Need to manually fix permissions after install
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mojo: Continuous Delivery for Juju |
Confirmed
|
Low
|
Unassigned |
Bug Description
To be able to run Mojo in a multi-user environment we need to do the following currently (all of this as root):
MOJO_PROJECT=
MOJO_USER=mojo-user
MOJO_SERIES=trusty
mojo project-new --series $MOJO_SERIES $MOJO_PROJECT
# Fix perms on the directory in the LXC that build commands will be run in
chown -R ${MOJO_
# Fix perms on the project directory
chown ${MOJO_
chmod 750 /srv/mojo/
# Fix perms on the workspace parent directory
chown ${MOJO_
# Fix perms on the LXC container
chmod 750 /var/lib/
chgrp ${MOJO_USER} /var/lib/
# Create secrets dir and set perms
mkdir /srv/mojo/
chown ${MOJO_
chmod 750 /srv/mojo/
It would be nice if Mojo did this itself. Since the initial project-new command needs to be run as root, it might be nice to add a --user option to it that would set permissions for the right user as above.
Changed in mojo: | |
importance: | Undecided → Low |
status: | New → Confirmed |
Some of the guides have advice like the following:
sudo chmod 755 /var/lib/ lxc/mojo- how-to. trusty && sudo chmod 755 /var/lib/lxc
Please note that changing /var/lib/lxc to 755 re-exposes https:/ /bugs.launchpad .net/ubuntu/ +source/ lxc/+bug/ 1244635 -- which allows untrusted users on the system access to potentially old and insecure setuid and setgid binaries. The advice might still be fine for mojo users, but I'd like to suggest if the "chmod 755 /var/lib/lxc" advice stays around, this bug should be mentioned alongside the advice, so users are aware of what they are doing.
Thanks