Avoid chown data_dir during the upgrade process #711

Merged
merged 8 commits into from
Aug 1, 2024

kay0u
Member

@kay0u kay0u commented Jul 30, 2024

Problem

  • chown the world

Solution

  • don't chown/chmod data_dir and its content during the upgrade
  • add a button in the config panel to launch the corresponding chown/chmod command (this may fix issues in some cases I guess?)

PR Status

  • Code finished and ready to be reviewed/tested
  • The fix/enhancement were manually tested (if applicable)

Automatic tests

Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)

Member Author

@kay0u kay0u left a comment

We can also try like that, I'm not sure why we should chown the data_dir

@kay0u
Member Author

kay0u commented Jul 30, 2024

!testme

@yunohost-bot
Contributor

🎠

@yunohost-bot
Contributor

🪱

@kay0u
Member Author

kay0u commented Jul 30, 2024

!testme

@yunohost-bot
Contributor

🌻

@yunohost-bot
Contributor

🪱

@kay0u
Member Author

kay0u commented Jul 31, 2024

!testme

@yunohost-bot
Contributor

🚀

@yunohost-bot
Contributor

📚 🪱

@kay0u kay0u changed the title from "find files before chown them" to "Avoid chown data_dir during the upgrade process" Jul 31, 2024
@kay0u
Member Author

kay0u commented Jul 31, 2024

!testme

@yunohost-bot
Contributor

😜

@yunohost-bot
Contributor

🪱

@CodeShakingSheep
Member

Thanks for working on that. Upgrading my nextcloud from 29.0.2 to 29.0.4 ran into a Gateway timeout (HTTP 504).

Although chown command is still running (for almost 2 hours).

Comment on lines +67 to +68
chown -R $app:www-data "$install_dir"
chown -R $app: "$data_dir"
Member

Suggested change
chown -R $app:www-data "$install_dir"
chown -R $app: "$data_dir"
chown -R $app:www-data "$install_dir"
chmod og-rwx "$install_dir/config"
chown -R $app: "$data_dir"
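
Review bot: `chmod og-rwx "$install_dir/config"` is not recursive, so it changes only the directory's own mode; the files inside keep the www-data group that `chown -R $app:www-data "$install_dir"` gave them two lines earlier. Removing the group's search bit on the directory does stop access to config.php by path, but the protection then rests on that single directory mode staying intact. Consider following the recursive chown with `chown -R $app: "$install_dir/config"` so the files themselves are no longer group-owned by www-data, and quote `$app` the way the paths already are.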

(me being paranoid about compromise of www-data that would result in leaking secrets etc)

Member Author

Idk, do you think it's not enough?

chmod 640 "$install_dir/config/config.php"

Member

Eeeh chmod 640 will still allow www-data to read the file, so in the event that www-data gets compromised (or some funky path traversal issue is discovered or whatever) it still allows to access secrets
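
The two positions in this thread (mode 640 on config.php versus `chmod og-rwx` on the config directory) can be checked from mode bits alone. The following is an added example, not code from the PR or the project's scripts; the helper names `group_digit` and `group_can_read` and the scratch layout are hypothetical, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: mode-bit audit for the config.php thread. Assumes GNU stat.
# Assumption: the group class is www-data, as after `chown -R $app:www-data`.

# Print the group permission digit (0-7) of a path.
group_digit() {
    mode=$(stat -c %a "$1") || return 2
    echo $(( (mode / 10) % 10 ))
}

# Exit 0 if the group class can read file $2 when entering at directory $1:
# it needs r on the file and x on every directory from the parent up to $1.
# ACLs and the "other" class are ignored.
group_can_read() {
    base=$1
    [ $(( $(group_digit "$2") & 4 )) -ne 0 ] || return 1
    dir=$(dirname "$2")
    while :; do
        [ $(( $(group_digit "$dir") & 1 )) -ne 0 ] || return 1
        [ "$dir" = "$base" ] && return 0
        [ "$dir" = "/" ] && return 2    # $1 is not an ancestor of $2
        dir=$(dirname "$dir")
    done
}

# Constructed layout standing in for $install_dir; no real Nextcloud files.
install_dir=$(mktemp -d)
mkdir "$install_dir/config"
echo '<?php // constructed placeholder' > "$install_dir/config/config.php"
chmod 750 "$install_dir" "$install_dir/config"
cfg="$install_dir/config/config.php"

chmod 640 "$cfg"                       # the existing protection
group_can_read "$install_dir" "$cfg" && echo "640 on file: group can read"

chmod og-rwx "$install_dir/config"     # the reviewer's suggestion
group_can_read "$install_dir" "$cfg" || echo "og-rwx on config/: group blocked"

rm -rf "$install_dir"
```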

@@ -207,7 +207,7 @@ then
mv "$tmpdir" "$install_dir"

# Set write access for the following commands
chown -R $app: "$install_dir" "$data_dir"
chown -R $app:www-data "$install_dir"
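
Review bot: the comment "# Set write access for the following commands" no longer matches the lines under it, since "$data_dir" is dropped from the chown and the group on "$install_dir" goes from the app's own group to www-data. If the commands that follow write under "$data_dir", they now rely on ownership there already being correct, so say that in the comment or check it before continuing. The recursive www-data group also reaches config/, which nothing in this hunk narrows.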
Member

Suggested change
chown -R $app:www-data "$install_dir"
chown -R $app:www-data "$install_dir"
chmod og-rwx "$install_dir/config"

(me being paranoid about compromise of www-data that would result in leaking secrets etc)

@kay0u
Member Author

kay0u commented Jul 31, 2024

@CodeShakingSheep (? with these changes or with the new stable version?) Then just wait, and don't try to restart your server or yunohost-api, the api timed-out but the upgrade is still running

@CodeShakingSheep
Member

> @CodeShakingSheep (? with these changes or with the new stable version?) Then just wait, and don't try to restart your server or yunohost-api, the api timed-out but the upgrade is still running

With the stable version. I didn't restart anything but my whole server just went down because of this. So, I have to restart it now.

@kay0u
Member Author

kay0u commented Jul 31, 2024

!testme

@yunohost-bot
Contributor

📖

@yunohost-bot
Contributor

Alrighty!

@kay0u
Member Author

kay0u commented Aug 1, 2024

!testme

@yunohost-bot
Contributor

🚀

@kay0u kay0u merged commit 4372e3d into testing Aug 1, 2024
1 check passed
@kay0u kay0u mentioned this pull request Aug 1, 2024
@kay0u kay0u deleted the speedup-chown branch August 2, 2024 06:23
5 participants