From 8e30fc811afc50bfdb00e366cb1ac00e186b0511 Mon Sep 17 00:00:00 2001
From: Simon Ruderich
Date: Mon, 17 Jun 2019 21:17:03 +0200
Subject: [PATCH] nsscash: remove write permissions of created files
---
 README | 3 ++-
 file.go | 7 ++++---
 file_test.go | 8 ++++----
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/README b/README
index d9c255f..ee1088a 100644
--- a/README
+++ b/README
@@ -28,7 +28,8 @@ Nsscash is very careful when deploying the changes:
 when all operations were successful.
 - To prevent unexpected permissions, `nsscash` does not create new files. The user must create them first and `nsscash` will then re-use the permissions
- and owner/group when updating the file (see examples below).
+ (without the write bits) and owner/group when updating the file (see
+ examples below).
 - To prevent misconfigurations, empty files (no users/groups) are not permitted and will not be written to disk. This is designed to prevent the accidental loss of all users/groups on a system.
diff --git a/file.go b/file.go
index 0857dd5..2ecab66 100644
--- a/file.go
+++ b/file.go
@@ -171,15 +171,16 @@ func deployFile(file *File) error {
 defer os.Remove(f.Name())
 defer f.Close()
- // Apply permissions/user/group from the target file, use Stat instead
- // of Lstat as only the target's permissions are relevant
+ // Apply permissions/user/group from the target file but remove the
+ // write permissions to discourage manual modifications, use Stat
+ // instead of Lstat as only the target's permissions are relevant
 stat, err := os.Stat(file.Path)
 if err != nil {
 // We do not create the path if it doesn't exist, because we do not know the proper permissions
 return errors.Wrapf(err, "file.path %q must exist", file.Path)
 }
- err = f.Chmod(stat.Mode())
+ err = f.Chmod(stat.Mode() & ^os.FileMode(0222)) // remove write perms
 if err != nil {
 return err
 }
diff --git a/file_test.go b/file_test.go
index 59cb169..f192d7a 100644
--- a/file_test.go
+++ b/file_test.go
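Review bot: The new mask on the `f.Chmod` line clears only the 0222 permission bits, so any setuid, setgid or sticky bit present on the target (`stat.Mode()` carries them as `os.ModeSetuid`, `os.ModeSetgid` and `os.ModeSticky`, and `File.Chmod` maps them back onto the new file) is still copied onto the replacement file. If only plain permissions are meant to be inherited, `err = f.Chmod(stat.Mode().Perm() &^ 0222)` restricts the copy to the permission bits and also uses the idiomatic `&^` operator in place of `& ^os.FileMode(0222)`. Whether preserving the special bits is intended is not visible here, so the alternative is a sentence in the comment above stating that they are deliberately kept. `deployFile` starts and ends outside the hunk.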
@@ -45,7 +45,7 @@ func TestDeployFile(t *testing.T) {
 }{
 {
 0644,
- 0644,
+ 0444,
 },
 {
 0400,
@@ -53,15 +53,15 @@ func TestDeployFile(t *testing.T) {
 },
 {
 0600,
- 0600,
+ 0400,
 },
 {
 0777,
- 0777,
+ 0555,
 },
 {
 0666,
- 0666,
+ 0444,
 },
 {
 0000,
-- 
2.43.2
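Review bot: The updated expectation table pins only plain permission modes, so the effect of the new write-bit mask on a target that carries a setuid, setgid or sticky bit is never exercised; a row along the lines of `{0644 | os.ModeSetgid, <expected mode>}` would pin whichever behaviour is intended, with the expected value filled in once that decision is made. The `0400` and `0000` rows appear to keep their existing expectations between the two hunks, which is consistent with the mask since neither has a write bit set. `TestDeployFile` and the table's field types are outside the hunks, so the exact literal form depends on how the test applies the mode to the target file.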