Page MenuHomeFreeBSD
Differential D55455

sysutils/podman: Allow setting ownership on auto-created socket
AcceptedPublic
Actions

Authored by dch on Mon, Feb 23, 11:46 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Mar 1, 4:15 AM
Unknown Object (File)
Sun, Mar 1, 3:49 AM
Unknown Object (File)
Sun, Mar 1, 3:42 AM
Unknown Object (File)
Sun, Mar 1, 3:42 AM
Unknown Object (File)
Thu, Feb 26, 3:20 AM
Unknown Object (File)
Wed, Feb 25, 11:54 AM
Unknown Object (File)
Wed, Feb 25, 11:20 AM
Unknown Object (File)
Wed, Feb 25, 7:48 AM
View All 15 Files
Subscribers
None

Details

Reviewers
arrowd
dfr
Summary

The podman_service daemon auto-creates a socket on startup, along with
parent directory, and is always run as root. It is often useful to have
another proxy like haproxy or nginx provide more sophisticated security,
and these daemons do not need root privileges.

Test Plan
  • use podman_service instead of podman daemon (thanks arrowd)
  • rename all the vars accordingly
  • PORTREVISION++ again to ensure we are past reverted commit

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 70914
Build 67797: arc lint + arc unit

Event Timeline

dch requested review of this revision.Mon, Feb 23, 11:46 AM
dch created this revision.
Harbormaster completed remote builds in B70911: Diff 172502.Mon, Feb 23, 11:46 AM
dch updated this revision to Diff 172503.Mon, Feb 23, 11:47 AM

speling

Harbormaster completed remote builds in B70912: Diff 172503.Mon, Feb 23, 11:47 AM
dch edited the summary of this revision. (Show Details)Mon, Feb 23, 11:49 AM
dch edited the test plan for this revision. (Show Details)
dch added reviewers: arrowd, d.raith_comcast.net.
dch edited reviewers, added: dfr; removed: d.raith_comcast.net.
dch updated this revision to Diff 172505.Mon, Feb 23, 11:54 AM
dch edited the test plan for this revision. (Show Details)

ensure default perms align with prior behaviour

Harbormaster completed remote builds in B70914: Diff 172505.Mon, Feb 23, 11:55 AM
arrowd added inline comments.Mon, Feb 23, 11:59 AM
sysutils/podman/files/podman_service.in
29

Another option might be "operator".

30

This should be 0770 to make the socket actually useful for the group.

dfr accepted this revision.Mon, Feb 23, 1:15 PM

Thanks for fixing the style nits. For group ownership, I have a slight preference for wheel but operator would also be reasonable. The permission of 0770 suggested by arrowd@ will work but I don't think we need execute permissions so perhaps 0660 instead?

This revision is now accepted and ready to land.Mon, Feb 23, 1:15 PM
arrowd added a comment.Mon, Feb 23, 1:56 PM

If I understand it correctly, we need "7" to be set on podman_service_rundir to allow listing its contents. Client programs usually first check for socket existence which requires the ability to list dir's contents.

dfr added a comment.Mon, Feb 23, 4:30 PM
In D55455#1268471, @arrowd wrote:

If I understand it correctly, we need "7" to be set on podman_service_rundir to allow listing its contents. Client programs usually first check for socket existence which requires the ability to list dir's contents.

That makes perfect sense, thanks!

Revision Contents
Changeset List

PathSize
sysutils/
podman/
2 lines
files/
47 lines

Diff 172505

View Options

sysutils/podman/Makefile

Loading...
View Options

sysutils/podman/files/podman_service.in

Loading...