Multiple user permissions on a directory

Jason.nix · 04-23-2024, 07:30 AM

Hello,
I changed the docker storage to another location:

Code:

{
"data-root": "/mnt/newlocation/"
}

The root user has access to this directory:

Code:

# ls -l /mnt/newlocation/
total 20
drwxr-xr-x 5 root root  4096 Apr 22 09:22 containers
drwx------ 2 root root 16384 Apr  9 16:50 lost+found

I have installed GitLab Runner and want it to have full access to this directory. I did the following command:

Code:

# chown -R gitlab-runner /mnt/newlocation/

The permissions were changed as follows:

Code:

# ls -l /mnt/newlocation/
total 20
drwxr-xr-x 5 gitlab-runner root  4096 Apr 22 09:22 containers
drwx------ 2 gitlab-runner root 16384 Apr  9 16:50 lost+found

The GitLab Runner problem is fixed, but what problems might this cause for Docker and others? Can I make both the root user and the gitlab-runner user have full access to this directory?

I found solutions on the internet that were about creating a group, then adding users to that group, and finally giving that group full permission for that directory. Is this OK?

Thank you.

sundialsvcs · 04-23-2024, 07:33 AM

Yes, this would be the correct solution, versus changing the "owner." I recommend that you [immediately ...] change the owner back, define a group, add "gitlab-runner" to that group, and change the group of that directory and its contents appropriately. Assign the desired permissions to the group.

FYI: There is also an entirely-parallel permissions system known as ACLs = Access Control Lists. Which are much more flexible, and which can coexist. I encourage you to research this option also.

Jason.nix · 04-25-2024, 06:29 AM

Quote:

Originally Posted by sundialsvcs

Yes, this would be the correct solution, versus changing the "owner." I recommend that you [immediately ...] change the owner back, define a group, add "gitlab-runner" to that group, and change the group of that directory and its contents appropriately. Assign the desired permissions to the group.

FYI: There is also an entirely-parallel permissions system known as ACLs = Access Control Lists. Which are much more flexible, and which can coexist. I encourage you to research this option also.

Hello,
Thank you so much for your reply.
So I create a group and add the root and gitlab-runner users to it and then give permission to this group for that directory. I did:

Code:

# chown -R root data/
# groupadd runner
# /sbin/usermod -a -G runner gitlab-runner
# /sbin/usermod -a -G runner root
# chgrp -R runner data/
# chmod -R g+rwx data/

And result is:

Code:

# ls -l
total 20
drwxrwxr-x 5 root runner  4096 Apr 22 09:22 containers
drwxrwx--- 2 root runner 16384 Apr  9 16:50 lost+found

Now, root and gitlab-runner users have full access to the directories. Right?

Jason.nix · 04-26-2024, 08:24 AM

Hello,
I have a problem. When I ran the runner, I got the following error message:

Code:

$ rm -rf /mnt/data/containers/
rm: cannot remove '/mnt/data/containers/.gitlab-ci.yml': Permission denied
rm: cannot remove '/mnt/data/containers/CHANGELOG.md': Permission denied
rm: cannot remove '/mnt/data/containers/README.md': Permission denied

MadeInGermany · 04-26-2024, 09:58 AM

/mnt and /mnt/data/ must have an x bit (access) set, otherwise all access is denied.
/mnt/data/containers/ looks ok, gives write access for the group members. (Note that a modified group is recognized at the next login.)

A remaining problem is that a directory created by one user is not writable by the other, unless the one user does a chgrp and chmod. The traditional fix is

a g+s bit on all the directories that make new items inherit the group from its directory
the users use a umask 002 that sets the g+w bit on new items.

Regarding the ACL alternative, I posted a solution that worked in Linux and Solaris
https://community.unix.com/t/tip-gro...rectory/383754