Remove the execute permission from the directory #3992

Merged
merged 1 commit into from
Aug 24, 2023


zishen
Member

@zishen zishen commented Aug 24, 2023

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Reduce permissions for directories created by karmada itself.
From 755 to 700. Prevent unauthorized users from modifying content.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

@RainbowMango @whitewindmills @XiShanYongYe-Chang

@karmada-bot karmada-bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Aug 24, 2023
@karmada-bot karmada-bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Aug 24, 2023
@RainbowMango
Member

RainbowMango commented Aug 24, 2023

CI is failing:
https://github.com/karmada-io/karmada/actions/runs/5961906734/job/16172031967?pr=3992

I0824 09:28:14.555201   18831 deploy.go:184] kubeconfig file: /home/runner/.kube/karmada-host.config, kubernetes: https://172.18.0.5:6443/
I0824 09:28:14.635689   18831 deploy.go:204] karmada apiserver ip: [172.18.0.5]
error: certificate generation failed.unable to write private key to file mkdir /home/runner/karmada/pki: permission denied

@zishen
Member Author

zishen commented Aug 24, 2023

CI is failing: https://github.com/karmada-io/karmada/actions/runs/5961906734/job/16172031967?pr=3992

I0824 09:28:14.555201   18831 deploy.go:184] kubeconfig file: /home/runner/.kube/karmada-host.config, kubernetes: https://172.18.0.5:6443/
I0824 09:28:14.635689   18831 deploy.go:204] karmada apiserver ip: [172.18.0.5]
error: certificate generation failed.unable to write private key to file mkdir /home/runner/karmada/pki: permission denied

Yeah, a directory requires execute permission; otherwise files cannot be created.
So I changed the permission to 700.

@chaosi-zju
Member

runner@fv-az454-559:~$ pwd
/home/runner
runner@fv-az454-559:~$ mkdir /home/runner/karmada
runner@fv-az454-559:~$ chmod -R 640 /home/runner/karmada
runner@fv-az454-559:~$ mkdir /home/runner/karmada/pki
mkdir: cannot create directory ‘/home/runner/karmada/pki’: Permission denied

As you can see, if you chmod a directory to 640, the directory becomes effectively read-only; the mode of the directory should be at least 700~

More examples follow:

runner@fv-az454-559:~$ mkdir /home/runner/karmada
runner@fv-az454-559:~$ chmod -R 700 /home/runner/karmada
runner@fv-az454-559:~$ mkdir /home/runner/karmada/pki
runner@fv-az454-559:~$ chmod -R 700 /home/runner/karmada/pki
runner@fv-az454-559:~$ touch /home/runner/karmada/pki/xx.txt 
runner@fv-az454-559:~$ ls /home/runner/karmada/pki/xx.txt
/home/runner/karmada/pki/xx.txt
runner@fv-az454-559:~$ mkdir /home/runner/karmada
runner@fv-az454-559:~$ chmod -R 700 /home/runner/karmada
runner@fv-az454-559:~$ mkdir /home/runner/karmada/pki
runner@fv-az454-559:~$ chmod -R 640 /home/runner/karmada/pki
runner@fv-az454-559:~$ touch /home/runner/karmada/pki/xx.txt 
touch: cannot touch '/home/runner/karmada/pki/xx.txt': Permission denied

700 is enough in our case, though directories are usually chmod'ed to 750 in general.
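
The permission rules shown in the terminal sessions above, as an added Go example (not code from this PR or from karmada): `DirModeIssues` and `EnsurePrivateDir` are hypothetical helpers, and the path used in `main` is constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// DirModeIssues reports why a directory mode is unsuitable for a directory
// that holds private keys (such as the pki directory in the thread above).
func DirModeIssues(mode os.FileMode) []string {
	perm := mode.Perm()
	var issues []string
	if perm&0o200 == 0 {
		issues = append(issues, "owner lacks write: cannot create or remove entries")
	}
	if perm&0o100 == 0 {
		issues = append(issues, "owner lacks execute (search): cannot enter or create entries")
	}
	if perm&0o077 != 0 {
		issues = append(issues, "group/other bits set: directory reachable beyond the owner")
	}
	return issues
}

// EnsurePrivateDir creates path (and parents) and forces the leaf to 0700.
// MkdirAll leaves an existing directory's mode untouched, hence the Chmod.
func EnsurePrivateDir(path string) (os.FileMode, error) {
	if err := os.MkdirAll(path, 0o700); err != nil {
		return 0, err
	}
	if err := os.Chmod(path, 0o700); err != nil {
		return 0, err
	}
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	for _, m := range []os.FileMode{0o640, 0o700, 0o755} {
		fmt.Printf("%04o -> %v\n", m, DirModeIssues(m))
	}
	dir := filepath.Join(os.TempDir(), "karmada-example", "pki") // constructed path
	mode, err := EnsurePrivateDir(dir)
	fmt.Printf("%s mode=%04o err=%v\n", dir, mode, err)
}
```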

@chaosi-zju
Member

image

I think you may not have changed it completely~

Signed-off-by: Tanggui Bian <softwarebtg@163.com>
@karmada-bot karmada-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Aug 24, 2023
@zishen
Member Author

zishen commented Aug 24, 2023

image

I think you may not have changed it completely~

Yeah, thanks a lot.

@vincentgoat vincentgoat left a comment

lgtm

Member

@RainbowMango RainbowMango left a comment

/lgtm
/approve

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Aug 24, 2023
@karmada-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango, vincentgoat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 24, 2023
@karmada-bot karmada-bot merged commit 9f00dd2 into karmada-io:master Aug 24, 2023
12 checks passed