node-installer: write kata config with less perms

cli/cmd/generate.go

@@ -321,7 +321,7 @@ func patchTargets(paths []string, imageReplacementsFile, runtimeHandler string,
 		if err != nil {
 			return err
 		}
-		if err := os.WriteFile(path, resource, os.ModePerm); err != nil {
+		if err := os.WriteFile(path, resource, 0o666); err != nil {
 			return fmt.Errorf("write %s: %w", path, err)
 		}
 	}

cli/genpolicy/genpolicy.go

@@ -34,7 +34,7 @@ func New(rulesPath, settingsPath, cachePath string, bin []byte) (*Runner, error)
 	if err != nil {
 		return nil, fmt.Errorf("installing genpolicy: %w", err)
 	}
-	if err := os.MkdirAll(filepath.Dir(cachePath), os.ModePerm); err != nil {
+	if err := os.MkdirAll(filepath.Dir(cachePath), 0o777); err != nil {
 		return nil, fmt.Errorf("creating cache file: %w", err)
 	}
 

internal/embedbin/regular.go

@@ -4,8 +4,6 @@
 package embedbin
 
 import (
-	"os"
-
 	"github.com/spf13/afero"
 )
 
@@ -19,7 +17,7 @@ type RegularInstaller struct {
 // If prefix is empty, a temporary directory will be used.
 func (r *RegularInstaller) Install(prefix string, contents []byte) (Installed, error) {
 	if prefix != "" {
-		if err := r.fs.MkdirAll(prefix, os.ModePerm); err != nil {
+		if err := r.fs.MkdirAll(prefix, 0o777); err != nil {
 			return nil, err
 		}
 	}

internal/fsstore/fsstore.go

@@ -45,7 +45,7 @@ func (s *Store) Get(key string) ([]byte, bool) {
 
 // Set sets the value for the given key.
 func (s *Store) Set(key string, value []byte) {
-	if err := s.fs.MkdirAll("/", 0o755); err != nil {
+	if err := s.fs.MkdirAll("/", 0o777); err != nil {
 		s.logger.Error("failed to create dir")
 		return
 	}

nodeinstaller/node-installer.go

@@ -76,7 +76,7 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform,
 
 		fmt.Printf("Fetching %q to %q\n", file.URL, targetPath)
 
-		if err := os.MkdirAll(filepath.Dir(filepath.Join(hostMount, targetPath)), os.ModePerm); err != nil {
+		if err := os.MkdirAll(filepath.Dir(filepath.Join(hostMount, targetPath)), 0o777); err != nil {
 			return fmt.Errorf("creating directory %q: %w", filepath.Dir(targetPath), err)
 		}
 
@@ -99,7 +99,7 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform,
 
 	runtimeBase := filepath.Join("/opt", "edgeless", runtimeHandlerName)
 	kataConfigPath := filepath.Join(hostMount, runtimeBase, "etc")
-	if err := os.MkdirAll(kataConfigPath, os.ModePerm); err != nil {
+	if err := os.MkdirAll(kataConfigPath, 0o777); err != nil {
 		return fmt.Errorf("creating directory %q: %w", kataConfigPath, err)
 	}
 	var containerdConfigPath string
@@ -180,7 +180,7 @@ func containerdRuntimeConfig(basePath, configPath string, platform platforms.Pla
 	if err != nil {
 		return fmt.Errorf("marshaling kata runtime config: %w", err)
 	}
-	return os.WriteFile(configPath, rawConfig, os.ModePerm)
+	return os.WriteFile(configPath, rawConfig, 0o666)
 }
 
 func patchContainerdConfig(runtimeHandler, basePath, configPath string, platform platforms.Platform, debugRuntime bool) error {
@@ -241,7 +241,7 @@ func patchContainerdConfig(runtimeHandler, basePath, configPath string, platform
 	}
 
 	fmt.Printf("Patching containerd config at %s\n", configPath)
-	return os.WriteFile(configPath, rawConfig, os.ModePerm)
+	return os.WriteFile(configPath, rawConfig, 0o666)
 }
 
 func parseExistingContainerdConfig(path string) ([]byte, config.ContainerdConfig, error) {