lix-project/buildbot-nix
14
0
Fork 0
Code Issues 9 Pull requests 3 Packages Projects Releases Wiki Activity
buildbot-nix/nix/0001-allow-secrets-to-be-group-readable.patch

48 lines
2.3 KiB
Diff
Raw Blame History

From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sat, 14 Oct 2023 11:45:30 +0200
Subject: [PATCH] allow secrets to be group-readable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Systemd's LoadCredential feature makes have the following 0o440 permissions.
Services cannot modify secrets or their permission.
By relaxing the check we allow buildbot to use secrets provided by systemd.
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
master/buildbot/secrets/providers/file.py | 2 +-
master/buildbot/test/unit/test_secret_in_file.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py
index 11daf327a..293a9f410 100644
--- a/buildbot/secrets/providers/file.py
+++ b/buildbot/secrets/providers/file.py
@@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase):
def checkFileIsReadOnly(self, dirname, secretfile):
filepath = os.path.join(dirname, secretfile)
obs_stat = stat.S_IMODE(os.stat(filepath).st_mode)
- if (obs_stat & 0o77) != 0 and os.name == "posix":
+ if (obs_stat & 0o7) != 0 and os.name == "posix":
config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open."
" It is required that your secret files are NOT"
" accessible by others!")
diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py
index 01750172d..041b9654f 100644
--- a/buildbot/test/unit/test_secret_in_file.py
+++ b/buildbot/test/unit/test_secret_in_file.py
@@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self):
if os.name != "posix":
self.skipTest("Permission checks only works on posix systems")
filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt",
- chmodRights=stat.S_IRGRP)
+ chmodRights=stat.S_IROTH)
expctd_msg_error = " on file tempfile2.txt are too " \
"open. It is required that your secret files are" \
" NOT accessible by others!"
--
2.42.0
Reference in a new issue View git blame Copy permalink