Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure all file permissions are set to specified unprivileged user #1175

Merged
merged 2 commits into from
Mar 28, 2024
Merged

Ensure all file permissions are set to specified unprivileged user #1175

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e9232af
fix: ensure all file permissions are set to specified unprivileged user
josegonzalez Mar 28, 2024
fa8df04
fix: correct lint issue
josegonzalez Mar 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions include/buildpack.bash
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,9 @@ buildpack-setup() {
# shellcheck disable=SC2154
usermod --home "$HOME" "$unprivileged_user" >/dev/null 2>&1

# shellcheck disable=SC2154
chown "$unprivileged_user:$unprivileged_group" "$HOME"

# Prepare permissions quicker for slower filesystems
# vars defined in outer scope
# shellcheck disable=SC2154
Expand Down Expand Up @@ -191,16 +194,18 @@ buildpack-execute() {
cd "$build_path" || return 1
unprivileged "$selected_path/bin/compile" "$build_path" "$cache_path" "$env_path"
if [[ -f "$selected_path/bin/release" ]]; then
unprivileged "$selected_path/bin/release" "$build_path" "$cache_path" >"$build_path/.release"
unprivileged "$selected_path/bin/release" "$build_path" "$cache_path" | unprivileged tee "$build_path/.release" >/dev/null
fi
if [[ -f "$build_path/.release" ]]; then
config_vars="$(cat "$build_path/.release" | yaml-get config_vars)"
unprivileged touch "$build_path/.profile.d/00_config_vars.sh"
if [[ "$config_vars" ]]; then
mkdir -p "$build_path/.profile.d"
chown "$unprivileged_user:$unprivileged_group" "$build_path/.profile.d"
OIFS=$IFS
IFS=$'\n'
for var in $config_vars; do
echo "export $(echo "$var" | sed -e 's/=/="/' -e 's/$/"/')" >>"$build_path/.profile.d/00_config_vars.sh"
echo "export $(echo "$var" | sed -e 's/=/="/' -e 's/$/"/')" | unprivileged tee -a "$build_path/.profile.d/00_config_vars.sh" >/dev/null
done
IFS=$OIFS
fi
Expand Down
8 changes: 7 additions & 1 deletion include/procfile.bash
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,8 @@ procfile-types() {
# shellcheck disable=SC2154
[[ "$default_types" ]] && echo "Default types for $selected_name -> ${default_types// /, }"
for type in $default_types; do
echo "$type: $(cat "$app_path/.release" | yaml-get default_process_types "$type")" >>"$app_path/Procfile"
unprivileged touch "$app_path/Procfile"
echo "$type: $(cat "$app_path/.release" | yaml-get default_process_types "$type")" | unprivileged tee -a "$app_path/Procfile" >/dev/null
done
return
fi
Expand All @@ -102,6 +103,8 @@ procfile-load-profile() {
source "$file"
done
mkdir -p "$app_path/.profile.d"
# shellcheck disable=SC2154
chown "$unprivileged_user:$unprivileged_group" "$app_path/.profile.d"
for file in "$app_path/.profile.d"/*.sh; do
# shellcheck disable=SC1090
source "$file"
Expand All @@ -116,7 +119,10 @@ procfile-load-profile() {

procfile-setup-home() {
export HOME="$app_path"
# shellcheck disable=SC2154
usermod --home "$app_path" "$unprivileged_user" >/dev/null 2>&1
# shellcheck disable=SC2154
chown "$unprivileged_user:$unprivileged_group" "$app_path"
if [[ "$HEROKUISH_DISABLE_CHOWN" == "true" ]]; then
# unprivileged_user & unprivileged_group are defined in outer scope
# shellcheck disable=SC2154
Expand Down
Loading