Skip to content

CFE-4590, ENT-13239: Added documentation on overriding default directory permissions #3542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
larsewi merged 1 commit into from
Nov 18, 2025
Merged

CFE-4590, ENT-13239: Added documentation on overriding default directory permissions #3542

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions content/reference/components/cf-agent.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1072,6 +1072,47 @@ body agent control

**See also:** [`default:control_agent.nonalphanumfiles`](/reference/special-variables/control_agent/#defaultcontrol_agentnonalphanumfiles)

### default_directory_create_mode

**Description:** Override the default 0700 permissions when `cf-agent` creates
parent directories during file promise repairs.

The `default_directory_create_mode` attribute in body agent control enables
users to specify custom permissions (e.g., 0755) for automatically created
directories, avoiding the need for explicit perms promises on each parent
directory when deeper paths are required.

This addresses cases where files need broader access permissions but
their auto-created parent directories would otherwise default to 0700,
making the files inaccessible despite having correct permissions.

The mode string may be symbolic or numerical, like `chmod`.

**Type:** `string`

**Default value:** `0700`

**Example:**

```cf3
body agent control {
# Override the default directory create mode to 0755 (it defaults to 0700 if
# not specified)
default_directory_create_mode => "a+rx"; # Can also use octets 0755
}
```

**History:**

- Added in 3.27.0

**Notes:**

Please note that modifying this value will affect your entire policy and can
lead to security vulnerabilities.

**See also:** `filestat()`, [`body perms mode`](/reference/promise-types/files#mode), [`default:control_agent.default_directory_create_mode`](/reference/special-variables/control_agent/#defaultcontrol_agentdefault_directory_create_mode), [`default:update_def.control_agent_default_directory_create_mode` in the standard library](/reference/masterfiles-policy-framework#configure-default-directory-creation-permissions-for-update-policy)

### refresh_processes

**Description:** The `refresh_processes` slist contains bundles to reload
Expand Down
6 changes: 6 additions & 0 deletions content/reference/special-variables/control_agent.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,12 @@ Determines whether to warn about filenames with no alphanumeric content. This te

**See also:** [`nonalphanumfiles` in `body agent control`][cf-agent#nonalphanumfiles]

### default:control_agent.default_directory_create_mode

Determines the default directory permissions when `cf-agent` creates parent directories during `files` promise repairs.

**See also:** [`default_directory_create_mode` in `body agent control`][cf-agent#default_directory_create_mode], [`default:update_def.control_agent_default_directory_create_mode` in the standard library](/reference/masterfiles-policy-framework#configure-default-directory-creation-permissions-for-update-policy)

### default:control_agent.refresh_processes

Contains bundles to reload the process table before verifying the bundles named in this list (lazy evaluation).
Expand Down