Fix etc permissions

[liranmauda]

Explain the Changes

1. Fix etc permissions

Issues: Fixed #xxx / Gap #xxx

1. https://issues.redhat.com/browse/DFBUGS-4986

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Updated file system permissions for improved security and system reliability.

• Chores

  • Enhanced platform compatibility with OpenShift environments.
  • Configured explicit runtime directory structure and access controls.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The setup script modifies permission configurations to replace broad group-owned permissions with more restrictive group-writable permissions, removes setuid practices for rsyslogd and crond, and adds explicit directory creation for runtime components to improve OpenShift compatibility.

Changes

Cohort / File(s)	Summary
Permission scheme migration src/deploy/NVA_build/setup_platform.sh	Replaces broad group-owned permissions (g=u) with more restrictive group-write permissions (g+rwX) for user home, supervisor binaries, data/log directories, and node_modules. Sets /etc to read-only for group (g+rX).
Runtime directory initialization src/deploy/NVA_build/setup_platform.sh	Adds explicit directory creation and permission setup for /var/log/supervisor, /var/lib/logrotate, /data, and /log as group-writable.
Privileged operation removal src/deploy/NVA_build/setup_platform.sh	Removes setuid configuration for rsyslogd and crond to align with OpenShift security requirements.
Node modules permissions src/deploy/NVA_build/setup_platform.sh	Adds explicit group-writable permissions for /root/node_modules and /root/node_modules/noobaa-core with appropriate read+write/execute per-path.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check	❓ Inconclusive	The title 'Fix etc permissions' is too narrow and vague—it mentions only /etc but the changeset modifies permissions across multiple critical paths including /root, /var/log, /data, /log, node_modules, and supervisor binaries.	Consider a more descriptive title that reflects the broader scope, such as 'Refactor platform permissions for OpenShift compatibility' or 'Adjust platform permissions to use group-write instead of group-mirror'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 39ddd99 and 2253ce5.

📒 Files selected for processing (1)

• src/deploy/NVA_build/setup_platform.sh

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9196
File: tools/ibm_runner_helpers/run_containerized_warp_on_cloud_runner.sh:3-3
Timestamp: 2025-09-18T07:11:55.053Z
Learning: In the NooBaa project's IBM Cloud Warp testing infrastructure, `/etc/warp.env` is created by cloud-init during VM provisioning with permissions 0600 (owner read/write only). This file contains environment variables and secrets passed from GitHub Actions. The file creation is part of a controlled internal flow with proper permissions set automatically by cloud-init, so additional permission checks before sourcing are not necessary in this context.

Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9196
File: tools/ibm_runner_helpers/run_containerized_warp_on_cloud_runner.sh:3-3
Timestamp: 2025-09-18T07:11:55.053Z
Learning: In the NooBaa project's IBM Cloud Warp testing infrastructure, `/etc/warp.env` is created by cloud-init during VM provisioning with mode 0600 (owner read/write only). This file contains environment variables and secrets passed from GitHub Actions. The file creation is part of a controlled internal flow with proper permissions set automatically, so additional permission checks before sourcing are not necessary in this context.

📚 Learning: 2025-09-18T07:11:55.053Z

Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9196
File: tools/ibm_runner_helpers/run_containerized_warp_on_cloud_runner.sh:3-3
Timestamp: 2025-09-18T07:11:55.053Z
Learning: In the NooBaa project's IBM Cloud Warp testing infrastructure, `/etc/warp.env` is created by cloud-init during VM provisioning with permissions 0600 (owner read/write only). This file contains environment variables and secrets passed from GitHub Actions. The file creation is part of a controlled internal flow with proper permissions set automatically by cloud-init, so additional permission checks before sourcing are not necessary in this context.

Applied to files:

• src/deploy/NVA_build/setup_platform.sh

📚 Learning: 2025-09-18T07:11:55.053Z

Learnt from: Neon-White
Repo: noobaa/noobaa-core PR: 9196
File: tools/ibm_runner_helpers/run_containerized_warp_on_cloud_runner.sh:3-3
Timestamp: 2025-09-18T07:11:55.053Z
Learning: In the NooBaa project's IBM Cloud Warp testing infrastructure, `/etc/warp.env` is created by cloud-init during VM provisioning with mode 0600 (owner read/write only). This file contains environment variables and secrets passed from GitHub Actions. The file creation is part of a controlled internal flow with proper permissions set automatically, so additional permission checks before sourcing are not necessary in this context.

Applied to files:

• src/deploy/NVA_build/setup_platform.sh

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-jest-unit-tests
• GitHub Check: run-package-lock-validation

🔇 Additional comments (3)

src/deploy/NVA_build/setup_platform.sh (3)

96-97: LGTM: More explicit permission model.

Changing from g=u to g+rwX is clearer and avoids copying special bits (setuid/setgid) to the group. The X flag correctly adds execute permission only for directories and already-executable files.

---

99-102: LGTM: Appropriate read-only permissions for binaries.

Setting supervisord binaries to read+execute only (g+rX) is the correct approach for executable files that should not be modified by the group.

---

104-106: LGTM: Proper runtime directory setup.

Creating /var/log/supervisor before setting permissions is correct, and the group-writable permissions (g+rwX) are necessary for supervisor to write sockets, PID files, and logs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Ensure directories exist before setting permissions.

Lines 112 and 118 set permissions on /data, /log, and /var/lib/logrotate without first ensuring they exist. If these directories are missing, the chmod commands will fail and the script will exit due to set -e (line 123).

🔎 Proposed fix to create directories before setting permissions

 # node modules (needs write)
 chgrp -R 0 /root/node_modules && chmod -R g+rwX /root/node_modules
 
 # data volumes
+mkdir -p /data /log
 chgrp -R 0 /data /log && chmod -R g+rwX /data /log
 
 # /etc — READ ONLY
 chgrp -R 0 /etc && chmod -R g+rX /etc
 
 # logrotate state (needs write)
+mkdir -p /var/lib/logrotate
 chgrp -R 0 /var/lib/logrotate && chmod -R g+rwX /var/lib/logrotate

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# node modules (needs write)
	chgrp -R 0 /root/node_modules && chmod -R g+rwX /root/node_modules
	# give access for logrotate
	chgrp -R 0 /var/lib/logrotate && chmod -R g=u /var/lib/logrotate
	# data volumes
	chgrp -R 0 /data /log && chmod -R g+rwX /data /log
	# setuid for rsyslog so it can run as root
	chmod u+s /sbin/rsyslogd
	# setuid for crond so it can run as root
	chmod u+s /sbin/crond
	# /etc — READ ONLY
	chgrp -R 0 /etc && chmod -R g+rX /etc
	# logrotate state (needs write)
	chgrp -R 0 /var/lib/logrotate && chmod -R g+rwX /var/lib/logrotate
	# node modules (needs write)
	chgrp -R 0 /root/node_modules && chmod -R g+rwX /root/node_modules
	# data volumes
	mkdir -p /data /log
	chgrp -R 0 /data /log && chmod -R g+rwX /data /log
	# /etc — READ ONLY
	chgrp -R 0 /etc && chmod -R g+rX /etc
	# logrotate state (needs write)
	mkdir -p /var/lib/logrotate
	chgrp -R 0 /var/lib/logrotate && chmod -R g+rwX /var/lib/logrotate

🤖 Prompt for AI Agents

In src/deploy/NVA_build/setup_platform.sh around lines 108 to 118, the script
changes group/permissions on /data, /log, and /var/lib/logrotate without
ensuring those directories exist, causing chmod/chgrp to fail under set -e;
before each chgrp/chmod pair (or once before the groups of related changes)
create the directories with mkdir -p (and set correct ownership if needed) so
the subsequent chgrp -R and chmod -R commands succeed even when directories are
absent.