forked from OctoPrint/CustoPiZer
Open
Description
Our image scripts set up ~/.pioreactor/storage for shared write between pioreactor and www-data by applying setgid on subdirs in workspace/scripts/06-install-pioreactor.sh. Later, workspace/scripts/10-install-db.sh runs chmod -R 770 $STORAGE_DIR and only re-applies chmod g+s on the storage root, stripping setgid from subdirectories like storage/calibrations/* and storage/exportable_datasets.
Impact:
- Files created afterwards inside those dirs inherit the creator’s primary group (pioreactor or www-data), breaking shared access.
- Example: a pioreactor job writes storage/calibrations/od/foo.json → pioreactor:pioreactor 660; UI (www-data) can’t modify it.
Conversely, exports created by UI become www-data:www-data and CLI as pioreactor loses write.
Suggested fix:
- Avoid blanket chmod -R 770, or
- After chmod, reapply setgid recursively to the shared dirs (e.g., find "$STORAGE_DIR"/calibrations "$STORAGE_DIR"/exportable_datasets -type d -exec chmod g+s {} +), or
- Narrow the chmod to just the files that need it and leave setgid intact.
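A post-build check for the condition this issue describes, as an added example that is not part of the issue or the project's scripts. The function names are hypothetical, and it assumes every directory under the path it is given is meant to carry setgid and belong to one shared group.

```shell
#!/bin/sh
# Added example: audit and repair setgid on a shared storage tree.
# Function names are hypothetical; pass the storage path as the argument.

# Print every directory under $1 (inclusive) that lacks the setgid bit.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Print entries whose group differs from the group of $1 itself.
# This is the symptom from the Impact list: files that fell back to the
# creator's primary group because their parent had no setgid.
entries_with_wrong_group() {
    gid=$(ls -ldn "$1" | awk '{print $4}')
    find "$1" ! -group "$gid" -print
}

# Reapply setgid to directories only, leaving file modes untouched
# (the same find/chmod form suggested in the issue).
restore_setgid() {
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Return 0 when the tree is consistent, 1 otherwise, listing offenders on
# stderr. Intended as the last step of the image build so that a later
# recursive chmod cannot silently undo the earlier setup.
audit_storage() {
    rc=0
    if [ -n "$(dirs_missing_setgid "$1")" ]; then
        echo "directories without setgid:" >&2
        dirs_missing_setgid "$1" >&2
        rc=1
    fi
    if [ -n "$(entries_with_wrong_group "$1")" ]; then
        echo "entries not owned by the shared group:" >&2
        entries_with_wrong_group "$1" >&2
        rc=1
    fi
    return "$rc"
}

# Usage inside a build script (STORAGE_DIR as named in the issue):
#   restore_setgid "$STORAGE_DIR" && audit_storage "$STORAGE_DIR"
```

restore_setgid does not change the group of files that were already created with the wrong one; audit_storage lists those so they can be fixed with chgrp.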