Ensure www-data owns repo structure and permissions are correct (#821)
myieye authored May 28, 2024
1 parent b4e4061 commit fb43c1c
Showing 4 changed files with 44 additions and 20 deletions.
1 change: 1 addition & 0 deletions backend/LexBoxApi/LexBoxKernel.cs
Expand Up @@ -54,6 +54,7 @@ public static void AddLexBoxApi(this IServiceCollection services,
services.AddScoped<TusService>();
services.AddScoped<TurnstileService>();
services.AddScoped<IHgService, HgService>();
services.AddHostedService<HgService>();
services.AddTransient<HgWebHealthCheck>();
services.AddScoped<IIsLanguageForgeProjectDataLoader, IsLanguageForgeProjectDataLoader>();
services.AddScoped<ILexProxyService, LexProxyService>();
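Review bot: `services.AddHostedService<HgService>()` registers a second, singleton HgService next to the scoped `IHgService` registration on the line above, so the hosted instance is resolved from the root provider; if HgService's constructor takes any scoped service, the scope validation that is on by default in Development will throw at startup, and elsewhere that dependency would be captured for the process lifetime. The constructor is not in this diff, so this may be moot; if it is not, a small dedicated `IHostedService` for the directory setup (or a factory overload that resolves only what the startup task needs) avoids the double registration. A comment such as `// Startup task: creates the repo container directories (see HgService.StartAsync)` would also tell the next reader why a scoped service is registered as hosted.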
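--- a/backend/LexBoxApi/Services/HgService.cs
+++ b/backend/LexBoxApi/Services/HgService.cs
@@ -18,7 +18,7 @@
 
 namespace LexBoxApi.Services;
 
-public partial class HgService : IHgService
+public partial class HgService : IHgService, IHostedService
 {
 private const string DELETED_REPO_FOLDER = "_____deleted_____";
 private const string TEMP_REPO_FOLDER = "_____temp_____";
@@ -292,7 +292,8 @@ private async Task<HttpContent> ExecuteHgCommandServerCommand(string code, strin
 return response.Content;
 }
 
-private static readonly string[] InvalidRepoNames = { DELETED_REPO_FOLDER, TEMP_REPO_FOLDER, "api" };
+private static readonly string[] SpecialDirectoryNames = [DELETED_REPO_FOLDER, TEMP_REPO_FOLDER];
+private static readonly HashSet<string> InvalidRepoNames = [.. SpecialDirectoryNames, "api"];
 
 private void AssertIsSafeRepoName(string name)
 {
@@ -366,6 +367,28 @@ public static string DetermineProjectUrlPrefix(HgType type, HgConfig hgConfig)
 $"Unknown request, HG request type: {type}")
 };
 }
 
+public Task StartAsync(CancellationToken cancellationToken)
+{
+var repoContainerDirectories = SpecialDirectoryNames
+.Concat(Enumerable.Range('a', 'z' - 'a' + 1).Select(c => ((char)c).ToString()))
+.Concat(Enumerable.Range(0, 10).Select(c => c.ToString()));
+
+foreach (var directory in repoContainerDirectories)
+{
+var path = Path.Combine(_options.Value.RepoPath, directory);
+var dirInfo = Directory.CreateDirectory(path);
+if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
+dirInfo.UnixFileMode = Permissions;
+}
+
+return Task.CompletedTask;
+}
+
+public Task StopAsync(CancellationToken cancellationToken)
+{
+return Task.CompletedTask;
+}
 }
 
 public class LogResponse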
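Review bot: `StartAsync` in the last hunk now does the job the deleted `init-repo-structure` init container used to do, but nothing in the code says so; a summary along the lines of `/// Creates the first-level repo container directories (special folders, a-z, 0-9) under RepoPath and, on Linux, applies Permissions to each; replaces the former hg-deployment init container.` would keep that context from being lost. The loop also never consults `cancellationToken`; a `cancellationToken.ThrowIfCancellationRequested();` as the first statement of the `foreach` lets an aborted host startup stop early instead of finishing all 38 directory operations. `Permissions` and `_options` are declared outside this hunk, so whether the mode is meant to be re-applied to directories that already existed cannot be confirmed from here, though the commit title suggests it is. In the second hunk, `InvalidRepoNames` now uses the default case-sensitive comparer; if `api` is reserved because it collides with a route (routing is case-insensitive), passing `StringComparer.OrdinalIgnoreCase` to the set would close that gap, and `AssertIsSafeRepoName`'s body is outside the hunk so this is only a question.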
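--- a/deployment/base/hg-deployment.yaml
+++ b/deployment/base/hg-deployment.yaml
@@ -170,21 +170,3 @@ spec:
 items:
 - key: hgweb.hgrc
 path: hgweb.hgrc
-
-initContainers:
-- name: init-repo-structure
-securityContext:
-runAsUser: 33
-runAsGroup: 33 # www-data
-runAsNonRoot: true
-image: busybox:1.36.1
-command:
-- 'sh'
-- '-c'
-- |
-cd /repos
-mkdir -p a b c d e f g h i j k l m n o p q r s t u v w x y z
-mkdir -p 0 1 2 3 4 5 6 7 8 9
-volumeMounts:
-- name: repos
-mountPath: /repos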
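--- a/deployment/base/lexbox-deployment.yaml
+++ b/deployment/base/lexbox-deployment.yaml
@@ -261,3 +261,21 @@ spec:
 configMapKeyRef:
 name: app-config
 key: environment-name
+- name: set-repo-structure-owner-to-www-data
+securityContext:
+# Make sure we're authorized to set ownership
+runAsUser: 0
+runAsGroup: 0
+runAsNonRoot: false
+image: busybox:1.36.1
+command:
+- 'sh'
+- '-c'
+- |
+cd /repos
+chown www-data:www-data .
+# Only necessary if directories already exist with the wrong ownership
+find . -maxdepth 1 -type d ! -name lost+found -exec chown www-data:www-data {} +
+volumeMounts:
+- name: repos
+mountPath: /repos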
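Review bot: The new init container runs as uid 0 with the full default capability set for a task that needs only CAP_CHOWN; adding `capabilities: { drop: [ALL], add: [CHOWN] }` and `allowPrivilegeEscalation: false` under the existing `securityContext` keeps the root requirement the comment explains while limiting what this container can do to the shared `repos` volume. The chown targets are given by name, which relies on the busybox image's /etc/passwd mapping `www-data` to 33; `chown 33:33` would match the numeric ids the removed hg-deployment init container used and drop that dependency on the image. The `find` only re-owns top-level directories, not their contents, which is presumably intentional for the "directories already exist" case the comment describes but is worth stating in that comment so nobody later expects a recursive fix.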
