
Comments (4)

totten commented on July 21, 2024

In my experience with typical Linux/OSX/Solaris systems, it should be acceptable for an unprivileged Unix user to run chmod 1777 {DIR} as long as they own {DIR}.

If that's not working, then probably something else in the build process is running as a different user. (Example: maybe someone ran git clone or git checkout as root when it should have run as the unprivileged user.) This type of interaction is problematic with any permission strategy (chmod 1777 or setfacl or none).

I think it's better policy to avoid sudo if we can -- so that the user remains truly unprivileged. (AFAIK, granting permission to directly run sudo chmod 1777 essentially lets the user own the entire system.)

Suggestions:

  • Make sure that the folders are getting initialized with the intended, unprivileged user.
  • Do consider linuxAcl or osxAcl if at all possible. I've never seen a world-writeable policy that actually works well.
  • If you really do need to use a sudo-world-writeable policy, try amp config:set --perm_type=custom --perm_custom_command='sudo chmod 1777 {DIR}'

from amp.

nganivet commented on July 21, 2024

Thanks, I understand your point and must have botched something in the process.

Rather than worldWritable I am trying to implement a policy that uses the owner set to the current user and the group set to apache. This way I can remove the 'other' permissions and have something slightly more secure. Will report when completed.


totten commented on July 21, 2024

Ah, nice idea. If you can get it to work, then it could be more reliable than 'worldWritable' and more portable than linuxAcl or osxAcl. OTOH, there may be external fiddly bits (like umask) to deal with. For purposes of a Vagrantbox (where it uses a special filesystem and where you can edit the provisioning scripts), it could work well (even if it's just --perm_type=custom --perm_custom_command="chgrp ... {DIR}; chown ... {DIR}").

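The owner-plus-web-server-group policy discussed above, as an added shell example that is not amp's code and not from either participant. It applies "owner = current user, group = web server, nothing for other" to a directory (setgid 2770 on directories so new files inherit the group, 660 on files), checks that no path leaks to 'other', and shows the umask problem: a file created with the default umask 022 comes out 644, so the group cannot write it even though the directory policy is right. The function names, the `mode_of` helper, the temp-directory demo and the choice of umask 007 are assumptions; the demo uses the caller's primary group rather than apache because an unprivileged user can only chgrp to a group it belongs to. In production the group would be apache or www-data.

```shell
#!/bin/sh
# Added example (not amp's code). Assumptions: the caller owns DIR;
# GROUP is a group the caller belongs to; GNU stat (-c) or BSD stat (-f).

# Octal mode of a path, with leading zeros stripped so "2770" and "660"
# compare the same on GNU and BSD stat.
mode_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Mp%Lp' "$1")
    echo "$m" | sed 's/^0*//'
}

# Apply the policy to DIR: group GROUP, directories 2770 (rwx for owner and
# group, setgid so files created inside inherit the group), files 660.
# No bits at all for 'other'. Equivalent to the --perm_custom_command idea:
#   chgrp -R GROUP {DIR}; find {DIR} -type d -exec chmod 2770 {} + ; ...
apply_group_policy() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 660 {} +
}

# Verify the policy: every path under DIR must have no 'other' bits and
# must be group-readable and group-writable (the web server works through
# the group). Returns 0 if clean, 1 if any path violates it.
# Demo paths contain no whitespace, so word-splitting find output is safe.
check_no_other() {
    bad=0
    for p in $(find "$1"); do
        m=$(mode_of "$p")
        other=$(( m % 10 ))
        grp=$(( (m / 10) % 10 ))
        if [ "$other" -ne 0 ] || [ $(( grp & 6 )) -ne 6 ]; then
            bad=1
        fi
    done
    return $bad
}

# The "external fiddly bit": create NAME inside DIR under umask UM and
# print the resulting mode. With 022 a new file is 644 (group read-only,
# other readable); with 007 it is 660, which matches the policy.
create_with_umask() {
    dir=$1; um=$2; name=$3
    ( umask "$um"; : > "$dir/$name" )
    mode_of "$dir/$name"
}

# End-to-end demo on a throwaway directory. Prints the modes and whether
# the tree still passes the check after a file is created with umask 022.
# Usage: demo_policy [GROUP]   (defaults to the caller's primary group)
demo_policy() {
    group=${1:-$(id -gn)}
    d=$(mktemp -d)
    mkdir "$d/sub"; : > "$d/sub/data"
    apply_group_policy "$d" "$group"
    echo "dir  $(mode_of "$d")  file $(mode_of "$d/sub/data")"
    echo "umask 022 -> $(create_with_umask "$d" 022 a)"
    echo "umask 007 -> $(create_with_umask "$d" 007 b)"
    if check_no_other "$d"; then echo "tree clean"; else echo "tree leaks to other"; fi
    rm -rf "$d"
}
```

The check matters more than the chmod: the directory mode only governs new entries' inheritance, while each file's mode comes from the creating process's umask, so a setgid 2770 tree is quietly undone the first time the user or the web server writes a file under umask 022. Set umask 007 in the provisioning script or in the service environment, and run `check_no_other` after a build rather than trusting the initial chmod.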

nganivet commented on July 21, 2024

That's what I thought. I'll give it a try and report back - probably next week-end as I am slammed this week.

------ Original Message ------
From: "Tim Otten" [email protected]
To: "amp-cli/amp" [email protected]
Cc: "nganivet" [email protected]; "State change" [email protected]
Sent: 8/29/2016 5:45:04 PM
Subject: Re: [amp-cli/amp] permissions: worldWritable not working for unprivileged users (#44)


