Remove world writable from files in OOD packaged gems (#4717)

treydock · treydock · commit a05c3b49a6ba · 2025-10-27T12:40:18.000-04:00
* Remove world writable files from OOD packaged gems Fixes #4712 * Also remove global write for deb packages * Add debugging * Exclude links from the check * Move debugging output into actual check
diff --git a/packaging/deb/rules b/packaging/deb/rules
@@ -48,6 +48,7 @@ override_dh_auto_install:
 	# install gems
 	mkdir -p $(DESTDIR)/opt/ood/gems
 	mv $(GEM_HOME)/* $(DESTDIR)/opt/ood/gems
+	chmod -R o-w $(DESTDIR)/opt/ood/gems
 
 	# make some directories
 	mkdir -p "$(APACHE_DIR)/public/maintenance"
diff --git a/packaging/rpm/ondemand.spec b/packaging/rpm/ondemand.spec
@@ -338,6 +338,7 @@ touch %{_localstatedir}/www/ood/apps/sys/myjobs/tmp/restart.txt
 %{_tmpfilesdir}/ondemand-nginx.conf
 
 %files -n %{gems_name}
+%defattr(644, root, root, 755)
 %{gem_home}/*
 
 %files -n ondemand-gems
diff --git a/spec/e2e/00_package_spec.rb b/spec/e2e/00_package_spec.rb
@@ -107,4 +107,8 @@
     it { is_expected.to be_owned_by('root') }
     it { is_expected.to be_grouped_into('root') }
   end
+
+  describe command("find #{ood_gems_path} -perm /002 ! -type l -exec ls -la {} \\;") do
+    its(:stdout) { is_expected.to be_empty }
+  end
 end
diff --git a/spec/e2e/e2e_helper.rb b/spec/e2e/e2e_helper.rb
@@ -105,6 +105,15 @@ def apache_log_dir
   "/var/log/#{apache_service.split('-').first}"
 end
 
+def ood_gems_path
+  case host_inventory['platform']
+  when 'redhat'
+    return '/opt/ood/ondemand/root/usr/share/gems'
+  when 'ubuntu', 'debian'
+    return '/opt/ood/gems'
+  end
+end
+
 def install_packages(packages)
   on hosts, "#{packager} install -y #{packages.join(' ')}"
 end
