Stop leaking host GIDs into VM via rsync -a
Replace 'rsync -az' with 'rsync -rlptDz' (archive minus owner/group preservation). Running as a non-root user on the VM, rsync can't preserve UID anyway, but it was successfully preserving GID whenever the numeric GID happened to exist on the target. That caused synced dirs (~/.aws, ~/.config/opencode, ~/.config/nvim, ~/.agents/skills, ~/.ssh) to end up with group 1001 on the VM, which was confusing and, for group-writable mode, potentially insecure. With -o and -g dropped, received files get the receiving user's UID:GID (devbox:devbox), which is what you want.
This commit is contained in:
@@ -113,9 +113,13 @@ for entry in "${MOUNT_PATTERNS[@]}"; do
|
|||||||
ssh_cmd "mkdir -p ${remote_path}"
|
ssh_cmd "mkdir -p ${remote_path}"
|
||||||
|
|
||||||
# Sync with rsync (fall back to scp if rsync unavailable)
|
# Sync with rsync (fall back to scp if rsync unavailable)
|
||||||
# Exclude generated/cached content that gets recreated on the remote
|
# Exclude generated/cached content that gets recreated on the remote.
|
||||||
|
# Use -rlptD (archive minus -o -g) so ownership on the remote is set
|
||||||
|
# by the receiving user (devbox). Preserving host UID/GID with -a
|
||||||
|
# tagged files with the pusher's numeric GID, which leaked through
|
||||||
|
# whenever the VM happened to have a matching group (see #group-1001).
|
||||||
if command -v rsync &>/dev/null; then
|
if command -v rsync &>/dev/null; then
|
||||||
rsync -az --progress \
|
rsync -rlptDz --progress \
|
||||||
--exclude='node_modules' \
|
--exclude='node_modules' \
|
||||||
--exclude='__pycache__' \
|
--exclude='__pycache__' \
|
||||||
--exclude='.venv' \
|
--exclude='.venv' \
|
||||||
|
|||||||
Reference in New Issue
Block a user