set acl permissions on workdir root

In machines with umask set to `0027` it is necessary to setup an acl to overide it so the workdir root directory stays multi-user access. This is specially necessary on machines accessed with a non-root user, that are hardened to CIS Level 1 guidelines. Fixes: #2496 Signed-off-by: Carlos Rodriguez-Fernandez <[email protected]>
teemtee · Dec 3, 2023 · 9b5ad48 · 9b5ad48
1 parent 6a00e2f
commit 9b5ad48
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 0 deletions.
diff --git a/examples/plugins/provision.py b/examples/plugins/provision.py
@@ -84,6 +84,7 @@ def go(self):
 
         self._guest = GuestExample(data, name=self.name, parent=self.step)
         self._guest.start()
+        self._guest.setup()
 
     def guest(self):
         """
@@ -106,6 +107,7 @@ class GuestExample(tmt.Guest):
     user ....... user name to log in
     key ........ private key
     password ... password
+    become ..... whether to run the scripts with sudo
 
     These are by default imported into instance attributes (see the
     class attribute '_keys' in tmt.Guest class).
@@ -186,6 +188,16 @@ def start(self):
         raise tmt.utils.ProvisionError(
             "All attempts to provision a machine with example failed.")
 
+    def setup(self):
+        """
+        Setup the guest
+
+        This should include all necessary configurations inside the instance
+        to get the plans to work. For example, ensure the permissions in
+        TMT_WORKDIR_ROOT will work if the user is non-root.
+        """
+        print("setup() called")
+
     # For advanced development
     def execute(self, command, **kwargs):
         """

diff --git a/tmt/steps/provision/__init__.py b/tmt/steps/provision/__init__.py
@@ -41,6 +41,7 @@
     SerializableContainer,
     ShellScript,
     cached_property,
+    effective_workdir_root,
     field,
     key_to_option,
     )
@@ -645,6 +646,13 @@ def start(self) -> None:
         """
         self.debug(f"Doing nothing to start guest '{self.guest}'.")
 
+    def setup(self) -> None:
+        """
+        Setup the guest
+
+        Setup the guest after it has been started. It is called after start().
+        """
+
     # A couple of requiremens for this field:
     #
     # * it should be valid, i.e. when someone tries to access it, the values
@@ -1268,6 +1276,23 @@ def is_ready(self) -> bool:
         # Enough for now, ssh connection can be created later
         return self.guest is not None
 
+    def setup(self) -> None:
+        if self.is_dry_run:
+            return
+        if self.guest is None and not self.is_dry_run:
+            raise tmt.utils.GeneralError('The guest is not available.')
+        if not self.facts.is_superuser and self.become:
+            assert self.facts.package_manager is not None
+            self.execute(
+                Command(
+                    'sudo',
+                    f'{self.facts.package_manager.value}',
+                    'install',
+                    '-y',
+                    'acl'))
+            workdir_root = effective_workdir_root()
+            self.execute(Command('setfacl', '-d', '-m', 'o:rX', f'{workdir_root}'))
+
     def execute(self,
                 command: Union[tmt.utils.Command, tmt.utils.ShellScript],
                 cwd: Optional[Path] = None,

diff --git a/tmt/steps/provision/artemis.py b/tmt/steps/provision/artemis.py
@@ -725,6 +725,7 @@ def go(self) -> None:
             name=self.name,
             parent=self.step)
         self._guest.start()
+        self._guest.setup()
 
     def guest(self) -> Optional[GuestArtemis]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/connect.py b/tmt/steps/provision/connect.py
@@ -107,6 +107,7 @@ def go(self) -> None:
             data=data,
             name=self.name,
             parent=self.step)
+        self._guest.setup()
 
     def guest(self) -> Optional[tmt.GuestSsh]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/local.py b/tmt/steps/provision/local.py
@@ -167,6 +167,7 @@ def go(self) -> None:
             self.warn("The 'local' provision plugin does not support hardware requirements.")
 
         self._guest = GuestLocal(logger=self._logger, data=data, name=self.name, parent=self.step)
+        self._guest.setup()
 
     def guest(self) -> Optional[GuestLocal]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/mrack.py b/tmt/steps/provision/mrack.py
@@ -719,6 +719,7 @@ def go(self) -> None:
             logger=self._logger,
             )
         self._guest.start()
+        self._guest.setup()
 
     def guest(self) -> Optional[GuestBeaker]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/podman.py b/tmt/steps/provision/podman.py
@@ -435,6 +435,7 @@ def go(self) -> None:
             name=self.name,
             parent=self.step)
         self._guest.start()
+        self._guest.setup()
 
     def guest(self) -> Optional[GuestContainer]:
         """ Return the provisioned guest """

diff --git a/tmt/steps/provision/testcloud.py b/tmt/steps/provision/testcloud.py
@@ -914,6 +914,7 @@ def _report_support(constraint: tmt.hardware.Constraint) -> bool:
             name=self.name,
             parent=self.step)
         self._guest.start()
+        self._guest.setup()
 
     def guest(self) -> Optional[tmt.Guest]:
         """ Return the provisioned guest """