-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set permission for network logging files and dirs #1214
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good, great job!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Files and directories which are writable by everybody? I don't think that is a good idea.
Are permissions really relevant for the use case security-wise? How about |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The file and directory permissions are okay now, thank you.
I did not review the rest of the code.
I don't think 774 and 664 solve the problem. Idea is the following: The log-files are created by root, e.g. when in the docker-image creation ocrd-resources are downloaded or any other ocrd command is executed which involves logging. Later the image is used by another user with different permissions. Then ocrd is used within this container, the logfiles exist and the ocrd-process with the user's permissions tries to write to them which will in this case not work with 664 for example. The permissions are only set for the logfiles and its directories which are created by ocrd and only if they do not exist previously. As far as I see it, in the worst case the logfiles could be lost. But maybe I there are other problem with the permissions I am not aware of? What are the possible problems with these permissions? |
That is why I did not see any issues with the previous permission settings although they are considered problematic in a general sense. @stweil, do you maybe have a better idea than going back to 777 and 666? |
I really don't see the problem with |
This reverts commit 2c4a3fd.
Would it be possible to have different permissions for Docker and non-Docker installations? |
We could make this configurable via an |
This might be a solution. Ideally the right configuration should be used for different use cases without the need for manual user settings. |
@joschrew any idea how we might best determine this automatically? |
The problem is this: When the images are created the logfiles might be created as well. For example when a processor's image extends core and then calls ocrd core for loading resources. Then the logfiles are created. Then a user creates a container of this processor and the logs are root-owned which cause problems when the user of the container is not root. So I don't think a variable can really help here. This PR is like a quick fix for this problem. But other fixes are possible as well. So if we don't want this world permission logfiles it is not that big problem. Therefore my suggestion is to close and not merge this PR and go with something like OCR-D/ocrd_all#429 and do the same in the processor-images which also have those logfiles created. We have to touch the images anyway when setting the core version. Sry for being late with this suggestion, I forgot to mention this issue in our last meetings. |
OK, then let's not include this PR in the next release and focus on fixing the permission error during image build. |
All logfiles and folder used by ocrd-network are created with 777 (dirs) and 666 (files) so that logging should be possible regardlessly of permission.
This is a suggestion for fixing OCR-D/ocrd_all#426. I'm not sure if we want this but imo this PR is a possible solution.