode("N7dntFYbOq9V4iC-rjAQ-By6ofPIQVZkA8V0r0G07M_sdB7Zh42Ttrspsc38ioYa")},
+ }, pkg.MustDecode("8OP6YxJAdRrhV2WSBt1BPD7oC_n2Qh7JqUMyVMoGvjDX83bDqq2hgVMNcdiBH_64")},
 }
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
diff --git a/internal/pkg/pkg.go b/internal/pkg/pkg.go
index 1bc910e..76e25d6 100644
--- a/internal/pkg/pkg.go
+++ b/internal/pkg/pkg.go
@@ -259,6 +259,11 @@ func (c *Cache) Store(
 if err = makeArtifact(workPathname); err != nil {
 return
 }
+ // override this before hashing since it will be made read-only after the
+ // rename anyway so do not let perm bits affect the checksum
+ if err = os.Chmod(workPathname.String(), 0700); err != nil {
+ return
+ }
 var checksum Checksum
 if checksum, err = HashDir(workPathname); err != nil {
 return
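Review bot: The checksum in the first pkg.go hunk is computed while the work directory is forced to 0700, but the second pkg.go hunk leaves the stored directory at 0500, so re-running HashDir over a stored entry would presumably not reproduce the checksum it is stored under, if the root directory's mode is part of the hash as the added comment implies. Any later integrity check of the cache would have to apply the same normalisation, and nothing in the hunk says so. I would record that in the comment, e.g. `// hashed as 0700; the stored copy is 0500, so a verifier must normalise the root mode the same way`, or have HashDir ignore the root's permission bits. Store's body starts and ends outside the hunk, so whether such a verifier already exists cannot be seen here.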
@@ -280,7 +285,10 @@ func (c *Cache) Store(
 if !errors.Is(err, os.ErrExist) {
 return
 }
+ } else if err = os.Chmod(checksumPathname.String(), 0500); err != nil {
+ return
 }
+
 if linkErr := os.Symlink(
 "../"+dirChecksum+"/"+path.Base(checksumPathname.String()),
 pathname.String(),
diff --git a/internal/pkg/pkg_test.go b/internal/pkg/pkg_test.go
index 46084ff..6f4a256 100644
--- a/internal/pkg/pkg_test.go
+++ b/internal/pkg/pkg_test.go
@@ -455,7 +455,7 @@ func TestCache(t *testing.T) {
 } else if !store {
 t.Fatal("Store did not store nonpresent entry")
 }
- }, pkg.MustDecode("N7dntFYbOq9V4iC-rjAQ-By6ofPIQVZkA8V0r0G07M_sdB7Zh42Ttrspsc38ioYa")},
+ }, pkg.MustDecode("8OP6YxJAdRrhV2WSBt1BPD7oC_n2Qh7JqUMyVMoGvjDX83bDqq2hgVMNcdiBH_64")},
 }
 checkWithCache(t, testCases)
 }
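Review bot: The read-only bit is not enforced on the `os.ErrExist` path in the second pkg.go hunk, because the added `os.Chmod(checksumPathname.String(), 0500)` sits in the `else` of the preceding operation (presumably the rename, whose condition is outside the hunk). If an earlier Store was interrupted after that operation, or failed in this very chmod, the entry stays owner-writable and every later Store for the same checksum goes through the ErrExist branch without repairing it. Consider applying the same call there too, e.g. `if err = os.Chmod(checksumPathname.String(), 0500); err != nil { return }` after the `errors.Is` check, or add a comment stating why an existing entry's mode is trusted as found. The chmod also covers only the top-level directory, so the "entire directory contents" being read-only still depends on what makeArtifact produced.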