Project

General

Profile

Actions

action #20162

open

Create a group `openqa` during installation

Added by SLindoMansilla over 7 years ago. Updated about 6 years ago.

Status:
New
Priority:
Low
Category:
Feature requests
Target version:
Start date:
2017-06-29
Due date:
% Done:

0%

Estimated time:

Description

User story

As an openQA test developer, I want that the package openQA installs a group for the files that are accesed by user geekotest and _openqa-worker to have an easier way to access and modify the files installed by the package openQA without using the root user and without loosing the my file permissions each time that I install an update of the package.

Acceptance criteria

  • AC1: The package openQA create during installation a group named openqa-test-developers
  • AC2: The files and directories listed bellow are owned by the group openqa-test-developers, they have read-write permission for the group owner and have the gid set.
    • /var/lib/openqa/pool/
    • /var/lib/openqa/share/factory/
    • /var/lib/openqa/share/tests/

Tasks

  1. Modify the installation/specfile to create a group named openqa-test-developers
  2. Install the files and directories listed on AC2 with group owner openqa-test-developers,
  3. and add read-write permissions to them,
  4. and add the gid bit to them.

Further information

Actions #1

Updated by coolo over 7 years ago

you need to train markdown - you only added 3 pairs of quotes where there is supposed to be a list of directories

Actions #2

Updated by SLindoMansilla over 7 years ago

  • Description updated (diff)

XD

Actions #3

Updated by coolo over 7 years ago

  • Status changed from New to Rejected

I think you misunderstand the security concept behind having different users. If we wanted every component to be able write everywhere, we wouldn't have introduced a 2nd user.

Actions #4

Updated by SLindoMansilla over 7 years ago

  • Description updated (diff)

What about not adding those user to the group?

Actions #5

Updated by coolo over 7 years ago

  • Status changed from Rejected to New
Actions #6

Updated by lnussel over 7 years ago

What's the point? The files are world readable anyways, changing the root group to a different one is a noop. Changing file permissions to group writable would not be acceptable. openqa must not be able to write it's own code.

Actions #7

Updated by SLindoMansilla over 7 years ago

  • Description updated (diff)

Hello lnussel,

those files and directories are not writable (some of then even not readable) by my local user. I had nothing against configuring my own file permission directive on my machine, but each time I update the package, it resets everything and I have to reconfigure after that.

After talking with coolo, I agree that the group openqa should be created empty, but the group owner and file permissions have to be done by the specfile so it doesn't reset my changes.

About "[...]openqa must not be able to write it's own code[...]". Only creating an empty user group and adding writable permission for it is not causing this. Perhaps you mention that because I choose a wrong name for the group. I have remove the parts that are a security problem and changed the name of the group to openqa-developers.

Regards.

Actions #8

Updated by lnussel over 7 years ago

  • Status changed from New to Rejected

no thanks. you can run openqa from a local git checkout in parallel to having the package installed btw.

Actions #9

Updated by coolo over 7 years ago

  • Status changed from Rejected to New

remove /usr/share/openqa from your list of directories and make /var/lib/openqa more specific. /var/lib/openqa/{db,images,testresults} you better do not break manually.

Write permission to factory/, pool/ and share/tests for the group sound plausible though

Actions #10

Updated by SLindoMansilla over 7 years ago

  • Description updated (diff)

coolo, yes, that sound good. Thanks!

How do you find the new list? Am I still missing something?

Actions #11

Updated by coolo over 7 years ago

. /var/lib/openqa/{db,images,testresults} you better do not break manually.

Actions #12

Updated by SLindoMansilla over 7 years ago

  • Description updated (diff)

DB out

Actions #13

Updated by coolo about 7 years ago

  • Priority changed from Normal to Low
  • Target version set to Ready
Actions #14

Updated by SLindoMansilla about 7 years ago

  • Description updated (diff)

To make it clear that this "feature" is for openqa test developers also users.

Actions #15

Updated by SLindoMansilla almost 7 years ago

  • Description updated (diff)
Actions #16

Updated by binary_sequence over 6 years ago

  • Assignee set to binary_sequence
Actions #17

Updated by coolo about 6 years ago

  • Target version changed from Ready to future

Take your time

Actions

Also available in: Atom PDF