action #20162

Create a group `openqa` during installation

Added by SLindoMansilla over 2 years ago. Updated over 1 year ago.

Status: New
Start date: 29/06/2017
Priority: Low
Due date:
Assignee: binary_sequence
% Done: 0%
Category: Feature requests
Target version: QA - future
Difficulty:
Duration:

Description

User story

As an openQA test developer, I want that the package openQA installs a group for the files that are accessed by user geekotest and _openqa-worker to have an easier way to access and modify the files installed by the package openQA without using the root user and without losing my file permissions each time that I install an update of the package.

Acceptance criteria

  • AC1: The package openQA creates during installation a group named openqa-test-developers
  • AC2: The files and directories listed below are owned by the group openqa-test-developers, they have read-write permission for the group owner and have the gid set.
    • /var/lib/openqa/pool/
    • /var/lib/openqa/share/factory/
    • /var/lib/openqa/share/tests/

Tasks

  1. Modify the installation/specfile to create a group named openqa-test-developers
  2. Install the files and directories listed on AC2 with group owner openqa-test-developers,
  3. and add read-write permissions to them,
  4. and add the gid bit to them.

Further information
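
A way to check AC2 on an installed system, as an added example that is not part of the ticket or of the openQA package: the script audits the three AC2 directories for group owner, group read-write and the setgid bit. The group name and paths come from AC1/AC2; the function names, the `--audit` flag and the rejection of world-writable modes are assumptions of this example, and it needs GNU `stat`.

```shell
#!/bin/sh
# Added example, not openQA packaging code. Group name and paths are from AC1/AC2;
# function names and the --audit flag are hypothetical. Needs GNU stat.
EXPECTED_GROUP="openqa-test-developers"
AC2_DIRS="/var/lib/openqa/pool /var/lib/openqa/share/factory /var/lib/openqa/share/tests"

# mode_ok OCTAL_MODE: succeed only if setgid is set and the group has rw.
# Rejecting world-writable modes is an added assumption, not part of AC2.
mode_ok() {
    bits=$(( 0$1 ))                                      # leading 0 => parsed as octal
    [ $(( bits & 02000 )) -ne 0 ] || return 1            # setgid bit
    [ $(( bits & 0060 )) -eq $(( 0060 )) ] || return 1   # group read + write
    [ $(( bits & 0002 )) -eq 0 ] || return 1             # others must not write
}

# audit_dir PATH GROUP: 0 = compliant, 1 = wrong group or mode, 2 = missing.
audit_dir() {
    [ -d "$1" ] || { echo "MISSING $1"; return 2; }
    grp=$(stat -c '%G' "$1")
    perm=$(stat -c '%a' "$1")
    if [ "$grp" != "$2" ]; then
        echo "GROUP   $1: owned by group $grp, expected $2"; return 1
    fi
    if ! mode_ok "$perm"; then
        echo "MODE    $1: $perm lacks setgid/g+rw or is world-writable"; return 1
    fi
    echo "OK      $1 ($grp, $perm)"
}

# audit_all: check every AC2 directory; non-zero if any one fails.
audit_all() {
    rc=0
    for d in $AC2_DIRS; do
        audit_dir "$d" "$EXPECTED_GROUP" || rc=1
    done
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit_all; fi
```

Run with `--audit` after a package update to see whether the upgrade reset the group owner or mode of any AC2 directory.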

History

#1 Updated by coolo over 2 years ago

you need to train markdown - you only added 3 pairs of quotes where there is supposed to be a list of directories

#2 Updated by SLindoMansilla over 2 years ago

  • Description updated (diff)

XD

#3 Updated by coolo over 2 years ago

  • Status changed from New to Rejected

I think you misunderstand the security concept behind having different users. If we wanted every component to be able to write everywhere, we wouldn't have introduced a 2nd user.

#4 Updated by SLindoMansilla over 2 years ago

  • Description updated (diff)

What about not adding those users to the group?

#5 Updated by coolo over 2 years ago

  • Status changed from Rejected to New

#6 Updated by lnussel over 2 years ago

What's the point? The files are world readable anyways, changing the root group to a different one is a noop. Changing file permissions to group writable would not be acceptable. openqa must not be able to write its own code.

#7 Updated by SLindoMansilla over 2 years ago

  • Description updated (diff)

Hello lnussel,

those files and directories are not writable (some of them not even readable) by my local user. I had nothing against configuring my own file permission directive on my machine, but each time I update the package, it resets everything and I have to reconfigure after that.

After talking with coolo, I agree that the group openqa should be created empty, but the group owner and file permissions have to be done by the specfile so it doesn't reset my changes.

About "[...]openqa must not be able to write its own code[...]". Only creating an empty user group and adding writable permission for it is not causing this. Perhaps you mention that because I chose a wrong name for the group. I have removed the parts that are a security problem and changed the name of the group to openqa-developers.

Regards.

#8 Updated by lnussel over 2 years ago

  • Status changed from New to Rejected

no thanks. you can run openqa from a local git checkout in parallel to having the package installed btw.

#9 Updated by coolo over 2 years ago

  • Status changed from Rejected to New

remove /usr/share/openqa from your list of directories and make /var/lib/openqa more specific. /var/lib/openqa/{db,images,testresults} you better do not break manually.

Write permission to factory/*, pool/* and share/tests for the group sounds plausible though

#10 Updated by SLindoMansilla over 2 years ago

  • Description updated (diff)

coolo, yes, that sounds good. Thanks!

How do you find the new list? Am I still missing something?

#11 Updated by coolo over 2 years ago

. /var/lib/openqa/{db,images,testresults} you better do not break manually.

#12 Updated by SLindoMansilla over 2 years ago

  • Description updated (diff)

DB out

#13 Updated by coolo over 2 years ago

  • Priority changed from Normal to Low
  • Target version set to Ready

#14 Updated by SLindoMansilla over 2 years ago

  • Description updated (diff)

To make it clear that this "feature" is for openqa test developers also users.

#15 Updated by SLindoMansilla about 2 years ago

  • Description updated (diff)

#16 Updated by binary_sequence almost 2 years ago

  • Assignee set to binary_sequence

#17 Updated by coolo over 1 year ago

  • Target version changed from Ready to future

Take your time
