Commit d173a88
committed
docs(runtime-fix): record chmod_modify.sh enforcement convention
Add a third mandatory script-only convention to the runtime-fix
execution log, alongside the existing rm_tmp_file.sh (AI memory
81725399) and kill_process.sh (AI memory 90098233) rules:
- chmod_modify.sh enforcement (AI memory 21626578): all permission
changes must go through /data/workspace/chmod_modify.sh <mode> <path>
…; direct chmod / install -m / setfacl invocations are forbidden
with zero tolerance.
The /data/workspace/chmod_modify.sh script itself was expanded from a
two-line placeholder into a full implementation that mirrors the
rm_tmp_file.sh / kill_process.sh style: chmod(1)-compatible modes
(octal and symbolic), high-risk path blacklist
(/, /etc, /usr, /var, /home, /root, /data, /data/workspace top-level
plus /etc/passwd /shadow /sudoers /group), pre-change permission
snapshot under /data/workspace/.trash/<UTC-ts>/, full audit trail in
/data/workspace/.chmod_audit.log, and an explicit warning for
setuid/setgid bits without blocking them.

1 parent 747da45 commit d173a88
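The wrapper design the commit message describes (chmod-compatible mode check, high-risk path blacklist, pre-change snapshot under .trash/<UTC-ts>/, audit log, setuid/setgid warning without blocking), written out as an added shell example. This is not the project's /data/workspace/chmod_modify.sh, whose contents are not part of this commit, and not code from the author; the CM_* environment overrides, the return codes, the perms.txt snapshot file name and the tab-separated audit line format are assumptions made for this example.

```sh
#!/bin/sh
# Illustrative stand-in for the chmod_modify.sh design described above.
# Not the project's script. CM_ROOT/CM_TRASH/CM_AUDIT overrides, the return
# codes, the snapshot file name and the audit line format are assumptions.
CM_ROOT="${CM_ROOT:-/data/workspace}"
CM_TRASH="${CM_TRASH:-$CM_ROOT/.trash}"
CM_AUDIT="${CM_AUDIT:-$CM_ROOT/.chmod_audit.log}"

# Strip trailing slashes so "/etc/" still matches the blacklist entry "/etc".
cm_normalize() {
  p=$1
  while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
  printf '%s\n' "$p"
}

# Exact-match blacklist from the commit message: top-level directories plus
# the core identity files. Returns 0 when the path must not be touched.
cm_is_blacklisted() {
  case "$(cm_normalize "$1")" in
    /|/etc|/usr|/var|/home|/root|/data|"$CM_ROOT"|/etc/passwd|/etc/shadow|/etc/sudoers|/etc/group) return 0 ;;
  esac
  return 1
}

# chmod(1)-compatible modes: 3-4 octal digits, or comma-separated symbolic
# clauses such as u+x or go-w (plain who/op/perm forms only).
cm_is_valid_mode() {
  printf '%s\n' "$1" | grep -Eq '^([0-7]{3,4}|[ugoa]*[-+=][rwxXst]*(,[ugoa]*[-+=][rwxXst]*)*)$'
}

# Flag modes that set or clear setuid/setgid: a 4-digit octal whose leading
# digit carries the 4 (setuid) or 2 (setgid) bit, or a symbolic clause with "s".
cm_touches_setid() {
  case "$1" in
    [234567][0-7][0-7][0-7]) return 0 ;;
    *s*) return 0 ;;
  esac
  return 1
}

# Usage: chmod_modify <mode> <path>
# Returns 1 on bad usage or invalid mode, 2 on a missing or blacklisted path,
# otherwise chmod's own status (return codes are an assumption of this example).
chmod_modify() {
  [ $# -eq 2 ] || { echo "usage: chmod_modify <mode> <path>" >&2; return 1; }
  mode=$1
  path=$(cm_normalize "$2")
  cm_is_valid_mode "$mode" || { echo "chmod_modify: invalid mode '$mode'" >&2; return 1; }
  [ -e "$path" ] || { echo "chmod_modify: no such path '$path'" >&2; return 2; }
  if cm_is_blacklisted "$path"; then
    echo "chmod_modify: refusing to change high-risk path '$path'" >&2
    return 2
  fi
  # Warn on setuid/setgid, but do not block, mirroring the stated policy.
  if cm_touches_setid "$mode"; then
    echo "chmod_modify: WARNING mode '$mode' touches setuid/setgid bits" >&2
  fi

  ts=$(date -u +%Y%m%dT%H%M%SZ)
  snap_dir="$CM_TRASH/$ts"
  mkdir -p "$snap_dir" "$(dirname "$CM_AUDIT")"
  before=$(ls -ld "$path")
  printf '%s\n' "$before" >> "$snap_dir/perms.txt"   # pre-change snapshot

  chmod "$mode" "$path"; rc=$?   # the one sanctioned chmod(1) call
  after=$(ls -ld "$path" | cut -c1-10)
  printf '%s\t%s\t%s\t%s\t%s\t%s\trc=%s\n' "$ts" "$(id -un)" "$mode" "$path" \
    "$(printf '%s' "$before" | cut -c1-10)" "$after" "$rc" >> "$CM_AUDIT"
  return "$rc"
}

# Act as a CLI only when invoked as chmod_modify.sh; sourcing just defines functions.
if [ "$(basename -- "$0")" = "chmod_modify.sh" ]; then
  chmod_modify "$@"
fi
```

The blacklist check runs before the snapshot or the chmod, so a refused path leaves no .trash entry; the audit line records both the before and after permission strings plus chmod's return code, which is what makes a later "who changed this and from what" question answerable from the log alone.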
1 file changed
Lines changed: 2 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
41 | 41 | | |
42 | 42 | | |
43 | 43 | | |
44 | | - | |
| 44 | + | |
| 45 | + | |
45 | 46 | | |
46 | 47 | | |
47 | 48 | | |
| |||
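Review bot: the hunk touches one file at line 44 (one line removed, two added, 2 additions and 1 deletion overall), while the message's second paragraph describes expanding /data/workspace/chmod_modify.sh from a two-line placeholder into a full implementation with mode parsing, a blacklist, snapshots and an audit log; a 2/1 docs change cannot carry that expansion, so either add the script to this commit or drop that paragraph from the message and reference the commit that actually ships it, otherwise the execution log records an enforcement script this commit does not contain. Separately, for a convention stated as zero tolerance, warning on setuid/setgid bits without blocking them is the gap worth closing before the entry is recorded as policy, since those are the bits that turn a permission change into a privilege change.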
0 commit comments