puppetlabs / puppetlabs-vcsrepo

Support for source control repositories
http://forge.puppetlabs.com/puppetlabs/vcsrepo
GNU General Public License v2.0

vcsrepo: add mode attribute #598

Open robbat2 opened 1 year ago

robbat2 commented 1 year ago

Use Case

Trying to properly restrict access to repo checkouts.

Describe the Solution You Would Like

Please add a mode attribute that correctly sets the permissions on the repo basedir. The Git provider already provides the umask attribute, but if the directory already exists, it does not impact that.

vcsrepo { $title:
  ...
  owner => 'root',
  group => 'somegroup',
  mode => '0750', # permit somegroup to read but not write content.
}

Describe Alternatives You've Considered

An exec resource after the vcsrepo means a small window when the newly created directory has incorrect permissions, which may present a security risk, or cause other apps to break. The umask option only affects new files/dirs, and doesn't change the existing dir.

Additional Context

Open question: should the chmod be applied recursively to existing repos, or just the toplevel directory?

robbat2 commented 1 year ago

Self-decision: The permission should NOT be applied recursively, because repos should manage permissions of files inside them.
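The two points raised in this thread (no window between creation and chmod, and no recursion into the checkout) can be shown in a few lines of Ruby, the language the vcsrepo providers are written in. This is an added example, not code from the puppetlabs-vcsrepo module or from robbat2; the helper name `ensure_toplevel_mode` and the sample directory tree are hypothetical. It relies on the fact that mkdir(2) only ever clears bits via the umask, so a directory created with the requested mode is never wider than that mode at any point, which removes the window an exec-after-vcsrepo approach leaves.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not part of puppetlabs-vcsrepo): bring the top-level
# checkout directory to the requested mode without touching its contents.
#
# - If the directory does not exist yet, create it with the mode up front.
#   mkdir(2) can only *clear* bits via the umask, so the directory is never
#   wider than `mode` at any moment; there is no chmod-after-the-fact window.
# - If it already exists, chmod only that directory. Files and directories
#   inside the checkout are left alone, since the repo manages those.
#
# Returns :created, :changed or :in_sync so a caller (for example a Puppet
# property setter) can report whether anything was done.
def ensure_toplevel_mode(path, mode)
  unless File.directory?(path)
    Dir.mkdir(path, mode)      # umask may narrow this, never widen it
    File.chmod(mode, path)     # restore any bits the umask stripped
    return :created
  end

  current = File.stat(path).mode & 0o7777
  return :in_sync if current == mode

  File.chmod(mode, path)       # non-recursive: top-level directory only
  :changed
end

# Permission bits of a path as an integer, for inspection and tests.
def mode_of(path)
  File.stat(path).mode & 0o7777
end

# Demonstration on a throw-away tree (constructed sample, not a real repo).
def demo
  Dir.mktmpdir('vcsrepo-mode') do |tmp|
    repo = File.join(tmp, 'checkout')

    # Fresh path: created at 0750 directly, no intermediate wider mode.
    first = ensure_toplevel_mode(repo, 0o750)

    # Simulate a pre-existing checkout with wide-open permissions, holding a
    # file whose mode the repository itself is responsible for.
    inner = File.join(repo, 'script.sh')
    File.write(inner, "#!/bin/sh\necho hi\n")
    File.chmod(0o755, inner)
    File.chmod(0o755, repo)

    second = ensure_toplevel_mode(repo, 0o750) # corrects the top level only
    third  = ensure_toplevel_mode(repo, 0o750) # already in sync, no-op

    { first: first, second: second, third: third,
      top: mode_of(repo), inner: mode_of(inner) }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The inner file keeps its 0755 mode after the second call, which is the non-recursive behaviour decided on above; a recursive chmod would have silently clobbered executable bits the repository checks in.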