-
-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[fix] permissions on install #4695
Conversation
tests failures related to #4694 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could the formatting and the actual fix be splitt into two separate PRs? Also there are two POM files where the version is still not updated (I created a separate PR #4696 for this issue)
exist-core/src/main/java/org/exist/security/AbstractUnixStylePermission.java
Outdated
Show resolved
Hide resolved
836d238
to
523be46
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no idea :-=) 😵💫
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not totally sure if this is the needed solution, but the test coverage will improve here.
This method will add the executable flag to the given mode for - the owner - the group, if the group has read or write access - others, if they have read or write access
Reformatted code (with intelliJ defaults), removed unused variables.
Deployment.setPermissions now calls UnixStylePermission.safeSetExecutable instead of setting them always to world executable.
9efc399
to
ea72991
Compare
We really should not do this. This sets things executable that it is the responsibility of the user or package maintainer to do. We cannot and should not assume that things should just be set executable for convenience. |
@adamretter What do you mean by "we should not do this"? Keep it as it is? |
No my preference would be to remove the security problem that was added where it should never have been added, i.e. this comment of mine: mode = mode | 0111; //TODO(AR) Whoever did this - this is a really bad idea. You are circumventing the security of the system |
Kudos, SonarCloud Quality Gate passed! |
Sorry, I could not find a solution there. I provide one which might not be your preferred solution but removing this line will break more than it solves. |
@adamretter how would you remove this security problem in your opinion? Remove that line completely in the next major version and document as such? |
That is not a viable solution @adamretter @reinhapa |
@line-o What exactly is not a viable solution? Do not touch any access settings? From the discussion in the last community talk I thought, that this code is only executed on installation time... So from that point of view, that change would only have an impact if you install new XARs that have improper security definitions. Or do I not get the point here? |
There is no other way to set collections as executable on installation by default. The same is true for XQuery scripts. |
So you mean there is no way to define the according access definition with a XAR file? Is this what you are trying to say? In that case I would propose to extend the XAR API in order to support the access settings and only using the existing fallback method if no explicit definition is available to support backwards compatibility then... |
@reinhapa let me reiterate: case 1: a XAR without any application specific permissions set in repo.xml case 2: a XAR with a permission element in repo.xml Having both collections and xquery scripts executable for database users who can also read or write the same resource is reasonable. It must be possible in a straightforward way for the vast majority of users of our platform to end up with a working application. Any other solution must provide this path. |
I agree, having fine-grained control over permissions at installation time is the way forward. But this will take time to introduce as we have not even started yet discussing it and is clearly out of scope of this PR. This fallback should still then use If we keep this preferably declarative permissions setting logic within repo.xml this can be done without having to change the expath packaging standard. I can open a feature-request in the following days so that we do not forget about it again. |
During last week and this week's Community Call, we discussed eXist's current behavior and what this PR changes. We understand that this PR is very narrow in focus. It does not break existing packages. It only gives package creators a new ability to control the "executable" flag on collections and XQuery files via the repo.xml. If packages don't specify this (i.e., any existing package), permissions will fall back on the defaults specified in conf.xml. These defaults align with what's hardcoded for package installation now. So effectively this doesn't change the current defaults. We concluded that the PR is acceptable. The only thing remaining is that the existing documentation should be surveyed for necessary edits / expansion. |
Description:
Xquery modules and collections have to be set as executable on installation if the mode set in conf.xml or in the permission element in repo.xml does not set it. With this PR applied this will be limited to the owner if the group or others cannot read or write the resource or collection.
Reference:
refs #4686
Completes a TODO in the code.
Type of tests:
Junit-Tests