Harden browser managed policy permissions#5548
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d1aef6a0f5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
afurm
force-pushed
the
af/harden-browser-policy-perms
branch
from
d1aef6a to
5b59ea0
Compare
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Hardens browser managed policy directory permissions for Chromium/Brave so theme policy files remain admin/root-controlled, and adds a migration to repair existing installs.
Changes:
- Create managed policy directories with root ownership and
755perms (instead of user-writable). - Write
color.jsonvia privileged write (sudo tee) and enforce root-owned644perms. - Add a migration to correct directory and
color.jsonpermissions on upgrade.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| migrations/1777653181.sh | New migration to reset managed policy directory and color.json ownership/permissions, then re-apply policy. |
| migrations/1757147211.sh | Updates initial directory creation to root-owned 755 (removes world-writable). |
| install/config/theme.sh | Ensures managed policy directories are created root-owned 755 during install. |
| bin/omarchy-theme-set-browser | Centralizes policy writing and switches to privileged writes with enforced ownership/mode. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
afurm
force-pushed
the
af/harden-browser-policy-perms
branch
from
5b59ea0 to
d1e415b
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
afurm
force-pushed
the
af/harden-browser-policy-perms
branch
from
d1e415b to
86bfb30
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Summary
Fixes #5547.
This keeps Chromium and Brave managed policy directories from being writable by every local user, while preserving no-sudo theme switching.
Changes
/etc/chromium/policies/managedand/etc/brave/policies/managedasroot:rootmode755.color.jsonasroot:wheelmode664.omarchy-theme-set-browsersudo-free by only overwriting the existingcolor.json.color.jsonpaths during migration before recreating them, so old symlinks from the previous world-writable directory state are not followed.Validation
bash -n bin/omarchy-theme-set-browser install/config/theme.sh migrations/1757147211.sh migrations/1777653181.shgit diff --checkcolor.jsonsymlink removalroot:rootpolicy directoriesroot:wheelmode664policy file setup