Allow the configuration of filesystem permissions.

cenkalti · Jul 13, 2022 · 9e6543a · 9e6543a
1 parent 2da41d4
commit 9e6543a
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 12 deletions.
diff --git a/internal/storage/filestorage/filestorage.go b/internal/storage/filestorage/filestorage.go
@@ -2,6 +2,7 @@
 package filestorage
 
 import (
+ "io/fs"
  "os"
  "path/filepath"
 
@@ -11,16 +12,17 @@ import (
 // FileStorage implements Storage interface for saving files on disk.
 type FileStorage struct {
  dest string
+ perm fs.FileMode
 }
 
 // New returns a new FileStorage at the destination.
-func New(dest string) (*FileStorage, error) {
+func New(dest string, perm fs.FileMode) (*FileStorage, error) {
  var err error
  dest, err = filepath.Abs(dest)
  if err != nil {
  return nil, err
  }
- return &FileStorage{dest: dest}, nil
+ return &FileStorage{dest: dest, perm: perm}, nil
 }
 
 var _ storage.Storage = (*FileStorage)(nil)
@@ -33,7 +35,7 @@ func (s *FileStorage) Open(name string, size int64) (f storage.File, exists bool
  name = filepath.Join(s.dest, name)
 
  // Create containing dir if not exists.
- err = os.MkdirAll(filepath.Dir(name), os.ModeDir|0o750)
+ err = os.MkdirAll(filepath.Dir(name), os.ModeDir|s.perm)
  if err != nil {
  return
  }
@@ -52,7 +54,7 @@ func (s *FileStorage) Open(name string, size int64) (f storage.File, exists bool
  }()
 
  // Open OS file.
- const mode = 0o640
+ var mode = s.perm &^ 0111
  openFlags := os.O_RDWR | os.O_SYNC
  openFlags = applyNoAtimeFlag(openFlags)
  of, err = os.OpenFile(name, openFlags, mode)

diff --git a/torrent/config.go b/torrent/config.go
@@ -1,6 +1,7 @@
 package torrent
 
 import (
+ "io/fs"
  "time"
 
  "github.com/cenkalti/rain/internal/metainfo"
@@ -75,6 +76,8 @@ type Config struct {
  HealthCheckInterval time.Duration
  // If torrent loop is stuck for more than this duration. Program crashes with stacktrace.
  HealthCheckTimeout time.Duration
+ // The unix permission of created files, execute bit is removed for files
+ FilePermissions fs.FileMode
 
  // Enable RPC server
  RPCEnabled bool
@@ -220,6 +223,7 @@ var DefaultConfig = Config{
  ResumeOnStartup: true,
  HealthCheckInterval: 10 * time.Second,
  HealthCheckTimeout: 60 * time.Second,
+ FilePermissions: 0o750,
 
  // RPC Server
  RPCEnabled: true,

diff --git a/torrent/session.go b/torrent/session.go
@@ -95,12 +95,12 @@ func NewSession(cfg Config) (*Session, error) {
  if err != nil {
  return nil, err
  }
- err = os.MkdirAll(filepath.Dir(cfg.Database), 0750)
+ err = os.MkdirAll(filepath.Dir(cfg.Database), os.ModeDir|cfg.FilePermissions)
  if err != nil {
  return nil, err
  }
  l := logger.New("session")
- db, err := bbolt.Open(cfg.Database, 0640, &bbolt.Options{Timeout: time.Second})
+ db, err := bbolt.Open(cfg.Database, cfg.FilePermissions&^0111, &bbolt.Options{Timeout: time.Second})
  if err == bbolt.ErrTimeout {
  return nil, errors.New("resume database is locked by another process")
  } else if err != nil {

diff --git a/torrent/session_add.go b/torrent/session_add.go
@@ -266,7 +266,7 @@ func (s *Session) add(opt *AddTorrentOptions) (id string, port int, sto *filesto
  }
  id = base64.RawURLEncoding.EncodeToString(u1[:])
  }
- sto, err = filestorage.New(s.getDataDir(id))
+ sto, err = filestorage.New(s.getDataDir(id), s.config.FilePermissions)
  if err != nil {
  return
  }

diff --git a/torrent/session_load.go b/torrent/session_load.go
@@ -73,7 +73,7 @@ func (s *Session) loadExistingTorrent(id string) (tt *Torrent, hasStarted bool,
  bf = bf3
  }
  }
- sto, err := filestorage.New(s.getDataDir(id))
+ sto, err := filestorage.New(s.getDataDir(id), s.config.FilePermissions)
  if err != nil {
  return
  }

diff --git a/torrent/session_rpc_handler.go b/torrent/session_rpc_handler.go
@@ -7,6 +7,7 @@ import (
  "encoding/json"
  "errors"
  "io"
+ "io/fs"
  "io/ioutil"
  "net/http"
  "os"
@@ -514,7 +515,7 @@ func (h *rpcHandler) handleMoveTorrent(w http.ResponseWriter, r *http.Request) {
  http.Error(w, "data expected in multipart form", http.StatusBadRequest)
  return
  }
- err = readData(p, h.session.getDataDir(id))
+ err = readData(p, h.session.getDataDir(id), h.session.config.FilePermissions)
  if err != nil {
  h.session.log.Error(err)
  http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -543,7 +544,7 @@ func (h *rpcHandler) handleMoveTorrent(w http.ResponseWriter, r *http.Request) {
  success = true
 }
 
-func readData(r io.Reader, dir string) error {
+func readData(r io.Reader, dir string, perm fs.FileMode) error {
  tr := tar.NewReader(r)
  for {
  hdr, err := tr.Next()
@@ -554,7 +555,7 @@ func readData(r io.Reader, dir string) error {
  return err
  }
  name := filepath.Join(dir, hdr.Name)
- err = os.MkdirAll(filepath.Dir(name), os.ModeDir|0750)
+ err = os.MkdirAll(filepath.Dir(name), os.ModeDir|perm)
  if err != nil {
  return err
  }

diff --git a/torrent/torrent_test.go b/torrent/torrent_test.go
@@ -74,7 +74,7 @@ func seeder(t *testing.T, clearTrackers bool) (addr string, c func()) {
  }
  src := filepath.Join(torrentDataDir, torrentName)
  dst := filepath.Join(s.config.DataDir, tor.ID(), torrentName)
- err = os.Mkdir(filepath.Join(s.config.DataDir, tor.ID()), os.ModeDir|0750)
+ err = os.Mkdir(filepath.Join(s.config.DataDir, tor.ID()), os.ModeDir|s.config.FilePermissions)
  if err != nil {
  t.Fatal(err)
  }