Monday, March 12, 2012

True Packager 2 Release 1.3.3 Features - Part 1

Version 1.3.3 of True Packager 2 (or TP2 for short) has been released. This post gives a quick summary of the major new features the software now supports.

Elevated Privileges
Early versions of TP2 made only two roles available: the namespace owner and "root". A command had to be run as one of those for a package install to succeed. Although this fulfilled the original design requirement of the packaging solution, it was recently requested that a namespace should allow certain other users, not just the namespace owner, to install packages.

The concept was simple: the namespace should be owned by a system/application account, but the installs should be done as normal admin accounts to provide better levels of security and auditing. This is, of course, often combined with only allowing signed packages, to prevent just anything from being installed.

Thus, as of 1.3.3, if a normal user attempts to install a package into a namespace they do not own, they will get a rather cryptic message (needs to be improved!):

$ tp2 verify --namespace opt

Error: The ALLOW_VERIFIERS setting is missing for namespace 'opt'.

The owner of the namespace (or a user that has the capability to create or modify namespaces) can then configure the setting, for example as root:

# tp2 mod_ns opt ALLOW_VERIFIERS root,test

Then examining the namespace configuration:

$ tp2 show_ns --namespace opt
Packages installed                       1
Compress Logs?                           Yes
Current log count                        1
File System Growth Unit (MB)             256
Log space usage (MB)                     0.01
Always repackage?                        Yes
Maximum space for logs (MB)              50
Log compression type                     gzip
Remove on reboot                         <None>
Users allowed to verify packages         root,test
Grow file systems automatically?         Yes
Maximum number of logs to keep           2000
Script to run after pkg install          /usr/bin/true
Namespace root directory                 /opt
Duration to keep preview logs (Days)     10
Perform auditing?                        Yes
Temporary files location                 /var/adm/tp2/ns/opt/spool
Script to run after pkg removal          /usr/bin/true
Namespace Owner                          root
Directory to extract packages in         /var/adm/tp2/ns/opt/spool

At this point the normal user "test" should have access to run the verification process on that namespace:

$ tp2 verify --namespace opt --verbose
Log  : Invocation of namespace verification via daemon starting.
Log  : Loading configuration of packages in "opt" namespace...
Log  : ...Done [1 packages]
Log  : Loading any immutable files details for "opt" namespace...
Log  : ...Done [0 files]
Log  : Checking package "tp2" [directories].
Log  : Checking package "tp2" [files].
Error: [tp2] Incorrect file checksum   : /opt/bin/tp2make_ns [is aaa9854607a9c98655cdebbc9d133c5d26daeac2, should be 6c1c1dbd3e2f37e6cbc5a8a97631262fa0c7d67f]
Log  : Total errors found: 1

At present there are four per-namespace privileges that can be configured:

ALLOW_VERIFIERS - allow the list of users configured to verify package configuration.
ALLOW_INSTALLERS - allow the users to install, upgrade, downgrade and clean packages.
ALLOW_REMOVERS - allow the users to remove package installations.
ALLOW_IMMUTABLES - allow the users to add/remove files to the namespace immutable files list.
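
Because these settings delegate namespace operations to ordinary accounts, it is worth checking periodically that the delegation still matches what was approved. The script below is an added example, not part of TP2 or the original post: it reads `tp2 show_ns` output and flags an unexpected owner, disabled auditing, or a verifier outside an approved list. The function names and policy values are hypothetical, the field labels are those in the listing above, and treating `<None>` as "unset" is an assumption.

```shell
#!/bin/sh
# Added example, not part of TP2: audit `tp2 show_ns` output against policy.
# Field labels are the ones in the post's listing; policy values are made up.

# Constructed sample: a four-line excerpt of the show_ns listing in the post.
SAMPLE_SHOW_NS='Packages installed                       1
Users allowed to verify packages         root,test
Perform auditing?                        Yes
Namespace Owner                          root'

# ns_field LABEL: read show_ns text on stdin, print the value that follows LABEL.
ns_field() {
    awk -v label="$1" '
        index($0, label) == 1 {
            v = substr($0, length(label) + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            print v; exit
        }'
}

# audit_ns SHOW_NS_TEXT EXPECTED_OWNER APPROVED_USERS_CSV
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ns() {
    text=$1 owner=$2 approved=$3 rc=0
    got_owner=$(printf '%s\n' "$text" | ns_field "Namespace Owner")
    verifiers=$(printf '%s\n' "$text" | ns_field "Users allowed to verify packages")
    auditing=$(printf '%s\n' "$text" | ns_field "Perform auditing?")

    [ "$got_owner" = "$owner" ] ||
        { echo "owner: expected $owner, found ${got_owner:-nothing}"; rc=1; }
    [ "$auditing" = "Yes" ] || { echo "auditing: not enabled"; rc=1; }

    # Assumption: an unset list prints as <None>, as "Remove on reboot" does.
    [ "$verifiers" = "<None>" ] && verifiers=
    old_ifs=$IFS; IFS=,; set -f      # split on commas, no glob expansion
    for u in $verifiers; do
        case ",$approved," in
            *",$u,"*) ;;             # delegated user is on the approved list
            *) echo "verifier: unapproved user $u"; rc=1 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return $rc
}

# Real use: audit_ns "$(tp2 show_ns --namespace opt)" root "root,test"
audit_ns "$SAMPLE_SHOW_NS" root "root" || echo "namespace 'opt' violates policy"
```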

What next?
Part two of this post will describe facilities to customise the package installation by allowing certain environment variables to be passed to pre/post install and remove scripts, and to configure one or more queries that can be used to interact with users before those scripts run.


