
Re: Any reason why user action hooks have to be +x?



----- Original Message -----
> From: "Clayton Coleman" <ccoleman redhat com>
> To: "Michael McGrath" <mmcgrath redhat com>
> Cc: "Dan Mace" <dmace redhat com>, dev lists openshift redhat com
> Sent: Tuesday, September 3, 2013 1:27:11 PM
> Subject: Re: Any reason why user action hooks have to be +x?
> 
> So hooks have a pretty specific meaning - we say "put these files in these
> locations and run them".  If someone provides the file, and it isn't
> runnable, what value does that have for anyone (including us)?
> 
> Definitely setting something as not executable is a choice - but here, in
> many cases, these are developers adding files based on documentation for the
> first time and they are *not* making the choice to make the file
> non-executable.  Also, as noted before Windows makes it very difficult to
> set permissions correctly.
> 
> Putting the effort into displaying a giant warning, where the only reasonable
> outcome is that a user is going to make the file executable, is missing the
> point.  If the only realistic choice for a user in this situation is to make
> the file executable, we should do it for them.  And by do it for them I mean
> it's something that should happen during the deployment on disk of the new
> git files.
> 
> If we could come up with a reason why this is a security problem - I might
> buy not setting it.  But for a choice to be meaningful for a developer
> (executable or not) there has to be some scenario under which their decision
> is meaningful.  In this case it appears it isn't meaningful.
> 

I should point out I do this all the time while doing cartridge writing debugging.  Also, how are you planning on executing this non-executable file?  Just sh ./path/to/file?  What about if it's not a bash script?

    -Mike


> ----- Original Message -----
> > ----- Original Message -----
> > > From: "Clayton Coleman" <ccoleman redhat com>
> > > To: "Michael McGrath" <mmcgrath redhat com>
> > > Cc: "Dan Mace" <dmace redhat com>, dev lists openshift redhat com
> > > Sent: Tuesday, September 3, 2013 1:08:14 PM
> > > Subject: Re: Any reason why user action hooks have to be +x?
> > > 
> > > But why?  What possible problem is there from executing those scripts
> > > (the point of this thread is to tease that out).  All I know is that
> > > this is a problem for real users, and I don't see any value in us having
> > > this restriction.  I guess I'd like to see an argument about WHY this is
> > > a bad idea to make these specific scripts executable in this particular
> > > case, vs. that in general in the Linux world scripts don't make other
> > > scripts executable.
> > > 
> > 
> > It's really as simple as when I set something to not be executable, I
> > expect it to not execute.
> > 
> > Also, if it is set unexecutable, how will you be calling it?  If someone
> > writes a python start script, you can't call "sh ./start"
> > 
> > --
> > Mike McGrath | mmcgrath redhat com | (312) 660-3547
> > OpenShift | Red Hat Chicago | http://openshift.com/
> > 
> > 
> > > ----- Original Message -----
> > > > ----- Original Message -----
> > > > > From: "Dan Mace" <dmace redhat com>
> > > > > To: "Clayton Coleman" <ccoleman redhat com>
> > > > > Cc: dev lists openshift redhat com
> > > > > Sent: Tuesday, September 3, 2013 9:26:35 AM
> > > > > Subject: Re: Any reason why user action hooks have to be +x?
> > > > > 
> > > > > I can't remember the arguments against setting the modes on the
> > > > > user's behalf (or working around the modes another way to make them
> > > > > irrelevant) when this came up in the past leading to the current
> > > > > design/documentation. I'm in favor of finding some way to eliminate
> > > > > the mode requirement. I can't think of any reason we should support
> > > > > a case where the user commits a non-executable script to the hooks
> > > > > directory that they intend to be ignored simply due to the mode
> > > > > (e.g. if you want to commit but disable the hook, rename or move it).
> > > > > 
> > > > 
> > > > As a general rule, we shouldn't be executing scripts that are not set
> > > > executable.  I get that this is confusing to new users, but the current
> > > > setup is behaving as expected.  I think I would prefer a louder note
> > > > when a script is found that is not executable.
> > > > 
> > > > =====
> > > > NOTE:  .openshift/action_hooks/start is not executable and so OpenShift
> > > > has skipped it.
> > > > Please chmod +x .openshift/action_hooks/start to start it
> > > > =====
> > > > 
> > > > Or something to that effect.  It's just a common convention and one
> > > > worth observing.
> > > > 
> > > >     -Mike
> > > > 
> > > > 
> > > > > --
> > > > > Dan Mace
> > > > > Sr. Software Engineer, Red Hat
> > > > > 
> > > > > 
> > > > > ----- Original Message -----
> > > > > > From: "Clayton Coleman" <ccoleman redhat com>
> > > > > > To: dev lists openshift redhat com
> > > > > > Sent: Tuesday, September 3, 2013 10:22:12 AM
> > > > > > Subject: Any reason why user action hooks have to be +x?
> > > > > > 
> > > > > > Thinking through this... we've had a number of folks who hit the
> > > > > > old "oops, my action hooks aren't +x".  Since we are no longer
> > > > > > including the hooks in cart templates, it makes it more likely a
> > > > > > new user is going to end up wasting their time trying to fix an
> > > > > > arbitrary problem (it's burned even experienced developers).  Also,
> > > > > > Windows developers can't even easily fix modes - requires some git
> > > > > > knowledge.
> > > > > > 
> > > > > > Is there a good reason we can't just "/bin/sh" each hook directly
> > > > > > or auto +x it?  Or auto +x during deployment?
> > > > > > 
> > > > > > I vaguely remember discussions, would like to have a discussion on
> > > > > > it.
> > > > > > 
> > > > > > _______________________________________________
> > > > > > dev mailing list
> > > > > > dev lists openshift redhat com
> > > > > > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 
> 
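
The two positions in this thread, sketched as an added example (not OpenShift's code and not written by anyone in the thread): a hook runner that skips a non-executable hook with the note proposed above, and otherwise executes the file directly so the kernel honours its "#!" line instead of assuming /bin/sh. The function names, the exit status 3 and the temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hook runner that respects the mode bit. Names are hypothetical.

# Print the interpreter named on the "#!" line; fail if there is none.
# Shows why "sh ./start" is wrong for a hook written in another language.
hook_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case $first in
        '#!'*) printf '%s\n' "${first#??}" | sed 's/^[[:space:]]*//' ;;
        *) return 1 ;;
    esac
}

# Run a hook only if its owner marked it executable.
# Returns 0 if no hook exists, 3 (assumed code) if it was skipped,
# otherwise the hook's own exit status.
run_hook() {
    hook=$1
    [ -f "$hook" ] || return 0
    if [ ! -x "$hook" ]; then
        echo "====="
        echo "NOTE:  $hook is not executable and so OpenShift has skipped it."
        echo "Please chmod +x $hook to start it"
        echo "====="
        return 3
    fi
    # Execute directly: the kernel picks the interpreter from the "#!" line,
    # so shell, Python or Ruby hooks all run without guessing a language.
    "$hook"
}

# Constructed demo: a hook committed without the executable bit.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho hook ran\n' > "$demo_dir/start"
chmod 644 "$demo_dir/start"
run_hook "$demo_dir/start"          # prints the NOTE, returns 3
chmod +x "$demo_dir/start"
run_hook "$demo_dir/start"          # prints "hook ran"
rm -rf "$demo_dir"
```

The auto +x alternative raised in the thread would replace the skip branch with a chmod at deployment time; either way the hook is then executed directly rather than passed to a fixed interpreter.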

