ungleich-public/cdist
ungleich-public/cdist
7
4
Fork 10
Code Issues 58 Pull requests 15 Projects Releases Wiki Activity

ACL type does not converge if permissions include capital X #98

New issue
Closed
opened 2021-11-20 13:23:52 +00:00 by ungleich-gitea · 10 comments
ungleich-gitea commented 2021-11-20 13:23:52 +00:00
Owner
Copy link

Created by: jimis

__acl /path/to/dir/ --default --user username:r-X

Note the capital X in the permisisons part. No matter how many times I execute this, the type re-sets the ACL every time.

From setfacl manual:

The perms field is a combination of characters that indicate the read (r), write (w), execute (x) permissions. Dash characters in the perms field (-) are ignored. The character X stands for the execute permission if the file is a directory or already has execute permission for some user.

The problem lies in the gencode-remote script, that expects to find the string "r-X" in the output of getfacl (explorer acl_is). Apparently getfacl will never return a capital X. From the end of gencode-remote (the comment is mine):

for acl in $acl_should
do
    ### NOTE $acl_is might contain capital X but $acl_should never does, since
    ###     it comes from getfacl
    if ! echo "$acl_is" | grep -Eq "^$acl"
    then echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
    fi
done

Fixing it properly is complicated, it would require logic while comparing $acl_is and $acl_should, expecting "x" if it is a directory or if it is a file with the executable permissions bit set.

My workaround is to add -i to that grep command line. Apparently this has drawbacks.

*Created by: jimis* ```__acl /path/to/dir/ --default --user username:r-X``` Note the capital X in the permisisons part. No matter how many times I execute this, the type re-sets the ACL every time. From setfacl manual: > The perms field is a combination of characters that indicate the read (r), write (w), execute (x) permissions. Dash characters in the perms field (-) are ignored. The character X stands for the execute permission if the file is a directory or already has execute permission for some user. The problem lies in the `gencode-remote` script, that expects to find the string "r-X" in the output of `getfacl` (explorer `acl_is`). Apparently `getfacl` will never return a capital X. From the end of `gencode-remote` (the comment is mine): ``` for acl in $acl_should do ### NOTE $acl_is might contain capital X but $acl_should never does, since ### it comes from getfacl if ! echo "$acl_is" | grep -Eq "^$acl" then echo "$setfacl_exec -m \"$acl\" \"$acl_path\"" fi done ``` Fixing it properly is complicated, it would require logic while comparing `$acl_is` and `$acl_should`, expecting "x" if it is a directory or if it is a file with the executable permissions bit set. My workaround is to add `-i` to that grep command line. Apparently this has drawbacks.
ungleich-gitea commented 2021-11-20 15:38:37 +00:00
Author
Owner
Copy link

Created by: jimis

Yes it is solved, thank you!

*Created by: jimis* Yes it is solved, thank you!
ungleich-gitea commented 2021-11-20 15:38:39 +00:00
Author
Owner
Copy link

Created by: 4nd3r

this should be closed if #760 solved an issue

*Created by: 4nd3r* this should be closed if #760 solved an issue
ungleich-gitea commented 2021-11-20 15:38:40 +00:00
Author
Owner
Copy link

Created by: jimis

if that is the case, then we could just do simple test and sed 's/x/X/ on wanted line in acl_is output...

Sounds good! :-) But also skip the test entirely if it's a file and the "x" bit is not set for any user.

*Created by: jimis* > if that is the case, then we could just do simple test and sed 's/x/X/ on wanted line in acl_is output... Sounds good! :-) But also skip the test entirely if it's a file and the "x" bit is not set for any user.
ungleich-gitea commented 2021-11-20 15:38:41 +00:00
Author
Owner
Copy link

Created by: 4nd3r

wait... non-recursive test on path?
you don't know whether path, you are defining for __acl, is directory or file?
i'm confused.

if that is the case, then we could just do simple test and sed 's/x/X/ on wanted line in acl_is output...

*Created by: 4nd3r* wait... non-recursive test on path? you don't know whether path, you are defining for `__acl`, is directory or file? i'm confused. if that is the case, then we could just do simple test and `sed 's/x/X/` on wanted line in acl_is output...
ungleich-gitea commented 2021-11-20 15:38:43 +00:00
Author
Owner
Copy link

Created by: 4nd3r

separate explorer(s) with find -perms -type if X is used?

*Created by: 4nd3r* separate explorer(s) with `find -perms -type` if `X` is used?
ungleich-gitea commented 2021-11-20 15:38:44 +00:00
Author
Owner
Copy link

Created by: jimis

maybe we still should revisit that idea. if --recursive is set then get current state of entire directory contents and comapre it against wanted state with file type check? this way we could solve issue with X. but i can already imagine the complexity of this kind of type...

I definitely do not want recursive comparisons, the way it is now is fine regarding recursion, I agree that the overhead would be too big otherwise.

Non-recursive test for capital X permission is what I was thinking of:

  • Is it a directory and the ACL x bit is set? Then the ACL is correct.
  • Is it a file and the x mode bit is set, and the x ACL bit is set? Then the ACL is correct.
  • Otherwise the ACL is incorrect and needs to be set using "setfacl" .
*Created by: jimis* > maybe we still should revisit that idea. if --recursive is set then get current state of entire directory contents and comapre it against wanted state with file type check? this way we could solve issue with X. but i can already imagine the complexity of this kind of type... I definitely do not want recursive comparisons, the way it is now is fine regarding recursion, I agree that the overhead would be too big otherwise. Non-recursive test for capital X permission is what I was thinking of: * Is it a directory and the ACL `x` bit is set? Then the ACL is correct. * Is it a file and the `x` mode bit is set, and the `x` ACL bit is set? Then the ACL is correct. * Otherwise the ACL is incorrect and needs to be set using "setfacl" .
ungleich-gitea commented 2021-11-20 15:38:45 +00:00
Author
Owner
Copy link

Created by: 4nd3r

I use find with -type and -exec 😄

jokes a side, how do you know if some perms inside deep directory needs a change? I personally don't like types which do something even when there's no need to, but that's may personal belief 👼

the thing with recursive operations is that they are hard. when i wrote __acl, i gave it a lot of thought. for example, getting recursively state of entire directory content and comparing that against wanted state is somewhat difficult, but doable. and when you have directory with 100k files then it doesn't scale.

since I only use __acl to set up new directories and only care about acl of parent, i just made it this way and forgot it. now your situation gets my attention again and... maybe we still should revisit that idea. if --recursive is set then get current state of entire directory contents and comapre it against wanted state with file type check? this way we could solve issue with X. but i can already imagine the complexity of this kind of type...

also, it's sorta admin choice - if you are going to use that type on directory with 100k files, then you maybe have very bad times...

*Created by: 4nd3r* I use `find` with `-type` and ` -exec` :smile: jokes a side, how do you know if some perms inside deep directory needs a change? I personally don't like types which do something even when there's no need to, but that's may personal belief :angel: the thing with recursive operations is that they are hard. when i wrote `__acl`, i gave it a lot of thought. for example, getting recursively state of entire directory content and comparing that against wanted state is somewhat difficult, but doable. and when you have directory with 100k files then it doesn't scale. since I only use `__acl` to set up new directories and only care about acl of parent, i just made it this way and forgot it. now your situation gets my attention again and... maybe we still should revisit that idea. if `--recursive` is set then get current state of entire directory contents and comapre it against wanted state with file type check? this way we could solve issue with `X`. but i can already imagine the complexity of this kind of type... also, it's sorta admin choice - if you are going to use that type on directory with 100k files, then you maybe have very bad times...
ungleich-gitea commented 2021-11-20 15:38:47 +00:00
Author
Owner
Copy link

Created by: jimis

@4nd3r I find it really useful. Otherwise how do you set recursively the ACL to "r-x" for directories but to "r--" for files?

*Created by: jimis* @4nd3r I find it really useful. Otherwise how do you set recursively the ACL to "r-x" for directories but to "r--" for files?
ungleich-gitea commented 2021-11-20 15:38:48 +00:00
Author
Owner
Copy link

Created by: 4nd3r

this is though one. i, myself, would never use such ambiguous feature, but I can't think of good solution for those, who would like to use it. at least we should add note about that in man.rst.

*Created by: 4nd3r* this is though one. i, myself, would never use such ambiguous feature, but I can't think of good solution for those, who would like to use it. at least we should add note about that in man.rst.
ungleich-gitea commented 2021-11-20 15:38:49 +00:00
Author
Owner
Copy link

Created by: jimis

@4nd3r maybe you have an opinion on this one?

*Created by: jimis* @4nd3r maybe you have an opinion on this one?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
7.0
6.9
py3.10
ander/__package_apt_update_index
haproxy-dualstack
ander/__sed
beta
ander/os_version_debian_sid
evilham-compatibility-fixes
ander/__rsync
__snakeoil_cert
ander/update_readme
__download_improvements
feature/onchange
cleanup/string-formatting
feature/type-relationship-graph
cleanup/ssh-auth-keys-types
__letsencrypt_cert-fix-hooks
bugfix/preos-debug
bugfix/in-script-import
6.8
bugfix/sphinx-docs-build
6.7
cherry-pick-2f433a14
bugfix/make-code-consistent
6.6
regain-py3.2-support
6.5
bugfix/multiple-log-lines
matterbridge
coturn
alpinefix
matrix
new-type/network-interface
feature/process
6.4
feature/info-command
feature/libexec
6.3
preos-plugins-dir-opt
gitlab-ci
6.2
order-dep-fix
6.1
6.0
build/support-pip-from-git
feature/shell-lib
5.1
feature/support-type-deprecation
5.0
feature/python-types
4.11
4.10
shellcheck
4.9
4.8
freebsd-improvements
new-prometheus
key_value-onchange
feature/output_streams
AnotherKamila-patch-1
__letsencrypt_cert-fixes
letsencrypt-cron-fix
4.7
newtype-__letsencrypt_cert
os_explorer_devuan_fix
prometheus-exporter-fixes
daemontools-for-fbsd
type-prometheus-exporter-from-master
prometheus-more-fixes
4.6
4.5
fix-j
steven-backport
4.4
prometheus-fixes
grafana_dashboard
prometheus
daemontools
consul_improvements
feature/trigger
4.3
4.0-pre-not-stable
4.2
4.1
4.0
feature_install_and_preos
3.1
no-dot-cdist
random_dot_cdist
feature_yum_url
feature_files_export
3.0
2.3
2.2
2.1
ssh_callback
2.0
archive_shell_function_approach
1.7
1.6
1.5
1.4
1.3
1.2
1.1
1.0
7.0.0
6.9.8
6.9.7
6.9.6
6.9.5
6.9.4
6.9.3
6.9.2
6.9.1
6.9.0
6.8.0
6.7.0
6.6.0
6.5.6
6.5.5
6.5.4
6.5.3
6.5.2
6.5.1
6.5.0
6.4.0
6.3.0
6.2.0
6.1.1
6.1.0
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.1.3
5.1.2
5.1.1
5.1.0
5.0.2
5.0.1
5.0.0
4.11.1
4.11.0
4.10.11
4.10.10
4.10.9
4.10.8
4.10.7
4.10.6
4.10.5
4.10.4
4.10.3
4.10.2
4.10.1
4.10.0
4.9.1
4.9.0
4.8.4
4.8.3
4.8.2
4.8.1
4.8.0
4.7.3
4.7.2
4.7.1
4.7.0
4.6.1
4.6.0
4.5.0
4.4.4
4.4.3
4.4.2
4.4.1
4.4.0
4.3.2
4.3.1
4.3.0
4.2.2
4.2.1
4.2.0
4.1.0
4.0.0
3.1.13
tn1
3.1.12
3.1.11
3.1.10
3.1.9
3.1.8
3.1.7
3.1.6
4.0.0pre3
3.1.5
3.1.4
3.1.3
3.1.2
3.1.1
3.1.0
4.0.0pre2
3.0.9
3.0.8
3.0.7
3.0.6
3.0.5
3.0.4
3.0.3
4.0.0pre1
3.0.2
3.0.1
3.0.0
2.3.7
2.3.6
2.3.5
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.2.0
2.1.2
2.1.1
2.1.0
2.1.0pre8
2.1.0pre7
2.1.0pre6
2.0.15
2.1.0pre5
2.1.0pre4
2.1.0pre3
2.1.0pre2
2.1.0pre1
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0
1.7.1
1.7.0
1.6.2
1.6.1
1.6.0
1.5.0
1.4.1
1.4.0
1.3.2
1.3.1
1.3.0
1.2.0
1.1.0
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0
0.9.9
0.9.8
0.9.7
0.9.6
0.9.5
0.9.4
0.9.3
0.9.2
0.9.1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
Labels
Clear labels   
bugfix

   
cleanup

   
discussion

   
documentation

   
doing

   
done

   
feature

   
improvement

   
packaging

   
Stale

   
testing

   
TODO
No labels
bugfix
cleanup
discussion
documentation
doing
done
feature
improvement
packaging
Stale
testing
TODO
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: ungleich-public/cdist#98
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?