From ccf1eec088352d3cd8255b64e6ad0a7f59a51cb2 Mon Sep 17 00:00:00 2001
From: steiler
Date: Mon, 6 Nov 2023 15:20:58 +0100
Subject: [PATCH 1/7] adjust labdir acls
---
 cmd/deploy.go | 10 ++++++++++
 go.mod | 1 +
 go.sum | 2 ++
 utils/file.go | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 64 insertions(+)
diff --git a/cmd/deploy.go b/cmd/deploy.go
index fded27c1a..353b5720b 100644
--- a/cmd/deploy.go
+++ b/cmd/deploy.go
@@ -156,6 +156,11 @@ func deployFn(_ *cobra.Command, _ []string) error {
 log.Info("Creating lab directory: ", c.TopoPaths.TopologyLabDir())
 utils.CreateDirectory(c.TopoPaths.TopologyLabDir(), 0755)
+ err = utils.AdjustACL(c.TopoPaths.TopologyLabDir())
+ if err != nil {
+ return err
+ }
+
 // create an empty ansible inventory file that will get populated later
 // we create it here first, so that bind mounts of ansible-inventory.yml file could work
 ansibleInvFPath := c.TopoPaths.AnsibleInventoryFileAbsPath()
@@ -306,6 +311,11 @@ func deployFn(_ *cobra.Command, _ []string) error {
 // log new version availability info if ready
 newVerNotification(vCh)
+ // err = utils.AdjustACL(c.TopoPaths.TopologyLabDir())
+ // if err != nil {
+ // return err
+ // }
+
 // print table summary
 return printContainerInspect(containers, deployFormat)
 }
diff --git a/go.mod b/go.mod
index 4559a3b39..1dfe58138 100644
--- a/go.mod
+++ b/go.mod
@@ -34,6 +34,7 @@ require (
 github.com/scrapli/scrapligo v1.2.0
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
+ github.com/steiler/acls v0.0.0-20231106135104-9c34ae82c793
 github.com/stretchr/testify v1.8.4
 github.com/tklauser/numcpus v0.6.1
 github.com/vishvananda/netlink v1.2.1-beta.2
diff --git a/go.sum b/go.sum
index b2227e95b..74174b585 100644
--- a/go.sum
+++ b/go.sum
@@ -2678,6 +2678,8 @@ github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5q
 github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 h1:lIOOHPEbXzO3vnmx2gok1Tfs31Q8GQqKLc8vVqyQq/I=
 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
+github.com/steiler/acls v0.0.0-20231106135104-9c34ae82c793 h1:lY8SggLL0JyttzcNEIRzbywKiKcIlVlF7ZPwTthG9eA=
+github.com/steiler/acls v0.0.0-20231106135104-9c34ae82c793/go.mod h1:kS9/GuHDS4t2YmY2ijbaK3m1iU4+BgRZS7GoDTC9BfY=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
diff --git a/utils/file.go b/utils/file.go
index 82e466d4d..beb4c41fa 100644
--- a/utils/file.go
+++ b/utils/file.go
@@ -18,8 +18,11 @@ import (
 "os/exec"
 "os/user"
 "path/filepath"
+ "strconv"
 "strings"
+ "github.com/steiler/acls"
+
 log "github.com/sirupsen/logrus"
 )
@@ -345,3 +348,51 @@ func NewHTTPClient() *http.Client {
 return &http.Client{Transport: tr}
 }
+
+func AdjustACL(fsPath string) error {
+
+ userId, isSet := os.LookupEnv("SUDO_UID")
+ if !isSet {
+ return fmt.Errorf("unable to adjust UID and GUI for %q. SUDO_UID not set", fsPath)
+ }
+ groupId, isSet := os.LookupEnv("SUDO_GID")
+ if !isSet {
+ return fmt.Errorf("unable to retrieve GID. will only adjust UID for %q", fsPath)
+ }
+
+ intUserId, err := strconv.Atoi(userId)
+ if err != nil {
+ return fmt.Errorf("unable to convert SUDO_UID %q to int", userId)
+ }
+ intGroupId, err := strconv.Atoi(groupId)
+ if err != nil {
+ return fmt.Errorf("unable to convert SUDO_GID %q to int", groupId)
+ }
+
+ // create a new ACL instance
+ a := &acls.ACL{}
+ // load the existing ACL entries of the PosixACLAccess type
+ err = a.Load(fsPath, acls.PosixACLAccess)
+ if err != nil {
+ return err
+ }
+
+ // add an entry for the group
+ err = a.AddEntry(acls.NewEntry(acls.TAG_ACL_GROUP, uint32(intGroupId), 7))
+ if err != nil {
+ return err
+ }
+
+ // add an entry for the User
+ err = a.AddEntry(acls.NewEntry(acls.TAG_ACL_USER, uint32(intUserId), 7))
+ if err != nil {
+ return err
+ }
+ // apply the ACL and return the error result
+ err = a.Apply(fsPath, acls.PosixACLAccess)
+ if err != nil {
+ return err
+ }
+ return a.Apply(fsPath, acls.PosixACLDefault)
+
+}
From cb7a68b6a9ccdeb2e10ae0cb21200d0e0cce612c Mon Sep 17 00:00:00 2001
From: steiler
Date: Mon, 6 Nov 2023 15:29:10 +0100
Subject: [PATCH 2/7] do not fail, but report error on ACL issues
---
 cmd/deploy.go | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/cmd/deploy.go b/cmd/deploy.go
index 353b5720b..cd732d30b 100644
--- a/cmd/deploy.go
+++ b/cmd/deploy.go
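Review bot: `strconv.Atoi` accepts negative and oversized values, so a SUDO_UID of `-1` parses successfully and `uint32(intUserId)` wraps it to 4294967295 before it is written into the ACL entry; the same holds for `intGroupId`. Parsing with `strconv.ParseUint(userId, 10, 32)` and `strconv.ParseUint(groupId, 10, 32)` rejects such values instead of remapping them, which matters because these two environment variables are the only input deciding which uid and gid are granted access to the lab directory. The Atoi-plus-cast pattern is kept unchanged by the rename in patch 6 (the `iUID`/`iGID` hunk). Separately, the SUDO_GID error `"unable to retrieve GID. will only adjust UID for %q"` does not describe what happens: the function returns at that point without adjusting anything, so either the text should say so or the code should continue and add only the user entry as the message promises.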
@@ -158,7 +158,7 @@ func deployFn(_ *cobra.Command, _ []string) error {
 err = utils.AdjustACL(c.TopoPaths.TopologyLabDir())
 if err != nil {
- return err
+ log.Errorf("error adjusting Labdir ACLs: %v", err)
 }
 // create an empty ansible inventory file that will get populated later
@@ -311,11 +311,6 @@ func deployFn(_ *cobra.Command, _ []string) error {
 // log new version availability info if ready
 newVerNotification(vCh)
- // err = utils.AdjustACL(c.TopoPaths.TopologyLabDir())
- // if err != nil {
- // return err
- // }
-
 // print table summary
 return printContainerInspect(containers, deployFormat)
 }
From aacf8d3721bf4957dcf5778ed764be2720540db2 Mon Sep 17 00:00:00 2001
From: steiler
Date: Mon, 6 Nov 2023 15:35:18 +0100
Subject: [PATCH 3/7] improve comments
---
 cmd/deploy.go | 5 +++--
 utils/file.go | 8 ++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/cmd/deploy.go b/cmd/deploy.go
index cd732d30b..bc0da10e6 100644
--- a/cmd/deploy.go
+++ b/cmd/deploy.go
@@ -155,10 +155,11 @@ func deployFn(_ *cobra.Command, _ []string) error {
 log.Info("Creating lab directory: ", c.TopoPaths.TopologyLabDir())
 utils.CreateDirectory(c.TopoPaths.TopologyLabDir(), 0755)
-
+ // adjust ACL for Labdir such that SUDO_UID Users will
+ // also have access to lab directory files
 err = utils.AdjustACL(c.TopoPaths.TopologyLabDir())
 if err != nil {
- log.Errorf("error adjusting Labdir ACLs: %v", err)
+ log.Infof("unable to adjusting Labdir ACLs: %v", err)
 }
 // create an empty ansible inventory file that will get populated later
diff --git a/utils/file.go b/utils/file.go
index beb4c41fa..1e0073258 100644
--- a/utils/file.go
+++ b/utils/file.go
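Review bot: In the patch 3 deploy.go hunk the ACL failure is now reported with `log.Infof`, the same level as the routine progress messages around it, although its consequence is that the invoking user may later hit permission-denied errors on files in the lab directory. Keeping the run best-effort is reasonable, but `log.Warnf("unable to adjust Labdir file ACLs: %v", err)` would make the degraded outcome stand out from normal output; patch 7 fixes the wording of this line but not the level. deployFn starts and ends outside the hunk.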
@@ -349,8 +349,11 @@ func NewHTTPClient() *http.Client {
 return &http.Client{Transport: tr}
 }
+// AdjustACL takes the given fs path, tries to load
+// the access acl of that path and adjusts it by adding
+// rwx for the SUDO_UID and r-x for the SUDO_GID group.
 func AdjustACL(fsPath string) error {
-
+ // load UID and GID from the env vars
 userId, isSet := os.LookupEnv("SUDO_UID")
 if !isSet {
 return fmt.Errorf("unable to adjust UID and GUI for %q. SUDO_UID not set", fsPath)
@@ -360,6 +363,7 @@ func AdjustACL(fsPath string) error {
 return fmt.Errorf("unable to retrieve GID. will only adjust UID for %q", fsPath)
 }
+ // convert string IDs to ints
 intUserId, err := strconv.Atoi(userId)
 if err != nil {
 return fmt.Errorf("unable to convert SUDO_UID %q to int", userId)
@@ -378,7 +382,7 @@ func AdjustACL(fsPath string) error {
 }
 // add an entry for the group
- err = a.AddEntry(acls.NewEntry(acls.TAG_ACL_GROUP, uint32(intGroupId), 7))
+ err = a.AddEntry(acls.NewEntry(acls.TAG_ACL_GROUP, uint32(intGroupId), 5))
 if err != nil {
 return err
 }
From 572289f43085c88f9f08346f9afed323eec5a571 Mon Sep 17 00:00:00 2001
From: steiler
Date: Mon, 6 Nov 2023 16:29:42 +0100
Subject: [PATCH 4/7] update acls dependency
---
 go.mod | 2 +-
 go.sum | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 1dfe58138..dfc3ebc8e 100644
--- a/go.mod
+++ b/go.mod
@@ -34,7 +34,7 @@ require (
 github.com/scrapli/scrapligo v1.2.0
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
- github.com/steiler/acls v0.0.0-20231106135104-9c34ae82c793
+ github.com/steiler/acls v0.0.0-20231106152733-bb3d5d7b05c8
 github.com/stretchr/testify v1.8.4
 github.com/tklauser/numcpus v0.6.1
 github.com/vishvananda/netlink v1.2.1-beta.2
diff --git a/go.sum b/go.sum
index 74174b585..25a1071d4 100644
--- a/go.sum
+++ b/go.sum
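Review bot: The new AdjustACL doc comment describes only the access ACL, but the function body (outside this hunk) also applies the same entries as the directory's default ACL via `a.Apply(fsPath, acls.PosixACLDefault)`, which a POSIX default ACL propagates to files and subdirectories created under the lab directory afterwards; that inheritance is what a reader needs to know before reusing the helper on another path. Suggest appending `// The entries are also applied as the default ACL of fsPath, so files created below it inherit them.` The rewritten comment for AdjustFileACLs in patch 6 has the same gap.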
@@ -2680,6 +2680,8 @@ github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 h1:lIOOH
 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
 github.com/steiler/acls v0.0.0-20231106135104-9c34ae82c793 h1:lY8SggLL0JyttzcNEIRzbywKiKcIlVlF7ZPwTthG9eA=
 github.com/steiler/acls v0.0.0-20231106135104-9c34ae82c793/go.mod h1:kS9/GuHDS4t2YmY2ijbaK3m1iU4+BgRZS7GoDTC9BfY=
+github.com/steiler/acls v0.0.0-20231106152733-bb3d5d7b05c8 h1:RqP82h2DREJxj7AJbT0k7z2Jye6lweij5s14PUHic1o=
+github.com/steiler/acls v0.0.0-20231106152733-bb3d5d7b05c8/go.mod h1:kS9/GuHDS4t2YmY2ijbaK3m1iU4+BgRZS7GoDTC9BfY=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
From db2d8462916d9854852d3bf8846bc7e40bdd313a Mon Sep 17 00:00:00 2001
From: steiler
Date: Mon, 6 Nov 2023 16:58:39 +0100
Subject: [PATCH 5/7] version github.com/steiler/acls
---
 go.mod | 2 +-
 go.sum | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index dfc3ebc8e..7b4e9136a 100644
--- a/go.mod
+++ b/go.mod
@@ -34,7 +34,7 @@ require (
 github.com/scrapli/scrapligo v1.2.0
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
- github.com/steiler/acls v0.0.0-20231106152733-bb3d5d7b05c8
+ github.com/steiler/acls v0.1.0
 github.com/stretchr/testify v1.8.4
 github.com/tklauser/numcpus v0.6.1
 github.com/vishvananda/netlink v1.2.1-beta.2
diff --git a/go.sum b/go.sum
index 25a1071d4..ab1797247 100644
--- a/go.sum
+++ b/go.sum
@@ -2682,6 +2682,8 @@ github.com/steiler/acls v0.0.0-20231106135104-9c34ae82c793 h1:lY8SggLL0JyttzcNEI
 github.com/steiler/acls v0.0.0-20231106135104-9c34ae82c793/go.mod h1:kS9/GuHDS4t2YmY2ijbaK3m1iU4+BgRZS7GoDTC9BfY=
 github.com/steiler/acls v0.0.0-20231106152733-bb3d5d7b05c8 h1:RqP82h2DREJxj7AJbT0k7z2Jye6lweij5s14PUHic1o=
 github.com/steiler/acls v0.0.0-20231106152733-bb3d5d7b05c8/go.mod h1:kS9/GuHDS4t2YmY2ijbaK3m1iU4+BgRZS7GoDTC9BfY=
+github.com/steiler/acls v0.1.0 h1:fKVnEJ7ebghq2Ed5N1cU9fZrCCRj4xVRPrP7OswaRX8=
+github.com/steiler/acls v0.1.0/go.mod h1:kS9/GuHDS4t2YmY2ijbaK3m1iU4+BgRZS7GoDTC9BfY=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
From a3e28b99486f579730d5f906738d00a0972216ab Mon Sep 17 00:00:00 2001
From: Roman Dodin
Date: Tue, 7 Nov 2023 19:34:16 +0200
Subject: [PATCH 6/7] var renaming :D
---
 cmd/deploy.go | 2 +-
 utils/file.go | 37 ++++++++++++++++++++++--------------
 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/cmd/deploy.go b/cmd/deploy.go
index bc0da10e6..551e7c06e 100644
--- a/cmd/deploy.go
+++ b/cmd/deploy.go
@@ -157,7 +157,7 @@ func deployFn(_ *cobra.Command, _ []string) error {
 utils.CreateDirectory(c.TopoPaths.TopologyLabDir(), 0755)
 // adjust ACL for Labdir such that SUDO_UID Users will
 // also have access to lab directory files
- err = utils.AdjustACL(c.TopoPaths.TopologyLabDir())
+ err = utils.AdjustFileACLs(c.TopoPaths.TopologyLabDir())
 if err != nil {
 log.Infof("unable to adjusting Labdir ACLs: %v", err)
 }
diff --git a/utils/file.go b/utils/file.go
index 1e0073258..9f29c6291 100644
--- a/utils/file.go
+++ b/utils/file.go
@@ -336,6 +336,8 @@ func FileLines(path, commentStr string) ([]string, error) {
 return lines, nil
 }
+// NewHTTPClient creates a new HTTP client with
+// insecure skip verify set to true and min TLS version set to 1.2.
 func NewHTTPClient() *http.Client {
 // set InsecureSkipVerify to true to allow fetching
 // files form servers with self-signed certificates
@@ -349,28 +351,32 @@ func NewHTTPClient() *http.Client {
 return &http.Client{Transport: tr}
 }
-// AdjustACL takes the given fs path, tries to load
-// the access acl of that path and adjusts it by adding
+// AdjustFileACLs takes the given fs path, tries to load
+// the access file acl of that path and adds ACL rules
 // rwx for the SUDO_UID and r-x for the SUDO_GID group.
-func AdjustACL(fsPath string) error {
- // load UID and GID from the env vars
- userId, isSet := os.LookupEnv("SUDO_UID")
+func AdjustFileACLs(fsPath string) error {
+ /// here we trust sudo to set up env variables
+ // a missing SUDO_UID env var indicates the root user
+ // runs clab without sudo
+ uid, isSet := os.LookupEnv("SUDO_UID")
 if !isSet {
- return fmt.Errorf("unable to adjust UID and GUI for %q. SUDO_UID not set", fsPath)
+ // nothing to do, already running as root
+ return nil
 }
- groupId, isSet := os.LookupEnv("SUDO_GID")
+
+ gid, isSet := os.LookupEnv("SUDO_GID")
 if !isSet {
 return fmt.Errorf("unable to retrieve GID. will only adjust UID for %q", fsPath)
 }
- // convert string IDs to ints
- intUserId, err := strconv.Atoi(userId)
+ iUID, err := strconv.Atoi(uid)
 if err != nil {
- return fmt.Errorf("unable to convert SUDO_UID %q to int", userId)
+ return fmt.Errorf("unable to convert SUDO_UID %q to int", uid)
 }
- intGroupId, err := strconv.Atoi(groupId)
+
+ iGID, err := strconv.Atoi(gid)
 if err != nil {
- return fmt.Errorf("unable to convert SUDO_GID %q to int", groupId)
+ return fmt.Errorf("unable to convert SUDO_GID %q to int", gid)
 }
 // create a new ACL instance
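Review bot: The new NewHTTPClient doc comment names the InsecureSkipVerify setting but not what it means for callers: the returned client accepts any server certificate, so TLS still encrypts the transport but does not authenticate the peer. Stating that explicitly keeps the client from being reused for fetches whose integrity matters, e.g. `// The returned client skips server certificate verification; callers must not rely on it to authenticate the remote host.` The function body continues outside the hunk.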
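Review bot: The `///` on the first body comment of AdjustFileACLs is a typo for `//`, and the comment's claim that a missing SUDO_UID means root runs clab without sudo covers only one case: any invocation not started through sudo leaves the variable unset, and the early `return nil` is presumably right for all of them because the invoking user then already owns the directory it just created. Suggest `// here we trust sudo to set up the env variables; a missing SUDO_UID means clab was not started via sudo, so the invoking user already owns the lab directory and no ACL adjustment is needed`. The SUDO_GID branch still returns `"unable to retrieve GID. will only adjust UID for %q"` without adjusting anything, which this rewrite leaves in place. The function body continues outside the hunk.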
@@ -382,21 +388,22 @@ func AdjustACL(fsPath string) error {
 }
 // add an entry for the group
- err = a.AddEntry(acls.NewEntry(acls.TAG_ACL_GROUP, uint32(intGroupId), 5))
+ err = a.AddEntry(acls.NewEntry(acls.TAG_ACL_GROUP, uint32(iGID), 5))
 if err != nil {
 return err
 }
 // add an entry for the User
- err = a.AddEntry(acls.NewEntry(acls.TAG_ACL_USER, uint32(intUserId), 7))
+ err = a.AddEntry(acls.NewEntry(acls.TAG_ACL_USER, uint32(iUID), 7))
 if err != nil {
 return err
 }
+
 // apply the ACL and return the error result
 err = a.Apply(fsPath, acls.PosixACLAccess)
 if err != nil {
 return err
 }
- return a.Apply(fsPath, acls.PosixACLDefault)
+ return a.Apply(fsPath, acls.PosixACLDefault)
 }
From 3df5ccf53f274bb532c30fcf4785cba0db6ac9c2 Mon Sep 17 00:00:00 2001
From: Roman Dodin
Date: Tue, 7 Nov 2023 19:36:29 +0200
Subject: [PATCH 7/7] fix comment
---
 cmd/deploy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/deploy.go b/cmd/deploy.go
index 551e7c06e..4936b6d87 100644
--- a/cmd/deploy.go
+++ b/cmd/deploy.go
@@ -159,7 +159,7 @@ func deployFn(_ *cobra.Command, _ []string) error {
 // also have access to lab directory files
 err = utils.AdjustFileACLs(c.TopoPaths.TopologyLabDir())
 if err != nil {
- log.Infof("unable to adjusting Labdir ACLs: %v", err)
+ log.Infof("unable to adjust Labdir file ACLs: %v", err)
 }
 // create an empty ansible inventory file that will get populated later