Re: [ovirt-users] Building ovirt-engine fails due to failing estCanReadFile(org.ovirt.engine.core.utils.servlet.ServletUtilsTest): We should not be able to read this file.

[Yedidyah Bar David]

On Tue, May 23, 2017 at 12:16 PM, Leni Kadali Mutungi
 wrote:
> On 5/23/17, Yedidyah Bar David  wrote:
>> On Tue, May 23, 2017 at 6:21 AM, Leni Kadali Mutungi
>>  wrote:
>>> Tried to build ovirt-engine on my computer using the command `make
>>> clean install-dev`, on Debian Testing.
>>>
>>> The full output of the error is as follows:
>>> https://paste.fedoraproject.org/paste/F6p~LVdNtFlpzQijMbSIYV5M1UNdIGYhyRLivL9gydE=
>>
>> Did you search the code for relevant parts of the error message?
>> Searching for 'We should not be able to read this file' finds it in
>> backend/manager/modules/utils/src/test/java/org/ovirt/engine/core/utils/servlet/ServletUtilsTest.java
>> twice - once when trying to read '/doesnotexist/iamprettysure', and
>> the other when trying to read '/etc/securetty'.
> I did not think to look for the file. Will remember this in future.
>
>> The latter file is 0600 on Fedora, RHEL and derivatives. I guess it's
>> readable for your user on your system, which might not be a good idea
>> in itself - but that's a different discussion.
>>
>> Some options for how to continue:
>>
>> 1. Submit a patch for the engine to change this test to test for some
>> other file that is more likely to be unreadable, e.g. /etc/shadow.
>>
>> 2. Locally set it on your system to be unreadable to you.
>>
>> 3. Assuming it's Debian's default, ask on Debian lists/forums to
>> change it to be non-world-readable and/or why it's not like that
>> already.
>>
>> 4. Ignore unit tests for now, 'make BUILD_UT=0 install-dev'. Check
>> README.adoc for details.
> I am ccing the Deb Virtualization Team for this, in the hopes that
> they may have a different opinion, but when I asked in the #debian IRC
> channel on OFTC, I was told that the file is now presently read by
> pam_securetty so permissions of 0600 would be fine, though the person
> responding didn't see the use of making the permissions stricter than
> they already are (0644). Maybe you could elaborate on the importance
> of having this set to 0600?

I suggest to search the net etc. for more info on this. My intuitive
answer is that if a user can read the list of terminals that root can
login through, that user now has some useful information when trying
to break into the system, so better hide that if possible.

Fedora dropped this file altogether:

https://bugzilla.redhat.com/show_bug.cgi?id=1090639

Which is another reason for going with (1.) above.

> Pending that I will go for option 4, and
> choose from options 1 to 3 when packaging for Debian.
>
>>> I modified the following variables in the Makefile to suit where the
>>> required files are:
>>>
>>> JS_DEPS_DIR=/home/user/ovirt-js-dependencies
>>> PYFLAKES=/usr/bin/pyflakes
>>> JBOSS_HOME=/home/user/wildfly-11.0.0.Alpha1
>>> WILDFLY_OVERLAY_MODULES=/home/user/wildfly-11.0.0.Alpha1/modules
>>>
>>> I have pep8 but was unable to know how to correctly reference it in
>>> the Makefile, the syntax being:
>>>
>>> PEP8=pep8
>>
>> This should probably be ok, unless your version of pep8 is too old/
>> too new/has different defaults than what we use in CI (which is the
>> "common denominator").
>>
>> Good luck,
>>
>>>
>>> Advice on this would be welcome.
>>>
>>>
>>> --
>>> - Warm regards
>>> Leni Kadali Mutungi
>>> ___
>>> Users mailing list
>>> Users@ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>
>> --
>> Didi
>
>
> --
> - Warm regards
> Leni Kadali Mutungi



-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Building ovirt-engine fails due to failing estCanReadFile(org.ovirt.engine.core.utils.servlet.ServletUtilsTest): We should not be able to read this file.

[Leni Kadali Mutungi]

On 5/23/17, Yedidyah Bar David  wrote:
> On Tue, May 23, 2017 at 6:21 AM, Leni Kadali Mutungi
>  wrote:
>> Tried to build ovirt-engine on my computer using the command `make
>> clean install-dev`, on Debian Testing.
>>
>> The full output of the error is as follows:
>> https://paste.fedoraproject.org/paste/F6p~LVdNtFlpzQijMbSIYV5M1UNdIGYhyRLivL9gydE=
>
> Did you search the code for relevant parts of the error message?
> Searching for 'We should not be able to read this file' finds it in
> backend/manager/modules/utils/src/test/java/org/ovirt/engine/core/utils/servlet/ServletUtilsTest.java
> twice - once when trying to read '/doesnotexist/iamprettysure', and
> the other when trying to read '/etc/securetty'.
I did not think to look for the file. Will remember this in future.

> The latter file is 0600 on Fedora, RHEL and derivatives. I guess it's
> readable for your user on your system, which might not be a good idea
> in itself - but that's a different discussion.
>
> Some options for how to continue:
>
> 1. Submit a patch for the engine to change this test to test for some
> other file that is more likely to be unreadable, e.g. /etc/shadow.
>
> 2. Locally set it on your system to be unreadable to you.
>
> 3. Assuming it's Debian's default, ask on Debian lists/forums to
> change it to be non-world-readable and/or why it's not like that
> already.
>
> 4. Ignore unit tests for now, 'make BUILD_UT=0 install-dev'. Check
> README.adoc for details.
I am ccing the Deb Virtualization Team for this, in the hopes that
they may have a different opinion, but when I asked in the #debian IRC
channel on OFTC, I was told that the file is now presently read by
pam_securetty so permissions of 0600 would be fine, though the person
responding didn't see the use of making the permissions stricter than
they already are (0644). Maybe you could elaborate on the importance
of having this set to 0600? Pending that I will go for option 4, and
choose from options 1 to 3 when packaging for Debian.

>> I modified the following variables in the Makefile to suit where the
>> required files are:
>>
>> JS_DEPS_DIR=/home/user/ovirt-js-dependencies
>> PYFLAKES=/usr/bin/pyflakes
>> JBOSS_HOME=/home/user/wildfly-11.0.0.Alpha1
>> WILDFLY_OVERLAY_MODULES=/home/user/wildfly-11.0.0.Alpha1/modules
>>
>> I have pep8 but was unable to know how to correctly reference it in
>> the Makefile, the syntax being:
>>
>> PEP8=pep8
>
> This should probably be ok, unless your version of pep8 is too old/
> too new/has different defaults than what we use in CI (which is the
> "common denominator").
>
> Good luck,
>
>>
>> Advice on this would be welcome.
>>
>>
>> --
>> - Warm regards
>> Leni Kadali Mutungi
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
> --
> Didi


-- 
- Warm regards
Leni Kadali Mutungi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Building ovirt-engine fails due to failing estCanReadFile(org.ovirt.engine.core.utils.servlet.ServletUtilsTest): We should not be able to read this file.

[Yedidyah Bar David]

On Tue, May 23, 2017 at 6:21 AM, Leni Kadali Mutungi
 wrote:
> Tried to build ovirt-engine on my computer using the command `make
> clean install-dev`, on Debian Testing.
>
> The full output of the error is as follows:
> https://paste.fedoraproject.org/paste/F6p~LVdNtFlpzQijMbSIYV5M1UNdIGYhyRLivL9gydE=

Did you search the code for relevant parts of the error message?
Searching for 'We should not be able to read this file' finds it in
backend/manager/modules/utils/src/test/java/org/ovirt/engine/core/utils/servlet/ServletUtilsTest.java
twice - once when trying to read '/doesnotexist/iamprettysure', and
the other when trying to read '/etc/securetty'.

The latter file is 0600 on Fedora, RHEL and derivatives. I guess it's
readable for your user on your system, which might not be a good idea
in itself - but that's a different discussion.

Some options for how to continue:

1. Submit a patch for the engine to change this test to test for some
other file that is more likely to be unreadable, e.g. /etc/shadow.

2. Locally set it on your system to be unreadable to you.

3. Assuming it's Debian's default, ask on Debian lists/forums to
change it to be non-world-readable and/or why it's not like that
already.

4. Ignore unit tests for now, 'make BUILD_UT=0 install-dev'. Check
README.adoc for details.

>
> I modified the following variables in the Makefile to suit where the
> required files are:
>
> JS_DEPS_DIR=/home/user/ovirt-js-dependencies
> PYFLAKES=/usr/bin/pyflakes
> JBOSS_HOME=/home/user/wildfly-11.0.0.Alpha1
> WILDFLY_OVERLAY_MODULES=/home/user/wildfly-11.0.0.Alpha1/modules
>
> I have pep8 but was unable to know how to correctly reference it in
> the Makefile, the syntax being:
>
> PEP8=pep8

This should probably be ok, unless your version of pep8 is too old/
too new/has different defaults than what we use in CI (which is the
"common denominator").

Good luck,

>
> Advice on this would be welcome.
>
>
> --
> - Warm regards
> Leni Kadali Mutungi
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users



-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] Building ovirt-engine fails due to failing estCanReadFile(org.ovirt.engine.core.utils.servlet.ServletUtilsTest): We should not be able to read this file.

[Leni Kadali Mutungi]

Tried to build ovirt-engine on my computer using the command `make
clean install-dev`, on Debian Testing.

The full output of the error is as follows:
https://paste.fedoraproject.org/paste/F6p~LVdNtFlpzQijMbSIYV5M1UNdIGYhyRLivL9gydE=

I modified the following variables in the Makefile to suit where the
required files are:

JS_DEPS_DIR=/home/user/ovirt-js-dependencies
PYFLAKES=/usr/bin/pyflakes
JBOSS_HOME=/home/user/wildfly-11.0.0.Alpha1
WILDFLY_OVERLAY_MODULES=/home/user/wildfly-11.0.0.Alpha1/modules

I have pep8 but was unable to know how to correctly reference it in
the Makefile, the syntax being:

PEP8=pep8

Advice on this would be welcome.


-- 
- Warm regards
Leni Kadali Mutungi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users