Closed Bug 1186256 Opened 6 years ago Closed 6 years ago

Normalize repository permissions on hgweb machines

Categories

(Developer Services :: Mercurial: hg.mozilla.org, defect)

RESOLVED FIXED

People

(Reporter: gps, Assigned: gps)

Attachments

(2 files)

The permissions are all over the place. Let's inject some sanity.

This is a prerequisite to rolling out our chroot-based moz.build evaluation since we don't want "rogue" Python to have write access to files.

scripts: add a script to adjust repository permissions (bug 1186256); r?fubar

Inspection of repositories on production machines reveals incredible
inconsistency in filesystem permissions. Sanity injection is needed.

This script is roughly equivalent to:

  $ find repo -type f -exec chmod XXX {} \;
  $ find repo -type d -exec chmod XXXX {} \;

Although the file modes are configurable and it prints a summary of what
all changed. The summary is important: we can install this as a CRON and
it will only whine if permissions were adjusted. This will give insight
to server processes that are improperly adjusting permissions.

Attachment #8636863 - Flags: review?(klibby)

ansible/hgweb: install CRON to normalize repository permissions (bug 1186256); r?fubar

The repository permissions on the hgweb machines are all over the place.
While repositories are all likely read-write by the "hg" user, group
permissions are inconsistent. Permissions for others are also
inconsistent.

This commit creates a short shell script for iterating over repositories
in a base directory and adjusting permissions on them. We install a CRON
on the hgweb machines to perform this iteration daily.

We select permissions of 2775 for directories and 664 for files.

Attachment #8636864 - Flags: review?(klibby)

Comment on attachment 8636863 [details]
MozReview Request: scripts: add a script to adjust repository permissions (bug 1186256); r?fubar

https://reviewboard.mozilla.org/r/13737/#review12401

Ship It!
Attachment #8636863 - Flags: review?(klibby) → review+

Comment on attachment 8636864 [details]
MozReview Request: ansible/hgweb: install CRON to normalize repository permissions (bug 1186256); r?fubar

https://reviewboard.mozilla.org/r/13739/#review12403

Ship It!
Attachment #8636864 - Flags: review?(klibby) → review+

url:        https://hg.mozilla.org/hgcustom/version-control-tools/rev/fc1c07f18570def20ab35e52622d8f92331c26a1
changeset:  fc1c07f18570def20ab35e52622d8f92331c26a1
user:       Gregory Szorc <gps@mozilla.com>
date:       Wed Jul 22 11:16:11 2015 -0700
description:
scripts: add a script to adjust repository permissions (bug 1186256); r=fubar

Inspection of repositories on production machines reveals incredible
inconsistency in filesystem permissions. Sanity injection is needed.

This script is roughly equivalent to:

  $ find repo -type f -exec chmod XXX {} \;
  $ find repo -type d -exec chmod XXXX {} \;

Although the file modes are configurable and it prints a summary of what
all changed. The summary is important: we can install this as a CRON and
it will only whine if permissions were adjusted. This will give insight
to server processes that are improperly adjusting permissions.

url:        https://hg.mozilla.org/hgcustom/version-control-tools/rev/8e86cbe99820973530d701321801f9d9f941e846
changeset:  8e86cbe99820973530d701321801f9d9f941e846
user:       Gregory Szorc <gps@mozilla.com>
date:       Wed Jul 22 11:16:24 2015 -0700
description:
ansible/hg-web: install CRON to normalize repository permissions (bug 1186256); r=fubar

The repository permissions on the hgweb machines are all over the place.
While repositories are all likely read-write by the "hg" user, group
permissions are inconsistent. Permissions for others are also
inconsistent.

This commit creates a short shell script for iterating over repositories
in a base directory and adjusting permissions on them. We install a CRON
on the hgweb machines to perform this iteration daily.

We select permissions of 2775 for directories and 664 for files.

This is deploying as we speak. Expect some CRON emails tonight.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Blocks: 1186992
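
A sketch of the behaviour the commit messages describe (walk a repository, set 2775 on directories and 664 on files, and print a summary only when something changed so a cron job stays silent otherwise). This is an added example, not the script from version-control-tools; the function names and the sample tree are assumptions, and symlinks are skipped because chmod follows them.

```python
import os
import stat
import sys
import tempfile

DIR_MODE = 0o2775   # from the bug: setgid + rwxrwxr-x for directories
FILE_MODE = 0o664   # from the bug: rw-rw-r-- for files

def normalize_permissions(repo, dir_mode=DIR_MODE, file_mode=FILE_MODE):
    """Set modes under repo; return [(path, old_mode, new_mode)] for changes."""
    changes = []

    def fix(path, wanted):
        st = os.lstat(path)
        # Only touch real directories and regular files. chmod() follows
        # symlinks, so a link inside the repo must never be chmod'ed.
        if not (stat.S_ISDIR(st.st_mode) or stat.S_ISREG(st.st_mode)):
            return
        current = stat.S_IMODE(st.st_mode)
        if current != wanted:
            os.chmod(path, wanted)
            changes.append((path, current, wanted))

    fix(repo, dir_mode)
    # Top-down walk: each directory is fixed before os.walk descends into it,
    # and symlinked directories are not followed.
    for root, dirs, files in os.walk(repo):
        for name in dirs:
            fix(os.path.join(root, name), dir_mode)
        for name in files:
            fix(os.path.join(root, name), file_mode)
    return changes

def summarize(changes):
    """Return summary text, or '' when nothing changed (cron sends no mail)."""
    lines = ["%s: %04o -> %04o" % c for c in changes]
    if lines:
        lines.append("%d paths adjusted" % len(lines))
    return "\n".join(lines)

def demo():
    """Constructed sample tree: one world-writable file, one owner-only dir."""
    with tempfile.TemporaryDirectory() as base:
        repo = os.path.join(base, "repo")
        os.makedirs(os.path.join(repo, ".hg", "store"))
        hgrc = os.path.join(repo, ".hg", "hgrc")
        open(hgrc, "w").close()
        os.chmod(hgrc, 0o777)
        os.chmod(os.path.join(repo, ".hg", "store"), 0o700)
        return normalize_permissions(repo), normalize_permissions(repo)

if __name__ == "__main__" and len(sys.argv) > 1:
    print(summarize(normalize_permissions(sys.argv[1])) or "", end="")
```

The second pass over the same tree returns no changes, so any non-empty summary from a later run points at a process that altered modes in between.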