Group runner loses permissions frequently

Hi, I set up a group runner which runs fine, but every 2 to 6 jobs it returns an error:

`cp: cannot create regular file '/var/www/example.com/./.git/objects/b3/c119b92df986e7ca1cadefd50ffd84d901d1ba': Permission denied`

At this point the permissions look like this:

    drwxrwxr-x 20 gitlab-runner www-data 4096 Jun 9 12:52 example.com

After that I set them:

    sudo chown -R gitlab-runner:www-data /var/www
    sudo chmod -R 775 /var/www

They are exactly the same:

    drwxrwxr-x 20 gitlab-runner www-data 4096 Jun 9 12:52 example.com

but the job succeeded:

    './.git/refs/pipelines/899806542' -> '/var/www/example.com/./.git/refs/pipelines/899806542'

What could be the issue? It is an Apache server on Ubuntu 22.

Hi @bgfr

Have you checked permissions on all the directories in the path? Permissions/owner on /var/www does not guarantee the same on deeper levels.

Hi @balonik,
Thanks for paying attention.
The permissions of all directories in /var/www are the same as those below.

    ls -l /var/www
    drwxrwxr-x  17 gitlab-runner www-data  4096 Jun  8 20:06 example.com

It seems something changes the permissions.
umask of gitlab-runner is 0002, which means that the new files and directories which are created have the right permissions.

@balonik
I found what the problem is, but I am not sure if the fix won’t break something else.
So, although user gitlab-runner is a member of www-data, its primary group is gitlab-runner.
So in some cases it changes the group of the directory where it copies files.
Now the question is: can I change the primary group of gitlab-runner to www-data?

You can set the sticky bit on the directories so the group will always be www-data:

`chmod -R +s /var/www` if I remember right, it’s been a while 🙂

Hi @balonik that did not work out. I also found out that the sticky bit is not honored in all cases. For now I solved it temporarily by adding

    - sudo chown -R gitlab-runner:www-data /var/www
    - sudo chmod -R 775 /var/www

in the .yml
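
The group drift discussed in the posts above, as an added example that is not part of the original thread: the mode bit that makes new entries take a directory's group is setgid on the directory (`g+s`), while a bare `+s` also sets setuid and applies to regular files. The function names are hypothetical, and the tree and group are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT and GROUP are supplied by the caller;
# for the setup described above they would be /var/www and www-data.
# Usage after sourcing: set_group_inherit ROOT GROUP; audit_tree ROOT GROUP

# set_group_inherit ROOT GROUP
# Hand the tree to GROUP and set setgid on directories only, so entries created
# later take the directory's group rather than the creator's primary group.
set_group_inherit() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod g+s {} +
}

# audit_tree ROOT GROUP
# Prints one finding per line and returns 1 if anything is off, 0 if clean.
audit_tree() {
    findings=$(
        # Entries whose group drifted away from GROUP.
        find "$1" ! -group "$2" | sed 's/^/wrong-group /'
        # Directories that will not pass their group on to new entries.
        find "$1" -type d ! -perm -2000 | sed 's/^/dir-no-setgid /'
        # Regular files carrying setuid/setgid, e.g. left by a recursive "+s".
        find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/file-setid /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Running `audit_tree` at the start of a deploy job shows which path drifted before `cp` fails, instead of resetting the whole tree on every run.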

Hello @bgfr, I encountered a similar issue specifically when trying to copy existing files, such as those within .git. I want to mention that my gitlab-runner user has the same permissions as yours. And also Apache2 server on Ubuntu 22.04.

I was able to resolve the problem by forcefully copying the files using `cp -rf` into the destination directory. I’m not entirely certain if this approach would be applicable in your case as well.