moresandeep commented on PR #1151: URL: https://github.com/apache/knox/pull/1151#issuecomment-3935199636
> The use of a fixed GID and group-based access makes sense for Helm/Kubernetes compatibility.
>
> However, granting `g+rwx` on all directories under `home/knox` may be broader than necessary.
>
> Since the JIRA mentions keystore updates specifically, would it be safer to restrict write permissions to the directories that actually need mutation (e.g., `data/security/keystores`, possibly `conf`)?
>
> This would better follow the principle of least privilege while preserving the intended functionality.

Good point. The issue is that we need to move other resources as well, e.g. gateway-site.xml; there could be additional binaries that need moving, and then there are also the init scripts for gateway and LDAP.

Specifically, the problem with k8s installations is: the path `/home/knox/knox/data/security/keystores/truststore.jks` requires execute permission on every parent directory:

- `/home/knox` = needs `g+x`
- `/home/knox/knox` = needs `g+x`
- `/home/knox/knox/data` = needs `g+x`
- `/home/knox/knox/data/security` = needs `g+x` (from fsGroup + emptyDir)
- `/home/knox/knox/data/security/keystores` = needs `g+x`

If any of these lack `g+x`, the entire path becomes inaccessible.

Now, just making `data/security/keystores`, possibly `conf`, writable, the issue I ran into is:

```
# Even if security/ is 777
$ ls -ld /home/knox/knox/data/security
drwxrwxrwx 2 8000 8000 ... security

# If parent data/ is 750 (no group execute)
$ ls -ld /home/knox/knox/data
drwxr-x--- 2 8000 8000 ... data

# Process CANNOT reach security/ at all
$ ls /home/knox/knox/data/security
ls: cannot access '/home/knox/knox/data/security': Permission denied
```

The process is blocked at the parent directory before it even reaches the target binary.
To sum up, `g+rwx` on ALL directories is needed because:

- Execute permission = to traverse through directories
- Arbitrary UIDs rely on group permissions (not owner permissions)
- Path resolution requires execute on ALL parent directories in the path
- Without it, the process gets "Permission denied" even if the target has correct permissions

NOTE: I mentioned emptyDir; this is a Helm construct and a whole different mess as to why it is needed :)
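As an added illustration of the traversal rule discussed in the comment above (this is not code from the PR or the Knox project): a small Python checker that applies the POSIX search-bit rule to each parent directory and reports the first component that blocks an arbitrary-UID process. The directory tree, modes, UID and GID values are constructed, with `data/` deliberately given no group search bit; `dirs_from_fs` builds the same list from a live filesystem so the check can be run inside a container.

```python
import os
import stat

# Identity of a Kubernetes pod process: arbitrary UID, fixed knox GID 8000
# supplied through fsGroup. Constructed values, not taken from the PR.
ARBITRARY_UID = 1000670000
KNOX_GID = 8000

# Every directory on the way to the truststore as (path, mode, uid, gid),
# constructed to mirror the comment's layout; data/ is 0740 (no group x).
TREE_BEFORE = [
    ("/home/knox", 0o770, 8000, 8000),
    ("/home/knox/knox", 0o770, 8000, 8000),
    ("/home/knox/knox/data", 0o740, 8000, 8000),
    ("/home/knox/knox/data/security", 0o777, 8000, 8000),
    ("/home/knox/knox/data/security/keystores", 0o770, 8000, 8000),
]
# The same tree after `g+rwx` on every directory, as the PR applies it.
TREE_AFTER = [(p, m | 0o070, u, g) for p, m, u, g in TREE_BEFORE]

def has_search_bit(mode, owner_uid, owner_gid, uid, gids):
    """POSIX x (search) check for one directory: owner class if uid matches,
    else group class if the dir's gid is in the process groups, else other.
    Root bypasses the bits; capabilities and ACLs are not modelled."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def first_blocker(dirs, uid, gids):
    """First parent that denies traversal, or None. Resolution stops at the
    first denied component, regardless of the target's own mode."""
    for path, mode, owner_uid, owner_gid in dirs:
        if not has_search_bit(mode, owner_uid, owner_gid, uid, gids):
            return path
    return None

def dirs_from_fs(file_path):
    """Same list built from a live filesystem via os.stat, root first."""
    dirs, cur = [], os.path.dirname(os.path.abspath(file_path))
    while True:
        st = os.stat(cur)
        dirs.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        parent = os.path.dirname(cur)
        if parent == cur:
            return list(reversed(dirs))
        cur = parent
```

Running `first_blocker(dirs_from_fs(path), os.getuid(), set(os.getgroups()))` inside the container reports which parent directory, if any, stops the gateway process before it reaches the keystore.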
