From 1c5eeafe4dc12d672b299c94dc9b924d0466cd12 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Tue, 12 Nov 2024 20:18:38 +0000 Subject: [PATCH 1/3] feat(permissions): :sparkles: Start a simple file system permissions test.
--- A6_filesystem_permissions/.gitignore | 1 + .../Dockerfile.bindmount | 35 +++++++++++++ A6_filesystem_permissions/README.md | 51 +++++++++++++++++++ A6_filesystem_permissions/justfile | 28 ++++++++++ 4 files changed, 115 insertions(+) create mode 100644 A6_filesystem_permissions/.gitignore create mode 100644 A6_filesystem_permissions/Dockerfile.bindmount create mode 100644 A6_filesystem_permissions/README.md create mode 100644 A6_filesystem_permissions/justfile
diff --git a/A6_filesystem_permissions/.gitignore b/A6_filesystem_permissions/.gitignore
new file mode 100644
index 0000000..fde6477
--- /dev/null
+++ b/A6_filesystem_permissions/.gitignore
@@ -0,0 +1 @@
+mount
diff --git a/A6_filesystem_permissions/Dockerfile.bindmount b/A6_filesystem_permissions/Dockerfile.bindmount
new file mode 100644
index 0000000..d1ed2ea
--- /dev/null
+++ b/A6_filesystem_permissions/Dockerfile.bindmount
@@ -0,0 +1,35 @@
+# syntax=docker/dockerfile:1.11.0
+FROM ubuntu:24.10 AS base
+
+#### ROOT
+USER root
+
+ARG USERID=10000
+ARG GROUPID=10000
+ARG APPUSER=appuser
+RUN groupadd --system --gid $GROUPID appuser
+RUN useradd --system --uid $USERID --gid $GROUPID $APPUSER
+
+WORKDIR /scratch/root
+
+COPY --chmod=755 < /mnt/readonly/test.txt
+echo "test" > /mnt/writable/test.txt
+
+ls -l /mnt/readonly
+ls -l /mnt/writable
+
+/bin/copy.sh
+
+ls -l /mnt/writable/
+```
+
+## Volume
+
+```sh
+docker volume create filesystempermissions_volume
+
+just start_volume
+
+# permissions don't work
+echo "test" > /mnt/readonly_volume/test.txt
+echo "test" > /mnt/writable_volume/test.txt
+
+ls -l /mnt/readonly_volume
+ls -l /mnt/writable_volume
+```
+
+## Resources
+
+* https://docs.docker.com/get-started/docker-concepts/running-containers/sharing-local-files
+* https://docs.docker.com/engine/storage/volumes/
\ No newline at end of file
diff --git a/A6_filesystem_permissions/justfile b/A6_filesystem_permissions/justfile
new file mode 100644
index 0000000..697910d
--- /dev/null
+++ b/A6_filesystem_permissions/justfile
@@ -0,0 +1,28 @@
+#!/usr/bin/env just --justfile
+# ^ A shebang isn't required, but allows a justfile to be executed
+# like a script, with `./justfile test`, for example.
+
+set dotenv-load := true
+
+# default lists actions
+default:
+ @just -f justfile --list
+
+
+build:
+ #!/usr/bin/env bash
+ set -eufo pipefail
+ docker build -f Dockerfile.bindmount -t filesystempermissions .
+
+start: build
+ #!/usr/bin/env bash
+ set -eufo pipefail
+ mkdir -p ./mount/readonly
+ mkdir -p ./mount/writable
+ docker run -it --rm --mount type=bind,source=./mount/readonly,target=/mnt/readonly,readonly --mount type=bind,source=./mount/writable,target=/mnt/writable --name filesystempermissions filesystempermissions
+
+start_volume: build
+ #!/usr/bin/env bash
+ set -eufo pipefail
+ docker run -it --rm --mount type=volume,source=filesystempermissions_volume,target=/mnt/readonly_volume,readonly --mount type=volume,source=filesystempermissions_volume,target=/mnt/writable_volume --name filesystempermissions filesystempermissions
+
From 3e7f02564c6852d631c1ce32e6e598be0bc33e42 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Tue, 12 Nov 2024 20:28:30 +0000 Subject: [PATCH 2/3] fix(permissions): :bug: Fix users and improve docs
--- A6_filesystem_permissions/Dockerfile.bindmount | 2 +- A6_filesystem_permissions/README.md | 11 +++++++++++ A6_filesystem_permissions/justfile | 2 ++ 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/A6_filesystem_permissions/Dockerfile.bindmount b/A6_filesystem_permissions/Dockerfile.bindmount
index d1ed2ea..b5b36d0 100644
--- a/A6_filesystem_permissions/Dockerfile.bindmount
+++ b/A6_filesystem_permissions/Dockerfile.bindmount
@@ -30,6 +30,6 @@ cp /scratch/appuser/test.sh /mnt/writable/appuser_test.sh
 ls -l /mnt/writable/
 EOF
-#USER appuser
+USER appuser
 CMD ["bash"]
\ No newline at end of file
diff --git a/A6_filesystem_permissions/README.md b/A6_filesystem_permissions/README.md
index 649f32f..67f2c09 100644
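Review bot: `USER appuser` hard-codes the account name while the account is created from the `APPUSER` build arg in `RUN useradd --system --uid $USERID --gid $GROUPID $APPUSER` (that instruction sits above line 30, outside this hunk); a build with `--build-arg APPUSER=<other name>` would create a differently named user and then fail on this line, and `USER $APPUSER` keeps the two in step since `USER` expands build args. The same literal is used in `RUN groupadd --system --gid $GROUPID appuser` from the first patch. Enabling `USER` also changes what the README's write test measures: the container now touches `/mnt/writable` as uid 10000 instead of root, so the outcome depends on the ownership and mode of the host directory that `just start` creates with `mkdir -p`, and a native Linux engine and Docker Desktop's file sharing can presumably give different results here. A one-line comment above `USER`, such as `# run the mount tests as the unprivileged uid so host-side ownership is actually exercised`, would make that intent explicit.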
--- a/A6_filesystem_permissions/README.md
+++ b/A6_filesystem_permissions/README.md
@@ -11,12 +11,17 @@ TODO:
 NOTES:
 * Docker recommends using the `--mount` syntax instead of `-v`
+* When docker creates folder inside a container for mounts it creates them with root ownership.
 ## Test
 ```sh
+# start with bindmounts
 just start
+# CONTAINER TERMINAL
+whoami
+
 ls /mnt/readonly/
 echo "test" > /mnt/readonly/test.txt
@@ -33,14 +38,20 @@ ls -l /mnt/writable/
 ## Volume
 ```sh
+# create volume
 docker volume create filesystempermissions_volume
+# start with volume
 just start_volume
+# CONTAINER TERMINAL
+whoami
+
 # permissions don't work
 echo "test" > /mnt/readonly_volume/test.txt
 echo "test" > /mnt/writable_volume/test.txt
+ls -l /mnt
 ls -l /mnt/readonly_volume
 ls -l /mnt/writable_volume
 ```
diff --git a/A6_filesystem_permissions/justfile b/A6_filesystem_permissions/justfile
index 697910d..8ac1c05 100644
--- a/A6_filesystem_permissions/justfile
+++ b/A6_filesystem_permissions/justfile
@@ -26,3 +26,5 @@ start_volume: build
 set -eufo pipefail
 docker run -it --rm --mount type=volume,source=filesystempermissions_volume,target=/mnt/readonly_volume,readonly --mount type=volume,source=filesystempermissions_volume,target=/mnt/writable_volume --name filesystempermissions filesystempermissions
+dive:
+ dive filesystempermissions
\ No newline at end of file
From d0b163f26f86f253677800008f863e11b585ead7 Mon Sep 17 00:00:00 2001 From: Chris Guest Date: Sun, 1 Dec 2024 23:02:47 +0000 Subject: [PATCH 3/3] feat(permissions): :sparkles: Add more details and examples with volumes.
--- 05_root_user/README.md | 3 +- 13_users_and_permissions/README.md | 3 +- .../Dockerfile.bindmount | 15 +++++- .../Dockerfile.volumemount | 46 ++++++++++++++++++ A6_filesystem_permissions/README.md | 48 ++++++++++++++----- A6_filesystem_permissions/justfile | 20 ++++++-- 6 files changed, 115 insertions(+), 20 deletions(-) create mode 100644 A6_filesystem_permissions/Dockerfile.volumemount
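Review bot: The new `dive` recipe has no `build` prerequisite, unlike `start: build` and `start_volume: build` earlier in the file, so `just dive` on a clean checkout would presumably fail or try to pull because the `filesystempermissions` image has not been built yet; `dive: build` keeps it consistent with the other recipes. It also runs without the `#!/usr/bin/env bash` / `set -eufo pipefail` header the others carry, which is fine for a one-line recipe but worth a comment such as `# inspect image layers; needs the dive CLI on the host`.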
diff --git a/05_root_user/README.md b/05_root_user/README.md
index 2be2d4e..2a01d59 100644
--- a/05_root_user/README.md
+++ b/05_root_user/README.md
@@ -7,7 +7,8 @@ TODO:
 * try and nsenter into the host
 * try and list all the host processes from inside the container.
-Refer to [../13_users_and_permissions/README.md](../13_users_and_permissions/README.md) for more examples.
+REF: [13_users_and_permissions/README.md](../13_users_and_permissions/README.md)
+REF: [chrisguest75/sysadmin_examples/10_file_permissions/README.md](https://github.com/chrisguest75/sysadmin_examples/blob/master/10_file_permissions/README.md)
 ## 📋 Script to follow
diff --git a/13_users_and_permissions/README.md b/13_users_and_permissions/README.md
index cf95a8e..8006d1c 100644
--- a/13_users_and_permissions/README.md
+++ b/13_users_and_permissions/README.md
@@ -2,7 +2,8 @@ Demonstrates how users work within a container.
-Refer to [../05_root_user/README.md](../05_root_user/README.md) for more examples.
+REF: [05_root_user/README.md](../05_root_user/README.md)
+REF: [chrisguest75/sysadmin_examples/10_file_permissions/README.md](https://github.com/chrisguest75/sysadmin_examples/blob/master/10_file_permissions/README.md)
 ## 🏠 Script to follow
diff --git a/A6_filesystem_permissions/Dockerfile.bindmount b/A6_filesystem_permissions/Dockerfile.bindmount
index b5b36d0..624a158 100644
--- a/A6_filesystem_permissions/Dockerfile.bindmount
+++ b/A6_filesystem_permissions/Dockerfile.bindmount
@@ -12,15 +12,20 @@ RUN useradd --system --uid $USERID --gid $GROUPID $APPUSER
 WORKDIR /scratch/root
-COPY --chmod=755 <