-
-
Notifications
You must be signed in to change notification settings - Fork 7.7k
-
-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Production installer fails with umask 077 #2373
Comments
Sounds good; I think we just need to add that line near the top of scripts/lib/install and then test it to make sure we did it right :) |
@timabbott I would like to work on this. |
Cool. Basically you'll just want to do a series of production installs on a VM, using |
A quick test looks like that solves the problem. I'll do a more thorough one creating tarballs to confirm. Without any changes, using umask 077 I get this error on a new install:
|
Cool! Just submit a PR with the change once you've confirmed. Yay, it'll be nice to close this out. |
Follow-on from zulip#2373/ PR zulip#4316, to set an appropriate umask also when upgrading. From experimentation, it seems `create-production-venv` is the only part that needs this. If that's not correct, then any other `subprocess.check_call` can have the same preexec_fn added. The permissions do propagate down child subprocesses, but in this case we can't take advantage of that and use it in `lib/upgrade-zulip`, because that isn't updated before being used like `upgrade-zulip-stage-2` is. If in the future it matters, preexec_fn doesn't work for Windows. Also, the lambda is because normally it won't accept a function with arguments. I've tested this by starting from a clean install, deleting /srv/* so new files are downloaded, and then doing an upgrade. It would be nice if someone else can also test this in a production environment to verify I've not missed anything.
Follow-on from zulip#2373/ PR zulip#4316, to set an appropriate umask also when upgrading. From experimentation, it seems `create-production-venv` is the only part that needs this. If that's not correct, then any other `subprocess.check_call` can have the same preexec_fn added. The permissions do propagate down child subprocesses, but in this case we can't take advantage of that and use it in `lib/upgrade-zulip`, because that isn't updated before being used like `upgrade-zulip-stage-2` is. If in the future it matters, preexec_fn doesn't work for Windows. Also, the lambda is because normally it won't accept a function with arguments. I've tested this by starting from a clean install, deleting /srv/* so new files are downloaded, and then doing an upgrade. It would be nice if someone else can also test this in a production environment to verify I've not missed anything.
Follow-on from zulip#2373/ PR zulip#4316, to set an appropriate umask also when upgrading. From experimentation, it seems `create-production-venv` is the only part that needs this. If that's not correct, then any other `subprocess.check_call` can have the same preexec_fn added. The permissions do propagate down child subprocesses, but in this case we can't take advantage of that and use it in `lib/upgrade-zulip`, because that isn't updated before being used like `upgrade-zulip-stage-2` is. If in the future it matters, preexec_fn doesn't work for Windows. Also, the lambda is because normally it won't accept a function with arguments. I've tested this by starting from a clean install, deleting /srv/* so new files are downloaded, and then doing an upgrade. It would be nice if someone else can also test this in a production environment to verify I've not missed anything.
Follow-on from zulip#2373/ PR zulip#4316, to set an appropriate umask also when upgrading. From experimentation, it seems create-production-venv is the only part that needs this. If that's not correct, then any other subprocess.check_call can have the same preexec_fn added. The permissions do propagate down child subprocesses, but in this case we can't take advantage of that and use it in lib/upgrade-zulip, because that isn't updated before being used like upgrade-zulip-stage-2 is. If in the future it matters, preexec_fn doesn't work for Windows. Also, the lambda is because normally it won't accept a function with arguments. I've tested this by starting from a clean install, deleting /srv/* so new files are downloaded, and then doing an upgrade. It would be nice if someone else can also test this in a production environment to verify I've not missed anything.
Follow-on from zulip#2373/ PR zulip#4316, to set an appropriate umask also when upgrading. From experimentation, it seems create-production-venv is the only part that needs this. If that's not correct, then any other subprocess.check_call can have the same preexec_fn added. The permissions do propagate down child subprocesses, but in this case we can't take advantage of that and use it in lib/upgrade-zulip, because that isn't updated before being used like upgrade-zulip-stage-2 is. If in the future it matters, preexec_fn doesn't work for Windows. Also, the lambda is because normally it won't accept a function with arguments. I've tested this by starting from a clean install, deleting /srv/* so new files are downloaded, and then doing an upgrade. It would be nice if someone else can also test this in a production environment to verify I've not missed anything.
Follow-on from zulip#2373/ PR zulip#4316, to set an appropriate umask also when upgrading so files have appropriate permissions. I've tested this by starting from a clean install, deleting /srv/* so new files are downloaded, and then doing an upgrade. It worked starting with both a current version from master and an older release installed with a less restrictive umask and then the umask changed. Fixes zulip#2373
Follow-on from zulip#2373/ PR zulip#4316, to set an appropriate umask also when upgrading so files have appropriate permissions. I've tested this by starting from a clean install, deleting /srv/* so new files are downloaded, and then doing an upgrade. It worked starting with both a current version from master and an older release installed with a less restrictive umask and then the umask changed. Fixes zulip#2373.
Running the production installer under
umask 077
fails with permission errors, because, e.g., /srv/zulip-venv-cache becomes readable only by root. It should probablyumask 022
near the top.The text was updated successfully, but these errors were encountered: