AppDir should be marked as readonly in export.go #1350

Open
gcemaj opened this issue May 3, 2024 · 6 comments

gcemaj commented May 3, 2024

Summary

I believe it used to be the case that the working directory got marked as read only (0755 at least) at export time. Currently /workspace has mode 777, which I believe is not intentional.


Proposal

I believe we can mark the app directory as read only (or at least 755) here:

e.Logger.Debugf("Setting WORKDIR: '%s'", opts.AppDir)


Related

RFC #___


Context

If this is reasonable, I am happy to put up a PR to address this.

gcemaj added the status/triage and type/enhancement labels May 3, 2024
natalieparellano (Member) commented

I could be wrong, but I think we are relying on the platform here to mount the workspace directory with the expected permissions. This came up awhile back when pack was doing something strange with workspace permissions.


gcemaj commented May 3, 2024

> I could be wrong, but I think we are relying on the platform here to mount the workspace directory with the expected permissions. This came up awhile back when pack was doing something strange with workspace permissions.

When I build an image with either pack or kpack, I see that my working directory is set to be writable. I would have thought that this should not be the case? (I think it used to not be?)

Would this still be the platform's responsibility? Not sure I am following.

natalieparellano (Member) commented

Pack does set the write permission, see buildpacks/pack#1800 for discussion around this.

@tomkennedy513 @chenbh do you have insight into how kpack handles workspace permissions?


gcemaj commented May 3, 2024

> Pack does set the write permission, see buildpacks/pack#1800 for discussion around this.
>
> @tomkennedy513 @chenbh do you have insight into how kpack handles workspace permissions?

Wondering if we can make this configurable?
I guess I would have to request each platform to expose an applicationLayerIsWritable flag?

We have use cases where we do not want the application directory to be writable.

natalieparellano (Member) commented

You could make an argument for pulling this into the lifecycle, but right now it is up to the platforms to manage. We should check how this is done in kpack and how easy it would be to change.

natalieparellano (Member) commented

I can't remember where we landed with this. I think @AidanDelaney was going to ask around about what is desired.
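
An added example, not part of the issue thread or the lifecycle code base: a Go helper showing the permission change the issue proposes (0777 to 0755) applied to an app directory tree. The function name `dropGroupOtherWrite` and the temporary sample directory are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// dropGroupOtherWrite is a hypothetical helper, not lifecycle code. It clears the
// group- and other-write bits (0o022) on every entry under root, so 0777 becomes
// 0755 and 0666 becomes 0644. Symlinks are skipped because os.Chmod follows them
// and the target may lie outside root. It returns the paths it changed.
func dropGroupOtherWrite(root string) ([]string, error) {
	var changed []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink != 0 {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode().Perm()&0o022 == 0 {
			return nil // already not group/other writable
		}
		if err := os.Chmod(path, info.Mode()&^0o022); err != nil {
			return err
		}
		changed = append(changed, path)
		return nil
	})
	return changed, err
}

func main() {
	// Constructed sample tree standing in for an exported app directory.
	root, err := os.MkdirTemp("", "appdir")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.Chmod(root, 0o777) // mode reported in the issue for /workspace
	changed, err := dropGroupOtherWrite(root)
	fmt.Println(changed, err)
}
```

The returned list doubles as an audit record of which paths were group- or world-writable before the change.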
