NSFS | Unset supplemental groups of the endpoint & tests improvements #7256

Merged
merged 1 commit into from
Apr 23, 2023

romayalon
Contributor

@romayalon romayalon commented Apr 2, 2023

Explain the changes

  1. Unset supplemental groups of the endpoint when switching user in fs_napi threads. (Opened a gap in order to support user's supplemental groups). This change was needed only in os_linux and was not needed in os_darwin. According to https://www.unix.com/man-page/osx/2/pthread_setugid_np/ the library call that was used to switch the uid & gid also clears the supplementary groups.
  2. Root permissions tests - Added root user flag and moved it to makefile instead of running it using docker run command.
  3. Added new test_nsfs_access.js file unit tests
  4. Closed unclosed fd in tests and some other test cleanups

More details about the issue that caused this to happen:

  1. A user in Linux, besides having a uid and gid, also has “supplemental groups”;
    gid is the user’s primary group, but he can be a part of other groups.
  2. So we started seeing that every user can access folders/files created by gid 0.
    The reason for it is that in switch user we switched only the uid and gid, but we also needed to unset the supplemental groups (which was always 0). Since we didn’t do it, we started seeing that other users can access root’s folders.

Issues: Fixed #xxx / Gap #xxx

Testing Instructions:

  • Doc added/updated
  • Tests added

@romayalon romayalon force-pushed the romy-nsfs-ver-refactor1 branch 3 times, most recently from 7ec3b30 to 0283449 Compare April 20, 2023 15:28
@romayalon romayalon marked this pull request as ready for review April 20, 2023 15:34
@romayalon romayalon changed the title Draft | tests improvements NSFS | Unset supplemental groups of the endpoint & tests improvements Apr 20, 2023
@romayalon romayalon force-pushed the romy-nsfs-ver-refactor1 branch 2 times, most recently from ec21d1b to 6562f28 Compare April 23, 2023 08:20
Signed-off-by: Romy <romy2232@gmail.com>
@romayalon romayalon merged commit d3091b6 into noobaa:master Apr 23, 2023
5 checks passed
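The access problem described in this PR, as an added example that is not the project's code: a simplified model of the POSIX owner/group/other check, showing why a thread that changes only uid and gid still passes the group check on files owned by gid 0. The `struct cred` type, the function names and the uid/gid 1000 account are hypothetical; the model ignores capabilities and ACLs and makes no system calls.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define MAX_GROUPS 16

/* Model of the identity a worker thread carries (hypothetical type). */
struct cred {
    uid_t uid;
    gid_t gid;
    size_t ngroups;
    gid_t groups[MAX_GROUPS];   /* supplementary groups */
};

/* Simplified POSIX class selection: owner, then group, then other. */
static bool may_access(const struct cred *c, uid_t f_uid, gid_t f_gid,
                       mode_t mode, mode_t want /* rwx bits, 0..7 */)
{
    if (c->uid == 0) return true;             /* root bypass, capabilities ignored */
    if (c->uid == f_uid) return ((mode >> 6) & want) == want;
    bool in_group = (c->gid == f_gid);
    for (size_t i = 0; i < c->ngroups && !in_group; i++)
        in_group = (c->groups[i] == f_gid);   /* supplementary groups count too */
    if (in_group) return ((mode >> 3) & want) == want;
    return (mode & want) == want;
}

/* Before the fix: only uid and gid change, the endpoint's groups stay. */
static void switch_user_uid_gid_only(struct cred *c, uid_t uid, gid_t gid)
{
    c->uid = uid;
    c->gid = gid;
}

/* After the fix: the supplementary group list is emptied as well. */
static void switch_user_drop_groups(struct cred *c, uid_t uid, gid_t gid)
{
    c->ngroups = 0;
    c->uid = uid;
    c->gid = gid;
}

/* Constructed case: endpoint runs as root with supplementary group 0. */
static struct cred endpoint_cred(void)
{
    struct cred c = { .uid = 0, .gid = 0, .ngroups = 1, .groups = { 0 } };
    return c;
}
```

With a root:root directory of mode 0770, the uid/gid-only switch to 1000:1000 is still granted access through the leftover group 0, while the switch that empties the list falls through to the "other" bits and is denied.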