From fff9a165707178fc6ad664ec5c77df6f629e6d19 Mon Sep 17 00:00:00 2001 From: Harald Wilhelmi Date: Tue, 23 Jul 2024 13:22:19 +0200 Subject: [PATCH] Fixing permissions (#116) --- docker/app_container/Dockerfile | 2 +- docker/app_container/files/entry_point.py | 4 +++ docker/scripts/__create_local_folders.py | 10 +------ docker/scripts/create_local_folders.sh | 2 +- server/src/scimodom/services/file.py | 32 +++++++++++++---------- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/docker/app_container/Dockerfile b/docker/app_container/Dockerfile index 2397a3fc..441a22e2 100644 --- a/docker/app_container/Dockerfile +++ b/docker/app_container/Dockerfile @@ -8,7 +8,7 @@ COPY docker/app_container/files/. /app/ RUN apt-get update \ && apt-get install -y bedtools findutils \ - && useradd app \ + && useradd -g 0 app \ && mkdir -p /uploads /app/venv \ && chown -R app /uploads /install /app/venv \ && cp -r /install/migrations /install/alembic.ini /app diff --git a/docker/app_container/files/entry_point.py b/docker/app_container/files/entry_point.py index cdd80e06..484e8d69 100755 --- a/docker/app_container/files/entry_point.py +++ b/docker/app_container/files/entry_point.py @@ -44,6 +44,10 @@ def get_secret(path): write_env_file() system("cd /app && /app/mini_cron.sh &") +system("find /uploads /import /data -exec chown app {} \\;") +system("find /uploads /import /data -exec chgrp 0 {} \\;") +system("find /uploads /import /data -exec chmod g+wr {} \\;") +system("find /uploads /import /data -type d -exec chmod g+xs {} \\;") system( f"exec su - app /app/run_flask.sh {environ.get('HTTP_WORKER_PROCESSES')} {environ.get('HTTP_WORKER_TIMEOUT', 30)}" f" {environ.get('HTTP_REVERSE_PROXY_IPS', '')}" diff --git a/docker/scripts/__create_local_folders.py b/docker/scripts/__create_local_folders.py index dc126598..2a93b9a6 100755 --- a/docker/scripts/__create_local_folders.py +++ b/docker/scripts/__create_local_folders.py 
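Review bot: `useradd -g 0 app` makes root the primary group of the service account and nothing in the Dockerfile says why, so the next reader is likely to "fix" it back to a private group and silently break the group-based sharing of the mounted volumes that entry_point.py sets up. It also means that every path in the image which root left group-readable or group-writable is now reachable by the unprivileged app user, which is a wider grant than the three `chown -R app` targets suggest. I would add a comment above the line, e.g. `# app's primary group is root (GID 0): the mounted volumes are shared through the root group (see entry_point.py). This also grants app every group-root permission in the image, so keep root-owned files g-w.` Whether any group-writable root-owned files exist in the base image is not visible here; the comment records the trade-off either way.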
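Review bot: The four added `find … -exec chown/chgrp/chmod {} \;` lines run as root and act on the target of any symbolic link they meet, because `chown` without `-h` and `chmod` always dereference; if anything under /uploads, /import or /data can be a symlink created by a less privileged writer (the app user owns /uploads, and /import is a host bind mount), a link pointing at a file outside these trees would at the next container start become owned by app, group root and group-writable. Add `! -type l` to the file-level passes, and since `chown user:group` does both ownership changes at once with `-exec … {} +`, the four commands reduce to `system("find /uploads /import /data ! -type l -exec chown app:0 {} +")`, `system("find /uploads /import /data ! -type l -exec chmod g+rw {} +")` and `system("find /uploads /import /data -type d -exec chmod g+xs {} +")` (`-type d` already excludes links when find is not run with -L). The `{} +` form also avoids forking one process per file on every start, which the `\;` form does and which grows linearly with the data tree. Whether symlinks can actually appear in those trees is not visible here; the guard costs nothing if they cannot.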
@@ -18,13 +18,6 @@ HOST_CONFIG_DIR, HOST_DB_DATA_DIR, HOST_IMPORT_DIR, - HOST_DATA_DIR, - Path(HOST_DATA_DIR, "metadata"), - Path(HOST_DATA_DIR, "metadata", "project_requests"), - Path(HOST_DATA_DIR, "annotation"), - Path(HOST_DATA_DIR, "assembly"), - Path(HOST_DATA_DIR, "cache", "gene", "selection"), - Path(HOST_DATA_DIR, "bam_files"), ] SECRET_FILES = ["mariadb-root", "mariadb-scimodom", "flask-secret"] @@ -65,10 +58,9 @@ def write_client_config(): chmod(path, 0o644) -umask(0o77) +umask(0o7) for folder in HOST_FOLDERS: Path(folder).mkdir(parents=True, exist_ok=True) for name in SECRET_FILES: write_password_file(name) write_client_config() -Path(HOST_IMPORT_DIR).chmod(0o755) diff --git a/docker/scripts/create_local_folders.sh b/docker/scripts/create_local_folders.sh index 6b2f4eac..a2e38fac 100755 --- a/docker/scripts/create_local_folders.sh +++ b/docker/scripts/create_local_folders.sh @@ -1,6 +1,6 @@ #!/bin/bash -# We don't want to bother container user sto install Python packages. +# We don't want to bother the container user to install Python packages. # So we simulate here the dotenv package by a shell wrapper. set -eu diff --git a/server/src/scimodom/services/file.py b/server/src/scimodom/services/file.py index 308488d8..fe0401ed 100644 --- a/server/src/scimodom/services/file.py +++ b/server/src/scimodom/services/file.py @@ -3,7 +3,7 @@ from enum import Enum from fcntl import flock, LOCK_SH, LOCK_EX, LOCK_UN from functools import cache -from os import unlink, rename, makedirs, stat, close +from os import unlink, rename, makedirs, stat, close, umask from os.path import join, exists, dirname, basename, isfile from pathlib import Path from shutil import rmtree 
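Review bot: Relaxing the process umask from `0o77` to `0o7` also covers the loop that writes the secret files right below it, so unless `write_password_file` sets a mode explicitly (its body is not in this hunk), `mariadb-root`, `mariadb-scimodom` and `flask-secret` are now created 0o660 instead of 0o600 and are readable by every member of the invoking user's primary group. The folders and the secrets have different audiences; either restore the strict mask between the two loops by inserting `umask(0o77)` before `for name in SECRET_FILES:`, or have `write_password_file` end with `chmod(path, 0o600)` the way `write_client_config` ends with `chmod(path, 0o644)`. The second form is the more robust one, since it does not depend on statement order in this script. Either fix only affects files this script creates; secret files that already exist keep their current mode.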
@@ -59,19 +59,23 @@ def __init__( self._upload_path = upload_path self._import_path = import_path - for path in [ - data_path, - temp_path, - upload_path, - import_path, - self._get_project_metadata_dir(), - self._get_project_request_dir(), - self.get_annotation_parent_dir(), - self._get_assembly_parent_dir(), - self._get_gene_cache_dir(), - self._get_bam_files_parent_dir(), - ]: - makedirs(path, exist_ok=True) + old_umask = umask(0o07) + try: + for path in [ + data_path, + temp_path, + upload_path, + import_path, + self._get_project_metadata_dir(), + self._get_project_request_dir(), + self.get_annotation_parent_dir(), + self._get_assembly_parent_dir(), + self._get_gene_cache_dir(), + self._get_bam_files_parent_dir(), + ]: + makedirs(path, mode=0o2770, exist_ok=True) + finally: + umask(old_umask) # General
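Review bot: `makedirs(path, mode=0o2770, exist_ok=True)` will not yield setgid directories on Linux, because mkdir(2) honours only the permission bits and the sticky bit of the requested mode and discards S_ISGID (which is why coreutils' `mkdir -m 2770` issues a separate chmod), and `makedirs` applies `mode` to the leaf directory only in any case — so these directories come out 0o770 and rely on the `chmod g+xs` pass in entry_point.py, which only runs at the next container start. If group inheritance is the intent, follow the call with an explicit `chmod(path, 0o2770)` (importing `chmod` from `os` next to `umask`), which thanks to `exist_ok=True` also repairs directories that already existed with a narrower mode. The `umask(0o07)` swap is process-wide, so any other thread creating files while `FileService` is being constructed briefly gets the relaxed mask; a comment on that line such as `# process-wide: volumes are shared through GID 0, see entry_point.py` would record both the purpose and that caveat. `__init__` begins before this hunk.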