Fixing permissions (#116)

docker/app_container/Dockerfile

@@ -8,7 +8,7 @@ COPY docker/app_container/files/. /app/
 
 RUN apt-get update \
     && apt-get install -y bedtools findutils \
-    && useradd app \
+    && useradd -g 0 app \
     && mkdir -p /uploads /app/venv \
     && chown -R app /uploads /install /app/venv \
     && cp -r /install/migrations /install/alembic.ini /app

docker/app_container/files/entry_point.py

@@ -44,6 +44,10 @@ def get_secret(path):
 
 write_env_file()
 system("cd /app && /app/mini_cron.sh &")
+system("find /uploads /import /data -exec chown app {} \\;")
+system("find /uploads /import /data -exec chgrp 0 {} \\;")
+system("find /uploads /import /data -exec chmod g+wr {} \\;")
+system("find /uploads /import /data -type d -exec chmod g+xs {} \\;")
 system(
     f"exec su - app /app/run_flask.sh {environ.get('HTTP_WORKER_PROCESSES')} {environ.get('HTTP_WORKER_TIMEOUT', 30)}"
     f" {environ.get('HTTP_REVERSE_PROXY_IPS', '')}"

docker/scripts/__create_local_folders.py

@@ -18,13 +18,6 @@
     HOST_CONFIG_DIR,
     HOST_DB_DATA_DIR,
     HOST_IMPORT_DIR,
-    HOST_DATA_DIR,
-    Path(HOST_DATA_DIR, "metadata"),
-    Path(HOST_DATA_DIR, "metadata", "project_requests"),
-    Path(HOST_DATA_DIR, "annotation"),
-    Path(HOST_DATA_DIR, "assembly"),
-    Path(HOST_DATA_DIR, "cache", "gene", "selection"),
-    Path(HOST_DATA_DIR, "bam_files"),
 ]
 SECRET_FILES = ["mariadb-root", "mariadb-scimodom", "flask-secret"]
 
@@ -65,10 +58,9 @@ def write_client_config():
     chmod(path, 0o644)
 
 
-umask(0o77)
+umask(0o7)
 for folder in HOST_FOLDERS:
     Path(folder).mkdir(parents=True, exist_ok=True)
 for name in SECRET_FILES:
     write_password_file(name)
 write_client_config()
-Path(HOST_IMPORT_DIR).chmod(0o755)

docker/scripts/create_local_folders.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# We don't want to bother container user sto install Python packages.
+# We don't want to bother the container user to install Python packages.
 # So we simulate here the dotenv package by a shell wrapper.
 
 set -eu

server/src/scimodom/services/file.py

@@ -3,7 +3,7 @@
 from enum import Enum
 from fcntl import flock, LOCK_SH, LOCK_EX, LOCK_UN
 from functools import cache
-from os import unlink, rename, makedirs, stat, close
+from os import unlink, rename, makedirs, stat, close, umask
 from os.path import join, exists, dirname, basename, isfile
 from pathlib import Path
 from shutil import rmtree
@@ -59,19 +59,23 @@ def __init__(
         self._upload_path = upload_path
         self._import_path = import_path
 
-        for path in [
-            data_path,
-            temp_path,
-            upload_path,
-            import_path,
-            self._get_project_metadata_dir(),
-            self._get_project_request_dir(),
-            self.get_annotation_parent_dir(),
-            self._get_assembly_parent_dir(),
-            self._get_gene_cache_dir(),
-            self._get_bam_files_parent_dir(),
-        ]:
-            makedirs(path, exist_ok=True)
+        old_umask = umask(0o07)
+        try:
+            for path in [
+                data_path,
+                temp_path,
+                upload_path,
+                import_path,
+                self._get_project_metadata_dir(),
+                self._get_project_request_dir(),
+                self.get_annotation_parent_dir(),
+                self._get_assembly_parent_dir(),
+                self._get_gene_cache_dir(),
+                self._get_bam_files_parent_dir(),
+            ]:
+                makedirs(path, mode=0o2770, exist_ok=True)
+        finally:
+            umask(old_umask)
 
     # General