Skip to content

Give BUILTIN/Users ReadAndExecute permission #319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 28, 2017
Merged

Give BUILTIN/Users ReadAndExecute permission #319

merged 1 commit into from
Jun 28, 2017

Conversation

@sesmith177
Copy link
Contributor

@sesmith177 sesmith177 commented Jun 26, 2017

This is so an unprivileged user in a container can read and execute buildpack / lifecycle binaries from the executor_cache

The change is compatible with garden-windows 2012 and 2016 as we are only adding permissions to the cache directory

@sunjayBhatia
Give BUILTIN/Users ReadAndExecute permission
6bfbe6a 
- this is so an unprivledged user in a container can read and execute
buildpack / lifecycle binaries from the executor_cache

[#147772643]

Signed-off-by: Sam Smith <[email protected]>
@cfdreddbot
Copy link

cfdreddbot commented Jun 26, 2017

Hey sesmith177!

Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA.

@cf-gitbot
Copy link

cf-gitbot commented Jun 26, 2017

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/147885333

The labels on this github issue will be updated when the story is started.

@emalm
Copy link
Contributor

emalm commented Jun 26, 2017

Thanks, @sesmith177! Sounds reasonable, prioritizing for the Diego team to review.

Best,
Eric

@jvshahid
Copy link
Contributor

jvshahid commented Jun 28, 2017

For context, this is required since the windows bosh agent sets the permissions of /var/vcap to be readable, writable and executable only by system users and admins. this used to work on windows 2012 since bind mounts are doing a copy into the container, but 2016 have real bind mounts and which inherit the permissions of the host directory. this causes cached artifacts (e.g. lifecycle and buildpack) not to be accessible inside the container.

@jvshahid jvshahid merged commit 6bfbe6a into cloudfoundry:develop Jun 28, 2017
anoop2811 pushed a commit to anoop2811/diego-release that referenced this pull request Jul 14, 2017
bump ginkgo gomega
6f44a5b 
[finishes #142522481]

Submodule src/github.com/onsi/ginkgo c3a655f..67b9df7:
  > Remove the spec_iterator.test binary (cloudfoundry#336)
  > Shared queue implementation for parallel tests
  > Revert "Don't colorize output by default if not writing to a TTY (cloudfoundry#328)" (cloudfoundry#331)
  > Don't colorize output by default if not writing to a TTY (cloudfoundry#328)
  > Use SVG badge for build status (cloudfoundry#330)
  > Add the ability to use ./... to recursively test directories (cloudfoundry#319)
  > Include captured output from failed tests into JUnit (cloudfoundry#318)
  > Aggregate flaked specs (cloudfoundry#316)
  > Add colours for Windows in suite-runner & watch (cloudfoundry#312)
  > Fix tests for single node machine (cloudfoundry#311)
  > Add ability to specify a custom bootstrap file (cloudfoundry#302)
  > Revert "remove -i in invocations of go test.  fixes cloudfoundry#305"
  > Update .travis.yml
  > fix imports for generate command (cloudfoundry#279)
  > Merge branch 'koron-windows-colorise'
  > remove -i in invocations of go test.  fixes cloudfoundry#305
  > remove unnecessary variable
  > backfill GinkgoRandomSeed test
  > Expose the random seed via GinkgoRandomSeed() (cloudfoundry#293)
  > Include flake count in test summary (cloudfoundry#291)
  > cloudfoundry#287 Ensure Logf/Skipf insert newline characters (cloudfoundry#288)
  > Add package path prefix to compilation output path only if missing (cloudfoundry#284)
  > Redo flags again, add a bunch of pass-throughs. (cloudfoundry#282)
  > Spelling fix (cloudfoundry#283)
  > Covermode flag (and reworked pass-through flags passing) (cloudfoundry#281)
  > Make JUnit reporter include failure location in message. (cloudfoundry#262)
  > remove 1.4 from travis.yml
  > Add gcflags option (cloudfoundry#276)
  > Revert "Use the go1.5 build tag to handle vendor exceptions" (cloudfoundry#274)
  > Merge pull request cloudfoundry#272 from fsouza/fix-vendor
  > Add flaky test mitigation (cloudfoundry#261)
  > Allow units and precision in benchmark (cloudfoundry#266)
  > Add Solaris support (cloudfoundry#264)
  > Merge pull request cloudfoundry#259 from kwadrat/master
  > Merge branch 'apvail-spell-fix'
  > Fix go16 vendor
  > Merge pull request cloudfoundry#250 from james-lawrence/master
  > Merge pull request cloudfoundry#228 from jayunit100/RegexFileNameFiltering
  > Fix test flakiness
Submodule src/github.com/onsi/gomega c463cd2..334b8f4:
  > Merge pull request cloudfoundry#206 from xoebus/patch-1
  > Merge pull request cloudfoundry#205 from onsi/revert-201-json_formatting
  > Merge pull request cloudfoundry#201 from madamkiwi/json_formatting
  > Merge pull request cloudfoundry#199 from kevgo/patch-1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

accepted

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@sesmith177 @cfdreddbot @cf-gitbot @emalm @jvshahid @sunjayBhatia