From 68078fd6202f0e17874eac7eb040056e44fec4e7 Mon Sep 17 00:00:00 2001 From: George Kalpakas Date: Sat, 23 Sep 2017 15:24:41 +0300 Subject: [PATCH] build(aio): run the upload server as a non-previleged user closes #19352 Previously, the upload server (for PR previews) was run as root and "downleveled" to a non-privileged user from inside the node script. Now, with the latest version of `pm2` (which is used to run the upload server scripts), we can get rid of that workaround and set the desired UID directly through `pm2`. --- .../dockerbuild/scripts-js/lib/upload-server/index.ts | 2 -- .../dockerbuild/scripts-sh/upload-server-prod.sh | 3 +-- .../dockerbuild/scripts-sh/upload-server-test.sh | 3 +-- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/aio/aio-builds-setup/dockerbuild/scripts-js/lib/upload-server/index.ts b/aio/aio-builds-setup/dockerbuild/scripts-js/lib/upload-server/index.ts index 2fa8275695..e7b705c0c2 100644 --- a/aio/aio-builds-setup/dockerbuild/scripts-js/lib/upload-server/index.ts +++ b/aio/aio-builds-setup/dockerbuild/scripts-js/lib/upload-server/index.ts @@ -13,10 +13,8 @@ const AIO_REPO_SLUG = getEnvVar('AIO_REPO_SLUG'); const AIO_TRUSTED_PR_LABEL = getEnvVar('AIO_TRUSTED_PR_LABEL'); const AIO_UPLOAD_HOSTNAME = getEnvVar('AIO_UPLOAD_HOSTNAME'); const AIO_UPLOAD_PORT = +getEnvVar('AIO_UPLOAD_PORT'); -const AIO_WWW_USER = getEnvVar('AIO_WWW_USER'); // Run -process.setuid(AIO_WWW_USER); // TODO(gkalpak): Find more suitable way to run as `www-data`. _main(); // Functions diff --git a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh index d061ce9439..3e31be22c6 100755 --- a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh +++ b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh @@ -6,10 +6,9 @@ export AIO_GITHUB_TOKEN=$(head -c -1 /aio-secrets/GITHUB_TOKEN 2>/dev/null || ec export AIO_PREVIEW_DEPLOYMENT_TOKEN=$(head -c -1 /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN 2>/dev/null || echo "MISSING_PREVIEW_DEPLOYMENT_TOKEN") # Start the upload-server instance -# TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user. -# (Currently, there doesn't seem to be a straight forward way.) action=$([ "$1" == "stop" ] && echo "stop" || echo "start") pm2 $action $AIO_SCRIPTS_JS_DIR/dist/lib/upload-server \ + --uid $AIO_WWW_USER \ --log /var/log/aio/upload-server-prod.log \ --name aio-upload-server-prod \ ${@:2} diff --git a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh index 469e01c532..1aeb4e2fa0 100644 --- a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh +++ b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh @@ -15,13 +15,12 @@ export AIO_GITHUB_TOKEN=$(head -c -1 /aio-secrets/TEST_GITHUB_TOKEN 2>/dev/null export AIO_PREVIEW_DEPLOYMENT_TOKEN=$(head -c -1 /aio-secrets/TEST_PREVIEW_DEPLOYMENT_TOKEN 2>/dev/null || echo "TEST_PREVIEW_DEPLOYMENT_TOKEN") # Start the upload-server instance -# TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user. -# (Currently, there doesn't seem to be a straight forward way.) appName=aio-upload-server-test if [[ "$1" == "stop" ]]; then pm2 delete $appName else pm2 start $AIO_SCRIPTS_JS_DIR/dist/lib/verify-setup/start-test-upload-server.js \ + --uid $AIO_WWW_USER \ --log /var/log/aio/upload-server-test.log \ --name $appName \ --no-autorestart \