set setuid/setgid bits in fix-permissions

ensures files have the right owner:group unfortunately, not enough to get group-writable permissions (need acl or umask for that), so we still need to run it after each install
jupyter · Aug 26, 2017 · 2df9c49 · 2df9c49
1 parent c6c1ce4
commit 2df9c49
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 12 deletions.
diff --git a/base-notebook/Dockerfile b/base-notebook/Dockerfile
@@ -37,8 +37,7 @@ ENV CONDA_DIR=/opt/conda \
     SHELL=/bin/bash \
     NB_USER=jovyan \
     NB_UID=1000 \
-    NB_OWNER_GROUP=user-writable \
-    NB_OWNER_GID=10000 \
+    NB_GID=100 \
     LC_ALL=en_US.UTF-8 \
     LANG=en_US.UTF-8 \
     LANGUAGE=en_US.UTF-8
@@ -51,10 +50,9 @@ ADD fix-permissions /usr/local/bin/fix-permissions
 # files we want users to write (/home/jovyan, packages)
 RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
     mkdir -p $CONDA_DIR && \
-    chown $NB_USER $CONDA_DIR && \
-    groupadd -g $NB_OWNER_GID $NB_OWNER_GROUP && \
-    usermod -G $NB_OWNER_GROUP $NB_USER && \
-    fix-permissions /home/$NB_USER
+    chown $NB_USER:$NB_GID $CONDA_DIR && \
+    fix-permissions $HOME && \
+    fix-permissions $CONDA_DIR
 
 USER $NB_USER
 
@@ -65,15 +63,14 @@ RUN mkdir /home/$NB_USER/work && \
 # Install conda as jovyan and check the md5 sum provided on the download site
 ENV MINICONDA_VERSION 4.3.21
 RUN cd /tmp && \
-    mkdir -p $CONDA_DIR && \
     wget --quiet https://repo.continuum.io/miniconda/Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh && \
     echo "c1c15d3baba15bf50293ae963abef853 *Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh" | md5sum -c - && \
     /bin/bash Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh -f -b -p $CONDA_DIR && \
     rm Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh && \
     $CONDA_DIR/bin/conda config --system --prepend channels conda-forge && \
     $CONDA_DIR/bin/conda config --system --set auto_update_conda false && \
     $CONDA_DIR/bin/conda config --system --set show_channel_urls true && \
-    $CONDA_DIR/bin/conda update --all && \
+    $CONDA_DIR/bin/conda update --all --quiet --yes && \
     conda clean -tipsy && \
     fix-permissions $CONDA_DIR
 

diff --git a/base-notebook/fix-permissions b/base-notebook/fix-permissions
@@ -2,7 +2,7 @@
 # set permissions on a directory
 # after any installation, if a directory needs to be (human) user-writable,
 # run this script on it.
-# It will make everything in the directory owned by the group $NB_OWNER_GROUP
+# It will make everything in the directory owned by the group $NB_GID
 # and writable by that group.
 # Deployments that want to set a specific user id can preserve permissions
 # by adding the `--group-add user-writable` line to `docker run`.
@@ -11,17 +11,25 @@
 # which would cause massive image explosion
 
 # right permissions are:
-# group=$NB_OWNER_GROUP
+# group=$NB_GID
 # AND permissions include group rwX (directory-execute)
+# AND directories have setuid,setgid bits set
 
 set -e
 
 for d in $@; do
   find "$d" \
     ! \( \
-      -group $NB_OWNER_GROUP \
+      -group $NB_GID \
       -a -perm -g+rwX  \
     \) \
-    -exec chgrp $NB_OWNER_GROUP {} \; \
+    -exec chgrp $NB_GID {} \; \
     -exec chmod g+rwX {} \;
+  # setuid,setgid *on directories only*
+  find "$d" \
+    \( \
+        -type d \
+        -a ! -perm -6000  \
+    \) \
+    -exec chmod +6000 {} \;
 done