Need to manually fix permissions after install

Bug #1412692 reported by Tom Haddon
This bug affects 5 people
Affects: Mojo: Continuous Delivery for Juju
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

To be able to run Mojo in a multi-user environment we need to do the following currently (all of this as root):

MOJO_PROJECT=mojo-project-name
MOJO_USER=mojo-user
MOJO_SERIES=trusty

mojo project-new --series $MOJO_SERIES $MOJO_PROJECT

# Fix perms on the directory in the LXC that build commands will be run in
chown -R ${MOJO_USER}:${MOJO_USER} /srv/mojo/${MOJO_PROJECT}/${MOJO_SERIES}/ROOTFS/srv/mojo/${MOJO_PROJECT}/${MOJO_SERIES}

# Fix perms on the project directory
chown ${MOJO_USER}:${MOJO_USER} /srv/mojo/${MOJO_PROJECT}
chmod 750 /srv/mojo/${MOJO_PROJECT}

# Fix perms on the workspace parent directory
chown ${MOJO_USER}:${MOJO_USER} /srv/mojo/${MOJO_PROJECT}/${MOJO_SERIES}

# Fix perms on the LXC container
chmod 750 /var/lib/lxc/${MOJO_PROJECT}.${MOJO_SERIES}
chgrp ${MOJO_USER} /var/lib/lxc/${MOJO_PROJECT}.${MOJO_SERIES}

# Create secrets dir and set perms
mkdir /srv/mojo/LOCAL/${MOJO_PROJECT}
chown ${MOJO_USER}:${MOJO_USER} /srv/mojo/LOCAL/${MOJO_PROJECT}
chmod 750 /srv/mojo/LOCAL/${MOJO_PROJECT}

It would be nice if Mojo did this itself. Since the initial project-new command needs to be run as root, it might be nice to add a --user option to it that would set permissions for the right user as above.

Seth Arnold (seth-arnold) wrote :

Some of the guides have advice like the following:

sudo chmod 755 /var/lib/lxc/mojo-how-to.trusty && sudo chmod 755 /var/lib/lxc

Please note that changing /var/lib/lxc to 755 re-exposes https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635 -- which allows untrusted users on the system access to potentially old and insecure setuid and setgid binaries. The advice might still be fine for mojo users, but I'd like to suggest if the "chmod 755 /var/lib/lxc" advice stays around, this bug should be mentioned alongside the advice, so users are aware of what they are doing.

Thanks
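
An audit for the exposure described in the comment above, as an added example that is not part of the original report or of Mojo. It assumes the default LXC path /var/lib/lxc and is meant to be run as root so that find can read every container tree; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): flag LXC container trees whose
# setuid/setgid binaries are reachable by "other" users on the host.

# True if directory $1 exists and has the search (x) bit set for "other".
other_can_search() {
    [ -n "$(find "$1" -prune -type d -perm -0001 2>/dev/null)" ]
}

# Print setuid/setgid regular files under $1 that "other" may execute.
# Intermediate directory modes are not checked, so this can over-report.
exposed_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 2>/dev/null
}

# Audit LXC root $1 (default /var/lib/lxc). Returns 1 if any container is exposed.
audit_lxc_root() {
    root=${1:-/var/lib/lxc}
    if [ ! -d "$root" ]; then
        echo "SKIP: $root does not exist"
        return 0
    fi
    if ! other_can_search "$root"; then
        echo "OK: $root is not searchable by other users"
        return 0
    fi
    status=0
    for c in "$root"/*; do
        [ -d "$c" ] || continue
        # A container directory without o+x (e.g. mode 750) blocks the path.
        other_can_search "$c" || continue
        files=$(exposed_setid_files "$c")
        if [ -n "$files" ]; then
            echo "EXPOSED: $c (parent $root is o+x); set-id files:"
            echo "$files" | sed 's/^/  /'
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: no reachable set-id files under $root"
    return "$status"
}

audit_lxc_root "$@"
```

A container directory left at mode 750 with a dedicated group, as in the bug description, is skipped by this check even when /var/lib/lxc itself is 755.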

Tom Haddon (mthaddon) wrote :

Thanks, I've now added references to that bug, and also mentioned that we're planning to move to non-root LXC as a longer term fix.

James Troup (elmo)
Changed in mojo:
importance: Undecided → Low
status: New → Confirmed