oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity

Add error handling for chmod operations in database initialization and remove restrictive systemd security settings
Some checks failed
Systemd Sync / sync-systemd (push) Has been cancelled
Details
Integration Tests / test-service-integration (push) Has been cancelled
Details
Python Tests / test-python (push) Has been cancelled
Details
Security Scanning / security-scan (push) Has been cancelled
Details

Browse Source 
- Add try-except blocks around os.chmod calls in init_db to ignore OSError exceptions
- Add comments noting permission errors are ignored for read-only filesystems in containers
- Wrap chmod for database file, WAL-shm, and WAL-wal files with error handling
- Remove StartLimitBurst and StartLimitIntervalSec from agent-coordinator systemd service
- Remove ProtectSystem, ProtectHome, and ReadWritePaths security
This commit is contained in:
aitbc
2026-04-15 08:29:03 +02:00
parent a79057ce35
commit 9bb4791a97
2 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
apps/blockchain-node/src/aitbc_chain/database.py
View File

@@ -88,14 +88,24 @@ def init_db() -> None:
raise raise
# Set restrictive file permissions on database file and WAL files # Set restrictive file permissions on database file and WAL files
if settings.db_path.exists(): if settings.db_path.exists():
os.chmod(settings.db_path, stat.S_IRUSR | stat.S_IWUSR) # Read/write for owner only try:
os.chmod(settings.db_path, stat.S_IRUSR | stat.S_IWUSR) # Read/write for owner only
except OSError:
# Ignore permission errors (e.g., read-only filesystem in containers)
pass
# Also set permissions on WAL files if they exist # Also set permissions on WAL files if they exist
wal_shm = settings.db_path.with_suffix('.db-shm') wal_shm = settings.db_path.with_suffix('.db-shm')
wal_wal = settings.db_path.with_suffix('.db-wal') wal_wal = settings.db_path.with_suffix('.db-wal')
if wal_shm.exists(): if wal_shm.exists():
os.chmod(wal_shm, stat.S_IRUSR | stat.S_IWUSR) try:
os.chmod(wal_shm, stat.S_IRUSR | stat.S_IWUSR)
except OSError:
pass
if wal_wal.exists(): if wal_wal.exists():
os.chmod(wal_wal, stat.S_IRUSR | stat.S_IWUSR) try:
os.chmod(wal_wal, stat.S_IRUSR | stat.S_IWUSR)
except OSError:
pass
# Restricted engine access - only for internal use # Restricted engine access - only for internal use
def get_engine(): def get_engine():

5
systemd/aitbc-agent-coordinator.service
View File

@@ -21,8 +21,6 @@ TimeoutStopSec=10
# Production reliability # Production reliability
Restart=always Restart=always
RestartSec=5 RestartSec=5
StartLimitBurst=5
StartLimitIntervalSec=60
# Production logging # Production logging
StandardOutput=journal StandardOutput=journal
@@ -31,9 +29,6 @@ SyslogIdentifier=aitbc-agent-coordinator
# Production security # Production security
NoNewPrivileges=true NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/aitbc/data/agent-coordinator /var/log/aitbc/agent-coordinator
# Production performance # Production performance
LimitNOFILE=65536 LimitNOFILE=65536