Monday, 2024-11-25

14:44 <opendevreview> Joel Capitao proposed openstack/diskimage-builder master: DNM Testing on KVM https://review.opendev.org/c/openstack/diskimage-builder/+/936024
21:59 <JayF> This has 3x +1, including from another gentoo expert, would very much appreciate if we could land it: https://review.opendev.org/c/openstack/diskimage-builder/+/923985
22:13 <clarkb> JayF: I have two concerns/questions (in the bits of the change that affect more than gentoo potentially)
22:13 <clarkb> can you take a look and sanity check them to make sure there aren't any obvious issues?
22:15 <JayF> clarkb: responded; tldr it's all fine
22:16 <JayF> clarkb: I was also WTF when I saw the config gentoo (and upstream) puts in /etc/sudoers wants a directory that doesn't exist
22:16 <clarkb> ok any concern about permissions? as noted it should noop everywhere else
22:16 <JayF> you are right about perms on /etc/sudoers.d, I suspect, though
22:16 <JayF> can I just follow it up?
22:16 <clarkb> but you might end up being able to add extra sudoers content to that dir if it is 777 or whatever
22:17 <JayF> would rather avoid another round-trip on this patch as I'm waiting on it for something else :)
22:17 <JayF> will push said followup right now if you agree
22:17 <clarkb> yes, I think a followup is fine since as noted mkdir -p should noop if it already exists. I'll quickly test it doesn't change permissions or anything first then approve
22:17 <JayF> if mkdir -p changed permissions ... whooo boy that would break a lot of folks :)
22:18 <JayF> not in this case, but in a bunch of em
22:18 <clarkb> ya manpage even says it will ignore the -m perms setting
22:18 <clarkb> but since this is security related i want to be sure
22:19 <JayF> interesting; you can't chown something to root that you own as your own user
22:19 <JayF> not sure I can wrap my head around why that's a bad idea
22:21 <clarkb> I've approved it. mkdir -p seems to noop in all cases where the dir already exists that I threw at it
22:21 <JayF> I'm glad I'm following this up
22:22 <JayF> there are similarly flavored permissions issues in this element
22:22 <JayF> e.g. the sudoers file we put in is getting default umask
22:22 <clarkb> that one gets chowned though
22:22 <clarkb> sorry chmod'd
22:22 <JayF> oh, you're right
22:22 <JayF> I kept reading EOF as fi
22:23 <clarkb> the bigger concern is that if the dir is writable anyone could add new sudoers content I think
22:23 <JayF> interesting that /etc/sudoers is not even writable by root on this machine
22:23 <clarkb> though maybe sudo will only respect files that are properly owned and permed
22:24 <JayF> sudo will 100% do ^ that
22:24 <JayF> because that's part of why you use visudo
22:24 <JayF> bad syntax or bad perms can lock you completely outta a system
22:24 <JayF> we should still fix this, to be clear, but I think it's more of a cleanup than a sec risk
22:24 <clarkb> ack
22:39 <JayF> so something weird about this
22:39 <JayF> in the devuser element
22:39 <JayF> we're not sudo'ing to add the file in /etc/sudoers.d/
22:40 * JayF looks up docs on if there's something special about install.d/
22:41 <JayF> it's documented as running in-chroot but does not indicate you have root perms
22:41 <JayF> so how does that work?
22:52 <JayF> so weird, it works in the build without sudo for any of it
22:52 <JayF> which means we must be effective UID 0 for that part of the build but I can't tell how
22:54 <opendevreview> Jay Faulkner proposed openstack/diskimage-builder master: Followup: Ensure devuser-created dir has sane perms https://review.opendev.org/c/openstack/diskimage-builder/+/936206
23:17 <opendevreview> Merged openstack/diskimage-builder master: [gentoo] Fix+Update CI for 23.0 profile https://review.opendev.org/c/openstack/diskimage-builder/+/923985
23:36 <opendevreview> Jay Faulkner proposed openstack/diskimage-builder master: Update default Ubuntu to noble (latest LTS) https://review.opendev.org/c/openstack/diskimage-builder/+/936209

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!