github-runner: replace mkdir -p -m with umask
`mkdir -p -m` only applies the mode on the deepest directory, which could
be a security issue, so we use umask to be more careful.
Enzime committed Nov 7, 2024
1 parent cf130aa commit 3b738c7
Showing 1 changed file with 14 additions and 8 deletions.
22 changes: 14 additions & 8 deletions modules/services/github-runner/service.nix
Expand Up @@ -48,14 +48,20 @@ in
text = mkBefore (''
echo >&2 "setting up GitHub Runner '${cfg.name}'..."
${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkStateDir cfg)}
${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkStateDir cfg)}
${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkLogDir cfg)}
${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)}
'' + optionalString (cfg.workDir == null) ''
${pkgs.coreutils}/bin/mkdir -p -m 0750 ${escapeShellArg (mkWorkDir cfg)}
${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)}
(
umask -S u=rwx,g=rx,o=
${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkStateDir cfg)}
${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkStateDir cfg)}
${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkLogDir cfg)}
${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkLogDir cfg)}
${optionalString (cfg.workDir == null) ''
${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg (mkWorkDir cfg)}
${pkgs.coreutils}/bin/chown ${user}:${group} ${escapeShellArg (mkWorkDir cfg)}
''}
)
'');
};
}));
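Review bot: the `chown` calls in this hunk still only touch the leaf directory, while `mkdir -p` now runs under a 027 umask, so any parent directory that does not yet exist is created as root-owned with mode 0750; if a parent of the state, log or work directory is missing, `${user}` will be unable to traverse it to reach the directory it owns unless it happens to be in the parent's group. Suggest either ensuring the parents exist before the subshell (outside the umask), or creating and `chown`/`chmod`-ing the parent explicitly as well. Minor style point: `-S` on `umask` selects symbolic output, not symbolic input, so `umask 027` (or `umask u=rwx,g=rx,o=` without the flag) is equivalent and slightly clearer.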