action #20162
open
Create a group `openqa` during installation
0%
Description
User story
As an openQA test developer, I want that the package openQA installs a group for the files that are accessed by user geekotest and _openqa-worker to have an easier way to access and modify the files installed by the package openQA without using the root user and without losing my file permissions each time that I install an update of the package.
Acceptance criteria
- AC1: The package openQA creates during installation a group named `openqa-test-developers`
- AC2: The files and directories listed below are owned by the group `openqa-test-developers`, they have read-write permission for the group owner and have the gid set.
  - /var/lib/openqa/pool/
  - /var/lib/openqa/share/factory/
  - /var/lib/openqa/share/tests/
Tasks
- Modify the installation/specfile to create a group named `openqa-test-developers`
- Install the files and directories listed on AC2 with group owner `openqa-test-developers`,
  - and add read-write permissions to them,
  - and add the gid bit to them.
Further information
Updated by coolo over 7 years ago
you need to train markdown - you only added 3 pairs of quotes where there is supposed to be a list of directories
Updated by coolo over 7 years ago
- Status changed from New to Rejected
I think you misunderstand the security concept behind having different users. If we wanted every component to be able to write everywhere, we wouldn't have introduced a 2nd user.
Updated by SLindoMansilla over 7 years ago
- Description updated (diff)
What about not adding those users to the group?
Updated by lnussel over 7 years ago
What's the point? The files are world readable anyways, changing the root group to a different one is a noop. Changing file permissions to group writable would not be acceptable. openqa must not be able to write its own code.
Updated by SLindoMansilla over 7 years ago
- Description updated (diff)
Hello lnussel,
those files and directories are not writable (some of them even not readable) by my local user. I had nothing against configuring my own file permission directive on my machine, but each time I update the package, it resets everything and I have to reconfigure after that.
After talking with coolo, I agree that the group `openqa` should be created empty, but the group owner and file permissions have to be done by the specfile so it doesn't reset my changes.
About "[...]openqa must not be able to write its own code[...]". Only creating an empty user group and adding writable permission for it is not causing this. Perhaps you mention that because I chose a wrong name for the group. I have removed the parts that are a security problem and changed the name of the group to `openqa-developers`.
Regards.
Updated by lnussel over 7 years ago
- Status changed from New to Rejected
no thanks. you can run openqa from a local git checkout in parallel to having the package installed btw.
Updated by coolo over 7 years ago
- Status changed from Rejected to New
remove /usr/share/openqa from your list of directories and make /var/lib/openqa more specific. /var/lib/openqa/{db,images,testresults} you better do not break manually.
Write permission to factory/, pool/ and share/tests for the group sounds plausible though
Updated by SLindoMansilla over 7 years ago
- Description updated (diff)
coolo, yes, that sounds good. Thanks!
How do you find the new list? Am I still missing something?
Updated by coolo over 7 years ago
. /var/lib/openqa/{db,images,testresults} you better do not break manually.
Updated by coolo about 7 years ago
- Priority changed from Normal to Low
- Target version set to Ready
Updated by SLindoMansilla about 7 years ago
- Description updated (diff)
To make it clear that this "feature" is for openqa test developers also users.
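One way to verify the layout discussed in this ticket, as an added example that is not part of the ticket or of the openQA package: it checks that the three AC2 directories are owned by the group with g+rw and setgid, and that `db`, `images` and `testresults` are not writable through that group. The function names and the `BASE` argument (normally `/var/lib/openqa`) are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the openQA package). Paths and the group name come
# from the ticket; function names are hypothetical.

SHARED="pool share/factory share/tests"   # AC2: group rw + setgid
PROTECTED="db images testresults"         # per the thread: keep out of the group

dir_group() { ls -ld "$1" | awk '{print $4}'; }   # group owner name
group_bits() { ls -ld "$1" | cut -c5-7; }         # e.g. "rws" or "r-x"

# 0 only if $1 is a directory owned by group $2 with g+rw and setgid set.
is_shared_dir() {
    [ -d "$1" ] && [ "$(dir_group "$1")" = "$2" ] || return 1
    case "$(group_bits "$1")" in rw[sS]) return 0 ;; *) return 1 ;; esac
}

# 0 if group $2 can write to $1 through the group permission bits.
group_can_write() {
    [ "$(dir_group "$1")" = "$2" ] || return 1
    case "$(group_bits "$1")" in ?w?) return 0 ;; *) return 1 ;; esac
}

# audit_openqa_perms BASE GROUP: print findings, return the number of them.
audit_openqa_perms() {
    base=$1 group=$2 bad=0
    for d in $SHARED; do
        is_shared_dir "$base/$d" "$group" ||
            { echo "FAIL $base/$d: want group $group, g+rw, setgid"; bad=$((bad + 1)); }
    done
    for d in $PROTECTED; do
        if group_can_write "$base/$d" "$group"; then
            echo "FAIL $base/$d: writable by $group"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it after a package update as `audit_openqa_perms /var/lib/openqa openqa-test-developers`; a non-zero exit status means the update changed ownership or mode on at least one directory.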