
Re: Any reason why user action hooks have to be +x?



----- Original Message -----
> From: "Luke Meyer" <lmeyer redhat com>
> To: "Michael McGrath" <mmcgrath redhat com>
> Cc: dev lists openshift redhat com
> Sent: Tuesday, September 3, 2013 2:35:31 PM
> Subject: Re: Any reason why user action hooks have to be +x?
> 
> 
> 
> ----- Original Message -----
> > From: "Michael McGrath" <mmcgrath redhat com>
> > To: "Clayton Coleman" <ccoleman redhat com>
> > Cc: dev lists openshift redhat com
> > Sent: Tuesday, September 3, 2013 2:31:50 PM
> > Subject: Re: Any reason why user action hooks have to be +x?
> > 
> > ----- Original Message -----
> > > From: "Clayton Coleman" <ccoleman redhat com>
> > > To: "Michael McGrath" <mmcgrath redhat com>
> > > Cc: "Dan Mace" <dmace redhat com>, dev lists openshift redhat com
> > > Sent: Tuesday, September 3, 2013 1:27:11 PM
> > > Subject: Re: Any reason why user action hooks have to be +x?
> > > 
> > > So hooks have a pretty specific meaning - we say "put these files in these
> > > locations and run them".  If someone provides the file, and it isn't
> > > runnable, what value does that have for anyone (including us)?
> > > 
> > > Definitely setting something as not executable is a choice - but here, in
> > > many cases, these are developers adding files based on documentation for the
> > > first time and they are *not* making the choice to make the file
> > > non-executable.  Also, as noted before windows makes it very difficult to
> > > set permissions correctly.
> > > 
> > > Putting the effort into displaying a giant warning, where the only reasonable
> > > outcome is that a user is going to make the file executable, is missing the
> > > point.  If the only realistic choice for a user in this situation is to make
> > > the file executable, we should do it for them.  And by do it for them I mean
> > > it's something that should happen during the deployment on disk of the new
> > > git files.
> > > 
> > > If we could come up with a reason why this is a security problem - I might
> > > buy not setting it.  But for a choice to be meaningful for a developer
> > > (executable or not) there has to be some scenario under which their decision
> > > is meaningful.  In this case it appears it isn't meaningful.
> > > 
> > 
> > I should point out I do this all the time while doing cartridge
> > writing debugging.
> 
> Could just as easily just mv foo{,.bak} eh?
> 
> > Also, how are you planning on executing this
> > non-executable file?  Just sh ./path/to/file?  What about if it's
> > not a bash script?
> 
> Make it executable while instantiating the cartridge in the gear.
> 

I think we're just talking about .openshift/action_hooks in the app Git repository; might make sense to just change the modes in the OpenShift-controlled Git post-receive hook.

I also feel just moving the file out of the way for debugging would work just as well as a mode change for debugging.


> > 
> > 
> > > ----- Original Message -----
> > > > ----- Original Message -----
> > > > > From: "Clayton Coleman" <ccoleman redhat com>
> > > > > To: "Michael McGrath" <mmcgrath redhat com>
> > > > > Cc: "Dan Mace" <dmace redhat com>,
> > > > > dev lists openshift redhat com
> > > > > Sent: Tuesday, September 3, 2013 1:08:14 PM
> > > > > Subject: Re: Any reason why user action hooks have to be +x?
> > > > > 
> > > > > > But why?  What possible problem is there from executing those scripts
> > > > > > (the point of this thread is to tease that out).  All I know is that
> > > > > > this is a problem for real users, and I don't see any value in us having
> > > > > > this restriction.  I guess I'd like to see an argument about WHY this is
> > > > > > a bad idea to make these specific scripts executable in this particular
> > > > > > case, vs. that in general in the linux world scripts don't make other
> > > > > > scripts executable.
> > > > > 
> > > > 
> > > > It's really as simple as when I set something to not be executable, I
> > > > expect it to not execute.
> > > > 
> > > > Also, if it is set unexecutable, how will you be calling it?  If someone
> > > > writes a python start script, you can't call "sh ./start"
> > > > 
> > > > --
> > > > Mike McGrath | mmcgrath redhat com | (312) 660-3547
> > > > OpenShift | Red Hat Chicago | http://openshift.com/
> > > > 
> > > > 
> > > > > ----- Original Message -----
> > > > > > ----- Original Message -----
> > > > > > > From: "Dan Mace" <dmace redhat com>
> > > > > > > To: "Clayton Coleman" <ccoleman redhat com>
> > > > > > > Cc: dev lists openshift redhat com
> > > > > > > Sent: Tuesday, September 3, 2013 9:26:35 AM
> > > > > > > Subject: Re: Any reason why user action hooks have to be
> > > > > > > +x?
> > > > > > > 
> > > > > > > > I can't remember the arguments against setting the modes on the
> > > > > > > > user's behalf (or working around the modes another way to make them
> > > > > > > > irrelevant) when this came up in the past leading to the current
> > > > > > > > design/documentation. I'm in favor of finding some way to eliminate
> > > > > > > > the mode requirement. I can't think of any reason we should support
> > > > > > > > a case where the user commits a non-executable script to the hooks
> > > > > > > > directory that they intend to be ignored simply due to the mode
> > > > > > > > (e.g. if you want to commit but disable the hook, rename or move it).
> > > > > > > 
> > > > > > 
> > > > > > > As a general rule, we shouldn't be executing scripts that are not set
> > > > > > > executable.  I get that this is confusing to new users, but the current
> > > > > > > setup is behaving as expected.  I think I would prefer a louder note
> > > > > > > when a script is found that is not executable.
> > > > > > > 
> > > > > > > =====
> > > > > > > NOTE:  .openshift/action_hooks/start is not executable and so OpenShift has skipped it.
> > > > > > > Please chmod +x .openshift/action_hooks/start to start it
> > > > > > > =====
> > > > > > > 
> > > > > > > Or something to that effect.  It's just a common convention and one
> > > > > > > worth observing.
> > > > > > 
> > > > > >     -Mike
> > > > > > 
> > > > > > 
> > > > > > > --
> > > > > > > Dan Mace
> > > > > > > Sr. Software Engineer, Red Hat
> > > > > > > 
> > > > > > > 
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Clayton Coleman" <ccoleman redhat com>
> > > > > > > > To: dev lists openshift redhat com
> > > > > > > > Sent: Tuesday, September 3, 2013 10:22:12 AM
> > > > > > > > Subject: Any reason why user action hooks have to be +x?
> > > > > > > > 
> > > > > > > > > Thinking through this... we've had a number of folks who hit the old
> > > > > > > > > "oops, my action hooks aren't +x".  Since we are no longer including
> > > > > > > > > the hooks in cart templates, it makes it more likely a new user is
> > > > > > > > > going to end up wasting their time trying to fix an arbitrary problem
> > > > > > > > > (it's burned even experienced developers).  Also, windows developers
> > > > > > > > > can't even easily fix modes - requires some git knowledge.
> > > > > > > > > 
> > > > > > > > > Is there a good reason we can't just "/bin/sh" each hook directly or
> > > > > > > > > auto +x it?  Or auto +x during deployment?
> > > > > > > > > 
> > > > > > > > > I vaguely remember discussions, would like to have a discussion on it.
> > > > > > > > 
> > > > > > > > _______________________________________________
> > > > > > > > dev mailing list
> > > > > > > > dev lists openshift redhat com
> > > > > > > > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > > > > > > > 
> > > > > > > 
> > > > > > > _______________________________________________
> > > > > > > dev mailing list
> > > > > > > dev lists openshift redhat com
> > > > > > > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > > > > > > 
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 
> > _______________________________________________
> > dev mailing list
> > dev lists openshift redhat com
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > 
> 
> _______________________________________________
> dev mailing list
> dev lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> 
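
The mode change proposed above for the OpenShift-controlled post-receive hook could look like the following sketch. It is an added example, not code from this thread or from OpenShift; the function name `fix_hook_modes` and the policy of skipping symlinks and subdirectories are assumptions.

```shell
#!/bin/sh
# Added example: make user action hooks executable at deploy time.
# The hooks path comes from the thread; everything else is an assumption.
HOOK_SUBDIR=".openshift/action_hooks"

# fix_hook_modes REPO_DIR
# Adds the owner-execute bit to regular files directly inside the hooks
# directory and prints one line per file whose mode was changed.
fix_hook_modes() {
    repo_dir=$1
    hooks_dir="$repo_dir/$HOOK_SUBDIR"

    # A pushed repository controls this path, so refuse a hooks directory
    # that is itself a symlink, and do nothing if it does not exist.
    if [ -L "$hooks_dir" ] || [ ! -d "$hooks_dir" ]; then
        return 0
    fi

    for f in "$hooks_dir"/*; do
        # chmod follows symlinks, so a link in the repo could otherwise
        # change the mode of a file outside the hooks directory.
        [ -L "$f" ] && continue
        # Skip subdirectories and the literal pattern left by an empty glob.
        [ -f "$f" ] || continue
        # Already executable: leave the mode alone.
        [ -x "$f" ] && continue
        # u+x only: do not widen permissions for group or others.
        chmod u+x "$f" && printf 'made executable: %s\n' "${f#"$repo_dir"/}"
    done
    return 0
}
```

For developers who would rather fix the mode in the commit itself, `git update-index --chmod=+x .openshift/action_hooks/start` records the executable bit in the index without relying on filesystem permissions.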

