New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ostree commit: Add option --use-bare-user-xattrs #1678
base: main
Are you sure you want to change the base?
Conversation
Yeah. For gnome-continuous I basically ended up maintaining the set of non-root or setuid things out of band. What happens with rpm-ostree is pretty similar; the canonical permissions are maintained in the RPM spec Did you evaluate just how many packages/components/sources have non-root-owned files or setuid files? I suspect it's similar. Anyways, let me see if I understand this bug correctly - your patched version of Offhand...I feel like we could probably just make this the default - if we detect a |
I've not looked into this explicitly. I'm installing stock Ubuntu 14.04 and 16.04 using
Exactly
I can't think of any use-case, I implemented it this way because I thought the change of behaviour would be more acceptable if it we're behind an explicit option. I'd be happy to make it the default. One open question then would be how to deal with files that don't have I've just pushed two more commits that:
I'm not sure what you think of these ideas? |
We perform usrmerge on a package-by-package basis. We check the package out, merge `bin`, `lib` and `sbin` into `usr` and setup symlinks and then check it back in again. We use `--devino-canonical` so the permissions and ownership of the files are not modified when checking back in. The same doesn't apply to the directories which would be set to be owned by the UID/GID of the current user. This commit fixes that resetting the ownership of all directories to root:root. This isn't the ideal, but fixing that will require merging ostreedev/ostree#1678 .
☔ The latest upstream changes (presumably 1c0933b) made this pull request unmergeable. Please resolve the merge conflicts. |
27ae866
to
1f508e3
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: wmanley The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Rather than static. This way I can use it from `ostree-repo-commit.c`.
This speeds up iterating on fixing code.
1f508e3
to
9018800
Compare
For our build-system we have a [patched version of `fakeroot`][1] which understands the `user.ostreemeta` xattr. It's intended for use with `ostree checkout --user-mode --require-hardlinks`. When programs are run with `LD_PRELOAD=libfakeroot...` they see the ownership and permissions that ostree understands, rather than the real ones. Our build system mostly consists of calls to: ostree checkout --user-mode --require-hardlinks $COMMIT root LD_PRELOAD=fakeroot <make some changes> ostree commit --tree=dir=root --link-checkout-speedup --devino-canonical in the past this seemed to work fine but at some point I started losing the setuid bit on `sudo`. I suspect the previous behaviour was a bug, possibly fixed in ostreedev#1170 (8fe4536). This commit makes the `ostreemeta` preserving behaviour explicit. If the user.ostreemeta xattr doesn't exist the file is given the sensible default uid/gid of 0:0. `--use-bare-user-xattrs` will currently be ignored when loading a commit from a tarball. This can be fixed in the future if there's any demand for it. [1]: https://github.com/stb-tester/fakeroot/tree/ostree
9018800
to
3e7137b
Compare
This is consistent with the files hard-link checked out in the same mode.
3e7137b
to
a9ca968
Compare
/test sanity |
@wmanley: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I've rebased this and reworked it a bit fixing the xattrs in xattrs case. It's a bit more general than before because it shares the xattr loading code with I seem to have lost the ability to get the bot to do my bidding. I guess that's related to my name being commented out in OWNERS:
@cgwalters: What is affiliation in this context?, and how does one make it public? /assign @pwithnall |
The bot needs to know you're a member of the organization. (Plus, you can think of it like collecting flair! ) |
Great, thanks. Let's give it a go: /test sanity
😄 |
I've made my affiliation public now thanks to @cgwalters: ostreedev#1678 (comment)
@wmanley: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@wmanley: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
For our build-system we have a patched version of
fakeroot
whichunderstands the
user.ostreemeta
xattr. It's intended for use withostree checkout --user-mode --require-hardlinks
. When programs are runwith
LD_PRELOAD=libfakeroot...
they see the ownership and permissionsthat ostree understands, rather than the real ones.
Our build system mostly consists of calls to:
in the past this seemed to work fine but at some point I started losing the
setuid bit on
sudo
. I suspect the previous behaviour was a bug. Thiscommit makes the
ostreemeta
preserving behaviour explicit.--use-bare-user-xattrs
will currently be ignored when loading a commitfrom a tarball. This can be fixed in the future.
I originally considered implementing this inside
_ostree_repo_commit_modifier_apply
but we don't have access to the file fd to retrieve the xattrs from in there. I considered usingg_file_info_get_attribute_data (info, "xattr::ostreemeta", ...)
but it GLib has no way of retrieving an attribute that may contain embedded NULs.This may need a little bit more work (see TODO list below) but I wanted to raise it sooner rather than later to receive feedback.
I'm not super happy with the name
TODO: