Harden archive directory permissions

[ItsMatti4]

Summary

This hardens archive and install filesystem permission handling:

• preserve the computed directory mode when retrying archive directory creation after creating missing parents
• keep buffered and streaming tarball extraction behavior consistent
• create temporary lockfiles with their final permissions instead of briefly using 0o777
• add a POSIX regression test for directory extraction with missing parents

Why

The fallback path for directory extraction retried mkdirat with 0o777 after creating missing parent directories. That could make an extracted directory more permissive than the mode declared in the archive. The streaming installer had the same fallback behavior.

The lockfile writer also created temporary lockfiles with 0o777 and only normalized permissions afterward. Creating them with the final mode avoids that unnecessary permission window.

Test Plan

• git diff --check
• Not run: Bun/Rust test suite, because this Windows environment does not have bun, cargo, or the Bun build toolchain available in PATH.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b491c7fa-b866-4c33-ad54-e9335c316dc0

📥 Commits

Reviewing files that changed from the base of the PR and between cb4647e and 17691e9.

📒 Files selected for processing (4)

• src/install/TarballStream.rs
• src/install/lockfile.rs
• src/libarchive/lib.rs
• test/js/bun/archive.test.ts

---

Walkthrough

Compute and reuse permission modes for non-Windows directory creation and lockfile temp files instead of defaulting to 0o777; add tests to ensure tar-extracted directories preserve their entry-specified modes.

Changes

Permission preservation in tar extraction and lockfile creation

Layer / File(s)	Summary
Tar directory extraction with computed permissions src/install/TarballStream.rs, src/libarchive/lib.rs	Non-Windows directory creation from tar entries now converts permission bits to Mode once and reuses that value in both initial mkdirat_z calls and error-recovery retries, replacing the previous hardcoded 0o777 fallback.
Test infrastructure and tar extraction validation test/js/bun/archive.test.ts	Test tar-header builder helpers are extended to accept optional mode and type parameters; a new regression test constructs a tarball with a directory entry of specific mode (0o700) and validates the extracted directory preserves those permission bits.
Lockfile temp-file creation with computed permissions src/install/lockfile.rs	Temporary lockfile is now created with precomputed filemode based on save format (0o644 for text, 0o755 for binary) instead of always 0o777; subsequent Unix fchmod reuses the precomputed mode, removing local mode branching in the #[cfg(unix)] block.

Possibly related PRs:

• oven-sh/bun#31175: Overlapping changes to extraction permission handling in src/libarchive/lib.rs and related tar extraction logic.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Harden archive directory permissions' clearly and specifically summarizes the main change: improving filesystem permission handling in archive extraction and installation.
Description check	✅ Passed	The description covers both required sections with substantive detail: 'Summary' explains what the PR does (multiple behavioral improvements), and 'Why' provides clear motivation. 'Test Plan' is included as additional context.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}