Include specific UID and GID checks in modules.file.check_perms #62792
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If the same username exists in more than one nsswitch database, it's possible to end up in a situation where users can be associated with more than one UID. When this happens - files that are owned by the user, but have the "previous" UID, will not have the UID updated by the `file.directory` state when `recurse` is set to `["user", "group"]`. This is due to `file.stats` returning the correct owning username, causing `file.check_perms`, which only compares owner permissions by name, to believe no permissions changes are required. If `file.check_perms` was to check permissions via ID as well, it would return the ID changes to be made. The PR updates the `file.check_perms` function to also check whether the UID and GID values of the file match the function arguments for `user` and `group` should they be IDs. Previously `file.check_perms` attempted to retrieve usernames via `file.uid_to_user`. An empty check was done on the return value which would signify a username not being present on the system - a hard failure as `os.chown` takes IDs, but no username means no ID. The PR changes this so that username checks are left to the `file.chown` function. The error string returned by `file.chown` is appended to `ret["comments"]` so it can be returned to the user should either the username or group name not be present. The PR also attempts to reduce the number of calls to `get_user` and `get_group` which result in repeat calls to stat. Instead use a single "post" `file.stats` call and compare user/group/mode changes using that. This can be reproduced with `libnss-cache` by defining a user with the same name, but different UID in `/etc/passwd.cache` and `/etc/group.cache`.
While refactoring the `mode` update section the `else` statements were removed which rendered the `if ...: pass` a NOP. The PR negates the `if is_link and not follow_symlinks` so we only continue to change the mode for non-links and link targets if `follow_symlinks == True`.
|
The |
rhodesn
force-pushed
the
check_perms-allow-name-id
branch
from
6921f92 to
d95607b
Compare
Ch3LL
suggested changes
Oct 4, 2022
garethgreenaway
previously approved these changes
Oct 4, 2022
twangboy
previously approved these changes
Oct 4, 2022
|
@nrhodes91 Just making sure you saw @Ch3LL's comment about needing a changelog on this one. Thanks! |
|
Created issue #62818 in keeping with the preferred changelog format. |
rhodesn
force-pushed
the
check_perms-allow-name-id
branch
from
d95607b to
799bae9
Compare
|
Added |
This mirrors the user/group checks which set `perms["cuser"]` etc when there are changes expected. These values are used to determine if we need to return changes in `ret["changes"]`. Before this commit `file.chec_perms` was returning `mode` changes for new files which didn't match the original behaviour.
rhodesn
force-pushed
the
check_perms-allow-name-id
branch
from
799bae9 to
7861126
Compare
Ch3LL
approved these changes
Oct 5, 2022
garethgreenaway
approved these changes
Oct 7, 2022
|
Congratulations on your first PR being merged! 🎉 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If the same username exists in more than one nsswitch database, it's possible to end up in a situation where users can be associated with more than one UID.
What does this PR do?
The PR updates the
file.check_permsfunction to check whether the UID and GID values of the file match the function arguments foruserandgroupshould they be IDs.The PR also attempts to reduce the number of calls to
get_userandget_groupwhich result in repeat calls to stat. Instead use a single "post"file.statscall and compare user/group/mode changes using that.What issues does this PR fix or reference?
Fixes: #62818
Previous Behavior
Files owned by a user who can be mapped to two UIDs, but have file permissions for the "wrong" UID will not be updated by
file.check_perms. This is due tofile.check_permsonly comparing ownership by names, and not also IDs.Under normal circumstances, if you supply an ID for
user:infile.directory, and that ID either represents a non-existent user, or maps to a username viafile.uid_to_user, then salt will correctly update file and directory permissions recursively. However if you end up in the unique situation where during a migration period, a username is present in two name databases but with different UIDs, salt will compare the output from stat (which returns the correct username but with the "previous" UIDs) for the file only against a username due touid_to_user(name)being used. This results in the UID owning the file not being updated.Example where file uid wont get updated even if a uid is supplied to
file.directory:When using:
The
file.directorystate returnschanges: {}, which makes sense as the usernames match even though the uid doesn't.Previously
file.check_permsattempted to retrieve usernames viafile.uid_to_user. An empty check was done on the return value which would signify a username not being present on the system - a hard failure asos.chowntakes IDs, but no username means no ID. The PR changes this so that username checks are left to thefile.chownfunction. The error string returned byfile.chownis appended toret["comments"]so it can be returned to the user should either the username or group name not be present.New Behavior
Salt will check both file username and UID permissions against the supplied
userandgrouparguments instead of trying to convert IDs to names and then comparing. This resolves an admittedly pretty unique situation.I should add that I looked into making salt capable of accepting a username, and performing both name and ID checks using that, but those changes are more significant.
Merge requirements satisfied?
[NOTICE] Bug fixes or features added to Salt require tests.
Commits signed with GPG?
Yes/No
Please review Salt's Contributing Guide for best practices.
See GitHub's page on GPG signing for more information about signing commits with GPG.