Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restore support for access control filenames without a group (fixes #540) #541

Merged
merged 1 commit into from
Mar 15, 2022
Merged

Restore support for access control filenames without a group (fixes #540) #541

merged 1 commit into from
Mar 15, 2022

Conversation

hartwork
Copy link
Contributor

@hartwork hartwork commented Mar 5, 2022

Fixes #540

Regression from commit b15ef71 of release 1.1.0, detailed analysis online at #540 (comment) .

@hartwork hartwork mentioned this pull request Mar 5, 2022
Closed
@hartwork hartwork force-pushed the issue-540-fix-group-optionality branch from 00e5c25 to fe1858d Compare March 5, 2022 16:34
@ZoltanFridrich
Copy link
Contributor

@hartwork Please, add the same check for username as well. You can have ACL files in a form ":groupname", ie. with empty username.

@hartwork
Restore support for access control filenames without a group
db088d3 
Regression from commit b15ef71
of release 1.1.0, detailed analysis online at
USBGuard#540 (comment)
@hartwork hartwork force-pushed the issue-540-fix-group-optionality branch from fe1858d to db088d3 Compare March 11, 2022 13:20
@hartwork
Copy link
Contributor Author

@hartwork Please, add the same check for username as well. You can have ACL files in a form ":groupname", ie. with empty username.

@ZoltanFridrich @Cropi good point, thanks for speaking up about it! I wonder if cases user: and : should be (or were previously) supported. I have updated the PR with a version including those two cases and adding a comment about all the effectively supported variations. Please re-check, pushed.

@ZoltanFridrich
Copy link
Contributor

LGTM!
I am not sure how it works with : name. Does it work like a global IPC ACL meaning that it gets applied for everyone?

@hartwork
Copy link
Contributor Author

LGTM! I am not sure how it works with : name. Does it work like a global IPC ACL meaning that it gets applied for everyone?

That's a good point to bring up! From looking at IPCServerPrivate::matchACLByName code, my impression is that we are dealing with algorithm "start with nothing, then match user OR match group" rather than "start with everyone, then cut things away". I believe that filename : does effectively match no one (rather than everyone). I'm not sure that's the best way to implement it, but we probably cannot change semantics of it before 2.0.0 if we wanted to. My personal focus would be to support what was supported in 1.0.0. @ZoltanFridrich what do you think?

@ZoltanFridrich
Copy link
Contributor

I was just curious about : name situation. I agree with you and I think this PR can be merged.

radosroka
radosroka approved these changes Mar 15, 2022
View reviewed changes
Copy link
Member

@radosroka radosroka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@radosroka radosroka merged commit 22eb68c into USBGuard:master Mar 15, 2022
@hartwork hartwork deleted the issue-540-fix-group-optionality branch August 19, 2022 21:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@radosroka radosroka radosroka approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ignoring access control file because of malformed name
3 participants
@hartwork @ZoltanFridrich @radosroka