From: Junio C Hamano <gitster@pobox.com>
To: Adam Dinwoodie <adam@dinwoodie.org>
Cc: git@vger.kernel.org, Fabian Stelzer <fs@gigacodes.de>
Subject: Re: [PATCH] t/lib-git.sh: fix ACL-related permissions failure
Date: Fri, 05 Nov 2021 11:14:04 -0700 [thread overview]
Message-ID: <xmqqfssaxyfn.fsf@gitster.g> (raw)
In-Reply-To: <20211105112525.GA25887@dinwoodie.org> (Adam Dinwoodie's message of "Fri, 5 Nov 2021 11:25:25 +0000")
Adam Dinwoodie <adam@dinwoodie.org> writes:
> On Thursday 04 November 2021 at 12:49 pm -0700, Junio C Hamano wrote:
>> Adam Dinwoodie <adam@dinwoodie.org> writes:
>>
>> > SSH keys are expected to be created with very restrictive permissions,
>> > and SSH commands will fail if the permissions are not appropriate. When
>> > creating a directory for SSH keys in test scripts, attempt to clear any
>> > ACLs that might otherwise cause the private key to inherit less
>> > restrictive permissions than it requires.
>>
>> All of the above makes sense as an explanation as to why the
>> ssh-keygen command may be unhappy with the $GNUPGHOME directory that
>> is prepared here, but ...
>>
>> > This change is required in particular to avoid tests relating to SSH
>> > signing failing in Cygwin.
>>
>> ... I am not quite sure how this explains "tests relating to ssh
>> signing failing on Cygwin". After all, this piece of code is
>> lazy_prereq, which means that ssh-keygen in this block that fails
>> (due to a less restrictive permissions) would merely mean that tests
>> that are protected with GPGSSH prerequisite will be skipped without
>> causing test failures. After all that is the whole point of
>> computing prereq on the fly.
>
> The issue is that the prerequisite check isn't _just_ checking a
> prerequisite: it's also creating an SSH key that's used without further
> modification by the tests.
>
> There are three cases to consider:
>
> - On systems where this prerequisite check fails, a key may or may not
> be created, but the tests that rely on the key won't be run, so it
> doesn't matter either way.
>
> - On (clearly the mainline) systems where this check passes and there
> are no ACL problems, the key that's generated is stored with
> sufficiently restrictive permissions that the tests that rely on the
> key can pass.
>
> - On my system, where ACLs are a problem, the prerequisite check passes,
> and a key is created, but it has permissions that are too permissive.
> As a result, when a test calls OpenSSH to use that key, OpenSSH
> refuses due to the permissions, and the test fails.
Makes sense. If we can update the commit log message so that the
above three points are clear to readers without asking (all three
may not necessarily need to be spelled out in the bulletted list
form), that would be great.
next prev parent reply other threads:[~2021-11-05 18:14 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-04 19:25 [PATCH] t/lib-git.sh: fix ACL-related permissions failure Adam Dinwoodie
2021-11-04 19:49 ` Junio C Hamano
2021-11-04 20:03 ` Junio C Hamano
2021-11-04 22:36 ` Fabian Stelzer
2021-11-05 7:30 ` Junio C Hamano
2021-11-05 11:25 ` Adam Dinwoodie
2021-11-05 12:06 ` Jeff King
2021-11-05 12:13 ` Fabian Stelzer
2021-11-05 18:04 ` Junio C Hamano
2021-11-05 18:49 ` Adam Dinwoodie
2021-11-05 19:11 ` Junio C Hamano
2021-11-05 19:24 ` Adam Dinwoodie
2021-11-05 21:00 ` Carlo Arenas
2021-11-12 16:01 ` [RFC PATCH] lib-test: show failed prereq was " Fabian Stelzer
2021-11-13 6:10 ` Junio C Hamano
2021-11-13 14:43 ` Fabian Stelzer
2021-11-05 23:53 ` Jeff King
2021-11-05 23:39 ` Jeff King
2021-11-05 18:14 ` Junio C Hamano [this message]
2021-11-04 20:09 ` Ramsay Jones
2021-11-05 11:47 ` Adam Dinwoodie
2021-11-05 21:44 ` Ramsay Jones
2021-11-05 19:31 ` [PATCH v2] " Adam Dinwoodie
2021-11-05 21:03 ` Junio C Hamano
2021-11-08 16:40 ` Kerry, Richard
2021-11-08 19:14 ` Junio C Hamano
2021-11-09 17:23 ` Kerry, Richard
2021-11-09 18:19 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqfssaxyfn.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=adam@dinwoodie.org \
--cc=fs@gigacodes.de \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).