20035: Improves file/dir permission setting.
authorLucas Di Pentima <lucas.dipentima@curii.com>
Fri, 10 Feb 2023 19:10:27 +0000 (16:10 -0300)
committerLucas Di Pentima <lucas.dipentima@curii.com>
Fri, 10 Feb 2023 19:10:27 +0000 (16:10 -0300)
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

tools/salt-install/installer.sh
tools/salt-install/provision.sh

index e72786ac08d2c156bfad195c5ff47e636fe39d41..21f36faace2934007d7e404ca8ed09c9f9c64dd3 100755 (executable)
@@ -73,14 +73,12 @@ sync() {
            # and then clone a regular repository (with a checkout)
            # from that.
 
-           ssh $DEPLOY_USER@$NODE git init --bare ${GITTARGET}.git
-               ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}.git
+           ssh $DEPLOY_USER@$NODE git init --bare --shared=0600 ${GITTARGET}.git
            if ! git remote add $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git ; then
                        git remote set-url $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git
            fi
            git push $NODE $BRANCH
-           ssh $DEPLOY_USER@$NODE git clone ${GITTARGET}.git ${GITTARGET}
-               ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}
+           ssh $DEPLOY_USER@$NODE "umask 0077 && git clone ${GITTARGET}.git ${GITTARGET}"
        fi
 
        # The update case.
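Review bot: The quoted command string added for the clone is parsed by the remote login shell, and `${GITTARGET}`, `$DEPLOY_USER` and `$NODE` are expanded into it unquoted, so a path containing a space or a shell metacharacter is re-split or interpreted on the remote side. These values presumably come from the operator's own configuration, so this is a robustness point rather than an exposure. I would write it as `ssh "$DEPLOY_USER@$NODE" "umask 0077 && git clone '${GITTARGET}.git' '${GITTARGET}'"` and quote the `git init --bare --shared=0600` line the same way. The body of sync() starts and ends outside this hunk.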
@@ -174,8 +172,7 @@ case "$subcmd" in
        fi
 
        echo "Initializing $SETUPDIR"
-       git init $SETUPDIR
-       chmod 700 $SETUPDIR
+       git init --shared=0600 $SETUPDIR
        cp -r *.sh tests $SETUPDIR
 
        cp local.params.example.$PARAMS $SETUPDIR/${CONFIG_FILE}
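Review bot: `git init --shared=0600 $SETUPDIR` does not look equivalent to the removed `chmod 700 $SETUPDIR`. As far as I know, `--shared` sets `core.sharedRepository` and adjusts only the repository directory (`.git`), while the working-tree directory is created under the caller's umask. The following lines copy the scripts and `${CONFIG_FILE}` into that working tree, so with a typical 022 umask the setup directory and the parameters file would be readable by other local users. Either keep `chmod 700 $SETUPDIR` after the init, or wrap it the way the clone in sync() is wrapped, `(umask 0077 && git init --shared=0600 "$SETUPDIR")`, and confirm the result with `stat` on a fresh run. The enclosing case branch starts and ends outside this hunk.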
index 8f69a5f8a6396ff72179a7c69e1eea0a5a1ead21..86335ff8ec3d6404a58d31ebe81a0e22e66ac8f3 100755 (executable)
@@ -141,19 +141,16 @@ copy_custom_cert() {
   cert_dir=${1}
   cert_name=${2}
 
-  mkdir -p /srv/salt/certs
-  chmod 700 /srv/salt/certs
+  mkdir -p --mode=0700 /srv/salt/certs
 
   if [ -f ${cert_dir}/${cert_name}.crt ]; then
-    cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
-    chmod 600 /srv/salt/certs/arvados-${cert_name}.pem
+    install --mode=0600 ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
   else
     echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
     exit 1
   fi
   if [ -f ${cert_dir}/${cert_name}.key ]; then
-    cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
-    chmod 600 /srv/salt/certs/arvados-${cert_name}.key
+    install --mode=0600 ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
   else
     echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
     exit 1
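Review bot: `mkdir -p --mode=0700 /srv/salt/certs` applies the mode only when it creates the directory. If the directory already exists from a re-run or was created earlier with a wider mode, its permissions stay as they are, whereas the removed `chmod 700` tightened them on every run. The same applies to the identical line in the later `SSL_MODE` hunk. Because private keys are written here, keep an unconditional `chmod 0700 /srv/salt/certs` after the mkdir, or use `install -d --mode=0700 /srv/salt/certs`, which to my knowledge also resets the mode of an existing directory. Quoting the `${cert_dir}/${cert_name}` expansions in the two `install` lines would be worth doing in the same pass.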
@@ -569,12 +566,10 @@ if [ -z "${ROLES}" ]; then
     fi
     grep -q "letsencrypt" ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
   else
-    mkdir -p /srv/salt/certs
-    chmod 700 /srv/salt/certs
+    mkdir -p --mode=0700 /srv/salt/certs
     if [ "${SSL_MODE}" = "bring-your-own" ]; then
       # Copy certs to formula extra/files
-      cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
-      chmod 600 /srv/salt/certs/*
+      install --mode=0600 ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
       # We add the custom_certs state
       grep -q "custom_certs" ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
       if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
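Review bot: `install --mode=0600 ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/` is narrower than the `cp -rv` plus `chmod 600 /srv/salt/certs/*` it replaces, in two ways. `install` does not recurse, so a subdirectory under `${CUSTOM_CERTS_DIR}` is now skipped with an error instead of being copied. Files already present in `/srv/salt/certs` from an earlier run also no longer get their mode reset to 600. If the directory is meant to be flat, a comment such as `# CUSTOM_CERTS_DIR must contain only regular files; install does not recurse` would record that; otherwise keep the trailing `chmod 600 /srv/salt/certs/*`. The enclosing if/else block starts and ends outside this hunk.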