From 57701e3ed0d23ed45b65a9fbdbe7301a9898fb18 Mon Sep 17 00:00:00 2001
From: Michael Prokop <mprokop@sipwise.com>
Date: Tue, 15 May 2018 16:06:58 +0200
Subject: [PATCH] TT#36827 Do not set permissions on output files of type
 symlink
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the output file has been replaced by a symlink then the
permissions of the symlink's target are adjusted. This is clearly
unwanted and unexpected behavior.

This can happen e.g. when masking a service via systemd's systemctl,
demonstration:

| sipwise@sp1:~$ sudo rm /etc/systemd/system/ntp.service
| sipwise@sp1:~$ sudo systemctl mask ntp
| Created symlink /etc/systemd/system/ntp.service → /dev/null.
| sipwise@sp1:~$ ls -la /dev/null
| crw-rw-rw- 1 root root 1, 3 May 12 01:54 /dev/null
| sipwise@sp1:~$ sudo ngcpcfg build /etc/systemd/system/ntp.service
| 2018-05-15 16:06:47: Checking state of local storage:
| 2018-05-15 16:06:47: OK:   nothing to pull
| 2018-05-15 16:06:47: configs were checked successfuly
| 2018-05-15 16:06:47: No patchtt files found, nothing to patch.
| Loading /etc/ngcp-config/config.yml in memory: OK
| Loading /etc/ngcp-config/network.yml in memory: OK
| Loading /etc/ngcp-config/constants.yml in memory: OK
| 2018-05-15 16:06:48: Generating /etc/systemd/system/ntp.service: OK
| sipwise@sp1:~$ ls -la /dev/null
| cr--r--r-- 1 root root 1, 3 May 12 01:54 /dev/null

Instead check whether the expected output file is a symlink and
if so don't modify permissions at all, but warn instead.

Change-Id: I1c1bb0941a8a2f599652b7c089efd63ff33ca455
---
 helper/build_config | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/helper/build_config b/helper/build_config
index dd276994..10628bbe 100755
--- a/helper/build_config
+++ b/helper/build_config
@@ -93,10 +93,14 @@ else
 
 fi
 
-# set permissions for generated config based on the ones of the template
-chmod --reference="${input_file}" "${output_file}"
-# finally drop all write permissions
-chmod a-w "${output_file}"
+if [ -L "$output_file" ] ; then
+  log_warn "File $output_file is a symlink - NOT adjusting permissions"
+else
+  # set permissions for generated config based on the ones of the template
+  chmod --reference="${input_file}" "${output_file}"
+  # finally drop all write permissions
+  chmod a-w "${output_file}"
+fi
 
 # post-execution script in template store:
 if [ -r "${NGCPCTL_MAIN}/templates/${output_file}.postbuild" ] ; then