Added documentation on overriding default directory permissions

larsewi · nickanderson · larsewi · commit 4dbb0be82038 · 2025-11-07T14:39:33.000+01:00
Ticket: CFE-4590, ENT-13239 Co-authored-by: Nick Anderson <nick.anderson@northern.tech> Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
diff --git a/content/reference/components/cf-agent.markdown b/content/reference/components/cf-agent.markdown
@@ -1072,6 +1072,47 @@ body agent control
 
 **See also:** [`default:control_agent.nonalphanumfiles`](/reference/special-variables/control_agent/#defaultcontrol_agentnonalphanumfiles)
 
+### default_directory_create_mode
+
+**Description:** Override the default 0700 permissions when `cf-agent` creates
+parent directories during file promise repairs.
+
+The `default_directory_create_mode` attribute in body agent control enables
+users to specify custom permissions (e.g., 0755) for automatically created
+directories, avoiding the need for explicit perms promises on each parent
+directory when deeper paths are required.
+
+This addresses cases where files need broader access permissions but
+their auto-created parent directories would otherwise default to 0700,
+making the files inaccessible despite having correct permissions.
+
+The mode string may be symbolic or numerical, like `chmod`.
+
+**Type:** `string`
+
+**Default value:** `0700`
+
+**Example:**
+
+```cf3
+body agent control {
+  # Override the default directory create mode to 0755 (it defaults to 0700 if
+  # not specified)
+  default_directory_create_mode => "a+rx"; # Can also use octets 0755
+}
+```
+
+**History:**
+
+- Added in 3.28.0
+
+**Notes:**
+
+Please note that modifying this value will affect your entire policy and can
+lead to security vulnerabilities.
+
+**See also:** `filestat()`, [`body perms mode`](/reference/promise-types/files#mode), [`default:control_agent.default_directory_create_mode`](/reference/special-variables/control_agent/#defaultcontrol_agentdefault_directory_create_mode)
+
 ### refresh_processes
 
 **Description:** The `refresh_processes` slist contains bundles to reload
diff --git a/content/reference/special-variables/control_agent.markdown b/content/reference/special-variables/control_agent.markdown
@@ -157,6 +157,12 @@ Determines whether to warn about filenames with no alphanumeric content. This te
 
 **See also:** [`nonalphanumfiles` in `body agent control`][cf-agent#nonalphanumfiles]
 
+### default:control_agent.default_directory_create_mode
+
+Determines the default directory permissions when `cf-agent` creates parent directories during `files` promise repairs.
+
+**See also:** [`default_directory_create_mode` in `body agent control`][cf-agent#default_directory_create_mode]
+
 ### default:control_agent.refresh_processes
 
 Contains bundles to reload the process table before verifying the bundles named in this list (lazy evaluation).
