generic-worker

Read-only signingKeyLocation file

Open SimonSapin opened this issue 7 years ago • 1 comments

On a macOS worker, in an attempt to reduce unneeded permissions given to tasks, I tried to make as many configuration files as possible owned by root with the user running generic-worker only granted read access through a Unix group.

This fails, I assume because generic-worker tries to take ownership of the file configured through signingKeyLocation:

https://github.com/taskcluster/generic-worker/blob/2b70c93b13e56ff4c31e197904da38c23e0fa09e/chain_of_trust_all-unix-style.go#L42-L46

2018/11/12 14:12:50  *********** PANIC occurred! *********** 
2018/11/12 14:12:50 chown /etc/generic-worker/key: operation not permitted

Would it be acceptable to not try to take ownership and only check that the file is not world-readable?

SimonSapin, Nov 12 '18 22:11
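
The check proposed in the post above (validate the key file's permissions instead of taking ownership of it), as an added Go example that is not generic-worker's code. `checkKeyFile`, `writeSample` and `ErrTooPermissive` are hypothetical names, and rejecting group write and symlinks is an extra assumption beyond the "not world-readable" check the issue asks about.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrTooPermissive: users outside owner/group can access the key (hypothetical name).
var ErrTooPermissive = errors.New("key file accessible beyond owner/group")

// checkKeyFile (hypothetical) validates permissions without calling chown, so a
// root-owned key that the worker can only read through its group still passes.
func checkKeyFile(path string) error {
	fi, err := os.Lstat(path) // Lstat: a symlink is reported as itself, not its target
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file (%v)", path, fi.Mode())
	}
	// 0007 = any access for "other"; 0020 = group write (extra assumption).
	if perm := fi.Mode().Perm(); perm&0027 != 0 {
		return fmt.Errorf("%s has mode %04o: %w", path, perm, ErrTooPermissive)
	}
	return nil
}

// writeSample creates a constructed stand-in key file with an exact mode.
func writeSample(dir, name string, mode os.FileMode) (string, error) {
	p := filepath.Join(dir, name)
	if err := os.WriteFile(p, []byte("constructed sample, not a real key\n"), 0600); err != nil {
		return "", err
	}
	return p, os.Chmod(p, mode) // Chmod bypasses the umask applied by WriteFile
}

func main() {
	dir, err := os.MkdirTemp("", "keycheck")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, mode := range []os.FileMode{0640, 0644, 0660} {
		if p, err := writeSample(dir, "key", mode); err == nil {
			fmt.Printf("%04o -> %v\n", mode, checkKeyFile(p))
		}
	}
}
```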

@SimonSapin I think the solution for this will be to use the multiuser engine for macOS, which finally has been created. This works just like the Windows releases, and creates task users on the fly for the tasks, but the generic-worker runs as root. There are some setup/installation instructions here. Let me know if you'd like any assistance/guidance etc.

petemoore, Jul 17 '19 19:07