action #20162
open
Create a group `openqa` during installation
Added by SLindoMansilla over 7 years ago.
Updated about 6 years ago.
Category:
Feature requests
Description
User story
As an openQA test developer, I want that the package openQA installs a group for the files that are accessed by user geekotest and _openqa-worker to have an easier way to access and modify the files installed by the package openQA without using the root user and without losing my file permissions each time that I install an update of the package.
Acceptance criteria
- AC1: The package openQA creates during installation a group named `openqa-test-developers`
- AC2: The files and directories listed below are owned by the group `openqa-test-developers`, they have read-write permission for the group owner and have the gid set.
  - /var/lib/openqa/pool/
  - /var/lib/openqa/share/factory/
  - /var/lib/openqa/share/tests/
Tasks
- Modify the installation/specfile to create a group named `openqa-test-developers`
- Install the files and directories listed on AC2 with group owner `openqa-test-developers`,
  - and add read-write permissions to them,
  - and add the gid bit to them.
Further information
you need to train markdown - you only added 3 pairs of quotes where there is supposed to be a list of directories
- Description updated (diff)
- Status changed from New to Rejected
I think you misunderstand the security concept behind having different users. If we wanted every component to be able to write everywhere, we wouldn't have introduced a 2nd user.
- Description updated (diff)
What about not adding those users to the group?
- Status changed from Rejected to New
What's the point? The files are world readable anyways, changing the root group to a different one is a noop. Changing file permissions to group writable would not be acceptable. openqa must not be able to write its own code.
- Description updated (diff)
Hello lnussel,
those files and directories are not writable (some of them even not readable) by my local user. I had nothing against configuring my own file permission directive on my machine, but each time I update the package, it resets everything and I have to reconfigure after that.
After talking with coolo, I agree that the group `openqa` should be created empty, but the group owner and file permissions have to be done by the specfile so it doesn't reset my changes.
About "[...]openqa must not be able to write its own code[...]". Only creating an empty user group and adding writable permission for it is not causing this. Perhaps you mention that because I chose a wrong name for the group. I have removed the parts that are a security problem and changed the name of the group to `openqa-developers`.
Regards.
- Status changed from New to Rejected
no thanks. you can run openqa from a local git checkout in parallel to having the package installed btw.
- Status changed from Rejected to New
remove /usr/share/openqa from your list of directories and make /var/lib/openqa more specific. /var/lib/openqa/{db,images,testresults} you better do not break manually.
Write permission to factory/, pool/ and share/tests for the group sounds plausible though
- Description updated (diff)
coolo, yes, that sounds good. Thanks!
How do you find the new list? Am I still missing something?
. /var/lib/openqa/{db,images,testresults} you better do not break manually.
- Description updated (diff)
- Priority changed from Normal to Low
- Target version set to Ready
- Description updated (diff)
To make it clear that this "feature" is for openqa test developers also users.
- Description updated (diff)
- Assignee set to binary_sequence
- Target version changed from Ready to future
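A check for the directory layout that AC2 in the description asks for, as an added example that is not part of the ticket or of the openQA package. `check_ac2` and its output labels are hypothetical; the script assumes a `find` that supports `-group` and `-perm -MODE`.

```shell
#!/bin/sh
# Added example: audit directories against AC2 (group owner, group
# read-write, setgid). The helper name and output labels are constructed.
#
# Usage: check_ac2 GROUP DIR...
#   check_ac2 openqa-test-developers /var/lib/openqa/pool \
#       /var/lib/openqa/share/factory /var/lib/openqa/share/tests
# GROUP may be a group name or a numeric gid. Prints one line per
# non-compliant directory and returns the number of such directories.
check_ac2() {
    grp=$1; shift
    bad=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "MISSING      $d"; bad=$((bad + 1)); continue
        fi
        # -prune makes find test only the directory itself, not its contents.
        if [ -z "$(find "$d" -prune -group "$grp" 2>/dev/null)" ]; then
            echo "WRONG-GROUP  $d"; bad=$((bad + 1)); continue
        fi
        # -perm -0060 is true only when group read AND group write are set.
        if [ -z "$(find "$d" -prune -perm -0060)" ]; then
            echo "NO-GROUP-RW  $d"; bad=$((bad + 1)); continue
        fi
        # Without setgid, new files get the creator's primary group and the
        # shared group ownership is lost over time.
        if [ -z "$(find "$d" -prune -perm -2000)" ]; then
            echo "NO-SETGID    $d"; bad=$((bad + 1)); continue
        fi
    done
    return "$bad"
}
```

Running it after each package update shows whether the update reset the group owner or mode bits on any of the listed directories.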