Remove world writable files from OOD packaged gems

treydock · treydock · commit d543bc193309 · 2025-10-23T15:51:18.000-04:00
Fixes #4712
diff --git a/packaging/rpm/ondemand.spec b/packaging/rpm/ondemand.spec
@@ -341,6 +341,7 @@ touch %{_localstatedir}/www/ood/apps/sys/myjobs/tmp/restart.txt
 %{_tmpfilesdir}/ondemand-nginx.conf
 
 %files -n %{gems_name}
+%defattr(644, root, root, 755)
 %{gem_home}/*
 
 %files -n ondemand-gems
diff --git a/spec/e2e/00_package_spec.rb b/spec/e2e/00_package_spec.rb
@@ -107,4 +107,8 @@
     it { is_expected.to be_owned_by('root') }
     it { is_expected.to be_grouped_into('root') }
   end
+
+  describe command("find #{ood_gems_path} -perm /002") do
+    its(:stdout) { is_expected.to be_empty }
+  end
 end
diff --git a/spec/e2e/e2e_helper.rb b/spec/e2e/e2e_helper.rb
@@ -103,6 +103,15 @@ def apache_log_dir
   "/var/log/#{apache_service.split('-').first}"
 end
 
+def ood_gems_path
+  case host_inventory['platform']
+  when 'redhat'
+    return '/opt/ood/ondemand/root/usr/share/gems'
+  when 'ubuntu', 'debian'
+    return '/opt/ood/gems'
+  end
+end
+
 def install_packages(packages)
   on hosts, "#{packager} install -y #{packages.join(' ')}"
 end
