From 894311a57200c5bc2094890033d6df0867d52c43 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Wed, 24 Apr 2019 00:08:43 +0300 Subject: [PATCH 01/10] __acl: if users/groups check fail, log error and exit in explorer --- cdist/conf/type/__acl/explorer/missing_users_groups | 3 ++- cdist/conf/type/__acl/gencode-remote | 8 -------- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/cdist/conf/type/__acl/explorer/missing_users_groups b/cdist/conf/type/__acl/explorer/missing_users_groups index b4af614c..2f3b9e6d 100755 --- a/cdist/conf/type/__acl/explorer/missing_users_groups +++ b/cdist/conf/type/__acl/explorer/missing_users_groups @@ -40,7 +40,8 @@ do if ! getent "$getent_db" "$check" > /dev/null then - echo "missing $parameter '$check'" + echo "missing $parameter '$check'" >&2 + exit 1 fi done \ < "$__object/parameter/$parameter" diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index a0f25a15..c0594497 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -22,14 +22,6 @@ file_is="$( cat "$__object/explorer/file_is" )" [ "$file_is" = 'missing' ] && exit 0 -missing_users_groups="$( cat "$__object/explorer/missing_users_groups" )" - -if [ -n "$missing_users_groups" ] -then - echo "$missing_users_groups" >&2 - exit 1 -fi - os="$( cat "$__global/explorer/os" )" acl_is="$( cat "$__object/explorer/acl_is" )" From d66b6969f31ea2c7690a0b85a41a76d07b7ac3e0 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Wed, 24 Apr 2019 00:09:49 +0300 Subject: [PATCH 02/10] __acl: rename missing_users_groups explorer to more generic name for future checks --- cdist/conf/type/__acl/explorer/{missing_users_groups => checks} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cdist/conf/type/__acl/explorer/{missing_users_groups => checks} (100%) diff --git a/cdist/conf/type/__acl/explorer/missing_users_groups b/cdist/conf/type/__acl/explorer/checks similarity index 100% rename from cdist/conf/type/__acl/explorer/missing_users_groups rename to cdist/conf/type/__acl/explorer/checks From f586937614383ebf67e2bcbf061c0ab7b7847620 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Wed, 24 Apr 2019 00:36:53 +0300 Subject: [PATCH 03/10] __acl: drop Solaris because POSIX-draft ACL specification is not supported --- cdist/conf/type/__acl/gencode-remote | 48 ++++++++++++---------------- cdist/conf/type/__acl/man.rst | 6 ++-- 2 files changed, 22 insertions(+), 32 deletions(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index c0594497..61a83c8c 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -74,34 +74,26 @@ fi if [ -f "$__object/parameter/remove" ] then - if echo "$os" | grep -Fq 'solaris' - then - # Solaris setfacl behaves differently. - # We will not support Solaris for now, because no way to test it. - # But adding support should be easy (use -s instead of -m on modify). - echo "$os setfacl do not support -x flag for ACL remove" >&2 - else - echo "$acl_is" | while read -r acl - do - # Skip wanted ACL entries which already exist - # and skip mask and other entries, because we - # can't actually remove them, but only change. - if echo "$acl_should" | grep -Eq "^$acl" \ - || echo "$acl" | grep -Eq '^(default:)?(mask|other)' - then continue - fi - - if echo "$os" | grep -Eq 'macosx|freebsd' - then - remove="$acl" - else - remove="$( echo "$acl" | sed 's/:...$//' )" - fi - - echo "$setfacl_exec -x \"$remove\" \"$acl_path\"" - echo "removed '$remove'" >> "$__messages_out" - done - fi + echo "$acl_is" | while read -r acl + do + # Skip wanted ACL entries which already exist + # and skip mask and other entries, because we + # can't actually remove them, but only change. + if echo "$acl_should" | grep -Eq "^$acl" \ + || echo "$acl" | grep -Eq '^(default:)?(mask|other)' + then continue + fi + + if echo "$os" | grep -Eq 'macosx|freebsd' + then + remove="$acl" + else + remove="$( echo "$acl" | sed 's/:...$//' )" + fi + + echo "$setfacl_exec -x \"$remove\" \"$acl_path\"" + echo "removed '$remove'" >> "$__messages_out" + done fi for acl in $acl_should diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst index 092eb555..e6784c87 100644 --- a/cdist/conf/type/__acl/man.rst +++ b/cdist/conf/type/__acl/man.rst @@ -10,11 +10,9 @@ DESCRIPTION ----------- ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``. -Fully supported on Linux (tested on Debian and CentOS). +Fully supported and tested on Linux, partial support for FreeBSD. -Partial support for FreeBSD, OSX and Solaris. - -OpenBSD and NetBSD support is not possible. +OpenBSD, NetBSD and Solaris support is not possible. See ``setfacl`` and ``acl`` manpages for more details. From 4c21983698932e17ca9276873e32a908b4235bf7 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Wed, 24 Apr 2019 00:39:54 +0300 Subject: [PATCH 04/10] __acl: remove macosx because no way to properly test --- cdist/conf/type/__acl/gencode-remote | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 61a83c8c..ef903816 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -64,7 +64,7 @@ setfacl_exec='setfacl' if [ -f "$__object/parameter/recursive" ] then - if echo "$os" | grep -Eq 'macosx|freebsd' + if echo "$os" | grep -Fq 'freebsd' then echo "$os setfacl do not support recursive operations" >&2 else @@ -84,7 +84,7 @@ then then continue fi - if echo "$os" | grep -Eq 'macosx|freebsd' + if echo "$os" | grep -Fq 'freebsd' then remove="$acl" else @@ -100,7 +100,7 @@ for acl in $acl_should do if ! echo "$acl_is" | grep -Eq "^$acl" then - if echo "$os" | grep -Eq 'macosx|freebsd' \ + if echo "$os" | grep -Fq 'freebsd' \ && echo "$acl" | grep -Eq '^default:' then echo "setting default ACL in $os is currently not supported. sorry :(" >&2 From ca8bc959ed931734570b2c47d2d99c5b35c754a3 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 14 May 2019 13:27:43 +0300 Subject: [PATCH 05/10] __acl: add todo note --- cdist/conf/type/__acl/explorer/checks | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cdist/conf/type/__acl/explorer/checks b/cdist/conf/type/__acl/explorer/checks index 2f3b9e6d..2aae13f6 100755 --- a/cdist/conf/type/__acl/explorer/checks +++ b/cdist/conf/type/__acl/explorer/checks @@ -18,6 +18,8 @@ # along with cdist. If not, see . # +# TODO check if filesystem has ACL turned on etc + [ ! -e "/$__object_id" ] && exit 0 for parameter in user group From 7dfc5bc4736b00e8622555169c65800bb7bf4600 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 14 May 2019 13:41:32 +0300 Subject: [PATCH 06/10] __acl: we do not have to check here if file exist --- cdist/conf/type/__acl/explorer/checks | 2 -- 1 file changed, 2 deletions(-) diff --git a/cdist/conf/type/__acl/explorer/checks b/cdist/conf/type/__acl/explorer/checks index 2aae13f6..a2fcf44d 100755 --- a/cdist/conf/type/__acl/explorer/checks +++ b/cdist/conf/type/__acl/explorer/checks @@ -20,8 +20,6 @@ # TODO check if filesystem has ACL turned on etc -[ ! -e "/$__object_id" ] && exit 0 - for parameter in user group do if [ ! -f "$__object/parameter/$parameter" ] From 7a25ec00edb8458c8a11de3971024a9f99d1ba47 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Tue, 14 May 2019 13:42:56 +0300 Subject: [PATCH 07/10] __acl: add TODO note about dry-run --- cdist/conf/type/__acl/gencode-remote | 1 + 1 file changed, 1 insertion(+) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index ef903816..d47469c1 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -20,6 +20,7 @@ file_is="$( cat "$__object/explorer/file_is" )" +# TODO this check is not needed with dry-run [ "$file_is" = 'missing' ] && exit 0 os="$( cat "$__global/explorer/os" )" From 03f8c3aaed3d106792a05e9e24e14b86f7e0414c Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Sun, 19 May 2019 23:22:02 +0300 Subject: [PATCH 08/10] __acl: don't exit on missing file when dry run --- cdist/conf/type/__acl/gencode-remote | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index d47469c1..36eca3f8 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -20,8 +20,7 @@ file_is="$( cat "$__object/explorer/file_is" )" -# TODO this check is not needed with dry-run -[ "$file_is" = 'missing' ] && exit 0 +[ "$file_is" = 'missing' ] && [ -z "$__cdist_dry_run" ] && exit 0 os="$( cat "$__global/explorer/os" )" From 02e10b1ffd1d1fa28586caf234f5e007dfe7e606 Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Sun, 19 May 2019 23:27:58 +0300 Subject: [PATCH 09/10] __acl: fix SC1117 --- cdist/conf/type/__acl/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index 36eca3f8..f5b0474f 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -48,7 +48,7 @@ do then [ "$file_is" = 'directory' ] && rep=x || rep=- - acl="$( echo "$acl" | sed "s/\(.*\)X/\1$rep/" )" + acl="$( echo "$acl" | sed "s/\\(.*\\)X/\\1$rep/" )" fi echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=: From e30d76014accf5e1f0860f504c287c5ed025da9c Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Sun, 19 May 2019 23:44:20 +0300 Subject: [PATCH 10/10] __acl: update man --- cdist/conf/type/__acl/man.rst | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst index e6784c87..d066aae5 100644 --- a/cdist/conf/type/__acl/man.rst +++ b/cdist/conf/type/__acl/man.rst @@ -10,9 +10,7 @@ DESCRIPTION ----------- ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``. -Fully supported and tested on Linux, partial support for FreeBSD. - -OpenBSD, NetBSD and Solaris support is not possible. +Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD. See ``setfacl`` and ``acl`` manpages for more details.