
Ensure files on USB have read permissions, not just enclosing directory. #1917

Merged
merged 1 commit into from Mar 15, 2024


rocodes
Contributor

@rocodes rocodes commented Mar 15, 2024

Status

Ready for review

Description

Fixes file permissions on USB export drive (ref #1726) and adds test case. The initial change (in #1777) correctly changed the permission on the export directory, but not on the files being copied into that directory.

Test Plan

  • CI passing (looks like there are some issues to iron out, for tomorrow..)
  • visual review makes sense
  • Export succeeds and files have desired permissions (For quick testing that avoids building a deb, this can also be tested at the command line. Check out this branch, activate venv, open a terminal, attach a supported USB drive to the VM and unlock it).
$ mkdir -p /tmp/export/export_data/
$ echo "foo" > /tmp/export/export_data/test.txt
$ python3
>>> from securedrop_export.disk.cli import CLI
>>> cli = CLI()
>>> usb = cli.get_volume()  # will show you have a MountedVolume object attached
>>> cli.write_data_to_device(usb, "/tmp/export", "test")
>>> # Command succeeds, usb is locked/unmounted, and contains a folder called "test" with `export_data/test.txt` in it, with 644 permissions

Checklist

If these changes modify code paths involving cryptography, the opening of files in VMs or network (via the RPC service) traffic, Qubes testing in the staging environment is required. For fine tuning of the graphical user interface, testing in any environment in Qubes is required. Please check as applicable:

  • I have tested these changes in the appropriate Qubes environment
  • I do not have an appropriate Qubes OS workstation set up (the reviewer will need to test these changes)
  • These changes should not need testing in Qubes

If these changes add or remove files other than client code, the AppArmor profile may need to be updated. Please check as applicable:

  • I have updated the AppArmor profile
  • No update to the AppArmor profile is required for these changes
  • I don't know and would appreciate guidance

If these changes modify the database schema, you should include a database migration. Please check as applicable:

  • I have written a migration and upgraded a test database based on main and confirmed that the migration is self-contained and applies cleanly
  • I have written a migration but have not upgraded a test database based on main and would like the reviewer to do so
  • I need help writing a database migration
  • No database schema changes are needed
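
The gap described in this pull request (export directory mode corrected, copied files left with their source modes), reproduced as an added example that is not part of the pull request or the project's code. The helper names, the 0o755 directory mode and the sample tree are assumptions made for illustration; 644 is the file mode the test plan expects.

```python
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755   # assumed target mode for directories
FILE_MODE = 0o644  # file mode the test plan expects on the USB


def set_tree_permissions(root):
    """Apply DIR_MODE to root and every subdirectory, FILE_MODE to every file."""
    os.chmod(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), DIR_MODE)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), FILE_MODE)


def audit_tree(root):
    """Return {relative path: octal mode} for entries below root that miss the target mode."""
    wrong = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, want in entries:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode != want:
                wrong[os.path.relpath(path, root)] = oct(mode)
    return wrong


def demo():
    """Constructed scenario: source entries carry owner-only modes (0700 / 0600)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "export")
        os.makedirs(os.path.join(src, "export_data"))
        sample = os.path.join(src, "export_data", "test.txt")
        with open(sample, "w") as fh:
            fh.write("foo\n")
        os.chmod(sample, 0o600)
        os.chmod(os.path.join(src, "export_data"), 0o700)

        dst = os.path.join(tmp, "usb", "test")
        shutil.copytree(src, dst)        # copytree preserves the source modes
        os.chmod(dst, DIR_MODE)          # directory-only change: contents untouched
        before = audit_tree(dst)
        set_tree_permissions(dst)        # whole-tree change: files and subdirectories
        after = audit_tree(dst)
        return before, after
```

Running `audit_tree` against the mounted export folder after a test export gives a quick regression check: an empty result means every copied entry is readable by other users of the drive.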

@rocodes rocodes requested a review from a team as a code owner March 15, 2024 00:37
@rocodes rocodes mentioned this pull request Mar 15, 2024
15 tasks
@rocodes rocodes force-pushed the export-permissions-on-files branch from 7bff14b to 060604e Compare March 15, 2024 00:52
@rocodes
Contributor Author

rocodes commented Mar 15, 2024

locally (the export component tests):

(securedrop-export-py3.9) user@sd-dev:~/projects/securedrop-client/export$ git show --name-only
commit 060604e02803495b152db9c89d1fe75f76823b36 (HEAD -> export-permissions-on-files, origin/export-permissions-on-files)
Author: Ro <ro@freedom.press>
Date:   Thu Mar 14 20:19:20 2024 -0400

    Ensure files on USB have read permissions, not just enclosing directory.

export/securedrop_export/disk/cli.py
export/tests/disk/test_cli.py
(securedrop-export-py3.9) user@sd-dev:~/projects/securedrop-client/export$ make test && make check && echo "OK" || echo "Tests failed"
[... snip ]
======================================= 126 passed, 1 skipped in 6.68s ========================================
OK

@rocodes rocodes force-pushed the export-permissions-on-files branch from 060604e to 6f9d1e8 Compare March 15, 2024 14:48
@rocodes rocodes force-pushed the export-permissions-on-files branch from 6f9d1e8 to 0a6714c Compare March 15, 2024 15:43
@rocodes rocodes force-pushed the export-permissions-on-files branch from 0a6714c to 5856f67 Compare March 15, 2024 16:10
@rocodes rocodes requested a review from legoktm March 15, 2024 16:27
Member

@legoktm legoktm left a comment

LGTM

@legoktm legoktm merged commit 4aed67a into main Mar 15, 2024
94 checks passed
@legoktm legoktm deleted the export-permissions-on-files branch March 15, 2024 16:37

2 participants