Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change file permissions on instances #3715

Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open

Change file permissions on instances #3715

wants to merge 20 commits into from

Conversation

Sploder12
Copy link
Contributor

@Sploder12 Sploder12 commented Oct 4, 2024
edited
Loading

This PR changes file permissions on Multipass cache and data directories to be read/write only by root. Previously the files could be read by all.

Fixes #3866

MULTI-1403
MULTI-1723

@Sploder12 Sploder12 marked this pull request as draft October 4, 2024 19:31
@ricab ricab added this to the 1.15.0 milestone Oct 7, 2024
@Sploder12 Sploder12 marked this pull request as ready for review October 21, 2024 13:22
@codecov Codecov
Copy link

codecov bot commented Oct 21, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 88.09524% with 5 lines in your changes missing coverage. Please review.

Project coverage is 89.11%. Comparing base (5b4d884) to head (e6fee0a).
Report is 18 commits behind head on main.

Files with missing lines Patch % Lines
src/platform/platform_unix.cpp 50.00% 3 Missing ⚠️
src/utils/permission_utils.cpp 93.33% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3715      +/-   ##
==========================================
- Coverage   89.11%   89.11%   -0.01%     
==========================================
  Files         255      256       +1     
  Lines       14603    14643      +40     
==========================================
+ Hits        13014    13049      +35     
- Misses       1589     1594       +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Sploder12 Sploder12 force-pushed the change-permissions-on-instances branch from 5a257a8 to 1e245a5 Compare November 13, 2024 17:53
levkropp
levkropp requested changes Nov 26, 2024
View reviewed changes
Copy link
Contributor

@levkropp levkropp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, it seems that codecov wants to see test coverage for some lines:

  • if (!MP_PLATFORM.set_root_as_owner(path)) in write_to
  • extract_image doesn't seem to have tests for it at all?

@Sploder12 Sploder12 marked this pull request as draft November 26, 2024 21:19
@Sploder12 Sploder12 marked this pull request as ready for review November 26, 2024 21:42
@Sploder12
Copy link
Contributor Author

I have decided that the vm_image_vault tests are out of the scope of this PR. This is because writing tests would require a significant refactor of unrelated code (see 1653 in Jira).

sharder996
sharder996 requested changes Nov 29, 2024
View reviewed changes
Copy link
Contributor

@sharder996 sharder996 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your work on this @Sploder12! Tackling these parts of the code can be tricky :)

Since this PR is closely related with #3782, there might be some overlap. But, here are some thoughts I had reviewing this:

  1. Existing instance directories/files do not have their permissions changed, only new instances.
  2. Is there a reason to apply permissions specifically to cloud_init_iso and instance directories and not to the other files stored within the data_directory and cache_directory?
  3. Would it be better/easier to apply blanket permissions on the storage_directory/cache_directory/data_directory in daemon_config? That would solve 1 if it doesn't interfere with 2.
  4. Instead of the name set_root_as_owner(), how about takeown()? If need be, it could default to root/admin with an option to set ownership to the current user. That would follow pretty closely the Windows definition of takeown.

@ricab ricab modified the milestones: 1.15.0, 1.15.1 Nov 29, 2024
@Sploder12
Copy link
Contributor Author

@sharder996

  1. Good point! Updating the permissions when the daemon starts is what I'm thinking to fix that, WDYT?
  2. Some files aren't as sensitive, but it might be worth covering those too, @ricab might have more thoughts on this.
  3. That might work, I'll give it a try
  4. I don't like takeown personally, reminds me too much of runic C string functions like wcsxfrm. But something like take_ownership or set_owner could be nice for that. WDYT?

@ricab
Copy link
Collaborator

ricab commented Dec 2, 2024
edited
Loading

Some files aren't as sensitive, but it might be worth covering those too, @ricab might have more thoughts on this.

I guess covering the whole directory would be safer for the future and agree with principle of least privilege better. We can always expose any thing we need on a case by case basis.

@Sploder12 Sploder12 marked this pull request as draft December 2, 2024 17:57
@Sploder12 Sploder12 force-pushed the change-permissions-on-instances branch 2 times, most recently from 3af663c to bafbd01 Compare December 4, 2024 17:28
@Sploder12 Sploder12 marked this pull request as ready for review December 4, 2024 20:12
@Sploder12 Sploder12 requested a review from sharder996 December 9, 2024 21:51
sharder996
sharder996 requested changes Dec 11, 2024
View reviewed changes
Copy link
Contributor

@sharder996 sharder996 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initial review pass and I noticed some things that I think could be improved. Will make a more detailed review afterwards.

By setting permissions on the top level data/cache directories, all sub-directories should inherit those permissions, correct? If so, some of the code could be cleaned up.

@Sploder12 Sploder12 marked this pull request as draft December 12, 2024 16:58
@Sploder12 Sploder12 force-pushed the change-permissions-on-instances branch from d97135f to 36e630f Compare December 17, 2024 20:37
@Sploder12 Sploder12 changed the base branch from main to fix-platform-specific-functions-in-abstraction December 17, 2024 21:23
@Sploder12 Sploder12 force-pushed the fix-platform-specific-functions-in-abstraction branch from 5b088d8 to d50d4e4 Compare January 6, 2025 22:11
@Sploder12 Sploder12 force-pushed the change-permissions-on-instances branch 2 times, most recently from 2d9bed1 to 477d0b9 Compare January 7, 2025 21:05
@Sploder12 Sploder12 marked this pull request as ready for review January 9, 2025 18:24
@ricab
Copy link
Collaborator

ricab commented Jan 15, 2025

I meant to review this but I am a little bogged down with reviews right now. This has 2 reviewers already, so I'll leave it up to them.

@Sploder12 Sploder12 force-pushed the fix-platform-specific-functions-in-abstraction branch from 024baf7 to 48de023 Compare January 17, 2025 21:10
@Sploder12 Sploder12 force-pushed the change-permissions-on-instances branch from 477d0b9 to 4a1b649 Compare January 17, 2025 21:42
@Sploder12 Sploder12 force-pushed the change-permissions-on-instances branch from 4a1b649 to ad94156 Compare January 21, 2025 22:12
@Sploder12 Sploder12 force-pushed the fix-platform-specific-functions-in-abstraction branch from f401971 to ab13596 Compare January 24, 2025 16:40
@Sploder12 Sploder12 force-pushed the change-permissions-on-instances branch from ad94156 to ad5d54e Compare January 24, 2025 18:11
Base automatically changed from fix-platform-specific-functions-in-abstraction to main January 27, 2025 12:47
@ricab ricab modified the milestones: 1.15.1, 1.16.0 Feb 20, 2025
@Sploder12
[daemon] Change permissions for instances to root only
13bf2be 
# Conflicts:
#	src/utils/vm_image_vault_utils.cpp
@Sploder12
[lxd] Change instance image permissions to root only
6b5b9d9
@Sploder12
[tests] Add permission related tests for cloud_init
5429258
@Sploder12
[permissions] Add permission utils
42cc9df
@Sploder12
[tests] Add permission utils tests
fb1070d
@Sploder12
[daemon] Restrict permissions on data and cache dirs
263cbea
@Sploder12
[permissions] Remove root option from take ownership
d769021
@Sploder12
[tests] Change utils to use permission utils
8631702
@Sploder12
[format] Fix formatting broken by rebase conflicts
b5d1167
@Sploder12
Address some review comments
7637a2a
@Sploder12
Unify after rebase
3c50cb4
@Sploder12
Readd permission setting to new files/folders
af1ef2f
@Sploder12
[permissions] Remove all but top-level permission change
581d80f
@Sploder12
[permissions] Use umask on unix
33661d2
@Sploder12
Change Qt permissions to std
bb7c67b 
# Conflicts:
#	tests/linux/test_platform_linux.cpp
@Sploder12
Remove leftover Qt permissions
0709fb0
@Sploder12
Cleanup rebase
0429e81
@Sploder12
Address some review comments
7a6e292
@Sploder12
Remove unused permissions functions
3137add
@Sploder12
Address Review comments
e6fee0a
@Sploder12 Sploder12 force-pushed the change-permissions-on-instances branch from 8da9d37 to e6fee0a Compare February 20, 2025 17:44
levkropp
levkropp approved these changes Feb 21, 2025
View reviewed changes
Copy link
Contributor

@levkropp levkropp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well done with these changes! Tests pass including new ones, and I can see the permissions are changed for the cache and data folders with no loss in functionality to multipass:

this PR:

/var/snap/multipass/common/cache/multipassd# ls -l
total 40
-rwx------ 1 root root 32287 Feb 21 10:11 multipass-blueprints.zip
drwx------ 4 root root  4096 Feb 12 10:30 network-cache
drwx------ 3 root root  4096 Feb 21 10:11 vault

/var/snap/multipass/common/data/multipassd# ls -l
total 28
drwx------ 2 root root 4096 Feb 12 10:30 authenticated-certs
drwx------ 2 root root 4096 Feb 12 10:30 certificates
-rwx------ 1 root root 5142 Feb 21 10:13 multipassd-vm-instances.json
drwx------ 2 root root 4096 Feb 21 10:11 network
drwx------ 2 root root 4096 Feb 12 10:30 ssh-keys
drwx------ 3 root root 4096 Feb 19 22:21 vault

current main:

/var/snap/multipass/common/data/multipassd# ls -l
total 24
drwxr-xr-x 2 root root 4096 Feb 21 10:25 authenticated-certs
drwxr-xr-x 2 root root 4096 Feb 21 10:25 certificates
-rw-r--r-- 1 root root 1567 Feb 21 10:30 multipassd-vm-instances.json
drwxr-xr-x 2 root root 4096 Feb 21 10:25 network
drwxr-xr-x 2 root root 4096 Feb 21 10:25 ssh-keys
drwxr-xr-x 3 root root 4096 Feb 21 10:26 vault

/var/snap/multipass/common/cache/multipassd# ls -l
total 40
-rw-r--r-- 1 root root 32287 Feb 21 10:25 multipass-blueprints.zip
drwxr-xr-x 4 root root  4096 Feb 21 10:25 network-cache
drwxr-xr-x 3 root root  4096 Feb 21 10:26 vault

@ricab ricab requested a review from sharder996 February 24, 2025 11:50
sharder996
sharder996 approved these changes Feb 24, 2025
View reviewed changes
Copy link
Contributor

@sharder996 sharder996 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks much better now. Thanks @Sploder12!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@levkropp levkropp levkropp approved these changes

@sharder996 sharder996 sharder996 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.16.0
Development

Successfully merging this pull request may close these issues.

Multipass service does not start properly on Windows (Installed in French language!)
4 participants
@Sploder12 @ricab @levkropp @sharder996