Investigate file permissions

[ckunki]

After updating OS from ubuntu 20 to 22 and all apt packages @tomuben observed failing tests. In joint analysis with @ckunki we could not find any explanation why these tests could have been successful before.

The tests are examining files in /home/jupyter and obviously some of the files can only be read by user jupyter, which is OK from product-perspective IMHO. Though, we could think about relaxing the permissions.

In order to make these tests succeed, we changed the tests to user jupyter, especially in docker exec.

• ansible/ai_lab_docker_playbook.yml creates user ubuntu with role ansible_access.
• Task "Setup AI-Lab Docker Container" uses this user to call general_setup_tasks.yml
• general_setup_tasks.yml assigns the current ansible user to fact docker_user.
• create_image.py sets the user ubuntu as the default user for the Docker image.

Modified tests and accessed files:

• test_import_notebook_connector: /home/jupyter/jupyterenv/bin/python
• test_install_notebooks: /home/jupyter/notebooks
• test_docker_socket_access: docker ps

This only applies for the examination within the tests - the creation of the files (production code) remains unchanged.

The current ticket requests to

• Document the different user accounts used during creating and modifying these files
• Examine and document the permissions before and after the ubuntu update mentioned above

Owners and permissions for exasol/ai-lab:2.0.0

drwxr-xr-x jupyter jupyter /home/jupyter/jupyterenv/bin
lrwxrwxrwx jupyter jupyter /home/jupyter/jupyterenv/bin/python -> /usr/bin/python3

drwxr-xr-x root root /home
drwxr-xr-x jupyter jupyter /home/jupyter
drwxr-xr-x jupyter jupyter /home/jupyter/jupyterenv
drwxr-xr-x jupyter jupyter /home/jupyter/jupyterenv/lib
drwxr-xr-x jupyter jupyter /home/jupyter/jupyterenv/lib/python3.8
drwxr-xr-x jupyter jupyter /home/jupyter/jupyterenv/lib/python3.8/site-packages
drwxr-xr-x jupyter jupyter /home/.../site-packages/exasol
drwxr-xr-x jupyter jupyter /home/.../exasol/nb_connector
-rw-r--r-- jupyter jupyter /home/.../exasol/nb_connector/secret_store.py

Result

Apparently from version 20 to 22 ubuntu changed the default permissions for home directories:

docker run -it ubuntu:20.04 bash
useradd -m jupyter;  ls -ld /home/jupyter/
drwxr-xr-x 2 jupyter jupyter 4096 Jun 17 11:42 /home/jupyter/

docker run -it ubuntu:22.04 bash
useradd -m jupyter; ls -ld /home/jupyter/
drwxr-x--- 2 jupyter jupyter 4096 Jun 17 11:42 /home/jupyter/

See also

• https://www.omgubuntu.co.uk/2021/01/private-home-directory-in-ubuntu-21-04
• https://news.itsfoss.com/private-home-directory-ubuntu-21-04/

Note: This deviates from official documentation.

Rating

This perfectly explains our observations and tests results.

[kaklakariada]

Review approved ✅