Added user and group checks. Auto create socket dir. #205
Conversation
|
I've tested this on my machine with a If I add my local user to |
sbailey-arm
force-pushed
the
add-user-and-group-checks-to-service
branch
2 times, most recently
from
ab5de20 to
1404b42
Compare
|
(This isn't going to pass our stock CI as it won't be using the |
I really like having the ability to do this! It'll make life much easier for admins... but, at the same time, I'd also like to give them an option - at the moment the only way to not have this run is by using the I was thinking you could add a new section in the config file, something like [fs-permissions]
service-user = "parsec"
clients-group = "parsec-clients"If the section exists, the feature is enabled, and it will be enabled in our example config file. We could add these fields (and a boolean flag tracking if it's enabled) in the Thoughts? |
That sounds like a good idea. It makes it easier for admins to enable or disable this feature, and they can also specify their own Parsec user and group. |
|
I agree with having a separate |
Makes sense. I really wish we could make this synchronisation problem disappear somehow - both around the paths and the usernames/groups |
So would this mean we have a |
|
@ionut-arm If this feature is meant to be activated by default, do you think we could have it at build time? Like the one in the Rust client? |
Yeah, I think if we don't want to make any of the values configurable, just compiling it in (or not) makes sense |
|
Isn't this what's already there? The compile time option |
Yep, that makes sense, just renaming it should be fine. I didn't realise it was a feature created by this PR, thought it was older (like in some other crates) |
sbailey-arm
force-pushed
the
add-user-and-group-checks-to-service
branch
3 times, most recently
from
d42db07 to
2285d90
Compare
|
I've changed the feature to |
This commit adds a GlobalConfig structure with a `log_error_details` flag which controls if Rust error objects are logged along with the message. A `format_error` macro is also added to make the conditional logging easier. Signed-off-by: Ionut Mihalcea <[email protected]>
sbailey-arm
force-pushed
the
add-user-and-group-checks-to-service
branch
from
2285d90 to
91c838d
Compare
|
I guess on the CI we do not have to active the feature. But we should at some point add tests for a secure deployment where all checks are in place. |
src/front/domain_socket.rs
Outdated
| } else { | ||
| // Invalid path - socket should not be created in root | ||
| // `socket.path` returns None if there is no parent directory (i.e. is in root) | ||
| error!("Socket path {} is invalid.", SOCKET_PATH); | ||
| return Err(Error::new( | ||
| ErrorKind::InvalidInput, | ||
| "Socket path is invalid", | ||
| )); | ||
| } |
There was a problem hiding this comment.
Is this part actually needed, since the path is declared statically at the top?
There was a problem hiding this comment.
I don't think so. It was added because socket.parent() can fail, but should never in our case. Does it make sense to remove the else? It should never be hit, but then if you look at the code without the else, it looks like it would continue as normal, even if it failed. Maybe converting the Option that parent() returns to a Result and returning the error (if there is one - which there never should be!) instead, to make the code more compact?
There was a problem hiding this comment.
You can simply unwrap the result of socket.parent() - even if we ever change it to something where that fails, the service won't start so the CI will let us know.
sbailey-arm
force-pushed
the
add-user-and-group-checks-to-service
branch
from
91c838d to
f709548
Compare
I've modified the CI script to add |
|
For the problem you described, it might be better to do something similar as in the client: have a |
sbailey-arm
force-pushed
the
add-user-and-group-checks-to-service
branch
from
f709548 to
8f83866
Compare
|
There seems to have been two Travis Builds triggered by this PR. Weird. |
| "Parsec run as incorrect user", | ||
| )); | ||
| } | ||
| // Check Parsec client group exists and parsec user is a member of it |
There was a problem hiding this comment.
Does parsec need to be part of parsec-clients? Since parsec owns the socket dir, can't they use it how they want?
There was a problem hiding this comment.
A user has to be a member of a group in order to change permissions of the group to that group. So if parsec is not a member of parsec-clients, it cannot change the group permission of the directory to parsec-clients.
There was a problem hiding this comment.
I see, that makes sense, thanks.
|
With this PR, the |
Should we just get it into that state now instead of coming up with a stopgap that will definitely be changed at somepoint? |
Parsec must be run as user `parsec` and `parsec` must be member of group `parsec-client`. This is disabled if feature `testing` is specified. Also auto created `/tmp/parsec` if it does not already exist. Signed-off-by: Samuel Bailey <[email protected]>
sbailey-arm
force-pushed
the
add-user-and-group-checks-to-service
branch
from
8f83866 to
6d9d9d9
Compare
I think some deployments might want to use this setup, even if we don't really recommend it. But maybe we should force them not to anyway - to at least use the peer credential authentication. That might be the "least secure" option we offer, converting the
Not really, because right now we need the |
|
Oops sorry for closing 😅 I agree with your points and I think this is fine to go with this now. My main concern is that there will be some changes needed in this code if we remove the |
Parsec must be run as user
parsecandparsecmust be member of groupparsec-client.This is disabled if feature
testingis specified.Also auto created
/tmp/parsecif it does not already exist with ownership set to userparsecand groupparsec_clients. Userparsecmust be a member ofparsec_clientsin order for it to be able to change group ownership to itSigned-off-by: Samuel Bailey [email protected]