fix(core): bundling directory access permission is too restrictive #8767
@jogold can you take a look at this please?
@@ -144,6 +144,9 @@ export class AssetStaging extends Construct { | |||
|
|||
// Create temp directory for bundling inside the temp staging directory | |||
const bundleDir = path.resolve(fs.mkdtempSync(path.join(stagingTmp, 'asset-bundle-'))); | |||
// Chmod the bundleDir to full access after applying the process the umask. | |||
// tslint:disable-next-line:no-bitwise | |||
fs.chmodSync(bundleDir, 0o777 & (~process.umask())); |
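Review bot: The comment above fs.chmodSync(bundleDir, 0o777 & (~process.umask())) does not say why the bundle directory has to be opened up beyond the mode mkdtempSync gave it, and its wording is garbled ("after applying the process the umask"). This line widens access to group and others wherever the umask allows, so the comment should name the consumer that needs that access; otherwise a later reader has no basis for tightening or loosening the mode. The tslint no-bitwise suppression exists only for the umask masking, so if the mode ends up as a constant, remove the disable comment along with it.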
Looks like calling process.umask() with no argument is now deprecated in Node.js v14: https://nodejs.org/docs/latest-v14.x/api/process.html#process_process_umask
What would be the alternative? What about using only 0o777, would it be OK?
Another alternative is to set a new umask (to get the return value), then restore the original umask. I've seen a getumask manpage that describes this approach. But, mode 0o777 alone would certainly satisfy my use case. I can't think of any major downsides. What's your preference?
> But, mode 0o777 alone would certainly satisfy my use case. I can't think of any major downsides.
OK, let's go for this.
@eladb LGTM, maybe change the PR title to something like
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
The new bundler uses mkdtempSync to pre-create uniquely named directories for asset staging. But, mkdtempSync creates the staging directories with a restrictive 0700 & ~umask mode, rather than mkdir's usual 0777 & ~umask mode.

In Bitbucket Pipelines, these restrictive permissions prevent the bundler from accessing its /asset-output volume. And, if the bundler can't access /asset-output, bundling fails.

This fix chmods the asset staging directory to 0777. This change fixes my Bitbucket Pipelines issue.
Closes #8757
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
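
An added example, not part of this pull request or of the CDK code base: it measures the mode difference between mkdtempSync and mkdirSync described above, and uses the set-then-restore approach from the review thread to read the umask without the deprecated no-argument call. The helper names (currentUmask, modeOf, demo) and the temporary directory names are hypothetical; POSIX permissions are assumed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Read the umask without calling process.umask() with no argument:
// set a temporary mask, capture the previous value, restore it at once.
// The temporary mask is restrictive (0o077) so nothing created during
// the brief window can end up more open than intended. The umask is
// process-wide, so do this once at startup rather than in hot paths.
function currentUmask() {
  const previous = process.umask(0o077);
  process.umask(previous);
  return previous;
}

// Permission bits only, without the file-type bits.
function modeOf(p) {
  return fs.statSync(p).mode & 0o777;
}

function demo() {
  const umask = currentUmask();
  // Hypothetical scratch location, removed again in the finally block.
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'staging-demo-'));
  try {
    const viaMkdtemp = fs.mkdtempSync(path.join(root, 'asset-bundle-'));
    const viaMkdir = path.join(root, 'plain');
    fs.mkdirSync(viaMkdir);

    const before = modeOf(viaMkdtemp);   // 0o700 & ~umask
    const mkdirMode = modeOf(viaMkdir);  // 0o777 & ~umask

    // chmod does not consult the umask, so apply it explicitly to get
    // the same mode mkdir would have produced, and nothing wider.
    fs.chmodSync(viaMkdtemp, 0o777 & ~umask);
    const after = modeOf(viaMkdtemp);

    return { umask, before, mkdirMode, after };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}

const result = demo();
for (const [name, value] of Object.entries(result)) {
  console.log(name.padEnd(10), '0o' + value.toString(8).padStart(3, '0'));
}
```
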