From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 14 Oct 2023 11:45:30 +0200 Subject: [PATCH] allow secrets to be group-readable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Systemd's LoadCredential feature makes have the following 0o440 permissions. Services cannot modify secrets or their permission. By relaxing the check we allow buildbot to use secrets provided by systemd. Signed-off-by: Jörg Thalheim --- master/buildbot/secrets/providers/file.py | 2 +- master/buildbot/test/unit/test_secret_in_file.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py index 11daf327a..293a9f410 100644 --- a/buildbot/secrets/providers/file.py +++ b/buildbot/secrets/providers/file.py @@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase): def checkFileIsReadOnly(self, dirname, secretfile): filepath = os.path.join(dirname, secretfile) obs_stat = stat.S_IMODE(os.stat(filepath).st_mode) - if (obs_stat & 0o77) != 0 and os.name == "posix": + if (obs_stat & 0o7) != 0 and os.name == "posix": config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open." " It is required that your secret files are NOT" " accessible by others!") diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py index 01750172d..041b9654f 100644 --- a/buildbot/test/unit/test_secret_in_file.py +++ b/buildbot/test/unit/test_secret_in_file.py @@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self): if os.name != "posix": self.skipTest("Permission checks only works on posix systems") filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt", - chmodRights=stat.S_IRGRP) + chmodRights=stat.S_IROTH) expctd_msg_error = " on file tempfile2.txt are too " \ "open. It is required that your secret files are" \ " NOT accessible by others!" -- 2.42.0