interfaces/{default,account-control}: Use username/group instead of uid/gid #3805
Conversation
jdstrand added some commits Aug 24, 2017
| @@ -60,8 +60,8 @@ capability fsetid, | ||
| const accountControlConnectedPlugSecComp = ` | ||
| # useradd requires chowning to 'shadow' | ||
| # TODO: dynamically determine the shadow gid to support alternate cores | ||
| -fchown - 0 42 | ||
| -fchown32 - 0 42 | ||
| +fchown - root shadow |
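Review bot: the `# TODO: dynamically determine the shadow gid to support alternate cores` comment kept right above the new rule is now misleading: with `fchown - root shadow` the gid is resolved from the name when the profile is compiled, so either drop the TODO or reword it to say where that resolution happens (the host's /etc/group versus the core snap's, which is exactly the question raised in the review below). Also, both `fchown - 0 42` and `fchown32 - 0 42` are removed in this hunk but only the `fchown` replacement is visible in this excerpt; make sure `fchown32` gets the matching `fchown32 - root shadow` line, otherwise the 32-bit variant is silently dropped.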
zyga
Aug 25, 2017
Contributor
Interestingly, this will start failing unless user lookup is done inside the mount namespace with /etc/group from the core snap. On my suse box I see this:
cat /etc/group | grep shadow
shadow:x:15:
But compare with:
cat /snap/core/current/etc/group | grep shadow
shadow:x:42:
So -1 unless we ensure this is done correctly.
jdstrand
Aug 25, 2017
Contributor
But on classic /etc is the /etc from the host, not the core snap, so we should always have the same uid/gid (in fact, this change is precisely to address the issue with suse and us hardcoding 42).
That said, I'll need to look at the testsuite to fix TestCompile on suse.
zyga
Aug 25, 2017
Contributor
At runtime, a strictly confined snap will fail to chown shadow ... because shadow will resolve to 42 but the generated seccomp profile, compiled from the "outside" will allow 15. What am I missing in my reasoning?
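The host-versus-core mismatch zyga describes above, as an added example (this is not code from the PR, from snapd or from any of the commenters). It resolves a group name against an explicit group(5) database body instead of the host's NSS, so the same lookup can be pointed at the host's /etc/group or at the core snap's; the two sample databases are constructed, with the shadow gids 15 and 42 taken from the thread, and the name-validation regexp and the helper names are assumptions, not snapd's.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample group(5) databases. hostGroupFile stands in for the
// openSUSE host's /etc/group and coreGroupFile for /snap/core/current/etc/group,
// with the shadow gids (15 and 42) taken from the thread above.
const hostGroupFile = `root:x:0:
shadow:x:15:
users:x:100:
`

const coreGroupFile = `root:x:0:
shadow:x:42:
systemd-journal:x:101:
`

// userGroupNamePattern is an assumed stand-in for the name check the patch
// performs before looking a name up; the exact expression is not from snapd.
var userGroupNamePattern = regexp.MustCompile(`^[a-z_][a-z0-9_-]*[$]?$`)

// lookupGid resolves a group name against an explicit group(5) database body
// rather than the host's NSS (getgrnam_r). Taking the database as input is
// what makes it possible to resolve against the core snap's /etc/group
// instead of the host's.
func lookupGid(groupDB, name string) (uint64, error) {
	if !userGroupNamePattern.MatchString(name) {
		return 0, fmt.Errorf("%q must be a valid group name", name)
	}
	sc := bufio.NewScanner(strings.NewReader(groupDB))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// group(5): name:password:gid:member-list
		fields := strings.Split(line, ":")
		if len(fields) < 3 || fields[0] != name {
			continue
		}
		return strconv.ParseUint(fields[2], 10, 64)
	}
	return 0, fmt.Errorf("group %q not found", name)
}

// compileFchownRule turns the name-based rule from the hunk ("fchown - root
// shadow") into the numeric form a seccomp filter needs, resolving "shadow"
// against groupDB. root is hard-wired to 0 because only the group side
// differs between the two databases in this example.
func compileFchownRule(syscall, groupDB string) (string, error) {
	gid, err := lookupGid(groupDB, "shadow")
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s - 0 %d", syscall, gid), nil
}

// hostCoreMismatch reports whether compiling the profile against the host's
// database yields a different shadow gid than the core snap's, i.e. whether a
// strictly confined snap chowning to "shadow" at runtime would be denied.
func hostCoreMismatch(hostDB, coreDB string) (bool, error) {
	h, err := lookupGid(hostDB, "shadow")
	if err != nil {
		return false, err
	}
	c, err := lookupGid(coreDB, "shadow")
	if err != nil {
		return false, err
	}
	return h != c, nil
}

func main() {
	for _, db := range []struct{ name, data string }{
		{"host /etc/group", hostGroupFile},
		{"core snap /etc/group", coreGroupFile},
	} {
		rule, err := compileFchownRule("fchown", db.data)
		if err != nil {
			fmt.Println(db.name, "error:", err)
			continue
		}
		fmt.Printf("%-22s -> %s\n", db.name, rule)
	}
	mismatch, _ := hostCoreMismatch(hostGroupFile, coreGroupFile)
	fmt.Println("host/core gid mismatch:", mismatch)
}
```

Compiling against the host database yields `fchown - 0 15`, against the core snap's `fchown - 0 42`; a filter compiled on the host and enforced inside the core-based mount namespace would therefore deny the chown, which is the failure mode under discussion. The fix direction the thread converges on is to perform the lookup against the database the confined process actually sees.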
zyga dismissed their stale review Aug 25, 2017
I'm re-considering my review after discussion on IRC
jdstrand referenced this pull request Aug 25, 2017
Merged
cmd/snap-seccomp: support parsing 'u:' and 'g:' for username and groups #3804
mvo5 and others added some commits Aug 25, 2017
codecov-io commented Aug 25, 2017
Codecov Report
@@ Coverage Diff @@
## master #3805 +/- ##
==========================================
- Coverage 75.81% 75.69% -0.13%
==========================================
Files 402 407 +5
Lines 34793 35185 +392
==========================================
+ Hits 26380 26634 +254
- Misses 6540 6668 +128
- Partials 1873 1883 +10
Continue to review full report at Codecov.
jdstrand added some commits Aug 25, 2017
mvo5 approved these changes Aug 28, 2017
Nice work! One question inline but only because I'm curious, no blocker in any sense.
| @@ -135,6 +136,11 @@ package main | ||
| // return htobe64(val); | ||
| //} | ||
| // | ||
| +//static int mygetgrnam_r(const char *name, struct group *grp,char *buf, |
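Review bot: the new `mygetgrnam_r` wrapper in the cgo preamble carries no comment explaining why a wrapper is needed instead of calling getgrnam_r directly, and the very next question in this review is exactly that. Add a one-line comment above the `//static int mygetgrnam_r(const char *name, struct group *grp, ...` declaration stating its origin (the author says below that it is copied from upstream Go's user lookup code, which this is meant to be swapped out for once user.LookupGroup lands) so the next reader does not have to dig through #3804 for the rationale.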
mvo5
Aug 28, 2017
Collaborator
Curious, why do we need this wrapper? Doesn't cgo find getgrnam_r without it? From a quick test (on amd64/zesty only) it seems there is no harm when I remove it.
jdstrand
Aug 29, 2017
Contributor
@mvo5 - again, I literally copied this from upstream's golang code. I did not analyze it extensively or try to improve it because I felt it important to have it operate exactly like upstream when we switch over. If people want me to reimplement this, I can, but I'm not sure I see the benefit because we'll lose all that when we switch over. user.Lookup already exists, user.LookupGroup does not yet, but it will.
mvo5
Aug 29, 2017
Collaborator
Thanks for this explanation. Sorry, I was not aware that you answered this already :)
jdstrand
Aug 29, 2017
Contributor
@mvo5 - well, the 'again' wasn't so much for this portion, but for other parts, but the rationale was the same in my head. Plus that happened in 3804 (which this is based off of), so easy to miss. :)
niemeyer changed the title Aug 28, 2017
from: interfaces/default,account-control: don't hardcode uid and gid. Use username and group instead
to: interfaces/{default,account-control}: Use username/group instead of uid/gid
chipaca approved these changes Aug 29, 2017
generally LGTM; a couple of nits and a wrongly-named (and placed) testing function.
| + | ||
| +func findUid(username string) (uint64, error) { | ||
| + if !userGroupNamePattern.MatchString(username) { | ||
| + return 0, fmt.Errorf("\"%s\" must be a valid username", username) |
| + | ||
| +func findGid(group string) (uint64, error) { | ||
| + if !userGroupNamePattern.MatchString(group) { | ||
| + return 0, fmt.Errorf("\"%s\" must be a valid group name", group) |
| + return strconv.ParseUint(group, 10, 64) | ||
| +} | ||
| + | ||
| +func MockFindGid(group string) (uint64, error) { |
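Review bot: `MockFindGid` is a test-only helper placed in non-test code of package main, so it gets compiled into the snap-seccomp binary; move it to an `export_test.go` file next to the tests that need it (the review above also flags the name, so pick the one the tests actually use). A smaller style point in the same region: `findUid` and `findGid` build their error messages with `"\"%s\" must be a valid username"`, where `%q` gives the same quoting, escapes awkward input and reads cleaner.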
jdstrand
Aug 29, 2017
Contributor
Discussed on IRC. I was having trouble with accessing findGid from the tests but I've fixed that. Thanks for the review! :)
jdstrand added some commits Aug 29, 2017
mvo5 merged commit 43f6287 into snapcore:master Aug 30, 2017
4 of 7 checks passed
Thanks for the reviews! :)
jdstrand commented Aug 24, 2017
This is branched off #3804.