when all operations were successful.
- To prevent unexpected permissions, `nsscash` does not create new files. The
user must create them first and `nsscash` will then re-use the permissions
- and owner/group when updating the file (see examples below).
+ (without the write bits) and owner/group when updating the file (see
+ examples below).
- To prevent misconfigurations, empty files (no users/groups) are not
permitted and will not be written to disk. This is designed to prevent the
accidental loss of all users/groups on a system.
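Review bot: The added README wording "(without the write bits)" states the new behaviour but not the reason for it, and does not tell users what will happen to the file they created themselves. The code comment in the same change gives the reason (to discourage manual modifications); consider repeating it here and saying explicitly that a file created with, for example, mode 0644 will have mode 0444 after the first update, so that an administrator who notices the mode change does not treat it as a fault.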
defer os.Remove(f.Name())
defer f.Close()
- // Apply permissions/user/group from the target file, use Stat instead
- // of Lstat as only the target's permissions are relevant
+ // Apply permissions/user/group from the target file but remove the
+ // write permissions to discourage manual modifications, use Stat
+ // instead of Lstat as only the target's permissions are relevant
stat, err := os.Stat(file.Path)
if err != nil {
// We do not create the path if it doesn't exist, because we
// do not know the proper permissions
return errors.Wrapf(err, "file.path %q must exist", file.Path)
}
- err = f.Chmod(stat.Mode())
+ err = f.Chmod(stat.Mode() & ^os.FileMode(0222)) // remove write perms
if err != nil {
return err
}
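Review bot: On the `f.Chmod(...)` line, `stat.Mode() & ^os.FileMode(0222)` is correct, but Go has a dedicated AND NOT operator, so `stat.Mode() &^ 0222` expresses the same mask more idiomatically, and the trailing `// remove write perms` comment then only repeats the block comment above. That block comment also joins two unrelated points with a comma (why the write bits are dropped, and why Stat is used rather than Lstat); splitting them into two sentences would make each easier to find. Since the comment says the mask is meant to "discourage" edits, it would help to note there that it is a deterrent only, because the file's owner can change the mode back.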