From 292668bf496a6ca26d92c7e5ce11b2ff907d484b Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Sat, 6 Apr 2019 09:14:59 -0400
Subject: [PATCH] Make sure the wheelhouse is usable by nobody
---
 .circleci/prepare-image.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.circleci/prepare-image.sh b/.circleci/prepare-image.sh
index cc2414c19..78d2191e7 100755
--- a/.circleci/prepare-image.sh
+++ b/.circleci/prepare-image.sh
@@ -18,12 +18,20 @@ shift
 PROJECT_ROOT="$1"
 shift
+# Most stuff is going to run as nobody. Here's a helper to make sure nobody
+# can access necessary files.
+CHOWN_NOBODY="chown --recursive nobody:$(id --group nobody)"
+
 # Avoid the /nonexistent home directory in nobody's /etc/passwd entry.
 usermod --home /tmp/nobody nobody
 # Grant read access to nobody, the user which will eventually try to test this
 # checkout.
-chown --recursive nobody:$(id --group nobody) "${PROJECT_ROOT}"
+${CHOWN_NOBODY} "${PROJECT_ROOT}"
+
+# Create a place for some wheels to live.
+mkdir "${WHEELHOUSE_PATH}"
+${CHOWN_NOBODY} "${WHEELHOUSE_PATH}"
 sudo --set-home -u nobody "${PROJECT_ROOT}"/.circleci/create-virtualenv.sh "${WHEELHOUSE_PATH}" "${BOOTSTRAP_VENV}"
 sudo --set-home -u nobody "${PROJECT_ROOT}"/.circleci/populate-wheelhouse.sh "${WHEELHOUSE_PATH}" "${BOOTSTRAP_VENV}" "${PROJECT_ROOT}"
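Review bot: The added `mkdir "${WHEELHOUSE_PATH}"` is followed unconditionally by a recursive chown, presumably run as root given the usermod and chown calls. If the path already exists or mkdir fails, and the script is not under `set -e` (its header is outside this hunk), ownership of whatever tree is already at that path is handed to nobody. Guard the step, e.g. `mkdir -- "${WHEELHOUSE_PATH}" || exit 1`, so the chown only applies to a directory this script has just created. Separately, `CHOWN_NOBODY` keeps a command in a string and relies on unquoted word splitting at both call sites. A function such as `chown_nobody() { chown --recursive "nobody:$(id --group nobody)" -- "$@"; }` avoids that and quotes the group lookup.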