Bug: Wrong 0777 permission on web/app folder on every deploy

[cfaria]

Terms

• I have read the guidelines for Contributing to Roots Projects
• This request is not a duplicate of an existing issue
• I have read the docs and followed them (if applicable)
• I have seached the Roots Discourse for answers and followed them (if applicable)
• This is not a personal support request that should be posted on the Roots Discourse community

Description

What's wrong?

Every time I deploy, either to Kinsta, custom server or Trellis managed server, the web/app folder from bedrock gets permissions 0777.

If I override the project_shared_children var in my trellis/group_vars/production/main.yml file to share some files and folders across deploys, then I get the web/app folder chmod 0777 and the web folder also with 0777.

Maybe I'm wrong, but I think applying 0777 to a folder is too permisive and this should be changed to 0755

This is the disourse topic related to this issue I've opened almost a year ago. I don't know how no one have seen this before. Maybe I'm the only one that has the problem.

https://discourse.roots.io/t/deploy-places-web-and-app-folder-777/21087

What have you tried?

I think this line is the culprit, as if I change it in my trellis install then the web and web/app folders get 0755 as I think they should...

trellis/roles/deploy/tasks/share.yml

Line 43 in e497cfe

mode: '0777'

If I don't override the project_shared_children var then only the web/app folder has 0777.
If I override the project_shared_children var then web and web/app folder both two have 0777.

Using the mode option in project_shared_children doesn't work as this is related to the parent folder:

trellis/roles/deploy/defaults/main.yml

Line 32 in e497cfe

# mode: '0755' // <- optional, use an octal number starting with 0 or quote it, defaults to `'0755'` if `directory` or `'0644'` if `file`

What insights have you gained?

Maybe all our websites are a bit exposed to attackers.

Possible solutions

Change this line

trellis/roles/deploy/tasks/share.yml

Line 43 in e497cfe

mode: '0777'

to 0755

Temporary workarounds

Change this line

trellis/roles/deploy/tasks/share.yml

Line 43 in e497cfe

mode: '0777'

to 0755

Steps To Reproduce

Just deploy using trellis and see the permissions of web/app on bedrock.

I you override the project_shared_children var in your trellis/group_vars/production/main.yml file with something like this:

project_shared_children:
  - path: web/app/uploads
    src: uploads
  - path: web/robots.txt
    src: robots.txt

...then you'll get web and web/app folder with 0777.

Expected Behavior

web/app folder to be 0755

Actual Behavior

web/app folder is 0777

Relevant Log Output

No response

Versions

Trellis v1.15.0 - OSX 10.15.7

[cfaria]

I've found this is the commit that places the 0777 mode to shared folders (Trellis v1.6.0):

aff51a5

I have some sites with Trellis v1.4.0 (I know...) and the deploys don't have that problem, so I guess a revert or setting that line to 0755 would do the fix.

[swalkinshaw]

Thanks for tracking down that commit @cfaria. Judging from the permissions on the actual release dir, I think this should match and be 0755 as well. I'll do a PR.