From f9e34b1e95c0666e1f080b638dbf9fe1d689a7e7 Mon Sep 17 00:00:00 2001
From: Cyrill Troxler <cyrilltroxler@gmail.com>
Date: Tue, 31 Mar 2026 21:06:58 +0200
Subject: [PATCH] fix: dir/file permissions on extract

---
 manager/node/service.go | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/manager/node/service.go b/manager/node/service.go
index 50f5bc2..2c22744 100644
--- a/manager/node/service.go
+++ b/manager/node/service.go
@@ -2,6 +2,7 @@
 package node
 
 import (
+	"archive/tar"
 	"context"
 	"crypto/tls"
 	"errors"
@@ -496,24 +497,44 @@ func extract(ctx context.Context, id string, reader io.ReadCloser) error {
 	}
 	return format.Extract(ctx, reader, func(ctx context.Context, f archives.FileInfo) error {
 		name := filepath.Join(baseDir, filepath.Clean(f.NameInArchive))
+		header, ok := f.Sys().(*tar.Header)
 		if f.IsDir() {
-			return os.MkdirAll(name, f.Mode())
+			if err := os.MkdirAll(name, f.Mode()); err != nil {
+				return err
+			}
+			if err := os.Chmod(name, f.Mode()); err != nil {
+				return err
+			}
+			if !ok {
+				return nil
+			}
+			return os.Chown(name, int(header.Uid), int(header.Gid))
 		}
 
 		rc, err := f.Open()
 		if err != nil {
 			return err
 		}
+		defer rc.Close()
 
-		file, err := os.Create(name)
+		file, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, f.Mode())
 		if err != nil {
 			return err
 		}
+		defer file.Close()
 
 		if _, err := io.Copy(file, rc); err != nil {
 			return err
 		}
-		return nil
+
+		if err := os.Chmod(name, f.Mode()); err != nil {
+			return err
+		}
+
+		if !ok {
+			return nil
+		}
+		return os.Chown(name, int(header.Uid), int(header.Gid))
 	})
 }