From fe74270e99dbca6bae9161b3cadd8f5c6edcba6b Mon Sep 17 00:00:00 2001
From: Nick Anderson
Date: Mon, 17 Nov 2025 10:14:46 -0600
Subject: [PATCH] Made default_directory_create_mode configurable via Augments

This change allows default_directory_creation_mode to be configured for the main and or update policy for both all components (common control), or cf-agent specifically (agent control).

Ticket: CFE-4590
Changelog: Title
---
 MPF.md                    | 56 +++++++++++++++++++++++++++++++++++++++
 controls/cf_agent.cf      |  4 +++
 controls/def.cf           |  6 +++++
 controls/update_def.cf.in |  5 ++++
 update.cf.in              |  3 +++
 5 files changed, 74 insertions(+)

diff --git a/MPF.md b/MPF.md
index 4e109083d8..27cbb26606 100644
--- a/MPF.md
+++ b/MPF.md
@@ -677,6 +677,33 @@ This [augments file][Augments] is a way to specify that `cf-monitord` should be
 }
 ```
 
+### Configure default directory creation permissions for update policy
+The `default_directory_create_mode` attribute in `body agent control` enables
+users to specify custom permissions (e.g., 0755) for automatically created
+directories, avoiding the need for explicit perms promises on each parent
+directory when deeper paths are required.
+
+The mode string may be symbolic (`a+rx`, `a=rx`) or numerical, like `chmod`.
+
+To override the default for **cf-agent** configure `default:update_def.control_agent_default_directory_create_mode`, for example:
+
+```json
+{
+  "variables": {
+    "default:update_def.control_agent_default_directory_create_mode": {
+      "value": "755"
+    }
+  }
+}
+```
+
+**See also:** [`default_directory_create_mode` in `body agent control`][cf-agent#default_directory_create_mode]
+
+**History:**
+
+- Added in CFEngine 3.27.0
+
+
 ## Main policy (promises.cf)
 
 The following settings are defined in `controls/def.cf` can be set from an
@@ -2813,6 +2840,35 @@ Maximum time between automatic WAL checkpoints. If this value is specified witho
 * Added in 3.20.0, 3.18.2
 
 
+### Configure default directory creation permissions for main policy
+
+The `default_directory_create_mode` attribute in `body agent control` enables
+users to specify custom permissions (e.g., 0755) for automatically created
+directories, avoiding the need for explicit perms promises on each parent
+directory when deeper paths are required.
+
+The mode string may be symbolic (`a+rx`, `a=rx`) or numerical, like `chmod`.
+
+The default permissions can be overridden via Augments, for example:
+
+To override the default for **cf-agent** configure `default:def.control_agent_default_directory_create_mode`, for example:
+
+```json
+{
+  "variables": {
+    "default:def.control_agent_default_directory_create_mode": {
+      "value": "755"
+    }
+  }
+}
+```
+
+**See also:** [`default_directory_create_mode` in `body common control`][Components#default_directory_create_mode], [`default_directory_create_mode` in `body agent control`][cf-agent#default_directory_create_mode]
+
+**History:**
+
+- Added in CFEngine 3.27.0
+
 ## Recommendations
 
 The MPF includes policy that inspects the system and makes recommendations about
diff --git a/controls/cf_agent.cf b/controls/cf_agent.cf
index 195778b8da..4607f82a18 100644
--- a/controls/cf_agent.cf
+++ b/controls/cf_agent.cf
@@ -45,6 +45,10 @@ body agent control
       # EMPTY list is not valid for environment attribute Ref: CFE-3927. So, we
       # do some validation on it so we can apply it selectively.
 
+@if minimum_version(3.27.0)
+      default_directory_create_mode => "$(def.control_agent_default_directory_create_mode)";
+@endif
+
     _control_agent_environment_vars_validated::
       environment => { @(def.control_agent_environment_vars) };
 
diff --git a/controls/def.cf b/controls/def.cf
index 46a885f716..39aa684b95 100644
--- a/controls/def.cf
+++ b/controls/def.cf
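Review bot: The `default_directory_create_mode` attribute added to body agent control in cf_agent.cf carries no comment, unlike its counterpart added to update.cf.in in this same patch, which is preceded by `# The permissions automatically created directories should have`. The value is taken verbatim from `def.control_agent_default_directory_create_mode`, which the def.cf hunk only defaults to "700" when Augments has not predefined it and does not otherwise check, so a reader changing the override should know it shapes every directory cf-agent creates implicitly (per the MPF.md text in this patch). Suggested comment above the attribute: `# Permissions for directories cf-agent creates implicitly (chmod-style string); defaults to 700 in def.cf, override via Augments`. The enclosing body agent control begins outside the hunk.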
@@ -344,6 +344,12 @@ bundle common def
                       " the binary default of 10080 minutes (1 week)" );
 
     # Agent controls
+
+      "control_agent_default_directory_create_mode" -> { "CFE-4590" }
+        string => ifelse( isvariable("control_agent_default_directory_create_mode"),
+                          "$(control_agent_default_directory_create_mode)",
+                          "700");
+
 @if minimum_version(3.18.0)
     # TODO When 3.18 is the oldest supported LTS, redact this macro and associated protections
       "control_agent_files_single_copy" -> { "CFE-3622" }
diff --git a/controls/update_def.cf.in b/controls/update_def.cf.in
index 4d4a2f6002..f3d9900f60 100644
--- a/controls/update_def.cf.in
+++ b/controls/update_def.cf.in
@@ -156,6 +156,11 @@ bundle common update_def
         if => and( "mpf_update_control_agent_default_repository",
                    not( isvariable( "control_agent_default_repository" ) ) );
 
+      "control_agent_default_directory_create_mode" -> { "CFE-4590" }
+        string => ifelse( isvariable("control_agent_default_directory_create_mode"),
+                          "$(control_agent_default_directory_create_mode)",
+                          "700");
+
     enable_cfengine_enterprise_hub_ha::
       "standby_servers" slist => filter("$(sys.policy_hub)", "ha_def.ips", false, true, 10);
       "policy_servers" slist => { "$(sys.policy_hub)", "@(standby_servers)" };
diff --git a/update.cf.in b/update.cf.in
index a6adcf12c2..9f47a60c22 100644
--- a/update.cf.in
+++ b/update.cf.in
@@ -193,6 +193,9 @@ body agent control
 @if minimum_version(3.27.0)
       # The order in which promises are evaluated (top_down|classic)
       evaluation_order => "$(default:def.control_agent_update_evaluation_order)";
+
+      # The permissions automatically created directories should have
+      default_directory_create_mode => "$(default:update_def.control_agent_default_directory_create_mode)";
 @endif
 
     control_agent_agentfacility_configured::
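Review bot: `control_agent_default_directory_create_mode` in def.cf is defined without any comment, and the identical four-line definition with the same "700" literal is repeated in the update_def.cf.in hunk, so the two defaults can silently drift apart. Presumably the duplication is deliberate because the update policy has to stand on its own, but a comment at each site saying so, and stating that an Augments-supplied value is used as-is with no check in this policy beyond whatever cf-agent applies to the mode string, would make the contract explicit. Suggested comment above the promise (and the same one in update_def.cf.in): `# chmod-style mode for directories cf-agent creates implicitly; Augments may predefine it, otherwise 700 (keep in sync with update_def.cf.in)`. The enclosing bundle common def begins outside the hunk.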