908bca3687
NamedTemporaryFile creates the script file at mode 0600 owned by the left4me web user. The sandbox runs as l4d2-sandbox and bwrap bind-mounts the file read-only at /script.sh, but the kernel still enforces the underlying file's permissions — l4d2-sandbox can't read 0600 left4me files, so /bin/bash /script.sh fails with "Permission denied". Script content is not a secret (it's stored in the DB and editable by the user), so 0644 is appropriate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| host_commands.py | ||
| job_worker.py | ||
| l4d2_facade.py | ||
| overlay_builders.py | ||
| overlay_creation.py | ||
| security.py | ||
| spec_yaml.py | ||
| status.py | ||
| steam_workshop.py | ||
| workshop_paths.py | ||