Check file permissions

[aidanheerdegen]

There should be regular automated checks of correct file permissions, e.g. that ACLs are correctly set on restricted deployment directories (UM licensing) and that other important files are read-only, e.g. ACCESS-NRI/ACCESS-OM2#72

[CodeGat]

@aidanheerdegen, I can make this an automated check for build-cd. We should come up with a structure of what files need to be checked and what they are being checked for, eg:

• vk83(/prerelease)?/apps/spack/.*/restricted/.* should have <insert long string of permissions>
• <whereever the inputs are, as regex> should have <something else>

[CodeGat]

From a meeting with @aidanheerdegen :

• These shall be callable scripts in vk83/admin
• These should be on.workflow_dispatch and on.schedule
• Look into options for nice input for getfacl (-t)
• In terms of what should be checked:
  • restricted folder, enforce existing acls
  • inputs:
    • access-om2, JRA-55: no w for anyone. Look into just setting the mask.
    • Rest g:r-X
  • apps: g:r-X for all
    • spack/* should be g:r-X
  • modules/payu should be as set
  • Everything else require g:r-X