From a06c77784468f071508ee432c0b0f6d58accbc21 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 28 Apr 2025 17:40:39 +0200
Subject: Set and restore umask to ensure lockfiles are atomically created with
 mode 0664.

Using the default 0022 yields lock files with g-w, so trying to flock(2)
from a different user failed.
---
 webmap-download | 11 ++++++++---
 webmap-import   |  2 ++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/webmap-download b/webmap-download
index 087e7fc..fcbbd16 100755
--- a/webmap-download
+++ b/webmap-download
@@ -310,10 +310,15 @@ def main() -> NoReturn:
             # place an exclusive lock on a lockfile as the destination can be used by other layers
             # hence might be updated in parallel
             if lockdir_fd is not None:
+                umask = os.umask(0o002)
                 lockfile = getSourcePathLockFileName(dest)
-                # use O_TRUNC to bump lockfile's mtime
-                lock_fd = os.open(lockfile, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, mode=0o664,
-                                  dir_fd=lockdir_fd)
+                try:
+                    # use O_TRUNC to bump lockfile's mtime
+                    lock_fd = os.open(lockfile, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, mode=0o664,
+                                      dir_fd=lockdir_fd)
+                finally:
+                    os.umask(umask)
+
             try:
                 if lockdir_fd is not None:
                     logging.debug('flock("%s", LOCK_EX)', lockfile)
diff --git a/webmap-import b/webmap-import
index 1d3f4ec..80f918e 100755
--- a/webmap-import
+++ b/webmap-import
@@ -518,6 +518,7 @@ def lockSourcePaths(layerdefs : dict[str,Any], lockdir: str) -> dict[str,int]:
     time) to reduce the time during which the sources prevented from being
     updated/downloaded, but their is some value in having consistency across the
     whole import process."""
+    umask = os.umask(0o002)
     lockdir_fd = os.open(lockdir, O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY)
     try:
         ret = {}
@@ -537,6 +538,7 @@ def lockSourcePaths(layerdefs : dict[str,Any], lockdir: str) -> dict[str,int]:
             os.close(lockdir_fd)
         except (OSError, ValueError):
             logging.exception('Could not close lockdir')
+        os.umask(umask)
 
 def releaseSourcePathLocks(lock_fds : dict[str,int]) -> None:
     """Release shared locks on the source paths.  Closed FDs are removed from
-- 
cgit v1.2.3