Reduce file permission

peterfication · pjbgf · peterfication · commit 625fb88e4810 · 2022-04-12T21:28:10.000+02:00
As suggested by @pjbgf Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com> Co-authored-by: Paulo Gomes <paulo.gomes.uk@gmail.com> Signed-off-by: Peter Gundel <mail@petergundel.de>
diff --git a/controllers/storage.go b/controllers/storage.go
@@ -112,7 +112,7 @@ func (s Storage) SetHostname(URL string) string {
 // MkdirAll calls os.MkdirAll for the given v1beta1.Artifact base dir.
 func (s *Storage) MkdirAll(artifact sourcev1.Artifact) error {
 	dir := filepath.Dir(s.LocalPath(artifact))
-	return os.MkdirAll(dir, 0o777)
+	return os.MkdirAll(dir, 0o770)
 }
 
 // RemoveAll calls os.RemoveAll for the given v1beta1.Artifact base dir.
@@ -432,7 +432,7 @@ func (s *Storage) Archive(artifact *sourcev1.Artifact, dir string, filter Archiv
 		return err
 	}
 
-	if err := os.Chmod(tmpName, 0o644); err != nil {
+	if err := os.Chmod(tmpName, 0o640); err != nil {
 		return err
 	}
 
diff --git a/controllers/storage_test.go b/controllers/storage_test.go
@@ -136,7 +136,7 @@ func TestStorage_Archive(t *testing.T) {
 		}
 		for name, b := range files {
 			absPath := filepath.Join(dir, name)
-			if err = os.MkdirAll(filepath.Dir(absPath), 0o755); err != nil {
+			if err = os.MkdirAll(filepath.Dir(absPath), 0o750); err != nil {
 				return
 			}
 			f, err := os.Create(absPath)
diff --git a/internal/fs/fs_test.go b/internal/fs/fs_test.go
@@ -42,12 +42,12 @@ func TestRenameWithFallback(t *testing.T) {
 	}
 
 	srcpath = filepath.Join(dir, "a")
-	if err = os.MkdirAll(srcpath, 0o777); err != nil {
+	if err = os.MkdirAll(srcpath, 0o770); err != nil {
 		t.Fatal(err)
 	}
 
 	dstpath := filepath.Join(dir, "b")
-	if err = os.MkdirAll(dstpath, 0o777); err != nil {
+	if err = os.MkdirAll(dstpath, 0o770); err != nil {
 		t.Fatal(err)
 	}
 
@@ -64,7 +64,7 @@ func TestCopyDir(t *testing.T) {
 	defer os.RemoveAll(dir)
 
 	srcdir := filepath.Join(dir, "src")
-	if err := os.MkdirAll(srcdir, 0o755); err != nil {
+	if err := os.MkdirAll(srcdir, 0o750); err != nil {
 		t.Fatal(err)
 	}
 
@@ -81,7 +81,7 @@ func TestCopyDir(t *testing.T) {
 	for i, file := range files {
 		fn := filepath.Join(srcdir, file.path)
 		dn := filepath.Dir(fn)
-		if err = os.MkdirAll(dn, 0o755); err != nil {
+		if err = os.MkdirAll(dn, 0o750); err != nil {
 			t.Fatal(err)
 		}
 
@@ -151,7 +151,7 @@ func TestCopyDirFail_SrcInaccessible(t *testing.T) {
 
 	cleanup := setupInaccessibleDir(t, func(dir string) error {
 		srcdir = filepath.Join(dir, "src")
-		return os.MkdirAll(srcdir, 0o755)
+		return os.MkdirAll(srcdir, 0o750)
 	})
 	defer cleanup()
 
@@ -184,7 +184,7 @@ func TestCopyDirFail_DstInaccessible(t *testing.T) {
 	defer os.RemoveAll(dir)
 
 	srcdir = filepath.Join(dir, "src")
-	if err = os.MkdirAll(srcdir, 0o755); err != nil {
+	if err = os.MkdirAll(srcdir, 0o750); err != nil {
 		t.Fatal(err)
 	}
 
@@ -235,12 +235,12 @@ func TestCopyDirFail_DstExists(t *testing.T) {
 	defer os.RemoveAll(dir)
 
 	srcdir = filepath.Join(dir, "src")
-	if err = os.MkdirAll(srcdir, 0o755); err != nil {
+	if err = os.MkdirAll(srcdir, 0o750); err != nil {
 		t.Fatal(err)
 	}
 
 	dstdir = filepath.Join(dir, "dst")
-	if err = os.MkdirAll(dstdir, 0o755); err != nil {
+	if err = os.MkdirAll(dstdir, 0o750); err != nil {
 		t.Fatal(err)
 	}
 
@@ -273,7 +273,7 @@ func TestCopyDirFailOpen(t *testing.T) {
 	defer os.RemoveAll(dir)
 
 	srcdir = filepath.Join(dir, "src")
-	if err = os.MkdirAll(srcdir, 0o755); err != nil {
+	if err = os.MkdirAll(srcdir, 0o750); err != nil {
 		t.Fatal(err)
 	}
 
@@ -285,7 +285,7 @@ func TestCopyDirFailOpen(t *testing.T) {
 	srcf.Close()
 
 	// setup source file so that it cannot be read
-	if err = os.Chmod(srcfn, 0o222); err != nil {
+	if err = os.Chmod(srcfn, 0o220); err != nil {
 		t.Fatal(err)
 	}
 
@@ -419,11 +419,11 @@ func TestCopyFileLongFilePath(t *testing.T) {
 	}
 
 	fullPath := filepath.Join(dir, dirName, string(os.PathSeparator))
-	if err := os.MkdirAll(fullPath, 0o755); err != nil && !os.IsExist(err) {
+	if err := os.MkdirAll(fullPath, 0o750); err != nil && !os.IsExist(err) {
 		t.Fatalf("%+v", fmt.Errorf("unable to create temp directory: %s", fullPath))
 	}
 
-	err = os.WriteFile(fullPath+"src", []byte(nil), 0o644)
+	err = os.WriteFile(fullPath+"src", []byte(nil), 0o640)
 	if err != nil {
 		t.Fatalf("%+v", err)
 	}
@@ -460,7 +460,7 @@ func TestCopyFileFail(t *testing.T) {
 
 	cleanup := setupInaccessibleDir(t, func(dir string) error {
 		dstdir = filepath.Join(dir, "dir")
-		return os.Mkdir(dstdir, 0o777)
+		return os.Mkdir(dstdir, 0o770)
 	})
 	defer cleanup()
 
@@ -493,15 +493,15 @@ func setupInaccessibleDir(t *testing.T, op func(dir string) error) func() {
 	subdir := filepath.Join(dir, "dir")
 
 	cleanup := func() {
-		if err := os.Chmod(subdir, 0o777); err != nil {
+		if err := os.Chmod(subdir, 0o770); err != nil {
 			t.Error(err)
 		}
 		if err := os.RemoveAll(dir); err != nil {
 			t.Error(err)
 		}
 	}
 
-	if err := os.Mkdir(subdir, 0o777); err != nil {
+	if err := os.Mkdir(subdir, 0o770); err != nil {
 		cleanup()
 		t.Fatal(err)
 		return nil
@@ -513,7 +513,7 @@ func setupInaccessibleDir(t *testing.T, op func(dir string) error) func() {
 		return nil
 	}
 
-	if err := os.Chmod(subdir, 0o666); err != nil {
+	if err := os.Chmod(subdir, 0o660); err != nil {
 		cleanup()
 		t.Fatal(err)
 		return nil
@@ -532,7 +532,7 @@ func TestIsDir(t *testing.T) {
 
 	cleanup := setupInaccessibleDir(t, func(dir string) error {
 		dn = filepath.Join(dir, "dir")
-		return os.Mkdir(dn, 0o777)
+		return os.Mkdir(dn, 0o770)
 	})
 	defer cleanup()
 
@@ -575,7 +575,7 @@ func TestIsSymlink(t *testing.T) {
 	defer os.RemoveAll(dir)
 
 	dirPath := filepath.Join(dir, "directory")
-	if err = os.MkdirAll(dirPath, 0o777); err != nil {
+	if err = os.MkdirAll(dirPath, 0o770); err != nil {
 		t.Fatal(err)
 	}
 
diff --git a/internal/helm/chart/builder_local_test.go b/internal/helm/chart/builder_local_test.go
@@ -201,7 +201,7 @@ fullnameOverride: "full-foo-name-override"`),
 			// Write value file in the base dir.
 			for _, f := range tt.valuesFiles {
 				vPath := filepath.Join(localRef.WorkDir, f.Name)
-				g.Expect(os.WriteFile(vPath, f.Data, 0o644)).ToNot(HaveOccurred())
+				g.Expect(os.WriteFile(vPath, f.Data, 0o640)).ToNot(HaveOccurred())
 			}
 
 			// Write chart dependencies in the base dir.
@@ -336,7 +336,7 @@ func Test_mergeFileValues(t *testing.T) {
 			defer os.RemoveAll(baseDir)
 
 			for _, f := range tt.files {
-				g.Expect(os.WriteFile(filepath.Join(baseDir, f.Name), f.Data, 0o644)).To(Succeed())
+				g.Expect(os.WriteFile(filepath.Join(baseDir, f.Name), f.Data, 0o640)).To(Succeed())
 			}
 
 			got, err := mergeFileValues(baseDir, tt.paths)
diff --git a/internal/helm/chart/metadata_test.go b/internal/helm/chart/metadata_test.go
@@ -140,7 +140,7 @@ func TestLoadChartMetadataFromDir(t *testing.T) {
 	copy.Copy("../testdata/charts/helmchart", tmpDir)
 	bigRequirementsFile := filepath.Join(tmpDir, "requirements.yaml")
 	data := make([]byte, helm.MaxChartFileSize+10)
-	g.Expect(os.WriteFile(bigRequirementsFile, data, 0o644)).ToNot(HaveOccurred())
+	g.Expect(os.WriteFile(bigRequirementsFile, data, 0o640)).ToNot(HaveOccurred())
 
 	tests := []struct {
 		name                string
@@ -205,7 +205,7 @@ func TestLoadChartMetadataFromArchive(t *testing.T) {
 	defer os.RemoveAll(tmpDir)
 	bigArchiveFile := filepath.Join(tmpDir, "chart.tgz")
 	data := make([]byte, helm.MaxChartSize+10)
-	g.Expect(os.WriteFile(bigArchiveFile, data, 0o644)).ToNot(HaveOccurred())
+	g.Expect(os.WriteFile(bigArchiveFile, data, 0o640)).ToNot(HaveOccurred())
 
 	tests := []struct {
 		name                string
diff --git a/internal/helm/repository/chart_repository_test.go b/internal/helm/repository/chart_repository_test.go
@@ -363,7 +363,7 @@ func TestChartRepository_LoadIndexFromFile(t *testing.T) {
 	defer os.RemoveAll(tmpDir)
 	bigIndexFile := filepath.Join(tmpDir, "index.yaml")
 	data := make([]byte, helm.MaxIndexSize+10)
-	g.Expect(os.WriteFile(bigIndexFile, data, 0o644)).ToNot(HaveOccurred())
+	g.Expect(os.WriteFile(bigIndexFile, data, 0o640)).ToNot(HaveOccurred())
 
 	tests := []struct {
 		name     string
diff --git a/main.go b/main.go
@@ -299,7 +299,7 @@ func mustInitStorage(path string, storageAdvAddr string, artifactRetentionTTL ti
 	if path == "" {
 		p, _ := os.Getwd()
 		path = filepath.Join(p, "bin")
-		os.MkdirAll(path, 0o777)
+		os.MkdirAll(path, 0o770)
 	}
 
 	storage, err := controllers.NewStorage(path, storageAdvAddr, artifactRetentionTTL, artifactRetentionRecords)
diff --git a/pkg/sourceignore/sourceignore_test.go b/pkg/sourceignore/sourceignore_test.go
@@ -209,10 +209,10 @@ func TestLoadExcludePatterns(t *testing.T) {
 		"a/b/.sourceignore": "subdir.txt",
 	}
 	for n, c := range files {
-		if err = os.MkdirAll(filepath.Join(tmpDir, filepath.Dir(n)), 0o755); err != nil {
+		if err = os.MkdirAll(filepath.Join(tmpDir, filepath.Dir(n)), 0o750); err != nil {
 			t.Fatal(err)
 		}
-		if err = os.WriteFile(filepath.Join(tmpDir, n), []byte(c), 0o644); err != nil {
+		if err = os.WriteFile(filepath.Join(tmpDir, n), []byte(c), 0o640); err != nil {
 			t.Fatal(err)
 		}
 	}
diff --git a/tests/fuzz/gitrepository_fuzzer.go b/tests/fuzz/gitrepository_fuzzer.go
@@ -494,7 +494,7 @@ func createRandomFiles(f *fuzz.ConsumeFuzzer, fs billy.Filesystem, wt *git.Workt
 			return errors.New("Dir contains '..'")
 		}
 
-		err = fs.MkdirAll(dirPath, 0o777)
+		err = fs.MkdirAll(dirPath, 0o770)
 		if err != nil {
 			return errors.New("Could not create the subDir")
 		}

Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ func (s Storage) SetHostname(URL string) string {`
`112`	`112`	`// MkdirAll calls os.MkdirAll for the given v1beta1.Artifact base dir.`
`113`	`113`	`func (s *Storage) MkdirAll(artifact sourcev1.Artifact) error {`
`114`	`114`	`dir := filepath.Dir(s.LocalPath(artifact))`
`115`		`- return os.MkdirAll(dir, 0o777)`
	`115`	`+ return os.MkdirAll(dir, 0o770)`
`116`	`116`	`}`
`117`	`117`
`118`	`118`	`// RemoveAll calls os.RemoveAll for the given v1beta1.Artifact base dir.`
`@@ -432,7 +432,7 @@ func (s Storage) Archive(artifact sourcev1.Artifact, dir string, filter Archiv`
`432`	`432`	`return err`
`433`	`433`	`}`
`434`	`434`
`435`		`- if err := os.Chmod(tmpName, 0o644); err != nil {`
	`435`	`+ if err := os.Chmod(tmpName, 0o640); err != nil {`
`436`	`436`	`return err`
`437`	`437`	`}`
`438`	`438`
Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@ func TestStorage_Archive(t *testing.T) {`
`136`	`136`	`}`
`137`	`137`	`for name, b := range files {`
`138`	`138`	`absPath := filepath.Join(dir, name)`
`139`		`- if err = os.MkdirAll(filepath.Dir(absPath), 0o755); err != nil {`
	`139`	`+ if err = os.MkdirAll(filepath.Dir(absPath), 0o750); err != nil {`
`140`	`140`	`return`
`141`	`141`	`}`
`142`	`142`	`f, err := os.Create(absPath)`
Original file line number	Diff line number	Diff line change
@@ -201,7 +201,7 @@ fullnameOverride: "full-foo-name-override"`),
`201`	`201`	`// Write value file in the base dir.`
`202`	`202`	`for _, f := range tt.valuesFiles {`
`203`	`203`	`vPath := filepath.Join(localRef.WorkDir, f.Name)`
`204`		`- g.Expect(os.WriteFile(vPath, f.Data, 0o644)).ToNot(HaveOccurred())`
	`204`	`+ g.Expect(os.WriteFile(vPath, f.Data, 0o640)).ToNot(HaveOccurred())`
`205`	`205`	`}`
`206`	`206`
`207`	`207`	`// Write chart dependencies in the base dir.`
`@@ -336,7 +336,7 @@ func Test_mergeFileValues(t *testing.T) {`
`336`	`336`	`defer os.RemoveAll(baseDir)`
`337`	`337`
`338`	`338`	`for _, f := range tt.files {`
`339`		`- g.Expect(os.WriteFile(filepath.Join(baseDir, f.Name), f.Data, 0o644)).To(Succeed())`
	`339`	`+ g.Expect(os.WriteFile(filepath.Join(baseDir, f.Name), f.Data, 0o640)).To(Succeed())`
`340`	`340`	`}`
`341`	`341`
`342`	`342`	`got, err := mergeFileValues(baseDir, tt.paths)`
Original file line number	Diff line number	Diff line change
`@@ -299,7 +299,7 @@ func mustInitStorage(path string, storageAdvAddr string, artifactRetentionTTL ti`
`299`	`299`	`if path == "" {`
`300`	`300`	`p, _ := os.Getwd()`
`301`	`301`	`path = filepath.Join(p, "bin")`
`302`		`- os.MkdirAll(path, 0o777)`
	`302`	`+ os.MkdirAll(path, 0o770)`
`303`	`303`	`}`
`304`	`304`
`305`	`305`	`storage, err := controllers.NewStorage(path, storageAdvAddr, artifactRetentionTTL, artifactRetentionRecords)`
Original file line number	Diff line number	Diff line change
`@@ -209,10 +209,10 @@ func TestLoadExcludePatterns(t *testing.T) {`
`209`	`209`	`"a/b/.sourceignore": "subdir.txt",`
`210`	`210`	`}`
`211`	`211`	`for n, c := range files {`
`212`		`- if err = os.MkdirAll(filepath.Join(tmpDir, filepath.Dir(n)), 0o755); err != nil {`
	`212`	`+ if err = os.MkdirAll(filepath.Join(tmpDir, filepath.Dir(n)), 0o750); err != nil {`
`213`	`213`	`t.Fatal(err)`
`214`	`214`	`}`
`215`		`- if err = os.WriteFile(filepath.Join(tmpDir, n), []byte(c), 0o644); err != nil {`
	`215`	`+ if err = os.WriteFile(filepath.Join(tmpDir, n), []byte(c), 0o640); err != nil {`
`216`	`216`	`t.Fatal(err)`
`217`	`217`	`}`
`218`	`218`	`}`
Original file line number	Diff line number	Diff line change
`@@ -494,7 +494,7 @@ func createRandomFiles(f fuzz.ConsumeFuzzer, fs billy.Filesystem, wt git.Workt`
`494`	`494`	`return errors.New("Dir contains '..'")`
`495`	`495`	`}`
`496`	`496`
`497`		`- err = fs.MkdirAll(dirPath, 0o777)`
	`497`	`+ err = fs.MkdirAll(dirPath, 0o770)`
`498`	`498`	`if err != nil {`
`499`	`499`	`return errors.New("Could not create the subDir")`
`500`	`500`	`}`