Remove the writable flag, don't set too many permission bits (#718)

Making everything 0o555 is too much, since many files in the store
are not supposed to be executable. Those should be 0o444. Instead
of splatting 0o555 out, take a more measured approach and remove
the writable flag from the on-disk mode.

src/action/base/move_unpacked_nix.rs

@@ -1,5 +1,4 @@
 use std::{
-    fs::Permissions,
     os::unix::prelude::PermissionsExt,
     path::{Path, PathBuf},
 };
@@ -110,13 +109,21 @@ impl Action for MoveUnpackedNix {
                 .map_err(|e| ActionErrorKind::Rename(entry.path(), entry_dest.to_owned(), e))
                 .map_err(Self::error)?;
 
-            let perms: Permissions = PermissionsExt::from_mode(0o555);
             for entry_item in WalkDir::new(&entry_dest)
                 .into_iter()
                 .filter_map(Result::ok)
                 .filter(|e| !e.file_type().is_symlink())
             {
-                tokio::fs::set_permissions(&entry_item.path(), perms.clone())
+                let path = entry_item.path();
+
+                let mut perms = path
+                    .metadata()
+                    .map_err(|e| ActionErrorKind::GetMetadata(path.to_owned(), e))
+                    .map_err(Self::error)?
+                    .permissions();
+                perms.set_readonly(true);
+
+                tokio::fs::set_permissions(path, perms.clone())
                     .await
                     .map_err(|e| {
                         ActionErrorKind::SetPermissions(

src/action/mod.rs

@@ -422,6 +422,8 @@ pub enum ActionErrorKind {
         std::path::PathBuf,
         #[source] std::io::Error,
     ),
+    #[error("Getting filesystem metadata for `{0}` on `{1}`")]
+    GetMetadata(std::path::PathBuf, #[source] std::io::Error),
     #[error("Set mode `{0:#o}` on `{1}`")]
     SetPermissions(u32, std::path::PathBuf, #[source] std::io::Error),
     #[error("Remove file `{0}`")]