CFE-4590, ENT-13239: Override default directory permissions #5931
base: master
larsewi
commented
Nov 4, 2025
- Added test for overriding default directory create mode
- Skip remaining string comparisons after successful match
- Added override_default_directory_create_mode to body agent control
- Replaced hardcoded directory create mode with DEFAULTMODE
c8aa2ca to
294f7ec
@cf-bottom Jenkins please :)

Alright, I triggered a build:
Jenkins: https://ci.cfengine.com/job/pr-pipeline/12934/
Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-12934/
Ticket: CFE-4590, ENT-13239
Signed-off-by: Lars Erik Wik <[email protected]>
Allow overriding the default 0700 permissions when `cf-agent` creates
parent directories during file promise repairs.
The new attribute `default_directory_create_mode` in body agent control
enables users to specify custom permissions (e.g., 0755) for
automatically created directories, avoiding the need for explicit perms
promises on each parent directory when deeper paths are required.
This addresses cases where files need broader access permissions but
their auto-created parent directories would otherwise default to 0700,
making the files inaccessible despite having correct permissions.
Example usage:
```
body agent control {
    default_directory_create_mode => "0755";
}
```
Ticket: CFE-4590, ENT-13239
Changelog: Title
Signed-off-by: Lars Erik Wik <[email protected]>
craigcomstock
left a comment
looks good.
| { | ||
| Log(LOG_LEVEL_VERBOSE, "SET select_end_match_eof %s", (char *) value); | ||
| EvalContextSetSelectEndMatchEof(ctx, BooleanFromString(value)); | ||
| continue; |
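Review bot: The `continue;` added after `EvalContextSetSelectEndMatchEof(ctx, BooleanFromString(value));` skips everything that follows in the loop body for this attribute, so it is worth confirming that nothing after the chain of comparisons has to run for every attribute. If the goal is only to stop comparing once a name has matched, an `else if` chain would make that explicit and would not depend on each new branch remembering its own `continue;`.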
Why? I don't understand the context or the reason for the change and what the change does.
I noticed around line 1141 there is another block that doesn't continue. I wonder if this whole block of code needs to be audited for correct logic?
if (strcmp(cp->lval, CFA_CONTROLBODY[AGENT_CONTROL_ALLCLASSESREPORT].lval) == 0)
We are checking if the string matches any of the possible attributes. Once we find a match, we don't need to check if it matches the remaining attributes, because we know implicitly that they will not match.
There is no change in behavior, just less CPU cycles wasted.
Feels like I am just showing what I don't know about the code,
but @larsewi, your description there made me wonder if this would be affected:
```
body common control
{
    default_directory_create_mode => "000";
    default_directory_create_mode => "770";
}
```
It's a silly example, but in some policies the same attribute is set differently in different contexts and multiple contexts might apply.
I just wanted to be sure that not continuing to check for the attribute will not affect this (in the above simple example, expect the last one to win).
@cf-bottom Jenkins please :)

Sure, I triggered a build:
Jenkins: https://ci.cfengine.com/job/pr-pipeline/12969/
Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-12969/