fix(cortex-cli): check actual write permission for current user in debug file #134

Closed
echobt wants to merge 1 commit into master from fix/bounty-issue-1343

echobt commented Jan 26, 2026

Summary

The cortex debug file command was incorrectly reporting Readonly: false for files like /etc/passwd that the current user cannot actually write to.

Problem

The command used meta.permissions().readonly() which only checks if the file's owner write bit is set. This doesn't account for:

  • File ownership (e.g., root-owned files)
  • Group membership
  • Access Control Lists (ACLs)

For example, /etc/passwd has permissions 644 (owner can write), but regular users cannot write to it.

Solution

Replace the permission bit check with an actual write access check by attempting to open the file for writing. This accurately reflects whether the current user can write to the file.

Changes

  • Added is_writable_by_current_user() helper function that attempts to open the file for writing
  • Updated run_file() to use this function instead of meta.permissions().readonly()

Related

Fixes PlatformNetwork/bounty-challenge#1343

…bug file

Fixes bounty issue #1343

The debug file command previously used meta.permissions().readonly() which
only checks if the file has the owner write bit set. This is incorrect
for files like /etc/passwd (owned by root with permissions 644) where
regular users cannot write despite the file having write permissions.

The fix attempts to open the file for writing to determine if the current
user actually has write access, which properly accounts for ownership,
group membership, and ACLs.
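
The gap between the mode-bit check and the open-for-write probe described in this PR, as an added example that is not the cortex-cli code. `WriteAccess`, `probe_write_access` and `effective_readonly` are names assumed for this sketch, and only the standard library is used.

```rust
use std::fs::{self, OpenOptions};
use std::io::ErrorKind;
use std::path::Path;

/// Outcome of the open-for-write probe (type and names are this example's own).
#[derive(Debug, PartialEq)]
enum WriteAccess {
    Writable,
    Denied,            // kernel refused: ownership, group, ACL, immutable flag
    Failed(ErrorKind), // anything else, e.g. NotFound or a directory
}

/// Mode-bit view: looks only at the permission bits stored on the file.
fn readonly_by_mode_bits(path: &Path) -> std::io::Result<bool> {
    Ok(fs::metadata(path)?.permissions().readonly())
}

/// Ask the kernel instead: open for writing without create, truncate or
/// append, so existing content is untouched. The handle is dropped at once.
fn probe_write_access(path: &Path) -> WriteAccess {
    match OpenOptions::new().write(true).open(path) {
        Ok(_) => WriteAccess::Writable,
        Err(e) if e.kind() == ErrorKind::PermissionDenied => WriteAccess::Denied,
        Err(e) => WriteAccess::Failed(e.kind()),
    }
}

/// Value for a "Readonly:" line: true unless the probe actually succeeded.
fn effective_readonly(path: &Path) -> bool {
    probe_write_access(path) != WriteAccess::Writable
}

fn main() {
    // /etc/passwd is the page's example; the temp directory is a second sample.
    let tmp = std::env::temp_dir();
    for path in [Path::new("/etc/passwd"), tmp.as_path()] {
        println!(
            "{}: mode-bit readonly={:?}, probe={:?}, effective readonly={}",
            path.display(),
            readonly_by_mode_bits(path),
            probe_write_access(path),
            effective_readonly(path)
        );
    }
}
```

The probe is a point-in-time answer, suitable for a debug display but not for an authorization decision, since access can change between the check and a later write. Opening a FIFO for writing blocks until a reader appears, so a caller that may be handed special files should check the file type first.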
echobt pushed a commit that referenced this pull request Jan 27, 2026
This commit implements the following 10 open PRs for cortex-cli:

1. PR #155 - Prompt for tab completion setup on first run
   - Added completion_setup module for first-run completion detection
   - On first interactive run, prompts user to enable tab completion
   - Automatically detects shell (bash, zsh, fish, PowerShell, elvish)
   - Creates marker file to avoid repeated prompts

2. PR #153 - Emit valid JSONL with full event data in streaming mode
   - Already implemented in previous work

3. PR #151 - Add man page generation command
   - Added clap_mangen dependency
   - Added 'man' command with optional output directory
   - Generates roff-format man pages

4. PR #137 - Use consistent provider name casing in models output
   - Already using lowercase provider names (no changes needed)

5. PR #134 - Check actual write permission for current user in debug file
   - Added is_writable_by_current_user() helper function
   - Uses actual file open test instead of permission bits

6. PR #133 - Detect actual binary location from PATH for uninstall dry-run
   - Added 'which' dependency for PATH lookup
   - Updated collect_binary_locations() to use PATH search first

7. PR #130 - Show searched paths in debug ripgrep output
   - Added searched_paths field to RipgrepDebugOutput
   - Added get_path_directories() helper function
   - Shows PATH directories when ripgrep is not found

8. PR #129 - Output valid JSON on errors when --json flag is set
   - Updated run_servers() to handle MdnsBrowser errors as JSON
   - Move discovery banner inside conditional for non-JSON mode

9. PR #126 - Add batch export for sessions
   - Added --all (-a) flag for batch export mode
   - Added --output-dir option for batch exports
   - Each session exported to separate JSON file

10. PR #124 - Display feature descriptions in features list
    - Updated list_features() to use actual feature registry
    - Added Description column to features list output

11. PR #122 - Add debug system command for system information
    - Added System subcommand to debug CLI
    - Gathers OS, hardware, environment, and Cortex info
    - Supports JSON output for scripts/automation
echobt added a commit that referenced this pull request Jan 27, 2026
This commit implements the following 10 open PRs for cortex-cli:

1. PR #155 - Prompt for tab completion setup on first run
   - Added completion_setup module for first-run completion detection
   - On first interactive run, prompts user to enable tab completion
   - Automatically detects shell (bash, zsh, fish, PowerShell, elvish)
   - Creates marker file to avoid repeated prompts

2. PR #153 - Emit valid JSONL with full event data in streaming mode
   - Already implemented in previous work

3. PR #151 - Add man page generation command
   - Added clap_mangen dependency
   - Added 'man' command with optional output directory
   - Generates roff-format man pages

4. PR #137 - Use consistent provider name casing in models output
   - Already using lowercase provider names (no changes needed)

5. PR #134 - Check actual write permission for current user in debug file
   - Added is_writable_by_current_user() helper function
   - Uses actual file open test instead of permission bits

6. PR #133 - Detect actual binary location from PATH for uninstall dry-run
   - Added 'which' dependency for PATH lookup
   - Updated collect_binary_locations() to use PATH search first

7. PR #130 - Show searched paths in debug ripgrep output
   - Added searched_paths field to RipgrepDebugOutput
   - Added get_path_directories() helper function
   - Shows PATH directories when ripgrep is not found

8. PR #129 - Output valid JSON on errors when --json flag is set
   - Updated run_servers() to handle MdnsBrowser errors as JSON
   - Move discovery banner inside conditional for non-JSON mode

9. PR #126 - Add batch export for sessions
   - Added --all (-a) flag for batch export mode
   - Added --output-dir option for batch exports
   - Each session exported to separate JSON file

10. PR #124 - Display feature descriptions in features list
    - Updated list_features() to use actual feature registry
    - Added Description column to features list output

11. PR #122 - Add debug system command for system information
    - Added System subcommand to debug CLI
    - Gathers OS, hardware, environment, and Cortex info
    - Supports JSON output for scripts/automation

Co-authored-by: Droid Agent <droid@factory.ai>
echobt pushed a commit that referenced this pull request Jan 27, 2026
Complete the model alias feature (PR #138) by adding support to
the ACP server command. This ensures consistent model alias
resolution (e.g., 'sonnet' -> 'anthropic/claude-sonnet-4-20250514')
across all CLI entry points.

This was the only missing piece from the 10 open CLI PRs, as all
other features were already implemented in the current codebase:
- PR #155: Tab completion setup on first run
- PR #153: Valid JSONL with full event data
- PR #151: Man page generation command
- PR #138: Model alias shortcuts (now complete)
- PR #137: Consistent provider casing
- PR #135: --log-level flag
- PR #134: Actual write permission check
- PR #133: Binary location from PATH
- PR #130: Searched paths in ripgrep debug
- PR #129: Valid JSON output on errors
echobt added a commit that referenced this pull request Jan 27, 2026
Complete the model alias feature (PR #138) by adding support to
the ACP server command. This ensures consistent model alias
resolution (e.g., 'sonnet' -> 'anthropic/claude-sonnet-4-20250514')
across all CLI entry points.

This was the only missing piece from the 10 open CLI PRs, as all
other features were already implemented in the current codebase:
- PR #155: Tab completion setup on first run
- PR #153: Valid JSONL with full event data
- PR #151: Man page generation command
- PR #138: Model alias shortcuts (now complete)
- PR #137: Consistent provider casing
- PR #135: --log-level flag
- PR #134: Actual write permission check
- PR #133: Binary location from PATH
- PR #130: Searched paths in ripgrep debug
- PR #129: Valid JSON output on errors

Co-authored-by: Droid Agent <droid@factory.ai>

echobt commented Jan 27, 2026

Closing: this feature has already been implemented in commit 6c8cccf (PR #182).

echobt closed this Jan 27, 2026

Development

Successfully merging this pull request may close these issues.

[BUG] debug file shows 'Readonly: false' for /etc/passwd which should be true
