Use Case
Trying to properly restrict access to repo checkouts.
Describe the Solution You Would Like
Please add a mode attribute that correctly sets the permissions on the repo basedir. The Git provider already provides the umask attribute, but if the directory already exists, it does not impact that.
vcsrepo { $title:
  ...
  owner => 'root',
  group => 'somegroup',
  mode  => '0750', # permit somegroup to read but not write content.
}
Describe Alternatives You've Considered
An exec resource after the vcsrepo means a small window when the newly created directory has incorrect permissions, which may present a security risk, or cause other apps to break. The umask option only affects new files/dirs, and doesn't change the existing dir.
Additional Context
Open question: should the chmod be applied recursively to existing repos, or just the top-level directory?
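The umask and exec behaviour described in this request can be reproduced with the following added example, which is not code from the issue or from the vcsrepo module. `simulate_checkout` is a hypothetical stand-in for a checkout (no VCS is invoked) and all paths are temporary directories constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration; helper names and paths are constructed for this example.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-in for a checkout into $1 under umask $2: create the base directory
# only if it is missing, then write one file into it.
simulate_checkout() (
  umask "$2"
  mkdir -p "$1"
  : > "$1/README"
)

# Base directory already exists as 0755: umask 027 restricts the new file
# but leaves the existing directory untouched.
# Prints "<directory mode> <file mode>".
existing_dir_case() (
  tmp=$(mktemp -d)
  mkdir "$tmp/repo" && chmod 0755 "$tmp/repo"
  simulate_checkout "$tmp/repo" 027
  echo "$(mode_of "$tmp/repo") $(mode_of "$tmp/repo/README")"
  rm -rf "$tmp"
)

# Base directory does not exist yet: umask 027 applies to it as well.
new_dir_case() (
  tmp=$(mktemp -d)
  simulate_checkout "$tmp/repo" 027
  echo "$(mode_of "$tmp/repo") $(mode_of "$tmp/repo/README")"
  rm -rf "$tmp"
)

# exec-style follow-up chmod: the directory is observable with its wider
# mode between the checkout and the chmod.
# Prints "<mode during the window> <mode after chmod>".
follow_up_chmod_case() (
  tmp=$(mktemp -d)
  simulate_checkout "$tmp/repo" 022
  during=$(mode_of "$tmp/repo")
  chmod 0750 "$tmp/repo"
  echo "$during $(mode_of "$tmp/repo")"
  rm -rf "$tmp"
)

echo "existing dir, umask 027: $(existing_dir_case)"
echo "new dir, umask 027:      $(new_dir_case)"
echo "chmod after checkout:    $(follow_up_chmod_case)"
```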