-
Notifications
You must be signed in to change notification settings - Fork 304
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update test-rofiles-fuse.sh #2727
base: main
Are you sure you want to change the base?
Conversation
1.A normal user executing this user's occasional use case fails; 2.The main reason is that the cmd: fusermount -u mnt failed, of course, fuse is not excluded as a defect; 3.It is recommended that ostree do a circumvention here: the normal user skips this use case.
Hi @zhrf2020. Thanks for your PR. I'm waiting for a ostreedev member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
user=$(env | grep USER | cut -d "=" -f 2) | ||
if [ "$user" != "root" ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, thanks for the patch.
First, user=$(env | grep USER | cut -d "=" -f 2)
is equivalent to just user=$USER
as far as I can tell. Which, combined with the next line is just equivalent to if [ "$USER" != "root" ]
right?
But backing up a level, the skip_without_fuse
is intended to catch this; is the
capsh --print | grep -q 'Bounding set.*[^a-z]cap_sys_admin' || \
skip "No cap_sys_admin in bounding set, can't use FUSE"
bit not working in your environment for some reason? What does capsh --print
show?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[root@localhost ~]# capsh --print
Current: =ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0 (no-new-privs=0)
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
[root@localhost ~]# capsh --print | grep -q 'Bounding set.*[^a-z]cap_sys_admin'
[root@localhost ~]#
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[zhangsan@localhost ~]$ id zhangsan
uid=1000(zhangsan) gid=1000(zhangsan) groups=1000(zhangsan)
[zhangsan@localhost ~]$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0 (no-new-privs=0)
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=1000(zhangsan) euid=1000(zhangsan)
gid=1000(zhangsan)
groups=1000(zhangsan)
Guessed mode: UNCERTAIN (0)
[zhangsan@localhost ~]$ capsh --print | grep -q 'Bounding set.*[^a-z]cap_sys_admin'
[zhangsan@localhost ~]$
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
user=$(env | grep USER | cut -d "=" -f 2) // Gets the current user of the system
if [ "$user" != "root" ] // Judge whether the current user is an ordinary user
of course, there are omissions in this way, the program is a relatively fast and simple repair program, if there is a better program, the trouble to pay attention to the guidance, thank you very much
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sometimes it makes sense to do:
USER=$(id -un)
I've come across platforms that don't set USER by default, but the technique here is more complex than it needs to be
1.A normal user executing this user's occasional use case fails;
2.The main reason is that the cmd: fusermount -u mnt failed, of course, fuse is not excluded as a defect;
3.It is recommended that ostree do a circumvention here: the normal user skips this use case.