fix(agent): tighten directory perms in .core/reference/ siblings (Athena #988)
Mantis #324 narrowly tightened fs.go from 0644/0755→0600/0700. Athena audit during task #20 closure-verification (2026-04-25) found sibling files in the same directory still using 0755 for MkdirAll, leaving parent dirs world-listable even when file content is 0600. This commit applies the same hardening to: - .core/reference/error.go:393 — crash-report parent dir 0755→0700 - .core/reference/embed.go:514/567/656 — workspace template extract dirs 0755→0700 - .core/reference/embed.go:595/660 — os.Create→os.OpenFile(...0600) for template renders + standard-file copies (the os.Create default of 0644 under the usual umask was leaking workspace-template content to other users on shared hosts) - pkg/lib/workspace/default/.core/reference/error.go:414 — same crash-report fix - pkg/lib/workspace/default/.core/reference/embed.go:518/571/660 — same template fixes Workspace-template duplicates are kept in sync so newly-scaffolded workspaces inherit the hardened perms instead of regressing to 0755/0644. Closes Mantis #988. Co-authored-by: Codex <noreply@openai.com>
This commit is contained in:
parent
6be6cb095c
commit
f2b6ff29bd
4 changed files with 12 additions and 12 deletions
@ -511,7 +511,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
|
|||
if err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
if err := os.MkdirAll(targetDir, 0755); err != nil {
|
||||
if err := os.MkdirAll(targetDir, 0700); err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
|
||||
|
|
@ -564,7 +564,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
|
|||
if err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
if err := os.MkdirAll(target, 0755); err != nil {
|
||||
if err := os.MkdirAll(target, 0700); err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
}
|
||||
|
|
@ -592,7 +592,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
|
|||
return Result{err, false}
|
||||
}
|
||||
|
||||
f, err := os.Create(targetFile)
|
||||
f, err := os.OpenFile(targetFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
|
||||
if err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
|
|
@ -653,11 +653,11 @@ func copyFile(fsys fs.FS, source, target string) error {
|
|||
}
|
||||
defer s.Close()
|
||||
|
||||
if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
|
||||
if err := os.MkdirAll(filepath.Dir(target), 0700); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
d, err := os.Create(target)
|
||||
d, err := os.OpenFile(target, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
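Review bot: `os.OpenFile(target, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)` in copyFile applies 0600 only when the target does not yet exist; an existing file is truncated in place and keeps the mode it was created with (0644 from a pre-hardening extraction), and `os.MkdirAll(filepath.Dir(target), 0700)` likewise leaves an already-present directory at its old mode. Since the commit message motivates the change as closing a leak on shared hosts, re-extracting into an existing workspace will not close it for files and directories that are already there. One option is to chmod explicitly after a successful open, `if err := d.Chmod(0600); err != nil { return err }` on the *os.File (and an equivalent os.Chmod for the directory); otherwise a comment such as `// 0600 applies only on create; pre-existing files keep their mode` makes the limit visible to the next reader. The same holds for the three Extract hunks above in this file (the MkdirAll calls on targetDir and target and the targetFile OpenFile), for the duplicated hunks in the pkg/lib/workspace/default copy of embed.go, and for the MkdirAll in both error.go hunks. copyFile's signature and closing brace lie outside the hunk.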
|
|||
|
|
@ -390,7 +390,7 @@ func (h *ErrorPanic) appendReport(report CrashReport) {
|
|||
Default().Error(Concat("crash report marshal failed: ", err.Error()))
|
||||
return
|
||||
}
|
||||
if err := os.MkdirAll(filepath.Dir(h.filePath), 0755); err != nil {
|
||||
if err := os.MkdirAll(filepath.Dir(h.filePath), 0700); err != nil {
|
||||
Default().Error(Concat("crash report dir failed: ", err.Error()))
|
||||
return
|
||||
}
|
||||
|
|
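Review bot: The crash-report parent directory is now created 0700, but the write of the marshalled report to h.filePath happens outside this hunk and is not shown; if that write still goes through os.WriteFile/os.Create with a 0644-style mode, the directory change only hides the listing while the report itself stays readable to anyone who knows the path, so it is worth confirming in the same change. A short comment on the MkdirAll would record the intent, e.g. `// 0700 to match the fs.go hardening; the mode is applied only when the directory is first created`. appendReport begins before this hunk and its body continues past it; the same applies to the duplicate hunk in pkg/lib/workspace/default/.core/reference/error.go.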
|
|||
|
|
@ -515,7 +515,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
|
|||
if err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
if err := os.MkdirAll(targetDir, 0755); err != nil {
|
||||
if err := os.MkdirAll(targetDir, 0700); err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
|
||||
|
|
@ -568,7 +568,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
|
|||
if err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
if err := os.MkdirAll(target, 0755); err != nil {
|
||||
if err := os.MkdirAll(target, 0700); err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
}
|
||||
|
|
@ -596,7 +596,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
|
|||
return Result{err, false}
|
||||
}
|
||||
|
||||
f, err := os.Create(targetFile)
|
||||
f, err := os.OpenFile(targetFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
|
||||
if err != nil {
|
||||
return Result{err, false}
|
||||
}
|
||||
|
|
@ -657,11 +657,11 @@ func copyFile(fsys fs.FS, source, target string) error {
|
|||
}
|
||||
defer s.Close()
|
||||
|
||||
if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
|
||||
if err := os.MkdirAll(filepath.Dir(target), 0700); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
d, err := os.Create(target)
|
||||
d, err := os.OpenFile(target, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -411,7 +411,7 @@ func (h *ErrorPanic) appendReport(report CrashReport) {
|
|||
Default().Error(Concat("crash report marshal failed: ", err.Error()))
|
||||
return
|
||||
}
|
||||
if err := os.MkdirAll(filepath.Dir(h.filePath), 0755); err != nil {
|
||||
if err := os.MkdirAll(filepath.Dir(h.filePath), 0700); err != nil {
|
||||
Default().Error(Concat("crash report dir failed: ", err.Error()))
|
||||
return
|
||||
}
|
||||
|
|
|
|||