easybuilders / easybuild-framework

EasyBuild is a software installation framework in Python that allows you to install software in a structured and robust way.
https://easybuild.io
GNU General Public License v2.0

inconsistent and wrong permissions on resulting software installations #1351

Open dominikborkowski opened 9 years ago

dominikborkowski commented 9 years ago

When using EasyBuild to create a shared repository of software, we came across a problem with the permissions set on the installed software dirs and files. Everything else, including modules, eb files, even downloaded sources matched the permissions set via EasyBuild's options. However, the actual software installs had missing permissions for 'other': they lacked read access, and executable bits (wherever applicable).

What follows is a sample session. You may notice that we start with a umask that is restrictive, but we change it to match the one set in EasyBuild's options. Umask 002 is set via /etc/profile.local; however, to rule out that being the culprit, we removed it. The problem persisted.

~> umask
0027
~> module load site/shadowfax/easybuild/hpcadmin
~> newgrp hpcadmin
~> umask 002
~> module load EasyBuild

~> umask
0002

~> env | egrep 'EASYBUILD_SET_GID_BIT|EASYBUILD_STICKY_BIT|EASYBUILD_UMASK|EASYBUILD_GROUP'
EASYBUILD_STICKY_BIT=1
EASYBUILD_SET_GID_BIT=1
EASYBUILD_UMASK=002
EASYBUILD_GROUP=hpcadmin

# install any sample software
~> eb the_silver_searcher-0.30.0-goolf-1.4.10.eb --robot --force
[...]

# verify permissions on the resulting modules. they are OK.
~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_MODULES/all/the_silver_searcher/
drwxrwsr-t 3775 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_MODULES/all/the_silver_searcher/0.30.0-goolf-1.4.10
-rw-rw-r-- 664 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher/
drwxrwsr-t 3775 dom hpcadmin

# verify resulting files and dirs in the easybuild_repo destination. they're OK.
~> stat -c '%A %a %U %G' $EASYBUILD_REPOSITORYPATH/the_silver_searcher
drwxrwsr-t 3775 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_REPOSITORYPATH/the_silver_searcher/the_silver_searcher-0.30.0-goolf-1.4.10.eb
-rw-rw-r-- 664 dom hpcadmin

# correct
~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher
drwxrwsr-t 3775 dom hpcadmin

# and incorrect further down
~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher/0.30.0-goolf-1.4.10
drwxr-s--T 3750 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher/0.30.0-goolf-1.4.10/bin
drwxr-s--- 2750 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher/0.30.0-goolf-1.4.10/easybuild
drwxr-s--T 3750 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher/0.30.0-goolf-1.4.10/bin/ag
-rwxr-x--- 750 dom hpcadmin

Using --group-writable-installdir results in the expected addition of the group-writable permission, but it still doesn't match the umask, nor does it give others read/exec permissions:

~> eb the_silver_searcher-0.30.0-goolf-1.4.10.eb --robot --force --debug --group-writable-installdir

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher
drwxrwsr-t 3775 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher/0.30.0-goolf-1.4.10/bin
drwxrws--- 2770 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher/0.30.0-goolf-1.4.10
drwxrws--T 3770 dom hpcadmin

~> stat -c '%A %a %U %G' $EASYBUILD_INSTALLPATH_SOFTWARE/the_silver_searcher/0.30.0-goolf-1.4.10/bin/ag
-rwxrwx--- 770 dom hpcadmin

ocaisa commented 9 years ago

You've set the group variable EASYBUILD_GROUP, which restricts access to only those within that specific group. Typically you would only use that for particular software (like licenced software), not site-wide.

On 13 Aug 2015 04:11, "Dominik L. Borkowski" <notifications@github.com> wrote:

> Sorry about the fonts. I forgot that github will automagically parse things as markdown

boegel commented 9 years ago

@ocaisa is spot on, it's doing what you told it to do ;-)

dominikborkowski commented 9 years ago

Aha! Indeed, seems to be doing exactly that. After removing that option, and setting 'EASYBUILD_GROUP_WRITABLE_INSTALLDIR' we get the exact result we needed. Thanks and sorry about the false alarm!

On a side note, perhaps it would be worth making this functionality a bit more clear, with regard to the resulting permissions, so others won't make the same mistake I have.

EasyBuild's built-in help implies group ownership, but the permissions are not obvious:

~> eb --confighelp | grep -B1 '^#group='
# Group to be used for software installations (only verified, not set)
#group=

~> eb --help | grep -A1 'group='
    --group=GROUP       Group to be used for software installations (only
                        verified, not set)

The only other place I've been able to find that mentions this option is slightly more descriptive, but it's not something I've stumbled on before:

http://easybuild.readthedocs.org/en/latest/eb_a.html

"group: Name of the user group for which the software should be available (default: None)"
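
An added example, not part of the thread or of EasyBuild: a small audit for the symptom shown in the `stat` output above, listing paths in an installation tree where 'other' lacks read or execute access that the owner has. The function names are hypothetical, and the rule that 'other' should mirror the owner's r/x bits is an assumption matching what umask 002 was expected to produce.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: under umask 002, "other"
# should hold r and x wherever the owner holds them.

# mode_gap MODE: print which of r/x "other" lacks relative to the owner,
# given an octal mode as printed by stat's %a (e.g. 3750 -> rx, 3775 -> "").
mode_gap() {
    m=$((0$1))                           # leading 0 makes the value octal
    missing=$(( (m >> 6) & ~m & 5 ))     # owner r/x bits absent from other
    gap=""
    if [ $((missing & 4)) -ne 0 ]; then gap="${gap}r"; fi
    if [ $((missing & 1)) -ne 0 ]; then gap="${gap}x"; fi
    printf '%s\n' "$gap"
}

# find_restricted DIR: list paths where other lacks r or x that the owner has.
find_restricted() {
    find "$1" \( \( -perm -u=r ! -perm -o=r \) -o \
                 \( -perm -u=x ! -perm -o=x \) \) -print
}

# count_restricted DIR: number of such paths.
count_restricted() {
    find_restricted "$1" | wc -l | tr -d ' '
}

# report_restricted DIR: the stat format used in the thread, plus the gap.
report_restricted() {
    find_restricted "$1" | while IFS= read -r p; do
        mode=$(stat -c '%a' "$p")
        printf '%s  missing-for-other=%s  %s\n' \
            "$(stat -c '%A %a %U %G' "$p")" "$(mode_gap "$mode")" "$p"
    done
}

# Run as: sh audit.sh "$EASYBUILD_INSTALLPATH_SOFTWARE"
if [ "$#" -gt 0 ]; then
    report_restricted "$1"
fi
```

An empty report on a site-wide tree means every entry is readable and traversable by 'other'; for software deliberately restricted to one group, the listed paths are the expected result.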