set setuid/setgid bits in fix-permissions

ensures files have the right owner:group

unfortunately, not enough to get group-writable permissions (need acl or umask for that),
so we still need to run it after each install

base-notebook/fix-permissions

@@ -2,7 +2,7 @@
 # set permissions on a directory
 # after any installation, if a directory needs to be (human) user-writable,
 # run this script on it.
-# It will make everything in the directory owned by the group $NB_OWNER_GROUP
+# It will make everything in the directory owned by the group $NB_GID
 # and writable by that group.
 # Deployments that want to set a specific user id can preserve permissions
 # by adding the `--group-add user-writable` line to `docker run`.
@@ -11,17 +11,25 @@
 # which would cause massive image explosion
 
 # right permissions are:
-# group=$NB_OWNER_GROUP
+# group=$NB_GID
 # AND permissions include group rwX (directory-execute)
+# AND directories have setuid,setgid bits set
 
 set -e
 
 for d in $@; do
   find "$d" \
     ! \( \
-      -group $NB_OWNER_GROUP \
+      -group $NB_GID \
       -a -perm -g+rwX  \
     \) \
-    -exec chgrp $NB_OWNER_GROUP {} \; \
+    -exec chgrp $NB_GID {} \; \
     -exec chmod g+rwX {} \;
+  # setuid,setgid *on directories only*
+  find "$d" \
+    \( \
+        -type d \
+        -a ! -perm -6000  \
+    \) \
+    -exec chmod +6000 {} \;
 done