
Re: Any reason why user action hooks have to be +x?




----- Original Message -----
> From: "Michael McGrath" <mmcgrath redhat com>
> To: "Clayton Coleman" <ccoleman redhat com>
> Cc: dev lists openshift redhat com
> Sent: Tuesday, September 3, 2013 2:31:50 PM
> Subject: Re: Any reason why user action hooks have to be +x?
> 
> ----- Original Message -----
> > From: "Clayton Coleman" <ccoleman redhat com>
> > To: "Michael McGrath" <mmcgrath redhat com>
> > Cc: "Dan Mace" <dmace redhat com>, dev lists openshift redhat com
> > Sent: Tuesday, September 3, 2013 1:27:11 PM
> > Subject: Re: Any reason why user action hooks have to be +x?
> > 
> > So hooks have a pretty specific meaning - we say "put these files
> > in these
> > locations and run them".  If someone provides the file, and it
> > isn't
> > runnable, what value does that have for anyone (including us)?
> > 
> > Definitely setting something as not executable is a choice - but
> > here, in
> > many cases, these are developers adding files based on
> > documentation for the
> > first time and they are *not* making the choice to make the file
> > non-executable.  Also, as noted before Windows makes it very
> > difficult to
> > set permissions correctly.
> > 
> > Putting the effort into displaying a giant warning, where the only
> > reasonable
> > outcome is that a user is going to make the file executable, is
> > missing the
> > point.  If the only realistic choice for a user in this situation
> > is to make
> > the file executable, we should do it for them.  And by do it for
> > them I mean
> > it's something that should happen during the deployment on disk of
> > the new
> > git files.
> > 
> > If we could come up with a reason why this is a security problem -
> > I might
> > buy not setting it.  But for a choice to be meaningful for a
> > developer
> > (executable or not) there has to be some scenario under which their
> > decision
> > is meaningful.  In this case it appears it isn't meaningful.
> > 
> 
> I should point out I do this all the time while doing cartridge
> writing debugging.

Could just as easily just mv foo{,.bak} eh?

> Also, how are you planning on executing this
> non-executable file?  Just sh ./path/to/file?  What about if it's
> not a bash script?

Make it executable while instantiating the cartridge in the gear.

> 
> 
> > ----- Original Message -----
> > > ----- Original Message -----
> > > > From: "Clayton Coleman" <ccoleman redhat com>
> > > > To: "Michael McGrath" <mmcgrath redhat com>
> > > > Cc: "Dan Mace" <dmace redhat com>,
> > > > dev lists openshift redhat com
> > > > Sent: Tuesday, September 3, 2013 1:08:14 PM
> > > > Subject: Re: Any reason why user action hooks have to be +x?
> > > > 
> > > > But why?  What possible problem is there from executing those
> > > > scripts
> > > > (the
> > > > point of this thread is to tease that out).  All I know is that
> > > > this is a
> > > > problem for real users, and I don't see any value in us having
> > > > this
> > > > restriction.  I guess I'd like to see an argument about WHY
> > > > this is a bad
> > > > idea to make these specific scripts executable in this
> > > > particular case,
> > > > vs.
> > > > that in general in the Linux world scripts don't make other
> > > > scripts
> > > > executable.
> > > > 
> > > 
> > > It's really as simple as when I set something to not be
> > > executable, I
> > > expect
> > > it to not execute.
> > > 
> > > Also, if it is set unexecutable, how will you be calling it?  If
> > > someone
> > > writes a python start script, you can't call "sh ./start"
> > > 
> > > --
> > > Mike McGrath | mmcgrath redhat com | (312) 660-3547
> > > OpenShift | Red Hat Chicago | http://openshift.com/
> > > 
> > > 
> > > > ----- Original Message -----
> > > > > ----- Original Message -----
> > > > > > From: "Dan Mace" <dmace redhat com>
> > > > > > To: "Clayton Coleman" <ccoleman redhat com>
> > > > > > Cc: dev lists openshift redhat com
> > > > > > Sent: Tuesday, September 3, 2013 9:26:35 AM
> > > > > > Subject: Re: Any reason why user action hooks have to be
> > > > > > +x?
> > > > > > 
> > > > > > I can't remember the arguments against setting the modes on
> > > > > > the
> > > > > > user's
> > > > > > behalf
> > > > > > (or working around the modes another way to make them
> > > > > > irrelevant)
> > > > > > when
> > > > > > this
> > > > > > came up in the past leading to the current
> > > > > > design/documentation. I'm
> > > > > > in
> > > > > > favor of finding some way to eliminate the mode
> > > > > > requirement. I can't
> > > > > > think
> > > > > > of any reason we should support a case where the user
> > > > > > commits a
> > > > > > non-executable script to the hooks directory that they
> > > > > > intend to be
> > > > > > ignored
> > > > > > simply due to the mode (e.g. if you want to commit but
> > > > > > disable the
> > > > > > hook,
> > > > > > rename or move it).
> > > > > > 
> > > > > 
> > > > > As a general rule, we shouldn't be executing scripts that are
> > > > > not set
> > > > > executable.  I get that this is confusing to new users, but
> > > > > the current
> > > > > setup is behaving as expected.  I think I would prefer a
> > > > > louder note
> > > > > when
> > > > > a
> > > > > script is found that is not executable.
> > > > > 
> > > > > =====
> > > > > NOTE:  .openshift/action_hooks/start is not executable and so
> > > > > OpenShift
> > > > > has
> > > > > skipped it.
> > > > > Please chmod +x .openshift/action_hooks/start to start it
> > > > > =====
> > > > > 
> > > > > Or something to that effect.  It's just a common convention
> > > > > and one
> > > > > worth
> > > > > observing.
> > > > > 
> > > > >     -Mike
> > > > > 
> > > > > 
> > > > > > --
> > > > > > Dan Mace
> > > > > > Sr. Software Engineer, Red Hat
> > > > > > 
> > > > > > 
> > > > > > ----- Original Message -----
> > > > > > > From: "Clayton Coleman" <ccoleman redhat com>
> > > > > > > To: dev lists openshift redhat com
> > > > > > > Sent: Tuesday, September 3, 2013 10:22:12 AM
> > > > > > > Subject: Any reason why user action hooks have to be +x?
> > > > > > > 
> > > > > > > Thinking through this... we've had a number of folks who
> > > > > > > hit the
> > > > > > > old
> > > > > > > "oops,
> > > > > > > my action hooks aren't +x".  Since we are no longer
> > > > > > > including the
> > > > > > > hooks
> > > > > > > in
> > > > > > > cart templates, it makes it more likely a new user is
> > > > > > > going to end
> > > > > > > up
> > > > > > > wasting their time trying to fix an arbitrary problem
> > > > > > > (it's burned
> > > > > > > even
> > > > > > > > experienced developers).  Also, Windows developers can't
> > > > > > > even
> > > > > > > easily
> > > > > > > fix
> > > > > > > modes - requires some git knowledge.
> > > > > > > 
> > > > > > > Is there a good reason we can't just "/bin/sh" each hook
> > > > > > > directly
> > > > > > > or
> > > > > > > auto
> > > > > > > +x
> > > > > > > it?  Or auto +x during deployment?
> > > > > > > 
> > > > > > > I vaguely remember discussions, would like to have a
> > > > > > > discussion on
> > > > > > > it.
> > > > > > > 
> > > > > > > _______________________________________________
> > > > > > > dev mailing list
> > > > > > > dev lists openshift redhat com
> > > > > > > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > > > > > > 
> > > > > > 
> > > > > > _______________________________________________
> > > > > > dev mailing list
> > > > > > dev lists openshift redhat com
> > > > > > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 
> 
> _______________________________________________
> dev mailing list
> dev lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> 
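
The two behaviours debated in this thread (skip a non-executable hook with a loud note, or add the executable bit at deployment and run the hook through its own shebang instead of `sh`), as an added example that is not OpenShift code and not written by anyone in the thread. The function names, the `warn`/`fix` modes and the regular-file/symlink guard are assumptions of this example.

```shell
#!/bin/sh
# Added example; prepare_hooks, run_hook, demo_tree and the modes are hypothetical names.

# prepare_hooks DIR MODE -> one status line per entry on stdout.
#   warn: skip non-executable hooks and print a note (stderr), modes untouched
#   fix : add u+x at deploy time so the hook's own shebang picks the interpreter
prepare_hooks() {
    dir=$1 mode=$2
    for hook in "$dir"/*; do
        [ -e "$hook" ] || [ -L "$hook" ] || continue   # empty directory
        name=${hook##*/}
        # Assumed guard: regular files only, never symlinks, so a committed
        # link cannot point chmod or execution at a file outside the repo.
        if [ -L "$hook" ] || [ ! -f "$hook" ]; then
            echo "ignored $name"; continue
        fi
        if [ -x "$hook" ]; then
            echo "ok $name"
        elif [ "$mode" = fix ]; then
            chmod u+x "$hook" && echo "fixed $name"
        else
            echo "skipped $name"
            echo "NOTE: $hook is not executable and so was skipped." >&2
            echo "Please chmod +x $hook to run it." >&2
        fi
    done
}

# run_hook PATH: execute the file itself, not "sh PATH", so a Python (or any
# non-shell) hook runs under the interpreter named in its shebang line.
run_hook() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -x "$1" ] || return 126
    "$1"
}

# Constructed sample tree: one +x hook, one committed without +x, one symlink.
demo_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho built\n'   > "$d/build"; chmod 755 "$d/build"
    printf '#!/bin/sh\necho started\n' > "$d/start"; chmod 644 "$d/start"
    ln -s /bin/sh "$d/stop"
    echo "$d"
}

if [ "${1:-}" = demo ]; then
    t=$(demo_tree); prepare_hooks "$t" warn; prepare_hooks "$t" fix
    run_hook "$t/start"; rm -rf "$t"
fi
```

Running the script with the argument `demo` prints the status lines for both modes against the constructed tree.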

