* [PATCH] ci: make vm_start logs readable by all users
@ 2021-12-23 5:57 Uladzimir Bely
2022-01-04 19:58 ` Henning Schild
0 siblings, 1 reply; 5+ messages in thread
From: Uladzimir Bely @ 2021-12-23 5:57 UTC (permalink / raw)
To: isar-users
This changes permissions for ${BUILD_DIR}/vm_start_.*_log.txt from 600
to 644 to make them readable not only for jenkins user.
Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
---
testsuite/vm_boot_test/vm_boot_test.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/testsuite/vm_boot_test/vm_boot_test.py b/testsuite/vm_boot_test/vm_boot_test.py
index 01623c5c..69e7f4ae 100644
--- a/testsuite/vm_boot_test/vm_boot_test.py
+++ b/testsuite/vm_boot_test/vm_boot_test.py
@@ -46,6 +46,7 @@ class VmBase(Test):
fd, output_file = tempfile.mkstemp(suffix='_log.txt',
prefix='vm_start_' + distro + '_' +
arch + '_', dir=build_dir, text=True)
+ os.chmod(output_file, 0o644)
cmdline = start_vm.format_qemu_cmdline(arch, build_dir, distro,
output_file, None)
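Review bot: the added os.chmod(output_file, 0o644) goes through the path although mkstemp() has just returned an open descriptor in fd. os.fchmod(fd, 0o644) would set the mode on exactly the file that was created and avoids a second path lookup in build_dir. The line also makes the VM boot log world-readable with no comment. A one-line comment saying that mkstemp() creates the file 0600 and that the log must be readable by users other than the one running the tests would keep a later cleanup from dropping it.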
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ci: make vm_start logs readable by all users
2021-12-23 5:57 [PATCH] ci: make vm_start logs readable by all users Uladzimir Bely
@ 2022-01-04 19:58 ` Henning Schild
2022-01-10 12:50 ` Uladzimir Bely
0 siblings, 1 reply; 5+ messages in thread
From: Henning Schild @ 2022-01-04 19:58 UTC (permalink / raw)
To: Uladzimir Bely; +Cc: isar-users
On Thu, 23 Dec 2021 06:57:20 +0100
Uladzimir Bely <ubely@ilbers.de> wrote:
> This changes permissions for ${BUILD_DIR}/vm_start_.*_log.txt from 600
> to 644 to make them readable not only for jenkins user.
not everybody uses jenkins ... make it "CI user"
> Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
> ---
> testsuite/vm_boot_test/vm_boot_test.py | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/testsuite/vm_boot_test/vm_boot_test.py
> b/testsuite/vm_boot_test/vm_boot_test.py index 01623c5c..69e7f4ae
> 100644 --- a/testsuite/vm_boot_test/vm_boot_test.py
> +++ b/testsuite/vm_boot_test/vm_boot_test.py
> @@ -46,6 +46,7 @@ class VmBase(Test):
> fd, output_file = tempfile.mkstemp(suffix='_log.txt',
> prefix='vm_start_' +
> distro + '_' + arch + '_', dir=build_dir, text=True)
> + os.chmod(output_file, 0o644)
This smells like other output files could also have wrong permissions
while being relevant.
If that might be the case, maybe centrally adjust umask for all of the
testsuite.
Henning
> cmdline = start_vm.format_qemu_cmdline(arch, build_dir,
> distro, output_file, None)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ci: make vm_start logs readable by all users
2022-01-04 19:58 ` Henning Schild
@ 2022-01-10 12:50 ` Uladzimir Bely
2022-01-10 13:32 ` Henning Schild
0 siblings, 1 reply; 5+ messages in thread
From: Uladzimir Bely @ 2022-01-10 12:50 UTC (permalink / raw)
To: Henning Schild; +Cc: isar-users
In mail from Tuesday, 4 January 2022, 22:58:39 +03 user Henning Schild wrote:
> On Thu, 23 Dec 2021 06:57:20 +0100
>
> Uladzimir Bely <ubely@ilbers.de> wrote:
> > This changes permissions for ${BUILD_DIR}/vm_start_.*_log.txt from 600
> > to 644 to make them readable not only for jenkins user.
>
> not everybody uses jenkins ... make it "CI user"
>
OK.
> > Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
> > ---
> >
> > testsuite/vm_boot_test/vm_boot_test.py | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/testsuite/vm_boot_test/vm_boot_test.py
> > b/testsuite/vm_boot_test/vm_boot_test.py index 01623c5c..69e7f4ae
> > 100644 --- a/testsuite/vm_boot_test/vm_boot_test.py
> > +++ b/testsuite/vm_boot_test/vm_boot_test.py
> >
> > @@ -46,6 +46,7 @@ class VmBase(Test):
> > fd, output_file = tempfile.mkstemp(suffix='_log.txt',
> >
> > prefix='vm_start_' +
> >
> > distro + '_' + arch + '_', dir=build_dir, text=True)
> > + os.chmod(output_file, 0o644)
>
> This smells like other output files could also have wrong permissions
> while being relevant.
It looks like a specific behaviour of the tempfile.mkstemp() function, which
always creates the file readable/writable only by the user ID. So, only vm logs
are affected.
> If that might be the case, maybe centrally adjust umask for all of the
> testsuite.
I've just played a bit with umask and it seems to work nicely with something
like 'touch', but python's tempfile.mkstemp() still always creates files with
0600 permissions, regardless of the umask set for the same directory.
>
> Henning
>
> > cmdline = start_vm.format_qemu_cmdline(arch, build_dir,
> >
> > distro, output_file, None)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ci: make vm_start logs readable by all users
2022-01-10 12:50 ` Uladzimir Bely
@ 2022-01-10 13:32 ` Henning Schild
2022-01-10 14:19 ` Uladzimir Bely
0 siblings, 1 reply; 5+ messages in thread
From: Henning Schild @ 2022-01-10 13:32 UTC (permalink / raw)
To: Uladzimir Bely; +Cc: isar-users
On Mon, 10 Jan 2022 15:50:00 +0300
Uladzimir Bely <ubely@ilbers.de> wrote:
> In mail from Tuesday, 4 January 2022, 22:58:39 +03 user Henning
> Schild wrote:
> > On Thu, 23 Dec 2021 06:57:20 +0100
> >
> > Uladzimir Bely <ubely@ilbers.de> wrote:
> > > This changes permissions for ${BUILD_DIR}/vm_start_.*_log.txt
> > > from 600 to 644 to make them readable not only for jenkins user.
> >
> > not everybody uses jenkins ... make it "CI user"
> >
>
> OK.
>
> > > Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
> > > ---
> > >
> > > testsuite/vm_boot_test/vm_boot_test.py | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/testsuite/vm_boot_test/vm_boot_test.py
> > > b/testsuite/vm_boot_test/vm_boot_test.py index 01623c5c..69e7f4ae
> > > 100644 --- a/testsuite/vm_boot_test/vm_boot_test.py
> > > +++ b/testsuite/vm_boot_test/vm_boot_test.py
> > >
> > > @@ -46,6 +46,7 @@ class VmBase(Test):
> > > fd, output_file = tempfile.mkstemp(suffix='_log.txt',
> > >
> > > prefix='vm_start_' +
> > >
> > > distro + '_' + arch + '_', dir=build_dir, text=True)
> > > + os.chmod(output_file, 0o644)
> >
> > This smells like other output files could also have wrong
> > permissions while being relevant.
>
> It looks like a specific behaviour of tempfile.mkstemp() function,
> that always creates file readable/writable only by the user ID. So,
> only vm logs are affected.
Yes, apparently that one is trying especially hard to make things
"secure". You could also switch to
with tempfile.TemporaryFile() as fp
in which case you should not have such problems.
Henning
> > If that might be the case, maybe centrally adjust umask for all of
> > the testsuite.
>
> I've just played a bit with umask and it seems to work nice with
> something like 'touch', but python's tempfile.mkstemp() still always
> creates files with 0600 permissions, regardless of umask set for the
> same directory.
>
> >
> > Henning
> >
> > > cmdline = start_vm.format_qemu_cmdline(arch, build_dir,
> > >
> > > distro, output_file, None)
>
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ci: make vm_start logs readable by all users
2022-01-10 13:32 ` Henning Schild
@ 2022-01-10 14:19 ` Uladzimir Bely
0 siblings, 0 replies; 5+ messages in thread
From: Uladzimir Bely @ 2022-01-10 14:19 UTC (permalink / raw)
To: Henning Schild; +Cc: isar-users
In mail from Monday, 10 January 2022, 16:32:46 +03 user Henning Schild
wrote:
> On Mon, 10 Jan 2022 15:50:00 +0300
>
> Uladzimir Bely <ubely@ilbers.de> wrote:
> > In mail from Tuesday, 4 January 2022, 22:58:39 +03 user Henning
> >
> > Schild wrote:
> > > On Thu, 23 Dec 2021 06:57:20 +0100
> > >
> > > Uladzimir Bely <ubely@ilbers.de> wrote:
> > > > This changes permissions for ${BUILD_DIR}/vm_start_.*_log.txt
> > > > from 600 to 644 to make them readable not only for jenkins user.
> > >
> > > not everybody uses jenkins ... make it "CI user"
> >
> > OK.
> >
> > > > Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
> > > > ---
> > > >
> > > > testsuite/vm_boot_test/vm_boot_test.py | 1 +
> > > > 1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/testsuite/vm_boot_test/vm_boot_test.py
> > > > b/testsuite/vm_boot_test/vm_boot_test.py index 01623c5c..69e7f4ae
> > > > 100644 --- a/testsuite/vm_boot_test/vm_boot_test.py
> > > > +++ b/testsuite/vm_boot_test/vm_boot_test.py
> > > >
> > > > @@ -46,6 +46,7 @@ class VmBase(Test):
> > > > fd, output_file = tempfile.mkstemp(suffix='_log.txt',
> > > >
> > > > prefix='vm_start_' +
> > > >
> > > > distro + '_' + arch + '_', dir=build_dir, text=True)
> > > > + os.chmod(output_file, 0o644)
> > >
> > > This smells like other output files could also have wrong
> > > permissions while being relevant.
> >
> > It looks like a specific behaviour of tempfile.mkstemp() function,
> > that always creates file readable/writable only by the user ID. So,
> > only vm logs are affected.
>
> Yes, apparently that one is trying especially hard to make things
> "secure". You could also switch to
>
> with tempfile.TemporaryFile() as fp
>
> in which case you should not have such problems.
>
> Henning
>
Yes, I looked for some alternatives. Probably, we could use
tempfile.NamedTemporaryFile() instead, because it allows keeping the temporary
file in the system (if argument delete=False).
> > > If that might be the case, maybe centrally adjust umask for all of
> > > the testsuite.
> >
> > I've just played a bit with umask and it seems to work nice with
> > something like 'touch', but python's tempfile.mkstemp() still always
> > creates files with 0600 permissions, regardless of umask set for the
> > same directory.
> >
> > > Henning
> > >
> > > > cmdline = start_vm.format_qemu_cmdline(arch, build_dir,
> > > >
> > > > distro, output_file, None)
^ permalink raw reply [flat|nested] 5+ messages in thread
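Added example, not part of the thread or of Isar's test suite: it measures the modes that the creation paths discussed above produce under a fixed umask on POSIX, and shows a descriptor-based way to widen an mkstemp() log to what the umask would have allowed. The helper names (`mode_of`, `create_modes`, `mkstemp_shared_log`) and the file name `plain_log.txt` are hypothetical.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Return the permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_modes(umask=0o022):
    """Create files three ways under a fixed umask and report their modes."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            # mkstemp() requests mode 0600 at open time; a umask can only
            # remove bits, so it can never widen the result.
            fd, p_mkstemp = tempfile.mkstemp(suffix='_log.txt', dir=d, text=True)
            os.close(fd)
            # NamedTemporaryFile() creates its file through the same
            # 0600 code path; delete=False only keeps the file afterwards.
            with tempfile.NamedTemporaryFile(dir=d, delete=False) as f:
                p_named = f.name
            # Plain open() requests 0666 and lets the umask subtract bits.
            p_open = os.path.join(d, 'plain_log.txt')  # constructed name
            with open(p_open, 'w'):
                pass
            return {'mkstemp': mode_of(p_mkstemp),
                    'named': mode_of(p_named),
                    'open': mode_of(p_open)}
    finally:
        os.umask(old)


def mkstemp_shared_log(build_dir, prefix, umask=0o022):
    """Hypothetical helper: mkstemp(), then widen through the descriptor."""
    fd, path = tempfile.mkstemp(suffix='_log.txt', prefix=prefix,
                                dir=build_dir, text=True)
    # fchmod acts on the open file itself, so no second path lookup is
    # needed; 0o666 & ~umask is the mode plain open() would have produced.
    os.fchmod(fd, 0o666 & ~umask)
    return fd, path
```

tempfile.TemporaryFile() is not measured because on POSIX it leaves no directory entry, so there is no path whose mode could be read or handed to another process.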