From f8490a2d4f7d0fb80cd395d8237af8d6f1f67449 Mon Sep 17 00:00:00 2001 From: Paul Trowbridge Date: Thu, 4 Jun 2026 13:35:06 -0400 Subject: [PATCH] deploy/cli: fix /etc/pipekit permissions so non-root group members can write secrets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - deploy.sh: set /etc/pipekit to root:pipekit 0775 and secrets.env to pipekit:pipekit 0640 so group members can run 'pipekit secrets set' without sudo - cli.py secrets set: drop os.chown() on temp file — non-root users can't chown to the pipekit service user, and os.replace() preserves the target file's ownership anyway Co-Authored-By: Claude Sonnet 4.6 (1M context) --- deploy.sh | 9 +++++---- pipekit/cli.py | 1 - 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/deploy.sh b/deploy.sh index 2e1005a..848f60c 100755 --- a/deploy.sh +++ b/deploy.sh @@ -129,11 +129,12 @@ echo " $LAUNCHER -> $REPO_DIR/bin/pipekit" # ── 6. Secrets file ─────────────────────────────────────────────────────────── step "Secrets file" -install -d -m 0755 "$CONFIG_DIR" +install -d -m 0775 "$CONFIG_DIR" +chown "root:$SERVICE_NAME" "$CONFIG_DIR" if [ ! -f "$SECRETS_FILE" ]; then echo " Creating $SECRETS_FILE (mode 0640, group $SERVICE_NAME)" install -m 0640 /dev/null "$SECRETS_FILE" - chown "root:$SERVICE_NAME" "$SECRETS_FILE" + chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE" cat > "$SECRETS_FILE" <<'EOF' # pipekit secrets — loaded by the systemd unit as EnvironmentFile. # Connection passwords are stored as $KEY references in the DB. @@ -141,9 +142,9 @@ if [ ! -f "$SECRETS_FILE" ]; then EOF else echo " $SECRETS_FILE already exists — keeping contents." - chown "root:$SERVICE_NAME" "$SECRETS_FILE" + chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE" chmod 0640 "$SECRETS_FILE" - echo " Permissions ensured: 0640 group $SERVICE_NAME." + echo " Permissions ensured: 0640 owner $SERVICE_NAME." fi # ── 7. Schema init ──────────────────────────────────────────────────────────── diff --git a/pipekit/cli.py b/pipekit/cli.py index 5dcea57..b7ec900 100644 --- a/pipekit/cli.py +++ b/pipekit/cli.py @@ -226,7 +226,6 @@ def cmd_secrets_set(args) -> int: if os.path.exists(path): st = os.stat(path) os.chmod(tmp, stat.S_IMODE(st.st_mode)) - os.chown(tmp, st.st_uid, st.st_gid) else: os.chmod(tmp, 0o640) os.replace(tmp, path)