fix: reduce chmod permissions for created files and directories (#2137)

Quiet more security scanner issues: first pass of chmod restrictions, removing group and other permissions.

Signed-off-by: Dave Lee <dave@gray101.com>
Dave 2024-04-25 18:47:06 -04:00 committed by GitHub
parent 365ef92530
commit c8dd8e5ef4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
15 changed files with 36 additions and 35 deletions


@ -10,7 +10,7 @@ import (
func ExtractFiles(content embed.FS, extractDir string) error {
// Create the target directory if it doesn't exist
err := os.MkdirAll(extractDir, 0755)
err := os.MkdirAll(extractDir, 0750)
if err != nil {
return fmt.Errorf("failed to create directory: %v", err)
}
@ -25,7 +25,7 @@ func ExtractFiles(content embed.FS, extractDir string) error {
targetFile := filepath.Join(extractDir, path)
if d.IsDir() {
// Create the directory in the target directory
err := os.MkdirAll(targetFile, 0755)
err := os.MkdirAll(targetFile, 0750)
if err != nil {
return fmt.Errorf("failed to create directory: %v", err)
}
@ -39,7 +39,7 @@ func ExtractFiles(content embed.FS, extractDir string) error {
}
// Create the file in the target directory
err = os.WriteFile(targetFile, fileData, 0644)
err = os.WriteFile(targetFile, fileData, 0600)
if err != nil {
return fmt.Errorf("failed to write file: %v", err)
}
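Review bot: The tighter modes passed to `os.MkdirAll` and `os.WriteFile` in ExtractFiles apply only when the path is created (and are still filtered by the umask): `os.WriteFile` truncates an existing file without changing its permissions, and `os.MkdirAll` does nothing to a directory that already exists. Anything extracted by an earlier version with 0755/0644 therefore stays group- and world-readable after this change. If the mode is meant to be enforced rather than requested, follow the write with `os.Chmod(targetFile, 0600)` (and `os.Chmod(extractDir, 0750)` for the directories), or add a comment such as `// mode applies to newly created paths only; existing files keep their permissions`. The same holds for the `MkdirAll`/`WriteFile` calls changed in DownloadFile, InstallModel and SaveConfig, whose bodies, like the rest of ExtractFiles, continue outside the visible hunks. Separately, 0750 still leaves group read and traverse on directories, which is narrower than before but not what the commit description's "remove group and other permissions" says.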


@ -184,7 +184,7 @@ func DownloadFile(url string, filePath, sha string, fileN, total int, downloadSt
}
// Create parent directory
err = os.MkdirAll(filepath.Dir(filePath), 0755)
err = os.MkdirAll(filepath.Dir(filePath), 0750)
if err != nil {
return fmt.Errorf("failed to create parent directory for file %q: %v", filePath, err)
}


@ -92,7 +92,7 @@ func ReadConfigFile(filePath string) (*Config, error) {
func InstallModel(basePath, nameOverride string, config *Config, configOverrides map[string]interface{}, downloadStatus func(string, string, string, float64)) error {
// Create base path if it doesn't exist
err := os.MkdirAll(basePath, 0755)
err := os.MkdirAll(basePath, 0750)
if err != nil {
return fmt.Errorf("failed to create base path: %v", err)
}
@ -125,12 +125,12 @@ func InstallModel(basePath, nameOverride string, config *Config, configOverrides
filePath := filepath.Join(basePath, template.Name+".tmpl")
// Create parent directory
err := os.MkdirAll(filepath.Dir(filePath), 0755)
err := os.MkdirAll(filepath.Dir(filePath), 0750)
if err != nil {
return fmt.Errorf("failed to create parent directory for prompt template %q: %v", template.Name, err)
}
// Create and write file content
err = os.WriteFile(filePath, []byte(template.Content), 0644)
err = os.WriteFile(filePath, []byte(template.Content), 0600)
if err != nil {
return fmt.Errorf("failed to write prompt template %q: %v", template.Name, err)
}
@ -170,7 +170,7 @@ func InstallModel(basePath, nameOverride string, config *Config, configOverrides
return fmt.Errorf("failed to marshal updated config YAML: %v", err)
}
err = os.WriteFile(configFilePath, updatedConfigYAML, 0644)
err = os.WriteFile(configFilePath, updatedConfigYAML, 0600)
if err != nil {
return fmt.Errorf("failed to write updated config file: %v", err)
}


@ -48,7 +48,7 @@ var _ = Describe("Model test", func() {
}}
out, err := yaml.Marshal(gallery)
Expect(err).ToNot(HaveOccurred())
err = os.WriteFile(filepath.Join(tempdir, "gallery_simple.yaml"), out, 0644)
err = os.WriteFile(filepath.Join(tempdir, "gallery_simple.yaml"), out, 0600)
Expect(err).ToNot(HaveOccurred())
galleries := []Gallery{


@ -65,7 +65,7 @@ func (ml *ModelLoader) GetGRPCPID(id string) (int, error) {
func (ml *ModelLoader) startProcess(grpcProcess, id string, serverAddress string) error {
// Make sure the process is executable
if err := os.Chmod(grpcProcess, 0755); err != nil {
if err := os.Chmod(grpcProcess, 0700); err != nil {
return err
}
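Review bot: `os.Chmod(grpcProcess, 0700)` rewrites the whole mode on every start rather than only ensuring the owner execute bit, so startProcess returns an error whenever the process does not own the binary, even if the file is already executable. That would affect a backend installed read-only or mounted into a container, though this is an assumption, since where `grpcProcess` comes from is not visible in this hunk. Consider checking first and adding only the missing bit: `fi, err := os.Stat(grpcProcess)` followed by `if fi.Mode().Perm()&0100 == 0 { err = os.Chmod(grpcProcess, fi.Mode().Perm()|0100) }`. Because `os.Chmod` follows symlinks, a comment stating that `grpcProcess` must be a trusted path controlled by the loader would also help the next reader. The body of startProcess continues outside the hunk.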


@ -21,9 +21,9 @@ var _ = Describe("TemplateCache", func() {
Expect(err).NotTo(HaveOccurred())
// Writing example template files
err = os.WriteFile(filepath.Join(tempDir, "example.tmpl"), []byte("Hello, {{.Name}}!"), 0644)
err = os.WriteFile(filepath.Join(tempDir, "example.tmpl"), []byte("Hello, {{.Name}}!"), 0600)
Expect(err).NotTo(HaveOccurred())
err = os.WriteFile(filepath.Join(tempDir, "empty.tmpl"), []byte(""), 0644)
err = os.WriteFile(filepath.Join(tempDir, "empty.tmpl"), []byte(""), 0600)
Expect(err).NotTo(HaveOccurred())
templateCache = templates.NewTemplateCache(tempDir)


@ -15,7 +15,7 @@ func SaveConfig(filePath, fileName string, obj any) {
}
absolutePath := filepath.Join(filePath, fileName)
err = os.WriteFile(absolutePath, file, 0644)
err = os.WriteFile(absolutePath, file, 0600)
if err != nil {
log.Error().Err(err).Str("filepath", absolutePath).Msg("failed to save configuration file")
}