deploy/cli: fix /etc/pipekit permissions so non-root group members can write secrets
- deploy.sh: set /etc/pipekit to root:pipekit 0775 and secrets.env to pipekit:pipekit 0640 so group members can run 'pipekit secrets set' without sudo - cli.py secrets set: drop os.chown() on temp file — non-root users can't chown to the pipekit service user, and os.replace() preserves the target file's ownership anyway Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
31135cf5be
commit
f8490a2d4f
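--- a/deploy.sh
+++ b/deploy.sh
@@ -129,11 +129,12 @@ echo " $LAUNCHER -> $REPO_DIR/bin/pipekit"
 
 # ── 6. Secrets file ───────────────────────────────────────────────────────────
 step "Secrets file"
-install -d -m 0755 "$CONFIG_DIR"
+install -d -m 0775 "$CONFIG_DIR"
+chown "root:$SERVICE_NAME" "$CONFIG_DIR"
 if [ ! -f "$SECRETS_FILE" ]; then
   echo " Creating $SECRETS_FILE (mode 0640, group $SERVICE_NAME)"
   install -m 0640 /dev/null "$SECRETS_FILE"
-  chown "root:$SERVICE_NAME" "$SECRETS_FILE"
+  chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE"
   cat > "$SECRETS_FILE" <<'EOF'
 # pipekit secrets — loaded by the systemd unit as EnvironmentFile.
 # Connection passwords are stored as $KEY references in the DB.
@@ -141,9 +142,9 @@ if [ ! -f "$SECRETS_FILE" ]; then
 EOF
 else
   echo " $SECRETS_FILE already exists — keeping contents."
-  chown "root:$SERVICE_NAME" "$SECRETS_FILE"
+  chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE"
   chmod 0640 "$SECRETS_FILE"
-  echo " Permissions ensured: 0640 group $SERVICE_NAME."
+  echo " Permissions ensured: 0640 owner $SERVICE_NAME."
 fi
 
 # ── 7. Schema init ────────────────────────────────────────────────────────────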
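Review bot: `install -d -m 0775 "$CONFIG_DIR"` plus `chown "root:$SERVICE_NAME" "$CONFIG_DIR"` lets any pipekit group member replace every file in $CONFIG_DIR, not only $SECRETS_FILE, because rename into a group-writable directory needs no permission on the target; if anything else the service loads lives there, that is a wider trust boundary than the description states and deserves a comment such as `# group-writable so 'pipekit secrets set' can rename over secrets.env; keep only the secrets file here`. The mode also lacks the setgid bit, so a file a group member creates in the directory gets that member's primary group rather than $SERVICE_NAME, and the new `chown "$SERVICE_NAME:$SERVICE_NAME"` lines only cover files deploy.sh itself creates. `install -d -m 2775 "$CONFIG_DIR"` would make later writes inherit the group; the cli.py hunk below is where the missing group actually bites.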
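--- a/cli.py
+++ b/cli.py
@@ -226,7 +226,6 @@ def cmd_secrets_set(args) -> int:
     if os.path.exists(path):
         st = os.stat(path)
         os.chmod(tmp, stat.S_IMODE(st.st_mode))
-        os.chown(tmp, st.st_uid, st.st_gid)
     else:
         os.chmod(tmp, 0o640)
     os.replace(tmp, path)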
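Review bot: Removing `os.chown(tmp, st.st_uid, st.st_gid)` with no replacement leaves the secrets file owned by the invoking user and that user's primary group, since os.replace() swaps the directory entry while the new inode keeps the uid/gid of whoever created tmp — the description's claim that ownership is preserved does not hold. With mode 0640 copied from st_mode and the group no longer $SERVICE_NAME, the service user can lose read access to its own EnvironmentFile the first time a non-root group member runs `secrets set`. A non-root owner may change a file's group to one they belong to, so the group can still be kept: `os.chown(tmp, -1, st.st_gid)` in the exists branch, and the same group in the else branch if it is known there (I cannot see where tmp is created or whether its directory has the setgid bit). cmd_secrets_set begins before this hunk.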