Closed Bug 1186256 Opened 10 years ago Closed 10 years ago

Normalize repository permissions on hgweb machines

Categories

(Developer Services :: Mercurial: hg.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gps, Assigned: gps)

Attachments

(2 files)

The permissions are all over the place. Let's inject some sanity. This is a prerequisite to rolling out our chroot-based moz.build evaluation since we don't want "rogue" Python to have write access to files.
scripts: add a script to adjust repository permissions (bug 1186256); r?fubar

Inspection of repositories on production machines reveals incredible inconsistency in filesystem permissions. Sanity injection is needed.

This script is roughly equivalent to:

  $ find repo -type f -exec chmod XXX {} \;
  $ find repo -type d -exec chmod XXXX {} \;

Although the file modes are configurable and it prints a summary of what all changed.

The summary is important: we can install this as a CRON and it will only whine if permissions were adjusted. This will give insight to server processes that are improperly adjusting permissions.
Attachment #8636863 - Flags: review?(klibby)
ansible/hgweb: install CRON to normalize repository permissions (bug 1186256); r?fubar

The repository permissions on the hgweb machines are all over the place. While repositories are all likely read-write by the "hg" user, group permissions are inconsistent. Permissions for others is also inconsistent.

This commit creates a short shell script for iterating over repositories in a base directory and adjusting permissions on them. We install a CRON on the hgweb machines to perform this iteration daily.

We select permissions of 2775 for directories and 664 for files.
Attachment #8636864 - Flags: review?(klibby)
Comment on attachment 8636863 [details]
MozReview Request: scripts: add a script to adjust repository permissions (bug 1186256); r?fubar

https://reviewboard.mozilla.org/r/13737/#review12401

Ship It!
Attachment #8636863 - Flags: review?(klibby) → review+
Comment on attachment 8636864 [details]
MozReview Request: ansible/hgweb: install CRON to normalize repository permissions (bug 1186256); r?fubar

https://reviewboard.mozilla.org/r/13739/#review12403

Ship It!
Attachment #8636864 - Flags: review?(klibby) → review+
url: https://hg.mozilla.org/hgcustom/version-control-tools/rev/fc1c07f18570def20ab35e52622d8f92331c26a1
changeset: fc1c07f18570def20ab35e52622d8f92331c26a1
user: Gregory Szorc <gps@mozilla.com>
date: Wed Jul 22 11:16:11 2015 -0700
description:
scripts: add a script to adjust repository permissions (bug 1186256); r=fubar

Inspection of repositories on production machines reveals incredible inconsistency in filesystem permissions. Sanity injection is needed.

This script is roughly equivalent to:

  $ find repo -type f -exec chmod XXX {} \;
  $ find repo -type d -exec chmod XXXX {} \;

Although the file modes are configurable and it prints a summary of what all changed.

The summary is important: we can install this as a CRON and it will only whine if permissions were adjusted. This will give insight to server processes that are improperly adjusting permissions.

url: https://hg.mozilla.org/hgcustom/version-control-tools/rev/8e86cbe99820973530d701321801f9d9f941e846
changeset: 8e86cbe99820973530d701321801f9d9f941e846
user: Gregory Szorc <gps@mozilla.com>
date: Wed Jul 22 11:16:24 2015 -0700
description:
ansible/hg-web: install CRON to normalize repository permissions (bug 1186256); r=fubar

The repository permissions on the hgweb machines are all over the place. While repositories are all likely read-write by the "hg" user, group permissions are inconsistent. Permissions for others is also inconsistent.

This commit creates a short shell script for iterating over repositories in a base directory and adjusting permissions on them. We install a CRON on the hgweb machines to perform this iteration daily.

We select permissions of 2775 for directories and 664 for files.
This is deploying as we speak. Expect some CRON emails tonight.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 1186992
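
The behavior the commit messages describe (normalize file and directory modes, print a summary only when something changed), as an added example; this is not the script that landed in version-control-tools. The function names, the summary format and the symlink handling are assumptions; the 664 and 2775 defaults are from the commit message.

```python
import os
import stat
import sys
from collections import Counter

FILE_MODE = 0o664   # from the commit message: 664 for files
DIR_MODE = 0o2775   # from the commit message: 2775 (setgid) for directories


def normalize(root, file_mode=FILE_MODE, dir_mode=DIR_MODE, dry_run=False):
    """Set modes under root; return a Counter keyed by (kind, old, new)."""
    changes = Counter()

    def fix(path, kind, want):
        st = os.lstat(path)
        # Never chmod through a symlink: chmod() follows links, so a link
        # inside a repository could redirect the change outside the tree.
        if stat.S_ISLNK(st.st_mode):
            return
        have = stat.S_IMODE(st.st_mode)
        if have != want:
            if not dry_run:
                os.chmod(path, want)
            changes[(kind, have, want)] += 1

    fix(root, "dir", dir_mode)
    # os.walk is top-down and does not descend into symlinked directories.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            fix(os.path.join(dirpath, name), "dir", dir_mode)
        for name in filenames:
            fix(os.path.join(dirpath, name), "file", file_mode)
    return changes


def summary(changes):
    """One line per distinct mode transition; empty string if nothing changed."""
    return "\n".join(
        f"{count} {kind}(s): {old:04o} -> {new:04o}"
        for (kind, old, new), count in sorted(changes.items())
    )


if __name__ == "__main__":
    text = summary(normalize(sys.argv[1]))
    if text:  # cron sends mail only when the job prints something
        print(text)
```

Grouping the report by mode transition keeps the cron mail short while still showing which wrong mode keeps reappearing, which is the signal for tracking down the process that sets it.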