From 5bf2b1bb0a9bace5b3d30690051467c77185c82a Mon Sep 17 00:00:00 2001
From: Min RK
Date: Wed, 30 Jan 2019 16:42:35 +0100
Subject: [PATCH] Run fix-permissions on each install command ensures files have the right permissions conda and pip may not guarantee installed files are not world-writeable
---
 tljh/conda.py | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/tljh/conda.py b/tljh/conda.py
index ad66735..2a30a2b 100644
--- a/tljh/conda.py
+++ b/tljh/conda.py
@@ -58,6 +58,21 @@ def download_miniconda_installer(version, md5sum):
 yield f.name
+def fix_permissions(prefix):
+ """Fix permissions in the install prefix
+
+ For all files in the prefix, ensure that:
+ - everything is owned by current user:group
+ - nothing is world-writeable
+
+ Run after each install command.
+ """
+ subprocess.check_call(
+ ["chown", "-R", "{}:{}".format(os.getuid(), os.getgid()), prefix]
+ )
+ subprocess.check_call(["chmod", "-R", "o-w", prefix])
+
+
 def install_miniconda(installer_path, prefix):
 """
 Install miniconda with installer at installer_path under prefix
@@ -71,10 +86,7 @@ def install_miniconda(installer_path, prefix):
 # fix permissions on initial install
 # a few files have the wrong ownership and permissions initially
 # when the installer is run as root
- subprocess.check_call(
- ["chown", "-R", "{}:{}".format(os.getuid(), os.getgid()), prefix]
- )
- subprocess.check_call(["chmod", "-R", "o-w", prefix])
+ fix_permissions(prefix)
 def ensure_conda_packages(prefix, packages):
@@ -105,6 +117,7 @@ def ensure_conda_packages(prefix, packages):
 output = json.loads(filtered_output.lstrip('\x00'))
 if 'success' in output and output['success'] == True:
 return
+ fix_permissions(prefix)
 def ensure_pip_packages(prefix, packages):
@@ -118,6 +131,7 @@ def ensure_pip_packages(prefix, packages):
 'install',
 '--no-cache-dir',
 ] + packages, stderr=subprocess.STDOUT)
+ fix_permissions(prefix)
 def ensure_pip_requirements(prefix, requirements_path):
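Review bot: The docstring of `fix_permissions` reads as a guarantee, but the function only repairs ownership and modes after the installer has already written the files, so anything conda or pip created world-writeable stays that way until the recursive `chmod` has finished. I would say so in the docstring, for example `Note: post-install repair only; files may be world-writeable until this returns.` It is also worth documenting that a non-zero exit from `chown` or `chmod` raises `subprocess.CalledProcessError`, since every install helper touched by this patch now propagates it.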
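Review bot: In `ensure_conda_packages` the added `fix_permissions(prefix)` comes after the `return` that is taken when conda reports `success`, so after a successful install the permissions are never repaired, which is the opposite of what the commit message intends. The indentation is collapsed on this page, but at either indent level the success path returns before reaching the new line. Move the call above the check, i.e. put `fix_permissions(prefix)` immediately before `if 'success' in output and output['success'] == True:`. The function body starts outside the hunk, so the conda invocation itself is not visible here.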
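Review bot: In `ensure_pip_packages` the new `fix_permissions(prefix)` runs only if the install call ending in `] + packages, stderr=subprocess.STDOUT)` returns normally. The call's name is outside the hunk, but if it is a `subprocess.check_*` call like the ones in `fix_permissions`, a failed pip run raises and skips the repair, leaving whatever the partial install wrote with its original modes. The same applies to the `ensure_pip_requirements` hunk that follows. Wrapping the install call in `try:` with `finally: fix_permissions(prefix)` covers both the success and the failure path.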
@@ -134,3 +148,4 @@ def ensure_pip_requirements(prefix, requirements_path):
 '-r',
 requirements_path
 ], stderr=subprocess.STDOUT)
+ fix_permissions(prefix)