Closed
Bug 1186256
Opened 6 years ago
Closed 6 years ago
Normalize repository permissions on hgweb machines
Categories
(Developer Services :: Mercurial: hg.mozilla.org, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gps, Assigned: gps)
Attachments
(2 files)
The permissions are all over the place. Let's inject some sanity. This is a prerequisite to rolling out our chroot-based moz.build evaluation since we don't want "rogue" Python to have write access to files.
Comment 1 • 6 years ago (Assignee)
scripts: add a script to adjust repository permissions (bug 1186256); r?fubar

Inspection of repositories on production machines reveals incredible inconsistency in filesystem permissions. Sanity injection is needed.

This script is roughly equivalent to:

  $ find repo -type f -exec chmod XXX {} \;
  $ find repo -type d -exec chmod XXXX {} \;

Although the file modes are configurable and it prints a summary of what all changed. The summary is important: we can install this as a CRON and it will only whine if permissions were adjusted. This will give insight to server processes that are improperly adjusting permissions.
Attachment #8636863 -
Flags: review?(klibby)
Comment 2 • 6 years ago (Assignee)
ansible/hgweb: install CRON to normalize repository permissions (bug 1186256); r?fubar

The repository permissions on the hgweb machines are all over the place. While repositories are all likely read-write by the "hg" user, group permissions are inconsistent. Permissions for others are also inconsistent.

This commit creates a short shell script for iterating over repositories in a base directory and adjusting permissions on them. We install a CRON on the hgweb machines to perform this iteration daily.

We select permissions of 2775 for directories and 664 for files.
Attachment #8636864 -
Flags: review?(klibby)
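A sketch of the behavior the two commit messages above describe, added here as an illustration; it is not the script that landed in version-control-tools. The function names and the output format are assumptions; the default modes 2775 and 664 are the ones stated in Comment 2.

```python
import os
import stat
import sys

# Modes from the commit message above; both stay configurable per call.
DIR_MODE = 0o2775
FILE_MODE = 0o664


def _fix(path, file_mode, dir_mode, changed):
    st = os.lstat(path)  # lstat: classify the entry itself, not a symlink target
    if stat.S_ISDIR(st.st_mode):
        want = dir_mode
    elif stat.S_ISREG(st.st_mode):
        want = file_mode
    else:
        return  # symlinks, sockets, etc. are skipped, like find -type f / -type d
    have = stat.S_IMODE(st.st_mode)
    if have != want:
        os.chmod(path, want)
        changed.append((path, have, want))


def normalize(repo, file_mode=FILE_MODE, dir_mode=DIR_MODE):
    """Normalize modes under repo; return [(path, old_mode, new_mode)] for changes."""
    changed = []
    _fix(repo, file_mode, dir_mode, changed)
    for root, dirs, files in os.walk(repo):
        # Fix children before os.walk descends, so an unreadable
        # subdirectory is repaired in time to be listed.
        for name in dirs + files:
            _fix(os.path.join(root, name), file_mode, dir_mode, changed)
    return changed


if __name__ == "__main__":
    for repo in sys.argv[1:]:
        changes = normalize(repo)
        # Silent when nothing changed: cron only sends mail if there is output.
        for path, old, new in changes:
            print("%s: %04o -> %04o" % (path, old, new))
        if changes:
            print("%s: %d entries adjusted" % (repo, len(changes)))
```

Each line of output names a path whose mode had drifted since the previous run, which is the signal the commit message wants for finding server processes that write with the wrong permissions.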
Comment 3 • 6 years ago
Comment on attachment 8636863
MozReview Request: scripts: add a script to adjust repository permissions (bug 1186256); r?fubar

https://reviewboard.mozilla.org/r/13737/#review12401

Ship It!
Attachment #8636863 -
Flags: review?(klibby) → review+
Comment 4 • 6 years ago
Comment on attachment 8636864
MozReview Request: ansible/hgweb: install CRON to normalize repository permissions (bug 1186256); r?fubar

https://reviewboard.mozilla.org/r/13739/#review12403

Ship It!
Attachment #8636864 -
Flags: review?(klibby) → review+
Comment 5 • 6 years ago (Assignee)
url: https://hg.mozilla.org/hgcustom/version-control-tools/rev/fc1c07f18570def20ab35e52622d8f92331c26a1
changeset: fc1c07f18570def20ab35e52622d8f92331c26a1
user: Gregory Szorc <gps@mozilla.com>
date: Wed Jul 22 11:16:11 2015 -0700
description:
scripts: add a script to adjust repository permissions (bug 1186256); r=fubar

Inspection of repositories on production machines reveals incredible inconsistency in filesystem permissions. Sanity injection is needed.

This script is roughly equivalent to:

  $ find repo -type f -exec chmod XXX {} \;
  $ find repo -type d -exec chmod XXXX {} \;

Although the file modes are configurable and it prints a summary of what all changed. The summary is important: we can install this as a CRON and it will only whine if permissions were adjusted. This will give insight to server processes that are improperly adjusting permissions.

url: https://hg.mozilla.org/hgcustom/version-control-tools/rev/8e86cbe99820973530d701321801f9d9f941e846
changeset: 8e86cbe99820973530d701321801f9d9f941e846
user: Gregory Szorc <gps@mozilla.com>
date: Wed Jul 22 11:16:24 2015 -0700
description:
ansible/hg-web: install CRON to normalize repository permissions (bug 1186256); r=fubar

The repository permissions on the hgweb machines are all over the place. While repositories are all likely read-write by the "hg" user, group permissions are inconsistent. Permissions for others are also inconsistent.

This commit creates a short shell script for iterating over repositories in a base directory and adjusting permissions on them. We install a CRON on the hgweb machines to perform this iteration daily.

We select permissions of 2775 for directories and 664 for files.
Comment 6 • 6 years ago (Assignee)
This is deploying as we speak. Expect some CRON emails tonight.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED