Jeroen T. Vermeulen has proposed merging lp:~jtv/maas/bug-1042865 into lp:maas.

Requested reviews:
  MAAS Maintainers (maas-maintainers)
Related bugs:
  Bug #1042865 in MAAS: "maas-import-pxe-files sets incorrect permissions for 
commissioning dir"
  https://bugs.launchpad.net/maas/+bug/1042865

For more details, see:
https://code.launchpad.net/~jtv/maas/bug-1042865/+merge/121990

If the import scripts run with an overly strict umask, maas-import-ephemerals 
may produce a "commissioning" image directory that the TFTP server is not 
allowed to read.

The reason seems to be that the download code creates a temporary directory to 
download in, then sets a more permissive umask, and finally calls into 
maas-provision to install the new image — which copies the temporary directory 
including its permissions from the time with the stricter umask.

In this branch I address that in two ways:

1. The umask really didn't belong in the inner loop, since it affects global 
script state.  I hoisted it up to a global level, so that the temporary 
directory is created with the new umask.

2. Before copying the image, I make it world-readable.  The "X" flag on chmod 
pertains to the "search" permission.  It sets the "x" bit on directories 
("search") but not on files ("execute").

One open question is what happens to systems that had a non-world-readable 
directory created by an import script run from an older maas version.  That 
might be worth fixing up in postinst for now.  We don't need to carry it around 
forever: a permissions problem with the image goes away as soon as the script 
downloads the first image update.  (Also, chmod -R a+rX is much easier to do in 
shell than in python.)

Sadly, the ephemerals import script has not been made testable and is not 
tested.  I can't even run it locally.  We'll have to see in Q/A whether this 
really fixes the problem.


Jeroen
-- 
https://code.launchpad.net/~jtv/maas/bug-1042865/+merge/121990
Your team MAAS Maintainers is requested to review the proposed merge of 
lp:~jtv/maas/bug-1042865 into lp:maas.
=== modified file 'scripts/maas-import-ephemerals'
--- scripts/maas-import-ephemerals	2012-08-15 12:54:49 +0000
+++ scripts/maas-import-ephemerals	2012-08-30 06:22:19 +0000
@@ -295,10 +295,6 @@
         cp -- "$src/$filename" "$tmpdir/"
     done
 
-    # All files we create here are public.  The TFTP user will need to be
-    # able to read them.
-    umask a+r
-
     debug 1 "maas-provision install-pxe-image --arch=$arch --subarch=$subarch --release=$release --purpose=commissioning --image=$tmpdir"
     maas-provision install-pxe-image \
         --arch=$arch --subarch=$subarch --release=$release \
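Review bot: with the umask call removed from this function, nothing at this site guarantees that $tmpdir, the directory actually passed as --image, is readable by the TFTP user. The cp into "$tmpdir/" is the last visible step that touches it, and how $tmpdir is created is outside this hunk. Consider running chmod -R a+rX "$tmpdir" immediately before the maas-provision install-pxe-image call, so the guarantee sits next to the consumer instead of depending on the caller and the global umask.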
@@ -346,6 +342,12 @@
 EOF
 fi
 
+
+# All files we create here are public.  The TFTP user will need to be
+# able to read them.
+umask a+r
+
+
 updates=0
 for release in $RELEASES; do
     for arch in $ARCHES; do
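Review bot: umask a+r only clears the read bits of the mask, so if the script inherits a strict umask such as 077 the result is 033, and directories created after this point come out as 0744: listable by the TFTP user but not searchable. Setting umask a+rx (or an explicit umask 022) here would cover directories as well; regular files are still created without execute bits either way. The comment could also state that the setting is deliberately global and has to precede any temporary directory creation.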
@@ -372,6 +374,7 @@
                 "$r_serial" "$r_arch" "$r_url" "$r_name" ||
                 fail "failed to prepare image for $release/$arch"
 
+            chmod -R a+rX "$wd"
             install_tftp_image "$wd" "$r_arch" "generic" "$r_release"
 
             target_name="${TARGET_NAME_PREFIX}${r_name}"
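Review bot: the new chmod -R a+rX "$wd" has no failure check, while the step just above it ends in || fail "failed to prepare image for $release/$arch". Unless the script runs under set -e, which these lines do not show, a failed chmod lets install_tftp_image go ahead with an image that may still be unreadable, which is the situation this branch is meant to prevent. Suggest appending || fail "failed to make image readable for $release/$arch".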

_______________________________________________
Mailing list: https://launchpad.net/~launchpad-reviewers
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~launchpad-reviewers
More help   : https://help.launchpad.net/ListHelp
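The permission behaviour described in the message above, reproduced as an added shell example (not code from the MAAS branch). The directory and file names are constructed, and `cp -Rp` stands in for the permission-preserving copy that the message attributes to maas-provision.

```shell
#!/bin/sh
# Constructed demo: everything lives under a throwaway mktemp directory.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build an image tree under a strict umask, widen the umask with "a+r",
# optionally run chmod -R a+rX, then make a mode-preserving copy.
# $1 is "before" (no chmod) or "after" (chmod applied).
# Prints: "<copied dir> <copied file> <copied script> <dir made after umask a+r>"
demo_modes() {
    stage=$1
    (
        root=$(mktemp -d) || exit 1
        umask 077                         # overly strict umask from the caller
        mkdir "$root/wd"                  # hypothetical download directory
        echo kernel > "$root/wd/linux"    # plain data file
        printf '#!/bin/sh\n' > "$root/wd/hook"
        chmod u+x "$root/wd/hook"         # file that already has an execute bit

        umask a+r                         # too late for what already exists
        mkdir "$root/late"                # created under the widened umask

        if [ "$stage" = after ]; then
            # X adds search on directories and execute only where a file
            # already has some execute bit; plain files just gain read.
            chmod -R a+rX "$root/wd"
        fi

        cp -Rp "$root/wd" "$root/installed"   # copy keeps the source modes
        result="$(mode_of "$root/installed") $(mode_of "$root/installed/linux")"
        result="$result $(mode_of "$root/installed/hook") $(mode_of "$root/late")"
        rm -rf "$root"
        echo "$result"
    )
}

echo "without chmod: $(demo_modes before)"
echo "with chmod:    $(demo_modes after)"
```

The last field stays at 744 in both runs: starting from 077, `umask a+r` grants read but not search on newly created directories.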
