fix: make cache files in base/ (*.mo) not executable (#3282)

The Motoko base library files in the cache don't need to be, and shouldn't be, executable.
dfinity · Aug 6, 2023 · 77093ff · 77093ff
1 parent 8d3bc7f
commit 77093ff
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,8 @@ Use `dfx deploy --playground` to deploy simple projects to a canister borrowed f
 
 For example, `dfx deploy --ic` rather than `dfx deploy --network ic`.
 
+### fix: Motoko base library files in cache are no longer executable
+
 ## Dependencies
 
 ### Frontend canister

diff --git a/e2e/tests-dfx/dfx_install.bash b/e2e/tests-dfx/dfx_install.bash
@@ -54,6 +54,16 @@ teardown() {
     assert_command dfx cache install
 }
 
+@test "Motoko base library files are not executable" {
+    assert_command dfx cache install
+    for file in "$(dfx cache show)"/base/*.mo; do
+        assert_command_fail test -x "$file"
+        assert_command_fail "$file"
+        assert_contains "Permission denied"
+    done
+}
+
+
 @test "forced install overwrites a cached version" {
     assert_command dfx cache install
     test -f "$(dfx cache show)"/dfx

diff --git a/src/dfx/src/config/cache.rs b/src/dfx/src/config/cache.rs
@@ -20,6 +20,8 @@ use std::path::PathBuf;
 // POSIX permissions for files in the cache.
 #[cfg(unix)]
 const EXEC_READ_USER_ONLY_PERMISSION: u32 = 0o500;
+#[cfg(unix)]
+const READ_USER_ONLY_PERMISSION: u32 = 0o400;
 
 pub struct DiskBasedCache {
     version: Version,
@@ -113,10 +115,15 @@ pub fn install_version(v: &str, force: bool) -> Result<PathBuf, CacheError> {
             #[cfg(unix)]
             {
                 let archive_path = dfx_core::fs::get_archive_path(&file)?;
+                let mode = if archive_path.starts_with("base/") {
+                    READ_USER_ONLY_PERMISSION
+                } else {
+                    EXEC_READ_USER_ONLY_PERMISSION
+                };
                 let full_path = temp_p.join(archive_path);
                 let mut perms = dfx_core::fs::read_permissions(full_path.as_path())
                     .map_err(UnifiedIoError::from)?;
-                perms.set_mode(EXEC_READ_USER_ONLY_PERMISSION);
+                perms.set_mode(mode);
                 dfx_core::fs::set_permissions(full_path.as_path(), perms)
                     .map_err(UnifiedIoError::from)?;
             }