Habitat and Restrictive umasks


#1

My two questions are: what does habitat do with umasks, and what should it do?

I’ve been using habitat for all of two weeks now… I’m not really sure what all it can do and what it should do. It’s been really awesome for managing system packages. Stuff I just don’t want to deal with. "Oh, you need java, hab pkg install core/jdk8 && hab pkg binlink core/jdk8. Job done." (Yeah, you have to go manage JAVA_HOME and it’s not in any obvious location, but that’s a conversation for another time.) You can even manage your bootloader with habitat! I’m not suggesting hab as a replacement for yum… but I kinda am… (I may have used habitat to install wget the other day.)

Since we run in a multi-user environment, users need to be able to execute packages installed on the system. What I’ve run into is that when Habitat is installed using the canonical install script and the system has a umask 027, users can’t execute packages because the filesystem tree seems to respect the system umask. I.e. every directory under /hab is chmod 550 (I always have to do the math so: r-xr-x---), therefore users have no access to /hab/pkg/core/wget/bin/wget.

If it were yum/an rpm those permissions would be set appropriately… I’m not suggesting that this is the right answer of course. Perhaps the answer is that everyone who wants to use hab packages should be in the hab group? That wouldn’t resolve the issue in #4625 which as @eeyun points out in a previous post

The solution to 4625 appears to be to fix the node scaffold. That seems to be the current behavior, but I’m not so sure I’m sold that that is the correct behavior in all situations.

For instance, I don’t think that it’s up to the package maintainer to manage the permissions of /hab/pkg or /hab/svc. If the habitat supervisor is running, I think I should be able to start multiple processes as different users. The default seems to be to run everything as hab, but why can’t I set that at runtime? Say I want to run my webserver as webserver and my web process as rackserver and my database as dbserver; I probably don’t want all those users running in the same group.

It’s kinda like “containers without containers”…

Anyway, that’s my 2¢, I’m not sure if I’m even using Habitat right, but it seems to work well so far!


#2

I’ve seen this umask issue in places that have a STIG in place and I think the Habitat behavior is wrong.

If you look at the directories after /hab/pkgs/<origin>/<package>/<version>/ you should see the right directory permissions in place. This is because of the underlying C implementation of libarchive. Without going too far down the rabbit hole, I think habitat should default the umask under the /hab directory to 022.

Would you mind adding a vote to @mattray’s issue or adding a new issue if another one doesn’t exist that addresses your specific umask issue?
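
The effect discussed in this thread, as an added example that is not part of either post and is not Habitat's own code: it builds a constructed stand-in tree (the `pkgs/core/wget/bin/wget` layout and the function names are assumptions) under umask 027 and under 022, then lists the directories and executables that users outside the owner and group cannot reach.

```shell
#!/bin/sh
# Added example: constructed stand-in tree, not Habitat's installer code.

# Build a package-like tree under the given umask. Runs in a subshell so the
# caller's umask is left alone. $1 = root to create, $2 = umask.
build_tree() {
    (
        umask "$2"
        mkdir -p "$1/pkgs/core/wget/bin"
        printf '#!/bin/sh\necho stand-in\n' > "$1/pkgs/core/wget/bin/wget"
        chmod +x "$1/pkgs/core/wget/bin/wget"   # bare +x also honours the umask
    )
}

# Print every directory under $1 that "other" users cannot traverse (no o+x)
# and every owner-executable file they cannot read and execute (no o+rx).
find_blocked() {
    find "$1" \( -type d ! -perm -001 \) -o \
              \( -type f -perm -100 ! -perm -005 \)
}

# Number of blocked paths under $1, without padding from wc.
count_blocked() {
    find_blocked "$1" | wc -l | tr -d ' '
}

# Demo: same tree, two umasks.
demo=$(mktemp -d)
build_tree "$demo/strict" 027
build_tree "$demo/relaxed" 022
echo "umask 027: $(count_blocked "$demo/strict") paths closed to other users"
find_blocked "$demo/strict"
echo "umask 022: $(count_blocked "$demo/relaxed") paths closed to other users"
rm -rf "$demo"
```

Running `find_blocked` against a real package root lists the path components whose mode would need to change for unprivileged users to execute a binary beneath it.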