Remove paste into folder functionality, Check for the existence of a file or directory when pasting #457
Let's add |
conclusion from Matrix discussion with @allisonkarlitskaya , drop |
Sorry, but I put a very hard "no" on this. This has "exploit!" written all over it in big bold letters. The status quo is much preferable IMHO.
We keep running into these permission problems -- perhaps in version 1 we should restrict ourselves to files/dirs owned by the user (home dir) and run everything without superuser, or files/dirs owned by root and then do all copies as root. The rest would be a "sorry, not currently supported" thing.
src/fileActions.jsx
Outdated
if (err.message.match(/cp: overwrite .*?/)) { | ||
addAlert(_("Paste failed, not overwriting files"), "danger", new Date().getTime()); |
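Review bot: In the `err.message.match(/cp: overwrite .*?/)` test, the trailing `.*?` is lazy and unanchored, so it always matches the empty string and the pattern behaves exactly like /cp: overwrite /; the conflicting file name is never captured. If the message is going to be parsed anyway, put the name in a capturing group and pass it into the alert text. The match also only holds while cp prints its untranslated English prompt.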
Hmm, that's quite hackish, and the error message doesn't contain the conflicting file, so for large directories it may be hard to see what's wrong? If you parse error messages anyway, perhaps capture the .* in a group and show it as "not overwriting $0"?
Not a blocker, but this feels like "we really should fix this" material.
This no longer exists? I am not sure where you found it?
Sorry, my first review round only applied to the first commit, and I forgot to review the other commits. But let's sort out the central superuser question first.
test/check-application
Outdated
runuser -u admin echo "test_text" > /home/admin/newfile | ||
runuser -u admin touch /home/admin/newfile | ||
echo "test_text" > /home/admin/newfile |
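Review bot: In `runuser -u admin echo "test_text" > /home/admin/newfile`, the `>` redirection is carried out by the calling shell, not by the command started through runuser, so the file is opened with the caller's credentials and only echo itself runs as admin. If the test depends on newfile being created by admin, the whole command line including the redirection has to run under runuser, for example through `sh -c`.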
What does that change? If the file already exists, then echoing as root should not change the permissions. And if you do expect that, why touch it first?
Good point, I should just echo as runuser...
test/check-application
Outdated
b.wait_visible("[data-item='copyDir']") | ||
b.click("[data-item='copyDir']") | ||
b.wait_text("#description-list-owner dd", "admin") | ||
b.wait_text("#description-list-group dd", "users") |
I don't understand this. The hunk above changes the copy source from 'newfile' to 'copyDir' -- but here you again look at the copy source, not the pasted version in newdir? (This is a bit hard to read and could use some comment)
test/check-application
Outdated
b.mouse("[data-item='newfile']", "contextmenu") | ||
b.click(".contextMenu button:contains('Copy')") | ||
|
||
b.click(".breadcrumb-button:nth-of-type(4)") |
Magic numbers -- could use comments into which directory that changes.
test/check-application
Outdated
b.wait_visible("[data-item='newfile']") | ||
b.wait_visible("[data-item='newfile2']") |
The point of this PR is to retain permissions, so this could check that the testdir/newfile* copies are still owned by admin:admin?
src/fileActions.jsx
Outdated
...sourcePath, | ||
targetPath | ||
]).catch(err => addAlert(err.message, "danger", new Date().getTime())); | ||
], { superuser: "try", environ: ["LC_ALL=C"] }).input() |
Somehow GH ate my most important comment of all: This is a major security hole. If you copy a dir from e.g. /home/joe to /home/jane, or /tmp/download/ into /var/lib/postgresql, you give the source user a foot into the door of the target user. The CLI default is quite deliberately to copy files as root, to avoid this.
And how about mv /home/joe/x /home/jane/x?
What I mean to say is:
> The CLI default is quite deliberately to copy files as root, to avoid this.

"citation needed".
I know you're very much allergic to this "different owner than parent directory" thing but other very common coreutils commands do exactly what you're suggesting is so evil, by default.
That creates the same problem of course, but indeed unfortunately there's no warning. Of course on the CLI you shouldn't do that, but the CLI gives you all sorts of ways to shoot yourself in the foot.
Also, pasting something feels more like a clipboard, and it's not at all obvious during that operation what the source/target owner will be. mv /home/joe /home/jane is at least very explicit.
I think we can generalize this: We only support copying files (or copy/paste etc.) if the source and target directories have the same owner. Then superuser and |
The goal of this PR is to get something releasable but we keep getting stuck on discussions around permissions. I am not saying they are important but I feel that we are missing the big picture here. So this whole PR aims to:
So I am fine with dropping |
So this whole PR aims to:
Where else would you paste stuff if not a folder (directory)? Do you mean copying folders and pasting them? I.e. you only want to support copy&paste for individual files?
Big 👍
I for sure don't want that 😁 Keeping timestamps is also rather dubious -- I didn't think of that in my review, and I don't want it either, but I'd let that slide.
It does support that.
Uhhh, the more I read the more I want to nuke this feature.
src/fileActions.jsx
Outdated
cockpit.spawn([ | ||
"cp", | ||
"-R", | ||
...sourcePath, | ||
"--archive", |
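Review bot: The argument list `"cp", "-R", ...sourcePath, "--archive"` places the caller-supplied paths ahead of an option and has no `--` separator, so unless every source path is guaranteed to be absolute, a name beginning with `-` would be read by cp as an option. Put all options first and add `"--"` before `...sourcePath`. If `-R` is meant to stay alongside `--archive`, it is redundant, because `--archive` already implies recursive copying.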
This includes file permissions, which in particular means that it will happily copy suid/sgid binaries or world-writable directories. This also is not desirable.
That no longer happens as superuser so is it ok then? Otherwise hmm we need to scrap the whole functionality.
Yes, without superuser it seems fine to me.
ok!
I have created #467 for most of the mentioned / issues with copy / pasting.
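The two concerns raised in this review thread (ownership carried from the source into another owner's directory, and setuid/setgid or world-writable modes carried along by --archive) can be checked before a paste is attempted. The following is an added example in Node.js, not code from this PR or from the project; auditEntry, auditTree and buildSample are hypothetical names, and the sample tree is constructed.

```javascript
// Added example, not project code: audit a tree before an attribute-preserving paste.
const fs = require("fs");
const os = require("os");
const path = require("path");

const S_ISUID = 0o4000, S_ISGID = 0o2000, S_IWOTH = 0o0002;

// Findings for one entry, given the uid that owns the paste target directory.
function auditEntry(entryPath, st, targetUid) {
    const findings = [];
    const add = issue => findings.push({ path: entryPath, issue });
    if (st.uid !== targetUid) add("owner-mismatch");
    // setgid on a directory only controls group inheritance, so flag files only
    if (st.isFile() && (st.mode & S_ISUID)) add("setuid");
    if (st.isFile() && (st.mode & S_ISGID)) add("setgid");
    if (st.isDirectory() && (st.mode & S_IWOTH)) add("world-writable-dir");
    return findings;
}

// Walk sourcePath with lstat so symlinks are judged by their own metadata
// and never followed out of the tree.
function auditTree(sourcePath, targetDir) {
    const targetUid = fs.statSync(targetDir).uid;
    const findings = [];
    const walk = p => {
        const st = fs.lstatSync(p);
        findings.push(...auditEntry(p, st, targetUid));
        if (st.isDirectory())
            for (const name of fs.readdirSync(p)) walk(path.join(p, name));
    };
    walk(sourcePath);
    return findings;
}

// Constructed sample: a plain file, a setuid file and a 0777 directory.
function buildSample() {
    const root = fs.mkdtempSync(path.join(os.tmpdir(), "paste-audit-"));
    fs.writeFileSync(path.join(root, "plain.txt"), "test_text");
    fs.writeFileSync(path.join(root, "tool"), "");
    fs.chmodSync(path.join(root, "tool"), 0o4755);
    fs.mkdirSync(path.join(root, "drop"));
    fs.chmodSync(path.join(root, "drop"), 0o777);
    return root;
}
```

An empty result from auditTree corresponds to the "same owner" rule proposed in the discussion, with no special mode bits left to preserve.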
This is brittle when we add new menu entries or change the order.
We want to disallow pasting into a folder until we have a good way to detect if the folder contains something we are pasting into it. The plan is to in the future handle conflicts when pasting, then we will revise the paste into folder situation.
@martinpitt I've reworked the whole PR, so now the code and test changes are together and hopefully this addresses all your comments.
Thanks! This is by and large ok now, and if you can't see it any more I'll change to +1.
src/fileActions.jsx
Outdated
const currentPath = path.join("/") + "/"; | ||
const menuItems = []; | ||
|
||
const spawnPaste = (sourcePaths, targetPath) => { | ||
if (sourcePaths.some(sourcePath => cwdInfo?.entries[basename(sourcePath)])) { | ||
addAlert(_("Paste not overwriting existing files"), "danger", "paste-error"); |
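Review bot: spawnPaste takes `targetPath`, but the conflict check `cwdInfo?.entries[basename(sourcePath)]` consults the listing held in cwdInfo, so it only protects the paste when targetPath is the directory that listing describes. Derive the check from targetPath or drop the parameter. The check also runs before cp does, so an entry that appears in between is not covered; cp itself should be told not to overwrite.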
Not the nicest English, and for many files it'd be good to give a hint -- perhaps "$0 exists, not overwriting with paste". Garrett may have a better idea.
For now we don't have conflict resolution implemented yet for copy and paste so disallow pasting when any of the targets exist.
if (elements.length === 0) { | ||
return '/'; |
These 2 added lines are not executed by any test.
Thank you!
When copy pasting pass the --archive flag to cp so permissions are retained. This also allows us to enable superuser try as permissions are now retained.

Related: #435