ipn, paths: unconditionally attempt to set state dir perms, but only if the state dir is ours

We unconditionally set appropriate perms on the statefile dir. We look at the basename of the statefile dir, and if it is "tailscale", then we set perms as appropriate. Fixes #2925 Updates #2856 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2025-08-13 06:07:34 +00:00 · 2021-09-24 15:24:16 -06:00
parent 82117f7a63
commit 21e9f98fc1
3 changed files with 15 additions and 8 deletions
--- a/ipn/store.go
+++ b/ipn/store.go
@@ -170,6 +170,11 @@ func (s *FileStore) String() string { return fmt.Sprintf("FileStore(%q)", s.path

 // NewFileStore returns a new file store that persists to path.
 func NewFileStore(path string) (*FileStore, error) {
+	// We unconditionally call this to ensure that our perms are correct
+	if err := paths.MkStateDir(filepath.Dir(path)); err != nil {
+		return nil, fmt.Errorf("creating state directory: %w", err)
+	}
+
 	bs, err := ioutil.ReadFile(path)

 	// Treat an empty file as a missing file.
@@ -183,9 +188,6 @@ func NewFileStore(path string) (*FileStore, error) {
 		if os.IsNotExist(err) {
 			// Write out an initial file, to verify that we can write
 			// to the path.
-			if err := paths.MkStateDir(filepath.Dir(path)); err != nil {
-				return nil, fmt.Errorf("creating state directory: %w", err)
-			}
 			if err = atomicfile.WriteFile(path, []byte("{}"), 0600); err != nil {
 				return nil, err
 			}