-
Notifications
You must be signed in to change notification settings - Fork 886
tests: switch to using SysProcAttr for non-root #1569
Conversation
@@ -18,7 +18,11 @@ func Start(c *exec.Cmd) (pty *os.File, err error) { | |||
c.Stdout = tty | |||
c.Stdin = tty | |||
c.Stderr = tty | |||
c.SysProcAttr = &syscall.SysProcAttr{Setctty: true, Setsid: true} | |||
if c.SysProcAttr == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Waiting #1571 |
ff56f81
to
22bacd1
Compare
I'm really missing why the permissions aren't getting propagated correctly. |
Do you mean the BTW, we should not let the such consts scattered everywhere. |
7f5392c
to
712f57f
Compare
Ready for review. |
@jonboulle Thanks for the fix, LGTM. |
@yifan-gu go to sleep :) |
- Use umask(0) in store write operations to ensure permissions are propagated appropriately - Pass defaultPathPerm/defaultFilePerm through to disk - Remove unused const in rkt package
Evidently the LockOSThread approach is a disaster in go. However, the os/exec.Command struct does expose some ability to control the execution parameters via the SysProcAttr - and in particular the Credentials struct which (in principle) allows us to safely set the uid/gid for the execed rkt process.
|
||
// TODO(jonboulle): non-root user breaks trying to read root-written | ||
// config directories. Should be a better way to approach this. Should | ||
// config directories be readable by the rkt group too? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it should be readable by the rkt group. If we add the --auth
option mentioned in #1568 we can leave /etc/rkt/auth.d
as a place where shared credentials live and use --auth
for per-user credentials.
We can leave this here in the meantime.
LGTM except the issue mentioned aboved. Will be fixed on a follow-up |
tests: switch to using SysProcAttr for non-root
Evidently the LockOSThread approach is a disaster in go. However, the
os/exec.Command struct does expose some ability to control the execution
parameters via the SysProcAttr - and in particular the Credentials
struct which (in principle) allows us to safely set the uid/gid for the
execed rkt process.