diff --git a/cmd/thanos/downsample.go b/cmd/thanos/downsample.go
index c9187c78c2..1093860b4b 100644
--- a/cmd/thanos/downsample.go
+++ b/cmd/thanos/downsample.go
@@ -162,7 +162,7 @@ func downsampleBucket(
 dir string,
 hashFunc metadata.HashFunc,
 ) (rerr error) {
- if err := os.MkdirAll(dir, 0777); err != nil {
+ if err := os.MkdirAll(dir, 0750); err != nil {
 return errors.Wrap(err, "create dir")
 }
diff --git a/cmd/thanos/receive.go b/cmd/thanos/receive.go
index b67fd8f1f9..f0c4bbad66 100644
--- a/cmd/thanos/receive.go
+++ b/cmd/thanos/receive.go
@@ -652,7 +652,7 @@ func migrateLegacyStorage(logger log.Logger, dataDir, defaultTenantID string) er
 return errors.Wrapf(err, "read legacy data dir: %v", dataDir)
 }
- if err := os.MkdirAll(defaultTenantDataDir, 0777); err != nil {
+ if err := os.MkdirAll(defaultTenantDataDir, 0750); err != nil {
 return errors.Wrapf(err, "create default tenant data dir: %v", defaultTenantDataDir)
 }
diff --git a/pkg/block/block.go b/pkg/block/block.go
index c77f8792f5..3f17271ff0 100644
--- a/pkg/block/block.go
+++ b/pkg/block/block.go
@@ -47,7 +47,7 @@ const (
 // have a hash calculated in the meta file and it matches with what is in the destination path then
 // we do not download it. We always re-download the meta file.
 func Download(ctx context.Context, logger log.Logger, bucket objstore.Bucket, id ulid.ULID, dst string) error {
- if err := os.MkdirAll(dst, 0777); err != nil {
+ if err := os.MkdirAll(dst, 0750); err != nil {
 return errors.Wrap(err, "create dir")
 }
diff --git a/pkg/block/indexheader/binary_reader.go b/pkg/block/indexheader/binary_reader.go
index 0acd2352b8..e12a9405ad 100644
--- a/pkg/block/indexheader/binary_reader.go
+++ b/pkg/block/indexheader/binary_reader.go
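Review bot: `os.MkdirAll(dir, 0750)` in `downsampleBucket` (cmd/thanos/downsample.go) sets the mode only on directories it has to create, and the process umask is still applied, so a directory left behind by an earlier release keeps whatever wider mode it already has. If existing installs are meant to end up tightened as well, that needs an explicit `os.Chmod` after the call or a line in the upgrade notes; a comment such as `// Mode applies only to newly created directories; existing ones are left as they are.` would at least record the limit. The same holds for the other `MkdirAll` hunks in this diff (receive.go, block.go, writer.go, compact.go, downsample/downsample.go, objstore.go, multitsdb.go, shipper.go, store/bucket.go). The function body continues outside the hunk.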
@@ -295,7 +295,7 @@ type FileWriter struct {
 // TODO(bwplotka): Added size to method, upstream this.
 func NewFileWriter(name string, size int) (*FileWriter, error) {
- f, err := os.OpenFile(filepath.Clean(name), os.O_CREATE|os.O_RDWR, 0666)
+ f, err := os.OpenFile(filepath.Clean(name), os.O_CREATE|os.O_RDWR, 0600)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/block/writer.go b/pkg/block/writer.go
index 995d8f72ae..38455e3e9f 100644
--- a/pkg/block/writer.go
+++ b/pkg/block/writer.go
@@ -78,7 +78,7 @@ func NewDiskWriter(ctx context.Context, logger log.Logger, bDir string) (_ *Disk
 if err = os.RemoveAll(bTmp); err != nil {
 return nil, err
 }
- if err = os.MkdirAll(bTmp, 0777); err != nil {
+ if err = os.MkdirAll(bTmp, 0750); err != nil {
 return nil, err
 }
diff --git a/pkg/compact/compact.go b/pkg/compact/compact.go
index 4801ca640d..58388a652f 100644
--- a/pkg/compact/compact.go
+++ b/pkg/compact/compact.go
@@ -501,7 +501,7 @@ func (cg *Group) Compact(ctx context.Context, dir string, planner Planner, comp
 }
 }()
- if err := os.MkdirAll(subDir, 0777); err != nil {
+ if err := os.MkdirAll(subDir, 0750); err != nil {
 return false, ulid.ULID{}, errors.Wrap(err, "create compaction group dir")
 }
diff --git a/pkg/compact/downsample/downsample.go b/pkg/compact/downsample/downsample.go
index 8d271b3ee6..eb666f9b1f 100644
--- a/pkg/compact/downsample/downsample.go
+++ b/pkg/compact/downsample/downsample.go
@@ -66,7 +66,7 @@ func Downsample(
 // Create block directory to populate with chunks, meta and index files into.
 blockDir := filepath.Join(dir, uid.String())
- if err := os.MkdirAll(blockDir, 0777); err != nil {
+ if err := os.MkdirAll(blockDir, 0750); err != nil {
 return id, errors.Wrap(err, "mkdir block dir")
 }
diff --git a/pkg/objstore/filesystem/filesystem.go b/pkg/objstore/filesystem/filesystem.go
index 17e9aad9ea..6f5ccb6f6e 100644
--- a/pkg/objstore/filesystem/filesystem.go
+++ b/pkg/objstore/filesystem/filesystem.go
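Review bot: In `NewFileWriter` (pkg/block/indexheader/binary_reader.go) the `0600` only takes effect when `os.OpenFile` creates the file; with `os.O_CREATE|os.O_RDWR` and no `os.O_EXCL`, a file that already exists at `name` is opened as it is and keeps its previous mode. If callers always pass a fresh path, which the hunk does not show, adding `os.O_EXCL` to the flags would enforce that; otherwise a comment like `// 0600 applies on creation only; a pre-existing file keeps its mode.` is enough. The function body continues outside the hunk.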
@@ -145,7 +145,7 @@ func (b *Bucket) GetRange(_ context.Context, name string, off, length int64) (io
 return nil, errors.Wrapf(err, "stat %s", file)
 }
- f, err := os.OpenFile(filepath.Clean(file), os.O_RDONLY, 0666)
+ f, err := os.OpenFile(filepath.Clean(file), os.O_RDONLY, 0600)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/objstore/objstore.go b/pkg/objstore/objstore.go
index f9f9e10df8..c7f54f23ad 100644
--- a/pkg/objstore/objstore.go
+++ b/pkg/objstore/objstore.go
@@ -249,7 +249,7 @@ func DownloadFile(ctx context.Context, logger log.Logger, bkt BucketReader, src,
 // DownloadDir downloads all object found in the directory into the local directory.
 func DownloadDir(ctx context.Context, logger log.Logger, bkt BucketReader, originalSrc, src, dst string, ignoredPaths ...string) error {
- if err := os.MkdirAll(dst, 0777); err != nil {
+ if err := os.MkdirAll(dst, 0750); err != nil {
 return errors.Wrap(err, "create dir")
 }
diff --git a/pkg/receive/multitsdb.go b/pkg/receive/multitsdb.go
index 13240aa9ae..5af9cfdabb 100644
--- a/pkg/receive/multitsdb.go
+++ b/pkg/receive/multitsdb.go
@@ -117,7 +117,7 @@ func (t *tenant) set(storeTSDB *store.TSDBStore, tenantTSDB *tsdb.DB, ship *ship
 }
 func (t *MultiTSDB) Open() error {
- if err := os.MkdirAll(t.dataDir, 0777); err != nil {
+ if err := os.MkdirAll(t.dataDir, 0750); err != nil {
 return err
 }
diff --git a/pkg/reloader/reloader.go b/pkg/reloader/reloader.go
index 993b70653e..d878f5382b 100644
--- a/pkg/reloader/reloader.go
+++ b/pkg/reloader/reloader.go
@@ -290,7 +290,7 @@ func (r *Reloader) apply(ctx context.Context) error {
 defer func() {
 _ = os.Remove(tmpFile)
 }()
- if err := ioutil.WriteFile(tmpFile, b, 0666); err != nil {
+ if err := ioutil.WriteFile(tmpFile, b, 0600); err != nil {
 return errors.Wrap(err, "write file")
 }
 if err := os.Rename(tmpFile, r.cfgOutputFile); err != nil {
diff --git a/pkg/shipper/shipper.go b/pkg/shipper/shipper.go
index 1e606fdb9b..2dac5a5cc9 100644
--- a/pkg/shipper/shipper.go
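Review bot: The mode argument in `os.OpenFile(filepath.Clean(file), os.O_RDONLY, 0600)` in `GetRange` (pkg/objstore/filesystem/filesystem.go) is never used, because the mode is only consulted when the flags include `os.O_CREATE`; changing 0666 to 0600 here does not tighten anything. `f, err := os.Open(filepath.Clean(file))` does the same thing without a permission literal that reads as if it mattered. GetRange's body starts and ends outside the hunk.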
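Review bot: In `Reloader.apply` (pkg/reloader/reloader.go) the temp file written with `0600` is then renamed onto `r.cfgOutputFile`, so the generated config ends up readable only by the user the reloader runs as. If the process that loads that file runs under a different UID, which this hunk does not show, it will no longer be able to read its configuration after this change. Either keep group read, `ioutil.WriteFile(tmpFile, b, 0640)`, which also matches the `0750` used for directories elsewhere in the diff, or state next to the call that the reloader and the consumer must share a UID. apply's body continues outside the hunk.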
+++ b/pkg/shipper/shipper.go
@@ -344,7 +344,7 @@ func (s *Shipper) upload(ctx context.Context, meta *metadata.Meta) error {
 if err := os.RemoveAll(updir); err != nil {
 return errors.Wrap(err, "clean upload directory")
 }
- if err := os.MkdirAll(updir, 0777); err != nil {
+ if err := os.MkdirAll(updir, 0750); err != nil {
 return errors.Wrap(err, "create upload dir")
 }
 defer func() {
@@ -408,7 +408,7 @@ func (s *Shipper) blockMetasFromOldest() (metas []*metadata.Meta, _ error) {
 func hardlinkBlock(src, dst string) error {
 chunkDir := filepath.Join(dst, block.ChunksDirname)
- if err := os.MkdirAll(chunkDir, 0777); err != nil {
+ if err := os.MkdirAll(chunkDir, 0750); err != nil {
 return errors.Wrap(err, "create chunks dir")
 }
diff --git a/pkg/store/bucket.go b/pkg/store/bucket.go
index e8aaf293e1..c17ab4beb3 100644
--- a/pkg/store/bucket.go
+++ b/pkg/store/bucket.go
@@ -411,7 +411,7 @@ func NewBucketStore(
 s.indexReaderPool = indexheader.NewReaderPool(s.logger, lazyIndexReaderEnabled, lazyIndexReaderIdleTimeout, extprom.WrapRegistererWithPrefix("thanos_bucket_store_", s.reg))
 s.metrics = newBucketStoreMetrics(s.reg) // TODO(metalmatze): Might be possible via Option too
- if err := os.MkdirAll(dir, 0777); err != nil {
+ if err := os.MkdirAll(dir, 0750); err != nil {
 return nil, errors.Wrap(err, "create dir")
 }
diff --git a/scripts/copyright/copyright.go b/scripts/copyright/copyright.go
index 706fecc910..eb2bd95e84 100644
--- a/scripts/copyright/copyright.go
+++ b/scripts/copyright/copyright.go
@@ -56,7 +56,7 @@ func applyLicenseToProtoAndGo() error {
 var bb bytes.Buffer
 _, _ = bb.Write(license)
 _, _ = bb.Write(b)
- if err = ioutil.WriteFile(path, bb.Bytes(), 0666); err != nil {
+ if err = ioutil.WriteFile(path, bb.Bytes(), 0600); err != nil {
 return err
 }
 }
diff --git a/test/e2e/e2ethanos/services.go b/test/e2e/e2ethanos/services.go
index ab79bc6d0b..882210b127 100644
--- a/test/e2e/e2ethanos/services.go
+++ b/test/e2e/e2ethanos/services.go
@@ -58,11 +58,11 @@ func DefaultImage() string {
 func NewPrometheus(sharedDir string, name string, config, promImage string) (*e2e.HTTPService, string, error) {
 dir := filepath.Join(sharedDir, "data", "prometheus", name)
 container := filepath.Join(e2e.ContainerSharedDir, "data", "prometheus", name)
- if err := os.MkdirAll(dir, 0777); err != nil {
+ if err := os.MkdirAll(dir, 0750); err != nil {
 return nil, "", errors.Wrap(err, "create prometheus dir")
 }
- if err := ioutil.WriteFile(filepath.Join(dir, "prometheus.yml"), []byte(config), 0666); err != nil {
+ if err := ioutil.WriteFile(filepath.Join(dir, "prometheus.yml"), []byte(config), 0600); err != nil {
 return nil, "", errors.Wrap(err, "creating prom config failed")
 }
@@ -152,7 +152,7 @@ func NewQuerier(sharedDir, name string, storeAddresses, fileSDStoreAddresses, ru
 if len(fileSDStoreAddresses) > 0 {
 queryFileSDDir := filepath.Join(sharedDir, "data", "querier", name)
 container := filepath.Join(e2e.ContainerSharedDir, "data", "querier", name)
- if err := os.MkdirAll(queryFileSDDir, 0777); err != nil {
+ if err := os.MkdirAll(queryFileSDDir, 0750); err != nil {
 return nil, errors.Wrap(err, "create query dir failed")
 }
@@ -166,7 +166,7 @@ func NewQuerier(sharedDir, name string, storeAddresses, fileSDStoreAddresses, ru
 return nil, err
 }
- if err := ioutil.WriteFile(queryFileSDDir+"/filesd.yaml", b, 0666); err != nil {
+ if err := ioutil.WriteFile(queryFileSDDir+"/filesd.yaml", b, 0600); err != nil {
 return nil, errors.Wrap(err, "creating query SD config failed")
 }
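Review bot: In `NewPrometheus` (test/e2e/e2ethanos/services.go) the host directory becomes `0750` and `prometheus.yml` becomes `0600`, while the same path is also built under `e2e.ContainerSharedDir`, which suggests it is mounted into the service container. If the image runs as a different UID than the test process (not visible here), the service can no longer enter the directory or read its config, and the old `0777`/`0666` may have been deliberate for that reason. Before tightening, confirm the e2e suite passes against images that run as a non-root user, and record the constraint next to the call, e.g. `// Shared with the container through e2e.ContainerSharedDir; the container user must be able to read this.` The same applies to the remaining hunks in this file (NewQuerier, NewReceiver, NewReceiverWithConfigWatcher, NewRuler, NewAlertmanager, NewStoreGW, NewCompactor).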
@@ -206,7 +206,7 @@ func NewReceiver(sharedDir string, networkName string, name string, replicationF
 dir := filepath.Join(sharedDir, "data", "receive", name)
 dataDir := filepath.Join(dir, "data")
 container := filepath.Join(e2e.ContainerSharedDir, "data", "receive", name)
- if err := os.MkdirAll(dataDir, 0777); err != nil {
+ if err := os.MkdirAll(dataDir, 0750); err != nil {
 return nil, errors.Wrap(err, "create receive dir")
 }
 b, err := json.Marshal(hashring)
@@ -251,7 +251,7 @@ func NewReceiverWithConfigWatcher(sharedDir string, networkName string, name str
 dir := filepath.Join(sharedDir, "data", "receive", name)
 dataDir := filepath.Join(dir, "data")
 container := filepath.Join(e2e.ContainerSharedDir, "data", "receive", name)
- if err := os.MkdirAll(dataDir, 0777); err != nil {
+ if err := os.MkdirAll(dataDir, 0750); err != nil {
 return nil, errors.Wrap(err, "create receive dir")
 }
 b, err := json.Marshal(hashring)
@@ -259,7 +259,7 @@ func NewReceiverWithConfigWatcher(sharedDir string, networkName string, name str
 return nil, errors.Wrapf(err, "generate hashring file: %v", hashring)
 }
- if err := ioutil.WriteFile(filepath.Join(dir, "hashrings.json"), b, 0666); err != nil {
+ if err := ioutil.WriteFile(filepath.Join(dir, "hashrings.json"), b, 0600); err != nil {
 return nil, errors.Wrap(err, "creating receive config")
 }
@@ -295,7 +295,7 @@ func NewReceiverWithConfigWatcher(sharedDir string, networkName string, name str
 func NewRuler(sharedDir string, name string, ruleSubDir string, amCfg []alert.AlertmanagerConfig, queryCfg []query.Config) (*Service, error) {
 dir := filepath.Join(sharedDir, "data", "rule", name)
 container := filepath.Join(e2e.ContainerSharedDir, "data", "rule", name)
- if err := os.MkdirAll(dir, 0777); err != nil {
+ if err := os.MkdirAll(dir, 0750); err != nil {
 return nil, errors.Wrap(err, "create rule dir")
 }
@@ -343,7 +343,7 @@ func NewRuler(sharedDir string, name string, ruleSubDir string, amCfg []alert.Al
 func NewAlertmanager(sharedDir string, name string) (*e2e.HTTPService, error) {
 dir := filepath.Join(sharedDir, "data", "am", name)
 container := filepath.Join(e2e.ContainerSharedDir, "data", "am", name)
- if err := os.MkdirAll(dir, 0777); err != nil {
+ if err := os.MkdirAll(dir, 0750); err != nil {
 return nil, errors.Wrap(err, "create am dir")
 }
 const config = `
@@ -355,7 +355,7 @@ route:
 receivers:
 - name: 'null'
 `
- if err := ioutil.WriteFile(filepath.Join(dir, "config.yaml"), []byte(config), 0666); err != nil {
+ if err := ioutil.WriteFile(filepath.Join(dir, "config.yaml"), []byte(config), 0600); err != nil {
 return nil, errors.Wrap(err, "creating alertmanager config file failed")
 }
@@ -382,7 +382,7 @@ receivers:
 func NewStoreGW(sharedDir string, name string, bucketConfig client.BucketConfig, relabelConfig ...relabel.Config) (*Service, error) {
 dir := filepath.Join(sharedDir, "data", "store", name)
 container := filepath.Join(e2e.ContainerSharedDir, "data", "store", name)
- if err := os.MkdirAll(dir, 0777); err != nil {
+ if err := os.MkdirAll(dir, 0750); err != nil {
 return nil, errors.Wrap(err, "create store dir")
 }
@@ -428,7 +428,7 @@ func NewCompactor(sharedDir string, name string, bucketConfig client.BucketConfi
 dir := filepath.Join(sharedDir, "data", "compact", name)
 container := filepath.Join(e2e.ContainerSharedDir, "data", "compact", name)
- if err := os.MkdirAll(dir, 0777); err != nil {
+ if err := os.MkdirAll(dir, 0750); err != nil {
 return nil, errors.Wrap(err, "create compact dir")
 }