deploy/cli: fix /etc/pipekit permissions so non-root group members can write secrets

- deploy.sh: set /etc/pipekit to root:pipekit 0775 and secrets.env to
  pipekit:pipekit 0640 so group members can run 'pipekit secrets set'
  without sudo
- cli.py secrets set: drop os.chown() on temp file — non-root users
  can't chown to the pipekit service user, and os.replace() preserves
  the target file's ownership anyway

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Paul Trowbridge 2026-06-04 13:35:06 -04:00
parent 31135cf5be
commit f8490a2d4f
2 changed files with 5 additions and 5 deletions


@ -129,11 +129,12 @@ echo " $LAUNCHER -> $REPO_DIR/bin/pipekit"
# ── 6. Secrets file ───────────────────────────────────────────────────────────
step "Secrets file"
install -d -m 0755 "$CONFIG_DIR"
install -d -m 0775 "$CONFIG_DIR"
chown "root:$SERVICE_NAME" "$CONFIG_DIR"
if [ ! -f "$SECRETS_FILE" ]; then
echo " Creating $SECRETS_FILE (mode 0640, group $SERVICE_NAME)"
install -m 0640 /dev/null "$SECRETS_FILE"
chown "root:$SERVICE_NAME" "$SECRETS_FILE"
chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE"
cat > "$SECRETS_FILE" <<'EOF'
# pipekit secrets — loaded by the systemd unit as EnvironmentFile.
# Connection passwords are stored as $KEY references in the DB.
@ -141,9 +142,9 @@ if [ ! -f "$SECRETS_FILE" ]; then
EOF
else
echo " $SECRETS_FILE already exists — keeping contents."
chown "root:$SERVICE_NAME" "$SECRETS_FILE"
chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE"
chmod 0640 "$SECRETS_FILE"
echo " Permissions ensured: 0640 group $SERVICE_NAME."
echo " Permissions ensured: 0640 owner $SERVICE_NAME."
fi
# ── 7. Schema init ────────────────────────────────────────────────────────────
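Review bot: The new `install -d -m 0775 "$CONFIG_DIR"` line makes the directory group-writable without the setgid bit, so a file that a group member creates or renames into place there normally takes that user's primary group rather than $SERVICE_NAME, and mode 0640 then shuts out the other group members. Setting the bit and the ownership in one step keeps the group stable: `install -d -m 2775 -o root -g "$SERVICE_NAME" "$CONFIG_DIR"`. The two chown lines that switch the file to `$SERVICE_NAME:$SERVICE_NAME` also give the service account write access to the file that the heredoc comment says systemd loads as EnvironmentFile. If the service only needs to read it, `root:$SERVICE_NAME` was the tighter setting, and a comment saying why the owner changed would help the next reader. The first hunk's `if` body continues into a heredoc that lies outside the hunk.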


@ -226,7 +226,6 @@ def cmd_secrets_set(args) -> int:
if os.path.exists(path):
st = os.stat(path)
os.chmod(tmp, stat.S_IMODE(st.st_mode))
os.chown(tmp, st.st_uid, st.st_gid)
else:
os.chmod(tmp, 0o640)
os.replace(tmp, path)
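Review bot: With `os.chown(tmp, st.st_uid, st.st_gid)` removed, the file that `os.replace(tmp, path)` puts in place carries the owner and group of whoever created tmp, because a rename installs the temp file's inode and inherits nothing from the target it replaces. A root caller would then leave the secrets file as root:root 0640, and a group member would leave it under their own uid and, unless the directory is setgid, their primary group, so other readers of the file can lose access. Keeping the chown and falling back to a group-only change when the caller lacks privilege preserves the old result for root and keeps the group for everyone else. The creation of tmp is outside the hunk, so this assumes the calling user creates it; cmd_secrets_set also starts before the hunk.

```python
os.chmod(tmp, stat.S_IMODE(st.st_mode))
try:
    os.chown(tmp, st.st_uid, st.st_gid)
except PermissionError:
    # Unprivileged caller: the uid cannot be handed back, but the group
    # can, so the file's existing group readers keep their access.
    os.chown(tmp, -1, st.st_gid)
# … unchanged: else branch (chmod 0o640) and os.replace(tmp, path) …
```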