Merge pull request #4732 from OSC/rm-world-write-4.0

johrstrom · web-flow · commit 3014bc3abf03 · 2025-10-28T10:56:59.000-04:00
Remove world writable from files in OOD packaged gems (release 4.0)
diff --git a/packaging/deb/rules b/packaging/deb/rules
@@ -48,6 +48,7 @@ override_dh_auto_install:
 	# install gems
 	mkdir -p $(DESTDIR)/opt/ood/gems
 	mv $(GEM_HOME)/* $(DESTDIR)/opt/ood/gems
+	chmod -R o-w $(DESTDIR)/opt/ood/gems
 
 	# make some directories
 	mkdir -p "$(APACHE_DIR)/public/maintenance"
diff --git a/packaging/rpm/ondemand.spec b/packaging/rpm/ondemand.spec
@@ -338,6 +338,7 @@ touch %{_localstatedir}/www/ood/apps/sys/myjobs/tmp/restart.txt
 %{_tmpfilesdir}/ondemand-nginx.conf
 
 %files -n %{gems_name}
+%defattr(644, root, root, 755)
 %{gem_home}/*
 
 %files -n ondemand-gems
diff --git a/spec/e2e/00_package_spec.rb b/spec/e2e/00_package_spec.rb
@@ -107,4 +107,8 @@
     it { is_expected.to be_owned_by('root') }
     it { is_expected.to be_grouped_into('root') }
   end
+
+  describe command("find #{ood_gems_path} -perm /002 ! -type l -exec ls -la {} \\;") do
+    its(:stdout) { is_expected.to be_empty }
+  end
 end
diff --git a/spec/e2e/e2e_helper.rb b/spec/e2e/e2e_helper.rb
@@ -105,6 +105,15 @@ def apache_log_dir
   "/var/log/#{apache_service.split('-').first}"
 end
 
+def ood_gems_path
+  case host_inventory['platform']
+  when 'redhat'
+    return '/opt/ood/ondemand/root/usr/share/gems'
+  when 'ubuntu', 'debian'
+    return '/opt/ood/gems'
+  end
+end
+
 def install_packages(packages)
   on hosts, "#{packager} install -y #{packages.join(' ')}"
 end
diff --git a/spec/e2e/nodesets/amzn2023.yml b/spec/e2e/nodesets/amzn2023.yml
@@ -4,7 +4,7 @@ HOSTS:
       - agent
     platform: el-9-x86_64
     hypervisor: docker
-    image: amazonlinux:2023
+    image: amazonlinux:2023.8.20250908.0
     docker_preserve_image: true
     docker_cmd:
       - '/usr/sbin/init'
