From c38987e04a953bcb8161eef31ec20906bffa37fc Mon Sep 17 00:00:00 2001
From: Philip Taron <philip.taron@gmail.com>
Date: Wed, 23 Jul 2025 10:59:04 -0700
Subject: [PATCH] libstore: always canonicalize directory permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prior to this patch, mode 0444 is not updated to 0555 for directories.
That means for instance 0554 is canonicalized, but not 0444.

We don't believe this has any implications for backwards compatibility,
because directories do not have permissions in NAR format and so are
always 0555 after deserialization, and store paths with wrong
permissions can’t be copied to another host.

Co-authored-by: Robert Hensing <robert@roberthensing.nl>
---
 src/libstore/posix-fs-canonicalise.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/libstore/posix-fs-canonicalise.cc b/src/libstore/posix-fs-canonicalise.cc
index 2484d51a6..a889938c9 100644
--- a/src/libstore/posix-fs-canonicalise.cc
+++ b/src/libstore/posix-fs-canonicalise.cc
@@ -21,9 +21,9 @@ static void canonicaliseTimestampAndPermissions(const Path & path, const struct
 
         /* Mask out all type related bits. */
         mode_t mode = st.st_mode & ~S_IFMT;
-
-        if (mode != 0444 && mode != 0555) {
-            mode = (st.st_mode & S_IFMT) | 0444 | (st.st_mode & S_IXUSR ? 0111 : 0);
+        bool isDir = S_ISDIR(st.st_mode);
+        if ((mode != 0444 || isDir) && mode != 0555) {
+            mode = (st.st_mode & S_IFMT) | 0444 | (st.st_mode & S_IXUSR || isDir ? 0111 : 0);
             if (chmod(path.c_str(), mode) == -1)
                 throw SysError("changing mode of '%1%' to %2$o", path, mode);
         }