saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Install Salt from the Salt package repositories here:
https://docs.saltproject.io/salt/install-guide/en/latest/
Apache License 2.0

[linux_acl] #62210

Open talentix-ch opened 2 years ago

talentix-ch commented 2 years ago

Description

These problems make the state acl.present unusable. Saltstack has no reliable solution for managing ACLs - a basic Linux function. Saltstack users have to manage ACLs with their own scripts instead. I assume other configuration management tools have no problems with such a basic function.

The Linux engineers at Zurich University of Applied Sciences kindly ask the Saltstack developers to fix this state. We may support the development of a refactored version by supporting the developer with testing. Contact

Setup

- on-prem vm, salt-master 3004.1 (Ubuntu 18.04)
- on-prem vm, salt-minion 3004 (Ubuntu 18.04)

Details


**TEST A: Clear all ACLs, then check**

CLEAR ACLs:

```
setfacl -R -b /TEST/typo3
```

TEST ACLs with Linux command:

```
getfacl /TEST/typo3

# file: TEST/typo3
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::---
```

TEST ACLs with Saltstack module command:

```
salt-call acl.getfacl /TEST/typo3

    user:
        |_
          www-data:
              ----------
              octal:
                  7
              permissions:
                  ----------
                  execute:
                      True
                  read:
                      True
                  write:
                      True
```

**PROBLEM 1**
The salt module **acl.getfacl** combines the Linux permissions (rwx) with the ACLs and indicates that ACLs are set. This is a bug. The command **getfacl** correctly shows that no ACLs for user www-data are set.

**TEST B: Set ACLs for user www-data and check**

State to apply:

```yaml
{{ slspath }}> Set ACLs TEST A:
  acl.present:
    - name: /TEST/typo3
    - acl_type: user
    - acl_name: www-data
    - perms: rwx
```

**PROBLEM 2**
The state will not apply ACLs required to be set. This is probably because the salt module falsely reports that ACLs are set.

Testing ACLs returns this result:

```
getfacl /TEST/typo3

# file: TEST/typo3
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::---
```

**TEST C: Set ACLs for user www-data by UID and check**

State to apply:

```yaml
{{ slspath }}> Set ACLs TEST B:
  acl.present:
    - name: /TEST/typo3
    - acl_type: user
    - acl_name: 33
    - perms: rwx
```

**PROBLEM 3**
Applying the ACLs by UID will correctly set the ACLs. But the ACLs are set repeatedly each time the state is applied.

**More Problems**
The state acl.present has countless errors and needs bug-fixes / refactoring by a person that really understands Linux ACLs. Some examples:

Today we are using scripts to set ACLs, run by cmd.run. This is far from ideal and we should be able to use saltstack acl.present - but this state is very buggy.

And of course we'd like to have the possibility to make use of the special permission perms:rwX for folders recursively. The large X specifies to set the execute-ACL on folders but not change ACLs on files.
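Added example, not part of the issue and not Salt's own code: a small parser for `getfacl` text output that keeps the owner's base entry (`user::rwx`) apart from named-user entries (`user:www-data:rwx`), the distinction Problem 1 above turns on. The function names and both sample outputs are constructed for illustration; the second sample assumes what `getfacl` would print once a named entry for www-data exists.

```python
"""Parse `getfacl` text output, keeping base entries apart from named ACL entries."""

# Constructed sample: output with no named entries, as in TEST A.
NO_ACL = """\
# file: TEST/typo3
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::---
"""

# Constructed sample: the same directory with a named-user entry for www-data.
WITH_ACL = """\
# file: TEST/typo3
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
user:www-data:rwx
group::rwx
mask::rwx
other::---
"""


def parse_getfacl(text):
    """Return (base, named); each maps (tag, qualifier) -> perms string."""
    base, named = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header and "#effective:" comments
        if not line:
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        key = (("default:" if default else "") + tag, qualifier)
        # An empty qualifier is the owner/group/other/mask base entry, not a named ACL.
        (named if qualifier else base)[key] = perms.strip()
    return base, named


def named_acl_matches(text, acl_type, acl_name, perms):
    """True only if a *named* entry for acl_name exists with exactly perms."""
    _, named = parse_getfacl(text)
    return named.get((acl_type, acl_name)) == perms
```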

welcome[bot] commented 2 years ago

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!