Skip to content

Allow uploading files even when permissions cannot be set. #1471

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Allow uploading files even when permissions cannot be set. #1471

wants to merge 2 commits into from

Conversation

@alip
Copy link

@alip alip commented Feb 12, 2021

By default, the "file" function uses sftp to upload the target file to
the server. During the upload, the Net::SFTP::Foreign runs chmod
unconditionally, failing if the target file is not owned by the ssh
user, unless that user is a root. This commit changes that behavior by
passing an optional "best_effort" flag that instructs sftp to continue
even if setting permissions has failed.

As a result, an unprivileged user will be able to use Rex scenarios that
call the "file" function without getting permission denied errors.

This PR is an attempt to fix # by .

Checklist

  • based on top of latest source code
  • changelog entry included
  • tests pass on Travis CI
  • git history is clean
  • git commit messages are well-written

alexeyklyukin and others added 2 commits February 12, 2021 10:15
@alexeyklyukin
Allow uploading files even when permissions cannot be set.
7cf37a1 
By default, the "file" function uses sftp to upload the target file to
the server. During the upload, the Net::SFTP::Foreign runs chmod
unconditionally, failing if the target file is not owned by the ssh
user, unless that user is a root. This commit changes that behavior by
passing an optional "best_effort" flag that instructs sftp to continue
even if setting permissions has failed.

As a result, an unprivileged user will be able to use Rex scenarios that
call the "file" function without getting permission denied errors.
@einhverfr
Only apply best effort option if sudo is not available.
1935065 
This ensures the current behavior continues for ops but best effort
for writeable files allows other teams to apply changes.

Also began some initial POD for the OpenSSH module in functions touched.
@alip alip mentioned this pull request Feb 12, 2021
Open
ferki
ferki requested changes Feb 15, 2021
View reviewed changes
Copy link
Member

@ferki ferki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this would be best discussed in a feature request issue first.

If we are going to make it a feature, I think the best_effort functionality should be controlled via a config option in Rex::Config (whether the user explicitly want it or not), instead of basing it on the fact whether sudo is used or not (which could break for other privilege escalation methods).

And if it's going to be a first class config option, I believe it would be best to make it a generic one to pass arbitrary (Net::SFTP::Foreign?) options similarly to set_openssh_opt. That would avoid having to do further pull requests for each use case that might arise.

@alip alip mentioned this pull request Feb 18, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ferki ferki ferki requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alip @ferki @alexeyklyukin @einhverfr