
Remove ro for locally mounted folders

Open atishpatel opened this issue 1 year ago • 3 comments

https://github.com/sourcegraph/src-cli/issues/1055

Remove read-only config from locally mounted folders. This gives more flexibility to locally run Batch Changes since more files can be shared as output for any step where the folder is mounted. Security should be fine since the mount already has to be a subdirectory of the batch spec file.

atishpatel, Jul 17 '24 21:07

Thank you for the contribution, @atishpatel!

As was mentioned in #1055, there could be some security concerns with mounting volumes read-write, so we should pull in @sourcegraph/security-code-review and some domain experts like @eseliger and @BolajiOlajide to get their input.

peterguy, Jul 22 '24 23:07

Thanks Peter!

I am curious what security vector the team is concerned about. I would think security should be fine since the mount already has to be a subdirectory of the batch spec file, and the container + code being run is also determined by the user. What are the Sourcegraph security team's concerns?

atishpatel, Jul 30 '24 19:07

Any updates on this PR or something like this PR? My company is using rw local mounting as a core part of tooling we're building around Sourcegraph Batch Changes.

atishpatel, Sep 16 '24 14:09
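The argument in the thread rests on one rule: a mount is only ever a subdirectory of the batch spec's directory, so a read-write mount cannot reach anything the spec author could not already edit. Whether that rule holds depends on how the containment check is written, so below is an added example (not src-cli code; `MountWithinSpecDir` and `ErrOutsideSpecDir` are hypothetical names) of a check that resolves both paths absolutely and through symlinks before comparing them. A plain string-prefix comparison would pass `<specdir>2` as a child of `<specdir>`, and would pass a symlink inside the spec directory that points elsewhere; `filepath.EvalSymlinks` plus `filepath.Rel` catches both. The directory layout built in `main` is constructed for the demo.

```go
// Added example, not src-cli code. A containment check for a mount path
// against the batch spec's directory, as a tool would need before allowing
// the mount to be read-write. Function names here are hypothetical.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideSpecDir is returned when the mount does not resolve to a strict
// subdirectory (or file below) the batch spec's directory.
var ErrOutsideSpecDir = errors.New("mount path resolves outside the batch spec directory")

// MountWithinSpecDir returns the fully resolved mount path if it lies strictly
// inside the directory containing specPath. A relative mountPath is taken
// relative to the spec directory, as a spec author would write it. Both sides
// are made absolute and have symlinks resolved, so "../" segments, symlinks
// pointing out of the tree, and sibling directories sharing a name prefix
// (e.g. "work2" next to "work") are all rejected.
func MountWithinSpecDir(specPath, mountPath string) (string, error) {
	specDir, err := filepath.Abs(filepath.Dir(specPath))
	if err != nil {
		return "", err
	}
	specDir, err = filepath.EvalSymlinks(specDir)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(mountPath) {
		mountPath = filepath.Join(specDir, mountPath)
	}
	resolved, err := filepath.EvalSymlinks(mountPath)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(specDir, resolved)
	if err != nil {
		return "", err
	}
	// "." is the spec directory itself (not a subdirectory); ".." or "../x"
	// means the resolved path escaped the tree.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return resolved, ErrOutsideSpecDir
	}
	return resolved, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed layout for the demo:
	//   <tmp>/work/batch.yaml, <tmp>/work/out, <tmp>/elsewhere,
	//   and a symlink <tmp>/work/escape -> <tmp>/elsewhere.
	base, err := os.MkdirTemp("", "mountcheck")
	must(err)
	defer os.RemoveAll(base)
	specDir := filepath.Join(base, "work")
	must(os.MkdirAll(filepath.Join(specDir, "out"), 0o755))
	must(os.MkdirAll(filepath.Join(base, "elsewhere"), 0o755))
	spec := filepath.Join(specDir, "batch.yaml")
	must(os.WriteFile(spec, []byte("name: demo\n"), 0o644))
	must(os.Symlink(filepath.Join(base, "elsewhere"), filepath.Join(specDir, "escape")))

	for _, m := range []string{"out", "escape", "../elsewhere", "."} {
		resolved, err := MountWithinSpecDir(spec, m)
		fmt.Printf("%-14s -> %s (%v)\n", m, resolved, err)
	}
}
```

Only `out` is accepted; the symlink, the `../` path and the spec directory itself are all refused even though each of them is spelled as if it sat under the spec directory.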