From 556b762924017684a070fa9dba0e8a8b3f58b365 Mon Sep 17 00:00:00 2001
From: Ofek Lev
Date: Thu, 18 Jun 2026 20:13:52 -0400
Subject: [PATCH] Improve default artifact permissions
---
 src/util/chmodx.rs | 2 +-
 tests/dotslash_tests.rs | 30 ++++++++++++++++++++++++++++++
 website/docs/dotslash-file.md | 3 +++
 3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/src/util/chmodx.rs b/src/util/chmodx.rs
index d8ee133..ef53357 100644
--- a/src/util/chmodx.rs
+++ b/src/util/chmodx.rs
@@ -16,7 +16,7 @@ use std::path::Path;
 use crate::util::fs_ctx;
-const DEFAULT_FILE_PERMISSIONS: u32 = 0o500;
+const DEFAULT_FILE_PERMISSIONS: u32 = 0o555;
 pub fn chmodx>(path: P) -> io::Result<()> {
 fn inner(path: &Path) -> io::Result<()> {
diff --git a/tests/dotslash_tests.rs b/tests/dotslash_tests.rs
index 403b357..909dae4 100644
--- a/tests/dotslash_tests.rs
+++ b/tests/dotslash_tests.rs
@@ -14,6 +14,8 @@ mod common;
 use std::ffi::OsString;
 use std::fs;
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt as _;
 use std::str;
 use tempfile::NamedTempFile;
@@ -907,6 +909,34 @@ fn fetch_simple() -> anyhow::Result<()> {
 Ok(())
 }
+#[cfg(unix)]
+#[test]
+fn fetch_plain_sets_default_executable_permissions() -> anyhow::Result<()> {
+ let mut test_env = DotslashTestEnv::try_new()?;
+ test_env.path_redaction(
+ "[ARTIFACT_EXE]",
+ "[DOTSLASH_CACHE_DIR]/[PACK_PLAIN_HTTP_ARCHIVE_CACHE_DIR]/subdir/[PRINT_ARGV_EXECUTABLE]",
+ );
+
+ let assert = test_env
+ .dotslash_command()
+ .arg("--")
+ .arg("fetch")
+ .arg("tests/fixtures/http__plain__print_argv")
+ .assert()
+ .code(0)
+ .stderr_eq("")
+ .stdout_eq("[ARTIFACT_EXE]\n");
+
+ let artifact = str::from_utf8(&assert.get_output().stdout)?.trim_end();
+
+ let metadata = fs::metadata(artifact)?;
+ assert!(metadata.is_file());
+ assert_eq!(metadata.permissions().mode() & 0o777, 0o555);
+
+ Ok(())
+}
+
 //
 // "get-extracted-cache-path" Command
 //
diff --git a/website/docs/dotslash-file.md b/website/docs/dotslash-file.md
index b6a7b75..5813d79 100644
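Review bot: In src/util/chmodx.rs, `DEFAULT_FILE_PERMISSIONS` goes from 0o500 to 0o555, which gives group and other read and execute access to cached artifacts, and nothing on the constant records that this widening is deliberate. Whether other local accounts can actually reach the file depends on the modes of the cache directories, which this hunk does not show; if any artifact is fetched with credentials, its contents may become readable to every account that can traverse the cache, so that is worth confirming before merge. I would add a doc comment above the constant, for example `/// r-xr-xr-x: readable and executable by all users, writable by none; cache directory modes decide who can reach the file.` The body of `chmodx` continues outside the hunk, so the condition under which this mode is applied cannot be checked here.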
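Review bot: The last assertion in `fetch_plain_sets_default_executable_permissions` (tests/dotslash_tests.rs) masks the mode with `0o777`, so a setuid, setgid or sticky bit on the cached artifact would pass unnoticed. Masking with `0o7777` pins the whole mode: `assert_eq!(metadata.permissions().mode() & 0o7777, 0o555);`. The documentation change in this commit says the mode is applied only when the fetched file has no executable bits; this test appears to cover only that case, so a companion test for a file that already carries executable bits would pin the other branch.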
--- a/website/docs/dotslash-file.md +++ b/website/docs/dotslash-file.md @@ -475,6 +475,9 @@ At Meta, we have found compression to be a win, but if for some reason you prefer to fetch your executable as an uncompressed single file, you can omit the `"format"` field, but `"path"` is still required. +For single-file artifacts on Unix, if the fetched file has no executable bits, +DotSlash makes the cached file executable with mode `0555` (`r-xr-xr-x`). + ## Arg0 There is an optional `arg0` field on an artifact entry. It defaults to