### Terraform Version

```shell
% TF_CLI_CONFIG_FILE=../.tf-control.tfrc terraform_1.4.2 version
Terraform v1.4.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.48.0
+ provider registry.terraform.io/hashicorp/external v2.2.3
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/time v0.9.1
+ provider registry.terraform.io/trevex/ldap v0.5.4
```

### Terraform Configuration Files

```terraform
# .tf-control.tfrc
plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
provider_installation {
  filesystem_mirror {
    path = "/data/terraform/terraform.d/providers"
    include = [ "*/*/*" ]
  }
  direct {
    include = [ "*/*/*" ]
  }
}
```

### Debug Output

Successful init upgrade (1.3.9)

```script
% TF_CLI_CONFIG_FILE=../.tf-control.tfrc terraform_1.3.9 init -upgrade
Initializing the backend...
Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding hashicorp/template versions matching ">= 1.0.0, >= 2.0.0"...
- Finding hashicorp/aws versions matching ">= 3.0.0, >= 3.66.0"...
- Finding hashicorp/external versions matching ">= 1.0.0, >= 1.1.0, >= 2.2.0"...
- Finding hashicorp/null versions matching ">= 1.0.0, >= 3.0.0"...
- Finding trevex/ldap versions matching ">= 0.5.4"...
- Finding latest version of hashicorp/time...
- Finding hashicorp/random versions matching ">= 1.0.0, >= 3.0.0"...
- Finding hashicorp/local versions matching ">= 1.0.0"...
- Using previously-installed hashicorp/external v2.3.1
- Using previously-installed hashicorp/null v3.2.1
- Using previously-installed trevex/ldap v0.5.4
- Using previously-installed hashicorp/time v0.9.1
- Using previously-installed hashicorp/random v3.4.3
- Using previously-installed hashicorp/local v2.4.0
- Using previously-installed hashicorp/template v2.2.0
- Using previously-installed hashicorp/aws v4.59.0
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
```

Failed init upgrade (1.4.0+)

```script
% TF_CLI_CONFIG_FILE=../.tf-control.tfrc terraform_1.4.2 init -upgrade
Initializing the backend...
Upgrading modules...
Downloading ... # removed
Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding hashicorp/external versions matching ">= 1.0.0, >= 1.1.0, >= 2.2.0"...
- Finding trevex/ldap versions matching ">= 0.5.4"...
- Finding hashicorp/null versions matching ">= 1.0.0, >= 3.0.0"...
- Finding hashicorp/local versions matching ">= 1.0.0"...
- Finding hashicorp/random versions matching ">= 1.0.0, >= 3.0.0"...
- Finding latest version of hashicorp/time...
- Finding hashicorp/template versions matching ">= 1.0.0, >= 2.0.0"...
- Finding hashicorp/aws versions matching ">= 3.0.0, >= 3.66.0"...
- Using previously-installed trevex/ldap v0.5.4
- Using previously-installed hashicorp/null v3.2.1
- Installing hashicorp/local v2.4.0...
- Using previously-installed hashicorp/random v3.4.3
- Using previously-installed hashicorp/time v0.9.1
- Using previously-installed hashicorp/template v2.2.0
- Installing hashicorp/aws v4.59.0...
- Installing hashicorp/external v2.3.1...
╷
│ Error: Failed to install provider
│
│ Error while installing hashicorp/local v2.4.0: chmod /data/terraform/terraform.d/plugin-cache/registry.terraform.io/hashicorp/local/2.4.0/linux_amd64/terraform-provider-local_v2.4.0_x5: operation not permitted
╵
╷
│ Error: Failed to install provider
│
│ Error while installing hashicorp/aws v4.59.0: open /data/terraform/terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.59.0/linux_amd64/terraform-provider-aws_v4.59.0_x5: permission denied
```

The first file has a different owner than the user running this script. The second file, the user running the script does not have write access to the file. However, the umask is 002 and write access should have been set so the ACL can offer the write capability.

### Expected Behavior

Provider should install and continue.

### Actual Behavior

Provider install fails, and we cannot continue.

### Steps to Reproduce

1. `terraform init -upgrade`

### Additional Context

We used a shared plugin cache and provider tree. We have permissions set and ACLs on the files and directories to allow all our users (who belong to a specific group) to write into this directory. Beginning with 1.4.0 (still present in 1.4.2), we get a failure on `chmod()` of the file, because the user writing the file is not the owner. It appears the umask is not being honored on create. An `strace` shows it setting the mode to 0755 (vs 775, which is what I would expect for an executable & the umask). This will fail if the owner of the file is not the user running it. If the owner IS the user, I would expect a 775 permission vs 755.

```script
275964 12:13:48 fchmodat(AT_FDCWD, "/data/terraform/terraform.d/plugin-cache/registry.terraform.io/hashicorp/local/2.4.0/linux_amd64/terraform-provider-local_v2.4.0_x5", 0755
275961 12:13:48 NULL) = 0
275961 12:13:48 nanosleep({tv_sec=0, tv_nsec=20000},
275964 12:13:48 ) = -1 EPERM (Operation not permitted)
```

So, two issues, it seems:

1. chmod() on installing provider files not using umask
2. chmod on files not owned

### References

_No response_
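
The two mechanisms behind these errors, as an added Python example that is not part of the original report or Terraform's code: `create_then_chmod` shows that the umask shapes a file's mode only at creation and that an explicit `chmod` sets the mode exactly as passed, and `audit_cache` lists files in a shared cache that a given user could not overwrite. The function names and the file name are hypothetical, and the audit reads owner and mode bits only, not POSIX ACL entries.

```python
import os
import stat
import tempfile


def create_then_chmod(umask, chmod_mode=0o755):
    """Return (mode after create, mode after chmod) for a file made under umask."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "terraform-provider-example_x5")  # constructed name
            # O_CREAT: the kernel clears the umask bits from the requested 0777.
            os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o777))
            created = stat.S_IMODE(os.stat(path).st_mode)
            # chmod(2) sets exactly the mode passed in; the umask is not consulted.
            os.chmod(path, chmod_mode)
            return created, stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def audit_cache(root, uid, gids):
    """Return [(path, problem)] for cache files that uid could not reinstall over.

    Assumption: judged from owner and mode bits only; POSIX ACL entries and
    capabilities such as CAP_FOWNER are not evaluated.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_uid == uid:
                writable = st.st_mode & stat.S_IWUSR
            else:
                # Only the owner (or a privileged process) may chmod a file.
                findings.append((path, "chmod would fail with EPERM"))
                bit = stat.S_IWGRP if st.st_gid in gids else stat.S_IWOTH
                writable = st.st_mode & bit
            if not writable:
                findings.append((path, "open for write would fail with EACCES"))
    return findings
```

Running `audit_cache` over the plugin cache directory with each team member's uid and group ids shows in advance which provider files would trigger either of the two errors above.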