gocd / gocd

GoCD - Continuous Delivery server main repository
https://www.gocd.org
Apache License 2.0

[bug] go-agent ignores/lacks group mode during execution of job? #2876

Closed cetanu closed 7 years ago

cetanu commented 7 years ago
Issue Type

Bug Report

Summary

gocd agent, when executing a job, can't get permission to a file unless it has user or other mode set. Group permissions, even if correct, result in Permission Denied. Not reproducible via interactive shell, only via jobs.

Example setup:

# cat /etc/group | grep grouperino
grouperino:x:490:go

# ls -l /random_file
-rw-r----- 1 root grouperino  512 Nov 21 11:11 random_file

# sudo -u go cat /random_file
secret information

If I then try to cat this file as part of a job, it will fail with Permission Denied. If I set chmod o+r /random_file, it will work, but then everybody has access to read the file.

Basic environment details
cetanu commented 7 years ago

Apparently fixed by restarting the agent. Seriously...

This shouldn't happen, since the agent takes user or other mode changes into account, but not group? But I cbf to even go down the rabbit hole on this.

ketan commented 7 years ago

@cetanu — if you've changed the membership of any Linux user or group, you're expected to restart any processes owned by user and/or group.
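The behaviour described in the reply above can be checked directly: a Linux process keeps the GID list it was started with, so the check below compares `/proc/<pid>/status` against the current group database. This is an added example, not part of the original thread or GoCD's code; the function names are hypothetical, and the sample uses GID 490 from the issue with a made-up UID/GID of 498.

```shell
#!/bin/sh
# Added example: find group memberships a running process has not picked up.

# proc_gids STATUS_FILE: effective GID plus supplementary GIDs recorded in a
# /proc/<pid>/status style file, sorted, deduplicated, space separated.
proc_gids() {
    awk '/^Gid:/    { print $3 }
         /^Groups:/ { for (i = 2; i <= NF; i++) print $i }' "$1" |
        sort -n -u | paste -sd ' ' -
}

# stale_gids STATUS_FILE "GID GID ...": print each GID from the second
# argument (what the group database grants now) that the process lacks.
stale_gids() {
    have=" $(proc_gids "$1") "
    for gid in $2; do
        case "$have" in
            *" $gid "*) ;;
            *) printf '%s\n' "$gid" ;;
        esac
    done
}

# check_pid PID: live check; `id -G USER` reads the current group database.
check_pid() {
    uid=$(awk '/^Uid:/ { print $3 }' "/proc/$1/status")   # effective UID
    user=$(getent passwd "$uid" | cut -d: -f1)
    missing=$(stale_gids "/proc/$1/status" "$(id -G "$user")" | paste -sd ' ' -)
    if [ -n "$missing" ]; then
        echo "pid $1 ($user) lacks current GIDs: $missing (restart needed)"
    else
        echo "pid $1 ($user) holds all current GIDs"
    fi
}

# Constructed sample: an agent started before "go" was added to grouperino,
# so its credentials carry only the made-up primary GID 498.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf 'Name:\tjava\nUid:\t498\t498\t498\t498\nGid:\t498\t498\t498\t498\nGroups:\t498 \n' > "$sample"
stale_gids "$sample" "498 490"    # prints 490
```

On a real host, `check_pid` takes the agent's PID. An interactive `sudo -u go` session starts a fresh process with the current group list, which is why the file was readable there.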

cetanu commented 7 years ago

@ketan, yeah, something to keep in mind I guess. Although changing the mode for user/other seemed to have an impact. It was weird.