Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

permissions: worldWritable not working for unprivileged users #44

Closed
nganivet opened this issue Aug 27, 2016 · 4 comments
Closed

permissions: worldWritable not working for unprivileged users #44

nganivet opened this issue Aug 27, 2016 · 4 comments

Comments

@nganivet
Copy link

In file: app/defaults/services.yml, shouldn't we have:

  • [setDirCommand, ['write', 'sudo chmod 1777 {DIR}']]

Otherwise amp is only usable if you are root.
@totten
Copy link
Collaborator

totten commented Aug 29, 2016

In my experience with typical Linux/OSX/Solaris systems, it should be acceptable for an unprivileged Unix user to run chmod 1777 {DIR} as long as they own {DIR}.

If that's not working, then probably something else in the build process is running as a different user. (Example: maybe someone ran git clone or git checkout as root when it should have run as the unprivileged user.) This type of interaction is problematic with any permission strategy (chmod 1777 or setfacl or none).

I think it's better policy to avoid sudo if we can -- so that the user remains truly unprivileged. (AFAIK, granting permission to directly run sudo chmod 1777 essentially lets the user own the entire system.)

Suggestions:

  • Make sure that the folders are getting initialized with the intended, unprivileged user.
  • Do consider linuxAcl or osxAcl if at all possible. I've never seen a world-writeable policy that actually works well.
  • If you really do need use a sudo-world-writeable policy, try amp config:set --perm_type=custom --perm_custom_command='sudo chmod 1777 {DIR}'

@nganivet
Copy link
Author

Thanks, I understand your point and must have botched something in the process.

Rather than worldWritable I am trying to implement a policy that uses the owner set to the current user and the group set to apache. This way I can remove the 'other' permissions and have something slightly more secure. Will report when completed.

@totten
Copy link
Collaborator

totten commented Aug 29, 2016

Ah, nice idea. If you can get it to work, then it could be more reliable than 'worldWriteable' and more portable than linuxAcl or osxAcl. OTOH, there may be external fiddly bits (like umask) to deal with. For purposes of a Vagrantbox (where it uses a special filesystem and where you can edit the provisioning scripts), it could work well (even if it's just --perm_type=custom --perm_custom_command="chgrp ... {DIR}; chown ... {DIR}").

@nganivet
Copy link
Author

That's what I thought. I'll give it a try and report back - probably
next week-end as I am slammed this week.

------ Original Message ------
From: "Tim Otten" notifications@github.com
To: "amp-cli/amp" amp@noreply.github.com
Cc: "nganivet" nicolas@cividesk.com; "State change"
state_change@noreply.github.com
Sent: 8/29/2016 5:45:04 PM
Subject: Re: [amp-cli/amp] permissions: worldWritable not working for
unprivileged users (#44)

Ah, nice idea. If you can get it to work, then it could be more
reliable than 'worldWriteable' and more portable than linuxAcl or
osxAcl. OTOH, there may be external fiddly bits (like umask) to deal
with. For purposes of a Vagrantbox (where it uses a special filesystem
and where you can edit the provisioning scripts), it could work well
(even if it's just --perm_type=custom --perm_custom_command="chgrp ...
{DIR}; chown ... {DIR}").


You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub, or mute the thread.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@totten @nganivet