[SUSTAIN-782] Fix permissions on gemfiles created with strict umask on reconfigure #1431

Merged
Dec 5, 2017

Conversation

@PrajaktaPurohit PrajaktaPurohit commented Nov 30, 2017

Currently, if a user installs gems with a umask stricter than 022, the opscode user does not have sufficient privileges to read them.

With certain gems, this causes the reconfigure to fail.

This PR tries to make sure that the /opt/opscode/embedded/lib/ruby/gems permissions are lenient enough for the opscode user to be able to read them.

rake and knife-tidy gems installed with a 077 umask:

d---------  6 root root 4096 Nov 30 15:32 rake-12.3.0
d---------  5 root root 4096 Nov 30 15:32 knife-tidy-0.7.0
d---------  4 root root 4096 Nov 30 15:46 knife-ec-backup-2.2.3
root@api:/opt/opscode/embedded/lib/ruby/gems/2.2.0/gems# pwd
/opt/opscode/embedded/lib/ruby/gems/2.2.0/gems
root@api:/opt/opscode/embedded/lib/ruby/gems/2.2.0/gems# ls -l rake-12.3.0/
total 116
-rw-r--r-- 1 root root  1097 Nov 30 15:32 CONTRIBUTING.rdoc
-rw-r--r-- 1 root root    39 Nov 30 15:32 Gemfile
-rw-r--r-- 1 root root 69957 Nov 30 15:32 History.rdoc
-rw-r--r-- 1 root root  1051 Nov 30 15:32 MIT-LICENSE
-rw-r--r-- 1 root root  5348 Nov 30 15:32 README.rdoc
-rw-r--r-- 1 root root   934 Nov 30 15:32 Rakefile
d--------- 2 root root  4096 Nov 30 15:32 bin
d--------- 3 root root  4096 Nov 30 15:32 doc
d--------- 2 root root  4096 Nov 30 15:32 exe
d--------- 3 root root  4096 Nov 30 15:32 lib
-rw-r--r-- 1 root root  1934 Nov 30 15:32 rake.gemspec
root@api:/opt/opscode/embedded/lib/ruby/gems/2.2.0/gems# ls -l rake-12.3.0/exe/
total 4
-rwxr-xr-x 1 root root 1182 Nov 30 15:32 rake
root@api:/opt/opscode/embedded/lib/ruby/gems/2.2.0/gems# umask
0777

reconfigure

Recipe: private-chef::fix_permissions
  * execute[find /opt/opscode/embedded/lib/ruby/gems/*/gems -executable -exec chmod 755 {} \;] action run
    - execute find /opt/opscode/embedded/lib/ruby/gems/*/gems -executable -exec chmod 755 {} \;
  * execute[find /opt/opscode/embedded/lib/ruby/gems/*/gems ! -executable -exec chmod 644 {} \;] action run
    - execute find /opt/opscode/embedded/lib/ruby/gems/*/gems ! -executable -exec chmod 644 {} \;

fixed permissions:

drwxr-xr-x  5 root root 4096 Dec  1 17:14 knife-tidy-0.7.0
drwxr-xr-x  4 root root 4096 Dec  1 17:14 knife-ec-backup-2.2.3
drwxr-xr-x  6 root root 4096 Dec  1 17:14 rake-12.3.0
root@api:/vagrant# ls -ltr /opt/opscode/embedded/lib/ruby/gems/2.2.0/gems/
Display all 163 possibilities? (y or n)
root@api:/vagrant# ls -ltr /opt/opscode/embedded/lib/ruby/gems/2.2.0/gems/rake-12.3.0/
total 116
-rw-r--r-- 1 root root   934 Dec  1 17:14 Rakefile
-rw-r--r-- 1 root root  5348 Dec  1 17:14 README.rdoc
-rw-r--r-- 1 root root  1051 Dec  1 17:14 MIT-LICENSE
-rw-r--r-- 1 root root 69957 Dec  1 17:14 History.rdoc
-rw-r--r-- 1 root root    39 Dec  1 17:14 Gemfile
-rw-r--r-- 1 root root  1097 Dec  1 17:14 CONTRIBUTING.rdoc
drwxr-xr-x 3 root root  4096 Dec  1 17:14 lib
drwxr-xr-x 2 root root  4096 Dec  1 17:14 exe
drwxr-xr-x 3 root root  4096 Dec  1 17:14 doc
drwxr-xr-x 2 root root  4096 Dec  1 17:14 bin
-rw-r--r-- 1 root root  1934 Dec  1 17:14 rake.gemspec
root@api:/vagrant# ls -ltr /opt/opscode/embedded/lib/ruby/gems/2.2.0/gems/rake-12.3.0/exe/
total 4
-rwxr-xr-x 1 root root 1182 Dec  1 17:14 rake
root@api:/vagrant# ls -ltr /opt/opscode/embedded/lib/ruby/gems/2.2.0/gems/rake-12.3.0/lib/
total 8
-rw-r--r-- 1 root root 2162 Dec  1 17:14 rake.rb
drwxr-xr-x 4 root root 4096 Dec  1 17:14 rake
root@api:/vagrant# cat /opt/opscode/embedded/cookbooks/private-chef/recipes/fix_permissions.rb
LIB_PATH="/opt/opscode/embedded/lib"
# The GEM_PATH should work since we allow only one version of ruby to be installed.
GEM_PATH="#{LIB_PATH}/ruby/gems/*/gems"

# Directories first. A gem directory created under a strict enough umask can
# carry no permission bits at all (d---------, as in the listing above), so it
# would never match a -perm / test; -type d can safely be reset to 755 outright.
execute "find #{GEM_PATH} -type d -exec chmod 755 {} \\;" do
  user "root"
end

# Regular files with any execute bit become 755. -perm /mode ("any of these
# bits set") is used instead of -executable, which needs findutils 4.4 and is
# not available on el-5.
execute "find #{GEM_PATH} -type f -perm /u=x,g=x,o=x -exec chmod 755 {} \\;" do
  user "root"
end

# Every other regular file becomes 644 so the opscode user can read it.
execute "find #{GEM_PATH} -type f ! -perm /u=x,g=x,o=x -exec chmod 644 {} \\;" do
  user "root"
end

http://wilson.ci.chef.co/job/chef-server-trigger-ad_hoc/35/downstreambuildview/

Signed-off-by: Prajakta Purohit [email protected]
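The following POSIX shell script is an added example, not the chef-server recipe and not part of this PR. It reproduces the situation above in a scratch directory (a constructed gem tree under a temporary path instead of /opt/opscode/embedded/lib/ruby/gems), applies a repair written with the `-perm /mode` tests that GNU findutils 4.2 already has (so it runs where `-executable` does not), and verifies the result. It goes a step beyond the 077 case: by resetting directories before files it also handles the 0777 listing above, where directories have no permission bits at all and would match no `-perm /` test. Function names are mine.

```shell
#!/bin/sh
# Added example (not the project's recipe): reproduce the strict-umask gem
# permission problem in a scratch tree, fix it with findutils-4.2-era tests,
# and verify. All paths and gem contents below are constructed fixtures.
set -eu

# Symbolic mode of a path, e.g. "drwxr-xr-x" (ls rather than GNU stat -c, for
# portability).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Build a fake gems tree shaped like <root>/<ruby>/gems/<gem>. Constructed
# fixture: rubygems extracts files with the modes stored in the gem archive
# (644/755) but creates directories with the caller's umask, so a 0777 umask
# leaves directories at mode 000 (d---------) exactly as in the PR listing.
make_strict_gem_tree() {
  root=$1
  gem="$root/2.2.0/gems/rake-12.3.0"
  mkdir -p "$gem/exe" "$gem/lib"
  printf 'puts "rake"\n' > "$gem/exe/rake"
  printf 'module Rake; end\n' > "$gem/lib/rake.rb"
  printf 'Gem::Specification.new\n' > "$gem/rake.gemspec"
  chmod 755 "$gem/exe/rake"
  chmod 644 "$gem/lib/rake.rb" "$gem/rake.gemspec"
  # Innermost first: once a directory is mode 000 a non-root user can no
  # longer reach its children.
  chmod 000 "$gem/exe" "$gem/lib"
  chmod 000 "$gem"
}

# The repair. Directories first and unconditionally: a d--------- directory
# has no x bit, so "-perm /u=x,g=x,o=x" would skip it. Fixing directories
# before files also lets find descend into them when not running as root.
# -perm /mode is GNU find syntax; it predates -executable (findutils 4.4).
fix_gem_permissions() {
  root=$1
  find "$root"/*/gems -type d -exec chmod 755 {} \;
  find "$root"/*/gems -type f -perm /u=x,g=x,o=x -exec chmod 755 {} \;
  find "$root"/*/gems -type f ! -perm /u=x,g=x,o=x -exec chmod 644 {} \;
}

# Returns 0 when every directory is 755 and every regular file is 644 or 755,
# i.e. an unprivileged user such as opscode can traverse and read the tree.
check_gem_permissions() {
  root=$1
  [ -z "$(find "$root"/*/gems -type d ! -perm 755 2>/dev/null)" ] &&
  [ -z "$(find "$root"/*/gems -type f ! -perm 644 ! -perm 755 2>/dev/null)" ]
}

# Usage: `sh fix_gems.sh demo` runs the whole cycle in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  make_strict_gem_tree "$tmp"
  echo "before: $(mode_of "$tmp/2.2.0/gems/rake-12.3.0")"
  fix_gem_permissions "$tmp"
  echo "after:  $(mode_of "$tmp/2.2.0/gems/rake-12.3.0")"
  check_gem_permissions "$tmp" && echo "readable by an unprivileged user: yes"
  rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Running the demo prints `before: d---------` and `after:  drwxr-xr-x`. Note that the order of the three `find` passes matters only when the script is not run as root; the recipe runs as root, which can always descend into a mode-000 directory, but root still has to change the directory's bits for the opscode user to get in.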

@PrajaktaPurohit PrajaktaPurohit requested a review from a team November 30, 2017 15:53
@PrajaktaPurohit PrajaktaPurohit force-pushed the praj/SUSTAIN-782/fix_permissions branch from 039ef07 to bf3f14f on November 30, 2017 15:57

@markan markan left a comment


This generally looks good, modulo the executable flag issue.

# The GEM_PATH should work since we allow only one version of ruby to be installed.
GEM_PATH="#{LIB_PATH}/ruby/gems/*/gems"

execute "find #{GEM_PATH} -executable -exec chmod 755 {} \\;" do

From some very brief research, it looks like the -executable flag may only appear in findutils 4.4. It looks like Centos 5 ships 4.2.27 or such, and we still are building Centos 5 images for chef-server. Perhaps find . -perm /u=x,g=x,o=x? (Actually, just u=x might be fine here)

Contributor Author


Nice catch! And we do support el-5; got the tests to fail due to this error.

@PrajaktaPurohit PrajaktaPurohit force-pushed the praj/SUSTAIN-782/fix_permissions branch 2 times, most recently from 9c2fde0 to 6896f09 on December 1, 2017 19:15
…n a reconfigure.

Gems installed with any umask stricter than 022 can bring in more deps
that also get installed with stricter permissions.
One such example was knife-tidy / knife-ec2-backup installed with strict
permissions, which caused some of the gems to be inaccessible to the depsolver, causing
erchef failures that were very hard to trace.
Fixes permissions on gems installed despite a strict umask,
to avoid failures.

Signed-off-by: Prajakta Purohit <[email protected]>
@PrajaktaPurohit PrajaktaPurohit force-pushed the praj/SUSTAIN-782/fix_permissions branch from 6896f09 to e958f7d on December 5, 2017 18:53

@nsdavidson nsdavidson left a comment


LGTM!

@PrajaktaPurohit PrajaktaPurohit merged commit 32d4fd9 into master Dec 5, 2017
@tas50 tas50 deleted the praj/SUSTAIN-782/fix_permissions branch July 1, 2021 04:31