DROID is primarily designed to run commands using the Workflow buttons on the web pages, but I also want developers like me and @beckyjackson to be able to log in to the DROID server to do work on branches.
With the current system, I usually:
1. log in as james
2. resume my tmux session
3. start a new tmux window
4. cd to a branch directory, e.g. /var/www/droid.ontodev.com/projects/ONTIE/workspace/master
5. split my tmux window vertically
6. sudo su then start my editor
7. sudo docker exec -it ONTIE-master bash to run stuff inside the container
I'm not happy about the sudo su then editor step. I think that I should be able to just create/delete/edit files as james but I invariably mess up permissions, and then Becky can't work with the files I create without sudo, or vice versa. I also have trouble working with git: if I run git as me then there are permission problems with the .git/ directory; if I run git as root then I don't have my GitHub credentials.
I think there should be some combination of setgid and/or sticky bits that would make this work smoothly.
(Alternatively, I could install my preferred tools and configuration into the Docker container, but I worry that would leak secrets such as my GitHub credentials.)
The upshot is that we should be able to install our preferred tools and configuration in our user accounts and just do our work. This should include things like our own GitHub credentials. And it should also support remote editing tools for GUI editors such as Sublime and VSCode.
@lmcmicu Please try to replicate something like the following using SGID. Starting as a non-root user (e.g. james) who belongs to the wheel group:
cd /var/www/droid.ontodev.com/projects/curatron/workspace/main
sudo mkdir test
sudo chown root:wheel test
sudo chmod 2770 test
touch test/james
sudo touch test/root
sudo docker exec -it curatron-main touch /workspace/test/docker
ls -lah test
The "2" in "2770" should mean SGID, so new files created under test/ directory have the same group as the test/ directory, in this case wheel. I see something like:
drwxrws--- 2 root wheel 4.0K Dec 13 16:08 .
drwxr-xr-x 8 root root 4.0K Dec 13 16:07 ..
-rw-r--r-- 1 root wheel 0 Dec 13 16:08 docker
-rw-r--r-- 1 james wheel 0 Dec 13 16:08 james
-rw-r--r-- 1 root wheel 0 Dec 13 16:08 root
I think this is what I want: root and james can both work with the files, and Docker is respecting the SGID from the mounted filesystem. The next thing to try would be git inside a SGID directory like this.
We worked on this some more. To make git work, it looks like we also need SUID to keep the user as root and umask to add group write on file creation. The umask would be required for both the DROID process and also the user's process.
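As an added example (not code from the DROID issue or project), the SGID directory from the comment above carried through together with the umask step: it creates one file under the usual umask 022 and one under umask 002 so the difference in group write is visible. It assumes an unprivileged user, so the group is the caller's primary group rather than wheel (chgrp to wheel needs root), and temporary paths rather than the real workspace.

```shell
#!/bin/sh
# Added example: SGID shared directory plus umask, as discussed in the issue.
# Assumptions: unprivileged user (group = primary group, not "wheel"), and a
# temporary base directory instead of /var/www/droid.ontodev.com/... .
set -eu

# make_shared_dir DIR GROUP: mode 2770 so files created inside inherit
# GROUP via SGID and "other" gets no access at all.
make_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# mode_of PATH: the 10-character mode string, e.g. drwxrws--- (portable,
# avoids GNU-only stat flags).
mode_of() { ls -ld "$1" | cut -c1-10; }

# group_of PATH: owning group name, 4th column of ls -l.
group_of() { ls -ld "$1" | awk '{print $4}'; }

# has_sgid DIR: setgid shows as s/S in the group-execute slot (column 7).
has_sgid() { case "$(mode_of "$1")" in ??????[sS]*) return 0;; *) return 1;; esac; }

# group_writable PATH: w in the group-write slot (column 6).
group_writable() { case "$(mode_of "$1")" in ?????w*) return 0;; *) return 1;; esac; }

# run_demo: create the directory, then create one file under the usual
# umask 022 and one under umask 002; print the base directory so a caller
# can inspect the results. Both files inherit the directory's group, but
# only the umask 002 file is group-writable, which is why the umask has to
# be set for every process that creates files there (DROID and the shell).
run_demo() {
    base=$(mktemp -d)
    make_shared_dir "$base/test" "$(id -gn)"
    ( umask 022; touch "$base/test/default_umask" )
    ( umask 002; touch "$base/test/group_umask" )
    printf '%s\n' "$base"
}

# Stand-alone run: show a listing like the one in the comment above.
d=$(run_demo)
ls -la "$d/test"
```

For the git side, git has its own option for this layout: `git init --shared=group` (config key core.sharedRepository) makes git create group-writable files inside .git/ regardless of the caller's umask.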
It seems like it might be simpler to james> sudo -E (--preserve-env), or maybe sudoedit.