Improve permissions for files in workspace directories
Opened this issue · 2 comments
DROID is primarily designed to run commands using the Workflow buttons on the web pages, but I also want developers like me and @beckyjackson to be able to log in to the DROID server do work on branches.
With the current system, I usually:
- log in as `james`
- resume my `tmux` session
- start a new tmux window
- `cd` to a branch directory, e.g. `/var/www/droid.ontodev.com/projects/ONTIE/workspace/master`
- split my tmux window vertically
- `sudo su` then start my editor
- `sudo docker exec -it ONTIE-master bash` to run stuff inside the container
I'm not happy about the `sudo su` then editor step. I think that I should be able to just create/delete/edit files as `james`, but I invariably mess up permissions, and then Becky can't work with the files I create without `sudo`, or vice versa. I also have trouble working with `git`: if I run `git` as me then there are permission problems with the `.git/` directory; if I run `git` as `root` then I don't have my GitHub credentials.

I think there should be some combination of `setgid` and/or sticky bits that would make this work smoothly.
(Alternatively, I could install my preferred tools and configuration into the Docker container, but I worry that would leak secrets such as my GitHub credentials.)
The upshot is that we should be able to install our preferred tools and configuration in our user accounts and just do our work. This should include things like our own GitHub credentials. And it should also support remote editing tools for GUI editors such as Sublime and VSCode.
@lmcmicu Please try to replicate something like the following using SGID. Starting as a non-root user (e.g. `james`) who belongs to the `wheel` group:

```
cd /var/www/droid.ontodev.com/projects/curatron/workspace/main
sudo mkdir test
sudo chown root:wheel test
sudo chmod 2770 test
touch test/james
sudo touch test/root
sudo docker exec -it curatron-main touch /workspace/test/docker
ls -lah test
```

The "2" in "2770" should mean SGID, so new files created under the `test/` directory have the same group as the `test/` directory, in this case `wheel`. I see something like:

```
drwxrws--- 2 root wheel 4.0K Dec 13 16:08 .
drwxr-xr-x 8 root root 4.0K Dec 13 16:07 ..
-rw-r--r-- 1 root wheel 0 Dec 13 16:08 docker
-rw-r--r-- 1 james wheel 0 Dec 13 16:08 james
-rw-r--r-- 1 root wheel 0 Dec 13 16:08 root
```

I think this is what I want: `root` and `james` can both work with the files, and Docker is respecting the SGID from the mounted filesystem. The next thing to try would be `git` inside a SGID directory like this.
I found this page helpful: https://www.redhat.com/sysadmin/suid-sgid-sticky-bit
We worked on this some more. To make `git` work, it looks like we also need SUID to keep the user as `root` and `umask` to add group write on file creation. The `umask` would be required for both the DROID process and also the user's process.
It seems like it might be simpler to `sudo -E` (`--preserve-env`), or maybe `sudoedit`.
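The SGID experiment in the first comment and the umask point in the second can be checked together without `sudo`. The script below is an added example, not code from the DROID issue or project: it builds a scratch `2770` directory with `mktemp`, creates files under it with two different umasks, and reports whether each file inherited the directory's group and whether it came out group-writable. Because it runs as an unprivileged user, the directory's group is the caller's own primary group rather than `wheel`, and the `make_sgid_dir`, `check_sgid_inherit` and `demo` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the DROID issue): show what SGID on a directory does
# and does not do. SGID makes new files inherit the directory's group; only the
# creating process's umask decides whether those files are group-writable.
# Assumption: run as an unprivileged user, so the group is that user's primary
# group instead of "wheel" as in the issue.

set -e

# Create a scratch directory with mode 2770 (SGID + rwx for owner and group)
# and print its path.
make_sgid_dir() {
    d=$(mktemp -d)
    chmod 2770 "$d"
    printf '%s\n' "$d"
}

# Create a file under directory $1 while umask $2 is in effect, then report:
#   sgid=yes|no         the directory's group-execute slot shows the SGID bit
#   group-match=yes|no  the new file's gid equals the directory's gid
#   group-write=yes|no  the new file's mode has the group write bit
check_sgid_inherit() {
    dir=$1
    mask=$2
    f="$dir/probe-umask-$mask"
    # Apply the umask only in a subshell so the caller's umask is untouched.
    ( umask "$mask" && : > "$f" )

    # ls -n prints numeric uid/gid, which avoids name lookups; field 1 is the
    # mode string and field 4 is the gid.
    set -- $(ls -ldn "$dir")
    dmode=$1; dgid=$4
    set -- $(ls -ln "$f")
    fmode=$1; fgid=$4

    # Seventh character of the mode string is group execute; 's' or 'S' there
    # means SGID is set (this is the 's' in "drwxrws---" from the issue).
    case $dmode in
        ??????[sS]*) sgid=yes ;;
        *)           sgid=no ;;
    esac
    if [ "$dgid" = "$fgid" ]; then gm=yes; else gm=no; fi
    # Sixth character is the group write bit.
    case $fmode in
        ?????w*) gw=yes ;;
        *)       gw=no ;;
    esac
    printf 'sgid=%s group-match=%s group-write=%s\n' "$sgid" "$gm" "$gw"
}

# Side-by-side run: umask 002 yields group-writable files, the common default
# of 022 does not, even though SGID makes both inherit the group.
demo() {
    d=$(make_sgid_dir)
    echo "umask 002: $(check_sgid_inherit "$d" 002)"
    echo "umask 022: $(check_sgid_inherit "$d" 022)"
    rm -rf "$d"
}

demo
```

The second line of `demo`'s output is the failure mode described in the thread: with the usual `022` umask a file created by one user lands in the right group but is still read-only for everyone else in it, which is why the comment notes that both the DROID process and the interactive user need a `002`-style umask, not just the SGID bit.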