Open jamesaoverton opened 2 years ago
@lmcmicu Please try to replicate something like the following using SGID. Starting as a non-root user (e.g. `james`) who belongs to the `wheel` group:

```sh
cd /var/www/droid.ontodev.com/projects/curatron/workspace/main
sudo mkdir test
sudo chown root:wheel test
sudo chmod 2770 test
touch test/james
sudo touch test/root
sudo docker exec -it curatron-main touch /workspace/test/docker
ls -lah test
```

The "2" in "2770" should mean SGID, so new files created under the `test/` directory have the same group as the `test/` directory, in this case `wheel`. I see something like:

```
drwxrws--- 2 root wheel 4.0K Dec 13 16:08 .
drwxr-xr-x 8 root root 4.0K Dec 13 16:07 ..
-rw-r--r-- 1 root wheel 0 Dec 13 16:08 docker
-rw-r--r-- 1 james wheel 0 Dec 13 16:08 james
-rw-r--r-- 1 root wheel 0 Dec 13 16:08 root
```

I think this is what I want: `root` and `james` can both work with the files, and Docker is respecting the SGID from the mounted filesystem. The next thing to try would be `git` inside a SGID directory like this.

I found this page helpful: https://www.redhat.com/sysadmin/suid-sgid-sticky-bit
We worked on this some more. To make `git` work, it looks like we also need SUID to keep the user as `root` and `umask` to add group write on file creation. The `umask` would be required for both the DROID process and also the user's process.

It seems like it might be simpler to `james> sudo -E` (`--preserve-env`), or maybe `sudoedit`.
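The two comments above (the 2770 directory test, and the follow-up that `umask` is also needed) can be reproduced without `sudo`, a `wheel` group or a Docker container. The script below is an added example, not code from the issue or from DROID: it builds a setgid directory, creates files under it with different umasks, and prints the resulting mode bits, so you can see which combination actually leaves files writable for the other group member. It assumes GNU coreutils `stat` (Linux); the BSD/macOS fallback in `perms_of` is untested. The directory and file names are arbitrary.

```sh
#!/bin/sh
# Added example: setgid directory + umask, the two knobs that decide whether a
# second member of the group can write files you create. Not from the issue.
set -eu

# Octal mode bits of a path, including setuid/setgid/sticky (e.g. 2770 / 664).
# GNU stat first; the BSD form is an untested fallback (leading zeros stripped).
perms_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1" | sed 's/^0*\([0-7]\)/\1/'
}

# Numeric group id of a path.
gid_of() {
  stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"
}

# Create a group-shared directory the way the issue does: mode 2770 (rwxrws---).
# The optional GROUP argument mirrors `chown root:wheel`; without it the
# directory keeps the caller's primary group. Prints the directory's mode bits.
make_shared_dir() {  # DIR [GROUP]
  mkdir -p "$1"
  if [ $# -ge 2 ]; then chgrp "$2" "$1"; fi
  chmod 2770 "$1"
  perms_of "$1"
}

# Create an empty file under DIR with the given UMASK and print its mode bits.
# The umask is changed inside a subshell, so the caller's umask is untouched.
create_with_umask() {  # DIR UMASK NAME
  ( umask "$2" && : > "$1/$3" )
  perms_of "$1/$3"
}

# --- demo (constructed scratch directory, removed on exit) ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
shared="$work/test"

printf 'shared dir mode: %s\n' "$(make_shared_dir "$shared")"          # 2770

# The usual default umask 022 gives 644: the other group member can read the
# file but not modify it. This is the "Becky can't work with my files" case,
# and it is also what the `ls -lah` listing in the issue shows (rw-r--r--).
printf 'umask 022 -> %s\n' "$(create_with_umask "$shared" 022 from-default-umask)"   # 644

# umask 002 keeps the group write bit (664); umask 007 additionally drops
# "other" access (660), matching the rwxrws--- of the directory itself.
printf 'umask 002 -> %s\n' "$(create_with_umask "$shared" 002 group-writable)"       # 664
printf 'umask 007 -> %s\n' "$(create_with_umask "$shared" 007 group-only)"           # 660

# The setgid bit makes every new file inherit the directory's group instead of
# the creator's primary group. That is only visible when the two groups differ
# (root:wheel in the issue), but the check below holds either way.
for f in "$shared"/*; do
  [ "$(gid_of "$f")" = "$(gid_of "$shared")" ] || echo "group NOT inherited: $f"
done

# git: --shared=group sets core.sharedRepository=group, so git itself keeps
# .git/ group-writable (and setgid on its subdirectories) on every write.
# Run this as yourself, not via sudo, so your own GitHub credentials apply.
if command -v git >/dev/null 2>&1 \
   && ( umask 002 && cd "$shared" && git init -q --shared=group repo 2>/dev/null ); then
  printf 'repo .git mode: %s\n' "$(perms_of "$shared/repo/.git")"
fi
```

Two points the script makes concrete. First, the 2770 directory alone only fixes the group of new files; the group *write* bit comes from the umask of the process that creates the file, which is why the follow-up comment found `umask` was needed for both the DROID process and the developer's shell (`umask 002` in the shell's rc file, and in whatever starts the container's workflow commands). Second, on Linux the setuid bit has no effect on directories, so it does not help here; for `git` specifically, `git init --shared=group` (or `git config core.sharedRepository group` on an existing repo) is the supported way to keep `.git/` usable by everyone in the group, and it lets `git` run as the developer's own user, with that user's credentials, rather than as `root`.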
DROID is primarily designed to run commands using the Workflow buttons on the web pages, but I also want developers like me and @beckyjackson to be able to log in to the DROID server do work on branches.
With the current system, I usually:

- log in as `james`
- start a `tmux` session
- `cd` to a branch directory, e.g. `/var/www/droid.ontodev.com/projects/ONTIE/workspace/master`
- `sudo su`, then start my editor
- `sudo docker exec -it ONTIE-master bash` to run stuff inside the container

I'm not happy about the `sudo su` then editor step. I think that I should be able to just create/delete/edit files as `james`, but I invariably mess up permissions, and then Becky can't work with the files I create without `sudo`, or vice versa. I also have trouble working with `git`: if I run `git` as me then there are permission problems with the `.git/` directory; if I run `git` as `root` then I don't have my GitHub credentials. I think there should be some combination of `setgid` and/or sticky bits that would make this work smoothly. (Alternatively, I could install my preferred tools and configuration into the Docker container, but I worry that would leak secrets such as my GitHub credentials.)
The upshot is that we should be able to install our preferred tools and configuration in our user accounts and just do our work. This should include things like our own GitHub credentials. And it should also support remote editing tools for GUI editors such as Sublime and VSCode.