Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

campaigns: widen permissions on mounted paths #366

Merged
merged 4 commits into from
Nov 5, 2020
Merged

campaigns: widen permissions on mounted paths #366

merged 4 commits into from
Nov 5, 2020

Conversation

LawnGnome
Copy link
Contributor

This fixes #365 by ensuring that files and workspaces mounted into campaign containers are world readable, writable, and executable as appropriate.

@LawnGnome
campaigns: widen permissions on mounted paths
8aa78cf 
This fixes #365 by ensuring that files and workspaces mounted into
campaign containers are world readable, writable, and executable as
appropriate.
@LawnGnome LawnGnome requested a review from a team November 4, 2020 21:22
eseliger
eseliger approved these changes Nov 4, 2020
View reviewed changes
Copy link
Member

@eseliger eseliger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

internal/campaigns/archive_fetcher.go Show resolved Hide resolved
internal/campaigns/archive_fetcher.go
// that the file is globally writable. If the execute bit is normally
// set on the zipped up file, let's ensure we propagate that to the
// group and other permission bits too.
if f.Mode()&0111 != 0 {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch

internal/campaigns/run_steps.go Outdated
@@ -97,6 +97,12 @@ func runSteps(ctx context.Context, wc *WorkspaceCreator, repo *graphql.Repositor
}
defer os.Remove(runScriptFile.Name())

// This file needs to be readable within the container regardless of
// the user the container is running as.
if err := runScriptFile.Chmod(0644); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does it not need to be executable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Counter intuitively, no! The Docker command basically boils down to this:

docker run --entrypoint /bin/bash -- sha256:CONTAINER_ID /tmp/some-horrible-script-name

Since the shell is the entrypoint, only that needs to be executable, and the script being run is just a regular old command line parameter.

@LawnGnome
Copy link
Contributor Author

OK, it looks like we have some Windows issues, so please hold while I figure out how much they matter. (My suspicion is: not much, given the different Docker execution model on Windows.)

chrispine
chrispine approved these changes Nov 4, 2020
View reviewed changes
Copy link
Contributor

@chrispine chrispine left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for getting to this so quickly!

eseliger
eseliger reviewed Nov 4, 2020
View reviewed changes
internal/campaigns/archive_fetcher_windows_test.go

have := mustGetPerm(t, path)

// Go maps Windows file attributes onto Unix permissions in a fairly trivial
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤯
Thanks for finding this!

@mrnugget
Copy link
Contributor

mrnugget commented Nov 5, 2020

Good stuff!

@LawnGnome LawnGnome merged commit 58838e8 into main Nov 5, 2020
@LawnGnome LawnGnome deleted the aharvey/fix-permissions branch November 5, 2020 17:53
@LawnGnome LawnGnome mentioned this pull request Nov 13, 2020
Closed
scjohns pushed a commit that referenced this pull request Apr 24, 2023
@LawnGnome
campaigns: widen permissions on mounted paths (#366)
19306bd 
This fixes #365 by ensuring that files and workspaces mounted into
campaign containers are world readable, writable, and executable as
appropriate.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eseliger eseliger eseliger approved these changes

@mrnugget mrnugget mrnugget approved these changes

@chrispine chrispine chrispine approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

campaigns: create files/directories that might be mounted into the container with global permissions
4 participants
@LawnGnome @mrnugget @chrispine @eseliger