From 01a3447b83b96a4eee7b2be07a5e34fb702cfbb1 Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@grahamc.com>
Date: Tue, 14 Nov 2023 11:26:23 -0500
Subject: [PATCH] Remove the writable flag, don't set too many permission bits
 (#718)

Making everything 0o555 is too much, since many files in the store
are not supposed to be executable. Those should be 0o444. Instead
of splatting 0o555 out, take a more measured approach and remove
the writable flag from the on-disk mode.
---
 src/action/base/move_unpacked_nix.rs | 13 ++++++++++---
 src/action/mod.rs                    |  2 ++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/action/base/move_unpacked_nix.rs b/src/action/base/move_unpacked_nix.rs
index 875e390..37e034f 100644
--- a/src/action/base/move_unpacked_nix.rs
+++ b/src/action/base/move_unpacked_nix.rs
@@ -1,5 +1,4 @@
 use std::{
-    fs::Permissions,
     os::unix::prelude::PermissionsExt,
     path::{Path, PathBuf},
 };
@@ -110,13 +109,21 @@ impl Action for MoveUnpackedNix {
                 .map_err(|e| ActionErrorKind::Rename(entry.path(), entry_dest.to_owned(), e))
                 .map_err(Self::error)?;
 
-            let perms: Permissions = PermissionsExt::from_mode(0o555);
             for entry_item in WalkDir::new(&entry_dest)
                 .into_iter()
                 .filter_map(Result::ok)
                 .filter(|e| !e.file_type().is_symlink())
             {
-                tokio::fs::set_permissions(&entry_item.path(), perms.clone())
+                let path = entry_item.path();
+
+                let mut perms = path
+                    .metadata()
+                    .map_err(|e| ActionErrorKind::GetMetadata(path.to_owned(), e))
+                    .map_err(Self::error)?
+                    .permissions();
+                perms.set_readonly(true);
+
+                tokio::fs::set_permissions(path, perms.clone())
                     .await
                     .map_err(|e| {
                         ActionErrorKind::SetPermissions(
diff --git a/src/action/mod.rs b/src/action/mod.rs
index 8856651..c9ef099 100644
--- a/src/action/mod.rs
+++ b/src/action/mod.rs
@@ -422,6 +422,8 @@ pub enum ActionErrorKind {
         std::path::PathBuf,
         #[source] std::io::Error,
     ),
+    #[error("Getting filesystem metadata for `{0}` on `{1}`")]
+    GetMetadata(std::path::PathBuf, #[source] std::io::Error),
     #[error("Set mode `{0:#o}` on `{1}`")]
     SetPermissions(u32, std::path::PathBuf, #[source] std::io::Error),
     #[error("Remove file `{0}`")]