Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update test-rofiles-fuse.sh #2727

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Conversation

zhrf2020
Copy link

@zhrf2020 zhrf2020 commented Oct 4, 2022

1.A normal user executing this user's occasional use case fails;
2.The main reason is that the cmd: fusermount -u mnt failed, of course, fuse is not excluded as a defect;
3.It is recommended that ostree do a circumvention here: the normal user skips this use case.

1.A normal user executing this user's occasional use case fails;
2.The main reason is that the cmd: fusermount -u mnt failed, of course, fuse is not excluded as a defect;
3.It is recommended that ostree do a circumvention here: the normal user skips this use case.
@openshift-ci
Copy link

openshift-ci bot commented Oct 4, 2022

Hi @zhrf2020. Thanks for your PR.

I'm waiting for a ostreedev member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Comment on lines +27 to +28
user=$(env | grep USER | cut -d "=" -f 2)
if [ "$user" != "root" ]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, thanks for the patch.

First, user=$(env | grep USER | cut -d "=" -f 2) is equivalent to just user=$USER as far as I can tell. Which, combined with the next line is just equivalent to if [ "$USER" != "root" ] right?

But backing up a level, the skip_without_fuse is intended to catch this; is the

    capsh --print | grep -q 'Bounding set.*[^a-z]cap_sys_admin' || \
        skip "No cap_sys_admin in bounding set, can't use FUSE"

bit not working in your environment for some reason? What does capsh --print show?

Copy link
Author

@zhrf2020 zhrf2020 Oct 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[root@localhost ~]# capsh --print
Current: =ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)

[root@localhost ~]#  capsh --print | grep -q 'Bounding set.*[^a-z]cap_sys_admin'

[root@localhost ~]#

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[zhangsan@localhost ~]$ id zhangsan
uid=1000(zhangsan) gid=1000(zhangsan) groups=1000(zhangsan)
[zhangsan@localhost ~]$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0 (no-new-privs=0)
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=1000(zhangsan) euid=1000(zhangsan)
gid=1000(zhangsan)
groups=1000(zhangsan)
Guessed mode: UNCERTAIN (0)
[zhangsan@localhost ~]$ capsh --print | grep -q 'Bounding set.*[^a-z]cap_sys_admin'
[zhangsan@localhost ~]$

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

user=$(env | grep USER | cut -d "=" -f 2) // Gets the current user of the system
if [ "$user" != "root" ] // Judge whether the current user is an ordinary user

of course, there are omissions in this way, the program is a relatively fast and simple repair program, if there is a better program, the trouble to pay attention to the guidance, thank you very much

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sometimes it makes sense to do:

USER=$(id -un)

I've come across platforms that don't set USER by default, but the technique here is more complex than it needs to be

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants