ontodev/droid

Improve permissions for files in workspace directories

Opened this issue · 2 comments

DROID is primarily designed to run commands using the Workflow buttons on the web pages, but I also want developers like me and @beckyjackson to be able to log in to the DROID server to do work on branches.

With the current system, I usually

  • log in as james
  • resume my tmux session
  • start a new tmux window
  • cd to a branch directory, e.g. /var/www/droid.ontodev.com/projects/ONTIE/workspace/master
  • split my tmux window vertically
    1. sudo su then start my editor
    2. sudo docker exec -it ONTIE-master bash to run stuff inside the container

I'm not happy about the sudo su then editor step. I think that I should be able to just create/delete/edit files as james but I invariably mess up permissions, and then Becky can't work with the files I create without sudo, or vice versa. I also have trouble working with git: if I run git as me then there are permission problems with the .git/ directory; if I run git as root then I don't have my GitHub credentials.

I think there should be some combination of setgid and/or sticky bits that would make this work smoothly.

(Alternatively, I could install my preferred tools and configuration into the Docker container, but I worry that would leak secrets such as my GitHub credentials.)

The upshot is that we should be able to install our preferred tools and configuration in our user accounts and just do our work. This should include things like our own GitHub credentials. And it should also support remote editing tools for GUI editors such as Sublime and VSCode.

@lmcmicu Please try to replicate something like the following using SGID. Starting as a non-root user (e.g. james) who belongs to the wheel group:

cd /var/www/droid.ontodev.com/projects/curatron/workspace/main
sudo mkdir test
sudo chown root:wheel test
sudo chmod 2770 test
touch test/james
sudo touch test/root
sudo docker exec -it curatron-main touch /workspace/test/docker
ls -lah test

The "2" in "2770" should mean SGID, so new files created under the test/ directory have the same group as the test/ directory, in this case wheel. I see something like:

drwxrws--- 2 root  wheel 4.0K Dec 13 16:08 .
drwxr-xr-x 8 root  root  4.0K Dec 13 16:07 ..
-rw-r--r-- 1 root  wheel    0 Dec 13 16:08 docker
-rw-r--r-- 1 james wheel    0 Dec 13 16:08 james
-rw-r--r-- 1 root  wheel    0 Dec 13 16:08 root

I think this is what I want: root and james can both work with the files, and Docker is respecting the SGID from the mounted filesystem. The next thing to try would be git inside a SGID directory like this.

I found this page helpful: https://www.redhat.com/sysadmin/suid-sgid-sticky-bit

We worked on this some more. To make git work, it looks like we also need SUID to keep the user as root and umask to add group write on file creation. The umask would be required for both the DROID process and also the user's process.

It seems like it might be simpler to james> sudo -E (--preserve-env), or maybe sudoedit.
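
The SGID test from the comments above, repeated in a throwaway temp directory with the umask step added, as an added example that is not part of the original thread or the DROID code. It assumes Linux with GNU stat and find and needs no sudo; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: SGID + umask on a throwaway directory. Assumes Linux with
# GNU coreutils/findutils (stat -c, find -printf). No sudo required.

# Create an SGID, group-rwx directory like "chmod 2770 test" in the thread.
# If the caller has a supplementary group, use it so that group inheritance
# is visible (otherwise new files would get the caller's primary group anyway).
make_sgid_dir() (
  dir=$(mktemp -d) || exit 1
  alt=$(id -G | tr ' ' '\n' | grep -vx "$(id -g)" | head -n 1)
  if [ -n "$alt" ]; then chgrp "$alt" "$dir" 2>/dev/null || true; fi
  chmod 2770 "$dir"
  printf '%s\n' "$dir"
)

# Create an empty file in directory $1 under umask $2; print "<octal mode> <gid>".
# The ( ) function body is a subshell, so the umask does not leak to the caller.
create_with_umask() (
  umask "$2"
  : > "$1/file-$2"
  stat -c '%a %g' "$1/file-$2"
)

# List entries that would block another group member: no group write bit,
# or a group that differs from the directory's group.
find_unshareable() (
  gid=$(stat -c '%g' "$1")
  find "$1" -mindepth 1 \( ! -perm -020 -o ! -gid "$gid" \) -printf '%M %g %P\n' | sort
)

demo() (
  dir=$(make_sgid_dir) || exit 1
  echo "directory:  $(stat -c '%A %G' "$dir")"
  echo "umask 022:  $(create_with_umask "$dir" 022)"   # same mode as the listing above
  echo "umask 002:  $(create_with_umask "$dir" 002)"   # group write added
  echo "unshareable entries:"
  find_unshareable "$dir"
  rm -rf "$dir"
)
demo
```

The file created under umask 022 inherits the directory's group but has no group write bit, which matches the -rw-r--r-- entries in the listing above; only the umask 002 file is editable by another group member.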