
pullRemote clone dir permissions are extraneous

Open coopernetes opened this issue 1 year ago • 0 comments

When Git Proxy is running in a secure environment, the node process is likely running under some sort of user. This user should have local file permissions to create directories for the file-based DB (if used) as well as cloning repositories that are in-flight via Git Proxy. The pullRemote step expects to create a directory under .remote/{timestamp}. Currently, that directory is expected to have full rwx permissions across user, group and everyone/world.

This is generally not best practice. In certain deployment environments such as OpenShift, it's explicitly disallowed.

A simple fix is to create a directory with only user permissions which is typically rwxr-xr-x (0755) for directories.

See: https://betterstack.com/community/questions/what-permissions-should-my-website-directory-have-on-linux/

Affected line: https://github.com/finos/git-proxy/blob/1f39f10e3ec4515a3684c3bf881c5edfa435554e/src/proxy/processors/push-action/pullRemote.js#L19

coopernetes avatar Aug 02 '24 15:08 coopernetes