set setuid/setgid bits in fix-permissions

ensures files have the right owner:group unfortunately, not enough to get group-writable permissions (need acl or umask for that), so we still need to run it after each install
2025-10-12 12:32:58 +00:00 · 2017-08-19 11:32:08 +02:00
parent c6c1ce4cb0
commit 2df9c49a74
2 changed files with 17 additions and 12 deletions
--- a/base-notebook/Dockerfile
+++ b/base-notebook/Dockerfile
@@ -37,8 +37,7 @@ ENV CONDA_DIR=/opt/conda \
    SHELL=/bin/bash \
    NB_USER=jovyan \
    NB_UID=1000 \
-    NB_OWNER_GROUP=user-writable \
-    NB_OWNER_GID=10000 \
+    NB_GID=100 \
    LC_ALL=en_US.UTF-8 \
    LANG=en_US.UTF-8 \
    LANGUAGE=en_US.UTF-8
@@ -51,10 +50,9 @@ ADD fix-permissions /usr/local/bin/fix-permissions
 # files we want users to write (/home/jovyan, packages)
 RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
    mkdir -p $CONDA_DIR && \
-    chown $NB_USER $CONDA_DIR && \
-    groupadd -g $NB_OWNER_GID $NB_OWNER_GROUP && \
-    usermod -G $NB_OWNER_GROUP $NB_USER && \
-    fix-permissions /home/$NB_USER
+    chown $NB_USER:$NB_GID $CONDA_DIR && \
+    fix-permissions $HOME && \
+    fix-permissions $CONDA_DIR

 USER $NB_USER

@@ -65,7 +63,6 @@ RUN mkdir /home/$NB_USER/work && \
 # Install conda as jovyan and check the md5 sum provided on the download site
 ENV MINICONDA_VERSION 4.3.21
 RUN cd /tmp && \
-    mkdir -p $CONDA_DIR && \
    wget --quiet https://repo.continuum.io/miniconda/Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh && \
    echo "c1c15d3baba15bf50293ae963abef853 *Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh" | md5sum -c - && \
    /bin/bash Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh -f -b -p $CONDA_DIR && \
@@ -73,7 +70,7 @@ RUN cd /tmp && \
    $CONDA_DIR/bin/conda config --system --prepend channels conda-forge && \
    $CONDA_DIR/bin/conda config --system --set auto_update_conda false && \
    $CONDA_DIR/bin/conda config --system --set show_channel_urls true && \
-    $CONDA_DIR/bin/conda update --all && \
+    $CONDA_DIR/bin/conda update --all --quiet --yes && \
    conda clean -tipsy && \
    fix-permissions $CONDA_DIR

--- a/base-notebook/fix-permissions
+++ b/base-notebook/fix-permissions
@@ -2,7 +2,7 @@
 # set permissions on a directory
 # after any installation, if a directory needs to be (human) user-writable,
 # run this script on it.
-# It will make everything in the directory owned by the group $NB_OWNER_GROUP
+# It will make everything in the directory owned by the group $NB_GID
 # and writable by that group.
 # Deployments that want to set a specific user id can preserve permissions
 # by adding the `--group-add user-writable` line to `docker run`.
@@ -11,17 +11,25 @@
 # which would cause massive image explosion

 # right permissions are:
-# group=$NB_OWNER_GROUP
+# group=$NB_GID
 # AND permissions include group rwX (directory-execute)
+# AND directories have setuid,setgid bits set

 set -e

 for d in $@; do
  find "$d" \
    ! \( \
-      -group $NB_OWNER_GROUP \
+      -group $NB_GID \
      -a -perm -g+rwX  \
    \) \
-    -exec chgrp $NB_OWNER_GROUP {} \; \
+    -exec chgrp $NB_GID {} \; \
    -exec chmod g+rwX {} \;
+  # setuid,setgid *on directories only*
+  find "$d" \
+    \( \
+        -type d \
+        -a ! -perm -6000  \
+    \) \
+    -exec chmod +6000 {} \;
 done