vagrant: Run plinth as user plinth in development environment

Running plinth as root is causing preventable permission errors in production.
This commit makes the necessary changes to run plinth as the user plinth so that
permission errors can be caught early and prevented.

- Give ownership of all files in the mounted directory to plinth
- Add permissions in sudoers file so that plinth can run scripts in
  /vagrant/actions as superuser
- Move scripts that run on vagrant triggers to a separate directory

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

HACKING.md

@@ -34,7 +34,7 @@ and requires about 4.5 GB of disk space.
    cycle during development.
 
     ```
-    $ sudo /vagrant/run --develop
+    $ sudo -u plinth /vagrant/run --develop
     ```
 
 Note: This virtual machine has automatic upgrades disabled by default.

Vagrantfile

@@ -19,6 +19,7 @@
 Vagrant.configure(2) do |config|
   config.vm.box = "freedombox/plinth-dev"
   config.vm.network "forwarded_port", guest: 443, host: 4430
+  config.vm.synced_folder ".", "/vagrant", owner: "plinth", group: "plinth"
   config.vm.provider "virtualbox" do |vb|
     vb.cpus = 2
     vb.memory = 2048
@@ -47,15 +48,21 @@ Vagrant.configure(2) do |config|
 for development. You can run the development version of Plinth using
 the following command.
 $ vagrant ssh
-$ sudo /vagrant/run --develop
+$ sudo -u plinth /vagrant/run --develop
 Plinth will be available at https://localhost:4430/plinth (with
 an invalid SSL certificate).
 "
 
+  config.trigger.after [:up, :resume, :reload] do |trigger|
+    trigger.info = "Set plinth user permissions for development environment"
+    trigger.run_remote = {
+      path: "vagrant-scripts/plinth-user-permissions.py"
+    }
+  end
   config.trigger.before :destroy do |trigger|
     trigger.warn = "Performing cleanup steps"
     trigger.run = {
-      path: "post-box-destroy.py"
+      path: "vagrant-scripts/post-box-destroy.py"
     }
   end
   config.vm.boot_timeout=1200

vagrant-scripts/plinth-user-permissions.py

@@ -0,0 +1,39 @@
+#!/usr/bin/python3
+# -*- mode: python -*-
+#
+# This file is part of FreedomBox.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+"""
+Set required permissions for user "plinth" to run plinth in the development
+environment.
+"""
+
+import augeas
+
+sudoers_file = '/etc/sudoers.d/plinth'
+aug = augeas.Augeas(
+    flags=augeas.Augeas.NO_LOAD + augeas.Augeas.NO_MODL_AUTOLOAD)
+
+# lens for shell-script config file
+aug.set('/augeas/load/Shellvars/lens', 'Sudoers.lns')
+aug.set('/augeas/load/Shellvars/incl[last() + 1]', sudoers_file)
+aug.load()
+
+aug.set('/files{}/spec[1]/host_group/command[2]'.format(sudoers_file),
+        '/vagrant/actions/*')
+aug.set('/files{}/spec[1]/host_group/command[1]/tag[2]'.format(sudoers_file),
+        'SETENV')
+aug.save()