Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dist: set capabilities during make install #7292

Closed
wants to merge 2 commits into from
Closed

dist: set capabilities during make install #7292

wants to merge 2 commits into from

Conversation

sumit-bose
Copy link
Contributor

No description provided.

@sumit-bose sumit-bose marked this pull request as draft April 12, 2024 11:10
@sumit-bose sumit-bose force-pushed the make_install_capabilities branch from d34573f to 64ccc21 Compare April 12, 2024 12:52
@sumit-bose sumit-bose mentioned this pull request Apr 12, 2024
Closed
@sumit-bose sumit-bose force-pushed the make_install_capabilities branch from 64ccc21 to 570d1d8 Compare April 12, 2024 15:51
joakim-tjernlund
joakim-tjernlund reviewed Apr 13, 2024
View reviewed changes
Makefile.am Outdated Show resolved Hide resolved
@alexey-tikhonov
Copy link
Member

Btw, @justin-stephenson also hit this issue (of missing caps after 'make install') during his work.

@alexey-tikhonov
Copy link
Member

Besides file capabilities of child helpers, also ownership and/or access mode of some /var/lib/sss/... dirs changed in spec-file and wasn't reflected in 'make install', I guess.

@alexey-tikhonov
Copy link
Member

And maybe also add 'Resolves: #7284'?

@justin-stephenson justin-stephenson self-assigned this Apr 15, 2024
@alexey-tikhonov alexey-tikhonov self-assigned this Apr 15, 2024
@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Apr 22, 2024
@sumit-bose sumit-bose force-pushed the make_install_capabilities branch from 570d1d8 to dd678cc Compare April 23, 2024 07:48
@sumit-bose
Copy link
Contributor Author

Besides file capabilities of child helpers, also ownership and/or access mode of some /var/lib/sss/... dirs changed in spec-file and wasn't reflected in 'make install', I guess.

Hi,

there already is SSSD_USER_DIRS in Makefile.am which should take care of this.

bye,
Sumit

@sumit-bose
Copy link
Contributor Author

And maybe also add 'Resolves: #7284'?

Thanks, added in the latest version.

@sumit-bose
Copy link
Contributor Author

Hi,

I used make distcheck to test make install. The second patch contains fixed to make make disctcheck work again.

bye,
Sumit

@sumit-bose sumit-bose force-pushed the make_install_capabilities branch from dd678cc to f3c4707 Compare April 23, 2024 08:31
@sumit-bose
Copy link
Contributor Author

Hi,

I used make distcheck to test make install. The second patch contains fixed to make make disctcheck work again.

bye, Sumit

I removed the second patch because it is currently breaking copr builds.

@alexey-tikhonov
Copy link
Member

Besides file capabilities of child helpers, also ownership and/or access mode of some /var/lib/sss/... dirs changed in spec-file and wasn't reflected in 'make install', I guess.

Hi,

there already is SSSD_USER_DIRS in Makefile.am which should take care of this.

There is, but I forgot about it while updating 'sssd.spec.in' (changing ownership and access mode of some dirs) so I'm pretty sure there are some discrepancies currently. I'm composing the list...

@alexey-tikhonov
Copy link
Member

Mismatch identified so far:

  • missing group access to /var/log/sssd, /var/lib/sss/db, keytabs,
  • missing group write access to deskprofile, gpo_cache, mc, pipes, pubconf
  • SSSD ownership and access mode of '/var/lib/sss' itself

I just compared results of 'make install' from this PR and installed recent copr build.

@sumit-bose sumit-bose marked this pull request as ready for review April 24, 2024 15:41
justin-stephenson
justin-stephenson approved these changes Apr 25, 2024
View reviewed changes
Copy link
Contributor

@justin-stephenson justin-stephenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack, thank you.

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Apr 25, 2024
edited
Loading

@sumit-bose , I tried to build from sources on Rawhide and everything looks fine besides /var/lib/sss folder itself:

drwxrwxr-x. 10 root    root    4096 Apr 25 09:55 sss

I guess $(sss_statedir) should be added to SSSD_USER_DIRS as well?

@sumit-bose
dist: set capabilities during make install
4386fa1 
Resolves: SSSD#7284
@sumit-bose
conf: update path permissions
a925968 
Use the same permissions as in the spec file during 'make install'.
@sumit-bose sumit-bose force-pushed the make_install_capabilities branch from e9181e2 to a925968 Compare April 25, 2024 19:22
@sumit-bose
Copy link
Contributor Author

@sumit-bose , I tried to build from sources on Rawhide and everything looks fine besides /var/lib/sss folder itself:

drwxrwxr-x. 10 root    root    4096 Apr 25 09:55 sss

I guess $(sss_statedir) should be added to SSSD_USER_DIRS as well?

Hi,

of course you are right, fixed in the latest version.

bye,
Sumit

@alexey-tikhonov
Copy link
Member

Thank you, ACK.

@alexey-tikhonov alexey-tikhonov added the Ready to push Ready to push label Apr 26, 2024
@alexey-tikhonov
Copy link
Member

Pushed PR: #7292

  • master
    • 1199bd1 - conf: update path permissions
    • 7239dd6 - dist: set capabilities during make install

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joakim-tjernlund joakim-tjernlund joakim-tjernlund left review comments

@alexey-tikhonov alexey-tikhonov alexey-tikhonov approved these changes

@justin-stephenson justin-stephenson justin-stephenson approved these changes

Assignees

@justin-stephenson justin-stephenson

@alexey-tikhonov alexey-tikhonov

Labels
no-backport This should go to target branch only. non-privileged Pushed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sumit-bose @alexey-tikhonov @justin-stephenson @joakim-tjernlund