MegaLinter applying fixes sets root:root as the file owner #1975
Comments
|
I recommend running Docker in rootless mode if possible. See ScribeMD/rootless-docker for a GitHub Action that does this. |
This might work for running in GitHub, however, most of us work locally in an Ubuntu 20 WSL development environment. I've tried rootless mode there and had no success. Also, bespoke developer environment tweaks to Docker to get a linter tool to work seem difficult to support long term. Any other less invasive suggestions? |
|
Yeah, I haven't had any luck with rootless mode in WSL either. I would see if there is an existing issue on either WSL or Docker that you can upvote for rootless mode support. (Feel free to link it here if you find it, and I'll happily upvote it as well.) I'm not sure why, but I haven't encountered the issue with file permissions being modified when running MegaLinter as a pre-commit hook. Otherwise, I think reviving #1485 is the next best option? Not that this is relevant to this problem, but why Ubuntu 20.04 WSL as opposed to Ubuntu 22.04 WSL? |
Ubuntu 20.04 WSL only for the reason that we haven't moved to 22.x yet. |
|
hmmm I'm no linux expert, but what about if we add a config param that would change back updated files ? Something like:
And if such config is found, we do |
|
I wouldn't be surprised if there are some security concerns with chowning to an arbitrary string, but regardless it seems unlikely that all developers on a project would share a username in the case where they are running MegaLinter locally? |
|
Work in progress, but I've added these Pre and Post commands to .mega-linter.yml
---
...
PRE_COMMANDS:
- command: |-
echo $(ls -lah .gitignore | sed 's/\s\+/ /g' | cut -d ' ' -f3,4 | sed 's/ /\:/') > perms.txt
cwd: "workspace"
POST_COMMANDS:
- command: |-
find . -user root -group root -exec chown $(cat perms.txt) {} \;
rm perms.txt
cwd: "workspace"
... |
|
If it works that could be a nice workaround, but having such behavior directly embedded within megalinter would feel more optimal ^^ |
Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.
|
There are some test failures associated with my PR that will require some debugging, but I believe it is conceptually correct to simply instruct Docker not to run as root on the command line. #1485 is also conceptually correct, and ideally we would do both, but I suspect that will require significantly more work to iron out all the details and get the tests passing. This doesn't relate to the permissions problem directly, but folks who are using WSL may be interested in the "clone of clones" development technique we use to boost local MegaLinter performance while retaining access to Windows-only tools. |
|
This issue has been automatically marked as stale because it has not had recent activity. If you think this issue should stay open, please remove the |
github-actions
bot
added
the
O: stale 🤖
Kurt-von-Laven
removed
the
O: stale 🤖
|
This issue has been automatically marked as stale because it has not had recent activity. If you think this issue should stay open, please remove the |
github-actions
bot
added
the
O: stale 🤖
Kurt-von-Laven
added
nostale
|
Please leave this open, having a better fix is important for the ability of formatting to work. |
|
Docker's Best practices for writing Dockerfiles recommend using a non-root user in the Dockerfile. If I'm not mistaken that's what #1485 was trying to get fixed. As a (temporary) workaround you can run any container image with the docker run --rm -u $UID:$(id -g $UID) -v $PWD:/tmp/lint oxsecurity/megalinterThis will "usually" work, because your UID will be 1000 on most personal systems. (You may try to replace |
Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.
|
I have reproduced the current test failure below. We create certain directories, such as |
Is What if we change (Following the FHS is likely a good idea. Unfortunately, violating it has become a wide-spread bad habit by container image developers, that's why directories like |
|
No, the |
|
@echoix, do you have an opinion regarding my comment above? My instinct is to try switching to root as needed first and seeing how much work that ends up being, but there could be a far better path I'm ignorant of. |
|
@Kurt-von-Laven I'd need to take a really deep look to understand correctly what is going on and search a bit on what are rootless images particularities and if it's a fit for this problem. And maybe refresh myself a bit more on Linux user handling/permissions, I might understand way more now than when I learned about it. My quick instinct is that trying to change whether we use root or not dynamicly is that we've got the solution wrong, a path for unexpected bugs... the solution shouldn't look like that I'm sure.. So it's not a real opinion yet, if you need me to really work on it I might need a couple weekends to get to it.. |
Create megalinter user and group in Docker image, both with ID 1000, and activate this user after dependencies have been installed. Run Docker container as current user via mega-linter-runner. The change to mega-linter-runner only affects POSIX platforms, because process.getuid and process.getgid are only available there. Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user when upgrading MegaLinter.
Create megalinter user and group in Docker image, both with ID 1000, and activate this user after dependencies have been installed. Run Docker container as current user via mega-linter-runner. The change to mega-linter-runner only affects POSIX platforms, because process.getuid and process.getgid are only available there. Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user when upgrading MegaLinter.
Create megalinter user and group in Docker image, both with ID 1000, and activate this user after dependencies have been installed. Run Docker container as current user via mega-linter-runner. The change to mega-linter-runner only affects POSIX platforms, because process.getuid and process.getgid are only available there. Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user when upgrading MegaLinter.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. In the Docker image, chown the /megalinter, /megalinter-descriptors, and /action/lib/.automation directories to be owned by user and group 1000. Users whose files became owned by root as a consequence of having run a previous version of MegaLinter will need to chown them to be owned by user 1000 when upgrading MegaLinter.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. In the Docker image, chown the /megalinter, /megalinter-descriptors, and /action/lib/.automation directories to be owned by user and group 1000. Users whose files became owned by root as a consequence of having run a previous version of MegaLinter will need to chown them to be owned by user 1000 when upgrading MegaLinter.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. In the Docker image, chown the /megalinter, /megalinter-descriptors, and /action/lib/.automation directories to be owned by user and group 1000. Users whose files became owned by root as a consequence of having run a previous version of MegaLinter will need to chown them to be owned by user 1000 when upgrading MegaLinter.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. In the Docker image, chown the /megalinter, /megalinter-descriptors, and /action/lib/.automation directories to be owned by user and group 1000. Users whose files became owned by root as a consequence of having run a previous version of MegaLinter will need to chown them to be owned by user 1000 when upgrading MegaLinter.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. In the Docker image, chown the /megalinter, /megalinter-descriptors, and /action/lib/.automation directories to be owned by user and group 1000. Users whose files became owned by root as a consequence of having run a previous version of MegaLinter will need to chown them to be owned by user 1000 when upgrading MegaLinter.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. In the Docker image, chown the /megalinter, /megalinter-descriptors, and /action/lib/.automation directories to be owned by user and group 1000. Users whose files became owned by root as a consequence of having run a previous version of MegaLinter will need to chown them to be owned by user 1000 when upgrading MegaLinter.
Previously, mega-linter-runner ran the MegaLinter Docker image as root. In the Docker image, chown the /megalinter, /megalinter-descriptors, and /action/lib/.automation directories to be owned by user and group 1000. Users whose files became owned by root as a consequence of having run a previous version of MegaLinter will need to chown them to be owned by user 1000 when upgrading MegaLinter.
|
Can you use the setgid bit on directories you create? You would then require chowns in fewer cases. See https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits. |
unfortunately, this doesn't work on wsl |
|
There is a huge problem with self-hosted agents on the Azure pipelines. Azure pipelines use AzureDevOps user and cannot reuse the same VM because mounted files are owned by root, and We can't change it because we cannot use sudo and escalate privileges for it |
|
I recommend setting |
|
@Kurt-von-Laven, good tip. Thank you! We figured out how to work around it. I left example: - script: |
mkdir $(Agent.WorkFolder)/report
docker run -v $(System.DefaultWorkingDirectory):/tmp/lint \
-v $(Agent.WorkFolder)/report:/tmp/report \
--env-file <(env | grep -e SYSTEM_ -e BUILD_ -e TF_ -e AGENT_) \
-e SYSTEM_ACCESSTOKEN=$(System.AccessToken) \
-e GIT_AUTHORIZATION_BEARER=$(System.AccessToken) \
oxsecurity/megalinter:v7
- task: PublishPipelineArtifact@1
condition: succeededOrFailed()
displayName: Upload MegaLinter reports
inputs:
targetPath: $(Agent.WorkFolder)/report"
artifactName: MegaLinterReportand on the linter config.yaml We set this: |
|
Clever; thanks for sharing your solution with the community. |
When running MegaLinter in "fix" mode, it will
chownthe fixed files toroot:rootas the file owner. This causes permission issues later when I attempt to make changes to the file through my IDE. Is there a way to have MegaLinter maintain the file user and group ownership when it "fixes" the linting issues?The text was updated successfully, but these errors were encountered: