Bug 1391476 - Ensure version control repository have proper permissions; r?chmanchester
Before, we only set the owner of the root directory of the repo. If
subsequent tasks on the same worker used a different uid/gid, this
could lead to filesystem permissions problems.
We recursively chown all version control files as a mitigation against
permissions failures.
This will add overhead to run-task. But it is necessary to eliminate
permissions problems, especially on Try.
MozReview-Commit-ID: DmS7WWEgrGZ
--- a/taskcluster/docker/recipes/run-task
+++ b/taskcluster/docker/recipes/run-task
@@ -282,34 +282,34 @@ def main(args):
# Ensure the directory for the source checkout exists.
try:
os.makedirs(os.path.dirname(checkout))
except OSError as e:
if e.errno != errno.EEXIST:
raise
# And that it is owned by the appropriate user/group.
- if running_as_root:
- os.chown(os.path.dirname(checkout), uid, gid)
+ if running_as_root and os.path.exists(checkout):
+ chown_recursive(checkout, user.pw_name, group.gr_name, uid, gid)
def prepare_hg_store_path():
# And ensure the shared store path exists and has proper permissions.
if 'HG_STORE_PATH' not in os.environ:
print('error: HG_STORE_PATH environment variable not set')
sys.exit(1)
store_path = os.environ['HG_STORE_PATH']
try:
os.makedirs(store_path)
except OSError as e:
if e.errno != errno.EEXIST:
raise
if running_as_root:
- os.chown(store_path, uid, gid)
+ chown_recursive(store_path, user.pw_name, group.gr_name, uid, gid)
prepare_checkout_dir(args.vcs_checkout)
prepare_checkout_dir(args.tools_checkout)
prepare_hg_store_path()
if running_as_root:
# Drop permissions to requested user.
# This code is modeled after what `sudo` was observed to do in a Docker
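Review bot: In prepare_checkout_dir the parent directory that `os.makedirs(os.path.dirname(checkout))` may have just created as root is no longer chowned, because the new branch touches only `checkout`, and only when it already exists. On a worker where the checkout is not yet present, the user that run-task later drops to may be unable to create it there. Keeping `os.chown(os.path.dirname(checkout), uid, gid)` under `if running_as_root:` and nesting the recursive call in its own `if os.path.exists(checkout):` would preserve the old guarantee. Separately, chown_recursive is defined outside this hunk and cannot be checked here, but it runs as root over trees that earlier tasks with a different uid could write (the checkout and HG_STORE_PATH), so it should not follow symlinks: use `os.lchown(path, uid, gid)` per entry and leave `os.walk` at its default `followlinks=False`, otherwise a link left in the tree could transfer ownership of a file outside it. The `def prepare_checkout_dir` line and the rest of main() lie outside the hunk.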