Skip to content

Set job log tempfile permissions to 644 (was 600) #3330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 3, 2025
Merged

Set job log tempfile permissions to 644 (was 600) #3330

merged 2 commits into from
Jun 3, 2025

Conversation

moskyb
Copy link
Contributor

@moskyb moskyb commented Jun 3, 2025
edited
Loading

  • Make job log tempfile world-readable

Description

Currently, when users use the --job-log-tempfile flag on the agent, the tempfile is created with 600 permissions (ie, readable and writable by the current user, unavailable to everyone else). This can be frustrating, as a primary use case for this file is ingestion by a log ingestion framework a la Cloudwatch/Stackdriver/Loki, which often run as different users.

To fix this, this PR sets the permissions on the job log tempfile to 644 (readable and writable by us, readable by everyone else). This is relatively in line with the unix permissions policy for files created by the agent, which are generally created with relatively permissive permissions (usually 777), to be reduced by the umask. Given that job logs can be somewhat sensitive, I've chosen to have an explicitly lower permission set than usual for this specific file.

Context

PS-276

Testing

  • Tests have run locally (with go test ./...). Buildkite employees may check this if the pipeline has run automatically.
  • Code is formatted (with go fmt ./...)

@moskyb moskyb requested review from DrJosh9000 and catkins June 3, 2025 23:44
DrJosh9000
DrJosh9000 approved these changes Jun 3, 2025
View reviewed changes
Copy link
Contributor

@DrJosh9000 DrJosh9000 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks so much for updating all the other octal literals!

catkins
catkins reviewed Jun 3, 2025
View reviewed changes
agent/job_runner.go
@@ -265,6 +265,12 @@ func NewJobRunner(ctx context.Context, l logger.Logger, apiClient APIClient, con
if err != nil {
return nil, err
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

os.CreateTemp ah cool, I see in the godocs the default perms

The file is created with mode 0o600 (before umask)

catkins
catkins approved these changes Jun 3, 2025
View reviewed changes
Copy link
Contributor

@catkins catkins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Thanks @moskyb.

Also, good opportunistic tidyup on the modern octal notation 👏

@moskyb moskyb merged commit ffe229b into main Jun 3, 2025
1 check passed
@moskyb moskyb deleted the job-log-tempfile-644 branch June 3, 2025 23:57
@DrJosh9000 DrJosh9000 mentioned this pull request Jun 4, 2025
Merged
@jeremybumsted jeremybumsted mentioned this pull request Jun 5, 2025
Merged
@moskyb moskyb mentioned this pull request Jun 6, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catkins catkins catkins approved these changes

@DrJosh9000 DrJosh9000 DrJosh9000 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@moskyb @catkins @DrJosh9000