ubuntu-bugcontrol team mailing list archive

Thread
Date

Re: [Merge] ~jslarraz/ubuntu-qa-tools:fix-acl into ubuntu-qa-tools:master

To: mp+464752@xxxxxxxxxxxxxxxxxx
From: Steve Beattie <mp+464752@xxxxxxxxxxxxxxxxxx>
Date: Mon, 22 Apr 2024 19:21:14 -0000
In-reply-to: <171378788093.2229241.17584184245018163361.launchpad@juju-98d295-prod-launchpad-17>
Reply-to: mp+464752@xxxxxxxxxxxxxxxxxx
Sender: noreply@xxxxxxxxxxxxx

On Mon, Apr 22, 2024 at 12:11:21PM -0000, Jorge Sancho Larraz wrote:
> When using acl, the `mask` attribute sets the maximum permissions a non-owner user may have. Thus, this field also needs to be check to ensure the `libvirt-qemu` has effective search permissions on the required directories
> -- 
> You are subscribed to branch ubuntu-qa-tools:master.

> diff --git a/vm-tools/uvt b/vm-tools/uvt
> index 2f6eca3..36a3c31 100755
> --- a/vm-tools/uvt
> +++ b/vm-tools/uvt
> @@ -3626,7 +3626,9 @@ def load_uvt_config():
>          path = config[d]
>          while path != "/":
>              rc, out = runcmd(["getfacl", "-e", path])
> -            if (not os.stat(path).st_mode & 0o001) and (re.search("user:libvirt-qemu:..x", out) is None):
> +            if (not os.stat(path).st_mode & 0o001) and \
> +                    ((re.search("user:libvirt-qemu:..x", out) is None) or
> +                     (re.search("mask::..x", out) is None)):

Oh, I hadn't noticed we'd started using ACLs here as a fallback, yay!

This has already been merged, so treat this as a possible suggestion
for a future improvement, but rather than trying to parse the
output of the getfacl command (and making sure that things like the
LANG environment variable are set), would it make sense to use the
python3-pylibacl library to query acl status directly instead? It's
available in all the currently supported Ubuntu releases.

That said, it's not exactly the easiest interface to use, being a python
wrapper around libacl:

>>> import posix1e
>>> import pwd
>>> acls = posix1e.ACL(file="testimage-focal-amd64.qcow2")
>>> for acl in acls:
...     print(acl)
...     if acl.tag_type == posix1e.ACL_USER:
...             print(f"--> username = {pwd.getpwuid(acl.qualifier).pw_name}")
...     if acl.tag_type in (posix1e.ACL_MASK, posix1e.ACL_USER):
...             print(f"--> read = {acl.permset.read}")
...             print(f"--> write = {acl.permset.write}")
...             print(f"--> execute = {acl.permset.execute}")
...
ACL entry for the owner
ACL entry for user with uid 64055
--> username = libvirt-qemu
--> read = True
--> write = False
--> execute = True
ACL entry for the group
ACL entry for the mask
--> read = True
--> write = False
--> execute = True
ACL entry for the others


-- 
Steve Beattie
<sbeattie@xxxxxxxxxx>

https://code.launchpad.net/~jslarraz/ubuntu-qa-tools/+git/ubuntu-qa-tools/+merge/464752
Your team Ubuntu Bug Control is subscribed to branch ubuntu-qa-tools:master.

References

[Merge] ~jslarraz/ubuntu-qa-tools:fix-acl into ubuntu-qa-tools:master
From: Jorge Sancho Larraz, 2024-04-22