We found a problem with the permissions of the /data/mender/scripts directory. In our setup, we have an integrity check on the /data partition to detect unwanted changes to file metadata. In particular, we check that the permissions for /data/mender/scripts are 755 (this is what they are set to in Mender Yocto recipe).
We found that the directory is recreated whenever a new artifact is installed. It seems in that case, the permissions are also 755 (I don’t know if this is enforced by Mender client, or if these permissions are extracted from the artifact).
But there is one case where the permissions end up being different: we have set umask to 027 by default to avoid newly created files and directories having unnecessary permissions. When we install an invalid artifact (for example, one that was modified so that its signature is not valid anymore), it seems Mender will recreate the scripts directory with a mkdir. The umask is then applied, and so the directory ends up with permissions 750 instead of 755.
I don’t see how we can fix this without a patch to Mender client to ensure the permissions are always preserved. But I’m happy to hear if you have any suggestions.