actions / runner

The Runner for GitHub Actions :rocket:
https://github.com/features/actions
MIT License

Error Permission on git runner config on RHEL #1630

Closed abinet closed 2 years ago

abinet commented 2 years ago

I am following the runner configuration instructions for RHEL 7, and on the config step

./config.sh --url https://github.com/<myorg> --token <token>

I am getting the following error:

An error occurred: Permission to read the directory contents is required for '/home/1corp.org/myuser/actions-runner' and each directory up the hierarchy. Access to the path '/home/1corp.org' is denied.

Please note that the home directory of my user is not /home/myuser but /home/1corp.org/myuser and myuser does not have permissions to access /home/1corp.org indeed.

I am able to proceed by changing the owner of the parent folder, but that is an ugly workaround imho.

nikola-jokic commented 2 years ago

Hi @abinet, I guess that just giving other users read permission on your /home/1corp.org would maybe also work?

This issue is not strictly related to the runner as I understand it, but let's go over this, as I might be missing something. Could you post the permissions of /home/1corp.org? While configuring, the Runner goes backwards through the directory structure and tries to read from each level. I think that if you give the user read permission, that might solve your problem.

abinet commented 2 years ago

Hi @nikola-jokic, thank you for the response. As I mentioned already, adjusting permissions solves the problem. However, my point is that it should not be required to allow the runner to read all the directories in the tree just to run properly.

nikola-jokic commented 2 years ago

Hi @abinet,

We will investigate this further if we need read permissions to those sub-folders and why. I will get back to you as soon as possible!

thboop commented 2 years ago

Hey @abinet, sorry for the frustration this is causing you.

This check is done to help us run node actions. Essentially, when you require() a package in node, it has an order to check for that package. It starts at the current directory, then keeps checking one directory up until it finds a node_modules folder. This resulted in the node process blowing up if it didn't have the correct permissions (most notably this typically occurred to users installing the runner in the MyDocuments folder on Windows). I understand the frustration here in requiring these permissions, but we feel it makes the user experience better than letting the node process throw.

With that in mind, I'm going to close out this issue, as I don't envision us making any changes here, but I do appreciate you taking the time to report this.

chebee7i commented 1 year ago

Hey @thboop, can we revisit this?

It seems like we're requiring people to compromise their security models in the name of searching for paths that they likely don't care about.

I tried this recently (Linux, node v14.16.0... not even that recent):

mkdir -p  nodejs_test/no_read_access/read_access/
echo "require('which')" > nodejs_test/no_read_access/read_access/demo.js
chmod -R ugo-r nodejs_test
chmod -R u+r nodejs_test/no_read_access/read_access
cd nodejs_test/no_read_access/read_access
NODE_DEBUG=module node demo.js

The lack of read access was not a problem for node. If there was any readable parent path (or global path) that had which available, it used it just fine. If which was not available, then it complained about Error: Cannot find module 'which', as expected, after searching through the entire list of search paths (parent and global).

I'm wondering if the "node process blowing up" is no longer a thing, or if it is OS dependent. If the latter, it would be great if this check could be relaxed a bit. It seems like:

kdkavanagh commented 11 months ago

Figured I'd bump this as well, as I'm not able to work around this (i.e. get read access to root dirs) at my company.