plugin_unsafe_dir_world_writable

Diagnostic `nanook::plugin::unsafe_dir_world_writable`

Summary

plugin dir `{0}` is world-writable (mode {1:o})

Help

chmod o-w {0}, or set [plugins].strict = false to disable the check

Details

When this fires

`safety::DirCheck` found a plugin directory with the world-write bit set (`mode & 0o002 != 0`). The threat model is the same as for the owner check: any user on the machine could swap in a hostile `.so`. The default posture is to refuse to start in that situation. The error prints the octal mode and underlines the directory entry in your config. It fires at agent startup, before discovery.

What to check

Drop the world-write bit. Group-write is fine if the group is trusted. /tmp-like locations and shared scratch directories are rarely safe for plugins. As a development escape hatch, `[plugins].strict = false` disables both permission checks; don't ship that to production.

chmod o-w /etc/nanook/plugins
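
To find the problem before the agent refuses to start, the following pre-flight audit tests the same condition (`mode & 0o002 != 0`) from the shell. It is an added example, not nanook code; the function names `is_world_writable` and `audit_plugin_dir` are hypothetical. It goes one step beyond the diagnostic by also listing world-writable entries directly inside the directory, since a world-writable `.so` can be overwritten just as easily.

```shell
#!/bin/sh
# Added example (not part of nanook): audit a plugin directory for the
# world-write bit before starting the agent.

# Exit 0 when PATH has the world-write bit set (mode & 0o002 != 0).
# -H makes find follow a symlink given on the command line, so the mode
# tested is the target's, not the link's own lrwxrwxrwx.
is_world_writable() {
    [ -n "$(find -H "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Print one line per finding.
# Returns 0 = clean, 1 = world-writable dir or entry found, 2 = not a dir.
audit_plugin_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"
        return 2
    fi
    if is_world_writable "$dir"; then
        echo "world-writable dir: $dir (fix: chmod o-w $dir)"
        rc=1
    fi
    # Beyond the directory-only check: flag writable entries inside it.
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue   # empty dir or dangling symlink
        if is_world_writable "$entry"; then
            echo "world-writable entry: $entry (fix: chmod o-w $entry)"
            rc=1
        fi
    done
    return "$rc"
}

# When run as a script, audit the directory given as the first argument.
if [ "$#" -gt 0 ]; then
    audit_plugin_dir "$1"
fi
```

Run it as `sh audit.sh /etc/nanook/plugins` (the script name is arbitrary); a non-zero exit status means at least one path still needs `chmod o-w`.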