osutil: more create-user fixes #1651

Merged
merged 9 commits into from Aug 10, 2016

Conversation

Projects
None yet
4 participants
Contributor

mwhudson commented Aug 9, 2016

Plans meet reality etc.

mwhudson added some commits Aug 9, 2016

Contributor

snappy-m-o commented Aug 9, 2016

Can one of the admins verify this patch?

Contributor

snappy-m-o commented Aug 9, 2016

Can one of the admins verify this patch?

Collaborator

mvo5 commented Aug 9, 2016

whitelist this please

osutil/user.go
@@ -66,6 +70,11 @@ func AddExtraSudoUser(name string, sshKeys []string, gecos string) error {
return fmt.Errorf("cannot write %s: %s", authKeys, err)
}
+ cmd = exec.Command("chown", "-R", u.Uid+":"+u.Gid, sshDir)
@mvo5

mvo5 Aug 9, 2016

Collaborator

Thanks, good catch!

@niemeyer

niemeyer Aug 9, 2016

Contributor

We have MkdirAllChown in this package.

@niemeyer

niemeyer Aug 9, 2016

Contributor

Can we use MkdirAllChown and AtomicWriteFileChown instead?

@mwhudson

mwhudson Aug 10, 2016

Contributor

Yeah, probably better.

@@ -46,12 +46,16 @@ func AddExtraSudoUser(name string, sshKeys []string, gecos string) error {
"--gecos", gecos,
"--extrausers",
"--disabled-password",
- "--add_extra_groups", "sudo",
@mvo5

mvo5 Aug 9, 2016

Collaborator

adduser is a bit disappointing here. Thanks for fixing it.

Collaborator

mvo5 commented Aug 9, 2016

👍

Collaborator

mvo5 commented Aug 9, 2016

add to whitelist

Contributor

mwhudson commented Aug 9, 2016

The test is failing because adduser --extrausers $user $group doesn't actually take any notice of the --extrausers flag, and I don't see an obvious way of doing that command. The alternative is to drop a file in /etc/sudoers.d I guess...

osutil/user.go
name)
if output, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf("adduser failed with %s: %s", err, output)
}
+ cmd = exec.Command("adduser", "--extrausers", name, "sudo")
@niemeyer

niemeyer Aug 9, 2016

Contributor

usermod -a -G sudo <name>

@mwhudson

mwhudson Aug 9, 2016

Contributor

Nope, that doesn't work either.

Contributor

mwhudson commented Aug 9, 2016

I think it's possible that libnss-extrausers just doesn't support supplementary groups. But I'm hardly sure of that at this point.

Contributor

niemeyer commented Aug 9, 2016

Tests are failing because the code has --extrausers and the mock doesn't.

Can we have a spread tests for this as well? Given the amount of blind fiddling with options going on there it'd be nice to have an actual test that ensure this is working.

Contributor

mwhudson commented Aug 9, 2016

There is an integration test for this, but I guess a spread test would be better. But I can't make this work by hand locally so I don't know what to put in the code at this point...

Contributor

niemeyer commented Aug 9, 2016

What's the issue?

Contributor

niemeyer commented Aug 9, 2016

Or rather, what specifically is not working?

@niemeyer niemeyer changed the title from More create-user fixes to osutil: more create-user fixes Aug 9, 2016

Contributor

mwhudson commented Aug 9, 2016

Ah (on stopping to think a bit about how the files work), the issue is that there is no way for an user only present in /var/lib/extrausers to be added to a group that's present in /etc/group without editing the /etc/group file, which we can't do. So I think the only thing we can do is dropping a file in /etc/sudoers.d.

mwhudson added some commits Aug 9, 2016

osutil/user.go
name)
if output, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf("adduser failed with %s: %s", err, output)
}
+ sudoersFile := filepath.Join(sudoersDotD, "create-user-"+name)
@niemeyer

niemeyer Aug 9, 2016

Contributor
# This will cause sudo to read and parse any files in the /etc/sudoers.d 
# directory that do not end in '~' or contain a '.' character.
@mwhudson

mwhudson Aug 10, 2016

Contributor

Ah good point. ~ is not permitted anyway but . is. I could replace . with some other character but it would have to not be one of the permitted characters or we could get collisions. : or , or something I guess...

osutil/user.go
name)
if output, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf("adduser failed with %s: %s", err, output)
}
+ sudoersFile := filepath.Join(sudoersDotD, "create-user-"+name)
+ if err := AtomicWriteFile(sudoersFile, []byte(fmt.Sprintf(sudoersTemplate, name)), 0400, 0); err != nil {
+ return fmt.Errorf("creating sudoers fragment failed with %s", err)
@niemeyer

niemeyer Aug 9, 2016

Contributor

"cannot create file under sudoers.d: %s"

Contributor

niemeyer commented Aug 9, 2016

LGTM with these details fixed.

@niemeyer niemeyer added the Reviewed label Aug 9, 2016

mwhudson added some commits Aug 10, 2016

@@ -60,30 +60,35 @@ func AddExtraSudoUser(name string, sshKeys []string, gecos string) error {
return fmt.Errorf("adduser failed with %s: %s", err, output)
}
- sudoersFile := filepath.Join(sudoersDotD, "create-user-"+name)
+ sudoersFile := filepath.Join(sudoersDotD, "create-user-"+strings.Replace(name, ".", ",", -1))
@niemeyer

niemeyer Aug 10, 2016

Contributor

Comma reads incorrectly for me. It feels like two independent things, rather than an escaping sequence.

Let's please use %2E to escape the dot, which should work fine since % is disallowed too.

This also gives us a good pattern to fix further cases, if we find them.

@niemeyer

niemeyer Aug 10, 2016

Contributor

(s/46/2E/.. should be hex)

@niemeyer

niemeyer Aug 10, 2016

Contributor

s/2e/2E/ too.. both should work, but the uppercasing creates a nice visual distinction since we're only allowing lowercase letters in the username.

@niemeyer niemeyer merged commit ebb0355 into snapcore:master Aug 10, 2016

3 checks passed

Integration tests Success
Details
autopkgtest Success
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment