forge
/
build.sh
3
2
Fork 1
Code Issues 6 Pull Requests Releases Wiki Activity

Run from another user #19

New Issue
Open
opened 2020-11-23 17:59:41 +00:00 by southerntofu · 2 comments
southerntofu commented 2020-11-23 17:59:41 +00:00
Owner
Copy Link

It should be supported to run forgebuild from another user when running as an unprivileged script. Typical usecase is PHP (running as www-data) will run my forgebuild as myself.

However, setuid bit doesn't work with interpreted script for security reasons (unless you patch the kernel).

So either we give full write permissions to others to ~/.forgebuild and all side-effects folders... or we figure out a way for PHP to start forgebuild as myself.

It should be supported to run forgebuild from another user when running as an unprivileged script. Typical usecase is PHP (running as www-data) will run my forgebuild as myself. However, setuid bit doesn't work with interpreted script for security reasons (unless you patch the kernel). So either we give full write permissions to others to ~/.forgebuild and all side-effects folders... or we figure out a way for PHP to start forgebuild as myself.
southerntofu commented 2020-11-23 18:17:12 +00:00
Author
Owner
Copy Link

Or just document that forgebuild.sh can only be run as the user calling the script, which is only a problem when calling from another user's process (such as PHP running as www-data)

Or just document that forgebuild.sh can only be run as the user calling the script, which is only a problem when calling from another user's process (such as PHP running as www-data)
southerntofu commented 2022-01-09 14:36:49 +00:00
Author
Owner
Copy Link

Even when running with suid on the rust version, the permissions aren't passed by git (bug report) to its subprocesses so stuff fails with submodule when doing git clone --recursive.

It seems the only way to run from another user is with /etc/sudoers rules. This should be documented

Even when running with suid on the rust version, the permissions aren't passed by git ([bug report](https://public-inbox.org/git/X%2FSq38YKmLjY4KmD@thunix.net/)) to its subprocesses so stuff fails with submodule when doing `git clone --recursive`. It seems the only way to run from another user is with `/etc/sudoers` rules. This should be documented
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: forge/build.sh#19
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?