Remove paste into folder functionality, Check for the existence of a file or directory when pasting #457
Conversation
|
Let's add |
|
conclusion from Matrix discussion with @allisonkarlitskaya , drop |
There was a problem hiding this comment.
Sorry, but I put a very hard "no" on this. This has "exploit!" written all over it in big bold letters. The status quo is much preferable IMHO.
We keep running into these permission problems -- perhaps in version 1 we should restrict ourselves to files/dirs owned by the user (home dir) and run everything without superuser, or files/dirs owned by root and then do all copies as root. The rest would be a "sorry, not currently supported" thing.
src/fileActions.jsx
Outdated
| if (err.message.match(/cp: overwrite .*?/)) { | ||
| addAlert(_("Paste failed, not overwriting files"), "danger", new Date().getTime()); |
There was a problem hiding this comment.
Hmm, that's quite hackish, and the error message doesn't contain the conflicting file, so for large directories it may be hard to see what's wrong? If you parse error messages anyway, perhaps capture the .* in group and show it as "not overwriting $0"?
Not a blocker, but this feels like "we really should fix this" material.
There was a problem hiding this comment.
This no longer exists? I am not sure where you found it?
There was a problem hiding this comment.
Sorry, my first review round only applied to the first commit, and I forgot to review the other commits. But let's sort out the central superuser question first.
test/check-application
Outdated
| runuser -u admin echo "test_text" > /home/admin/newfile | ||
| runuser -u admin touch /home/admin/newfile | ||
| echo "test_text" > /home/admin/newfile |
There was a problem hiding this comment.
What does that change? If the file already exists, then echoing as root should not change the permissions. And if you do expect that, why touch it first?
There was a problem hiding this comment.
Good point, I should just echo as runuser...
test/check-application
Outdated
| b.wait_visible("[data-item='copyDir']") | ||
| b.click("[data-item='copyDir']") | ||
| b.wait_text("#description-list-owner dd", "admin") | ||
| b.wait_text("#description-list-group dd", "users") |
There was a problem hiding this comment.
I don't understand this. The hunk above changes the copy source from 'newfile' to 'copyDir' -- but here you again loko at the copy source, not the pasted version in newdir? (This is a bit hard to read and could use some comment)
test/check-application
Outdated
| b.mouse("[data-item='newfile']", "contextmenu") | ||
| b.click(".contextMenu button:contains('Copy')") | ||
|
|
||
| b.click(".breadcrumb-button:nth-of-type(4)") |
There was a problem hiding this comment.
Magic numbers -- could use comments into which directory that changes.
test/check-application
Outdated
| b.wait_visible("[data-item='newfile']") | ||
| b.wait_visible("[data-item='newfile2']") |
There was a problem hiding this comment.
The point of this PR is to retain permissions, so this could check that the testdir/newfile* copies are still owned by admin:admin?
src/fileActions.jsx
Outdated
| ...sourcePath, | ||
| targetPath | ||
| ]).catch(err => addAlert(err.message, "danger", new Date().getTime())); | ||
| ], { superuser: "try", environ: ["LC_ALL=C"] }).input() |
There was a problem hiding this comment.
Somehow GH ate my most important comment at all: This is a major security hole. If you copy a dir from e.g. /home/joe to /home/jane, or /tmp/download/ into /var/lib/postgresql, you give the source user a foot into the door of the target user. The CLI default is quite deliberately to copy files as root, to avoid this.
There was a problem hiding this comment.
And how about mv /home/joe/x /home/jane/x?
There was a problem hiding this comment.
What I mean to say is:
The CLI default is quite deliberately to copy files as root, to avoid this.
"citation needed".
I know you're very much allergic to this "different owner than parent directory" thing but other very common coreutils commands do exactly what you're suggesting is so evil, by default.
There was a problem hiding this comment.
That creates the same problem of course, but indeed unfortunately there's no warning. Of course on the CLI you, shouldn't do that, but the CLI gives you all sorts of ways to shoot yourself into the foot.
There was a problem hiding this comment.
Also, pasting something feels more like a clipboard, and it's not at all obvious during that operation what the source/target owner will be. mv /home/joe /home/jane is at least very explicit.
I think we can generalize this: We only support copying files (or copy/paste etc.) if the source and target directories have the same owner. Then superuser and |
The goal of this PR is to get something releasable but we keep getting stuck on discussions around permissions. I am not saying they are important but I feel that we are missing the big picture here. So this whole PR aims to:
So I am fine with dropping |
|
So this whole PR aims to:
Where else would you paste stuff if not a folder (directory)? Do you mean copying folders and pasting them? I.e. you only want to support copy&paste for individual files?
Big 👍
I for sure don't want that 😁 Keeping timestamps is also rather dubious -- I didn't think of that in my review, and I don't want it either, but I'd let that slide. |
It does support that.
Uhhh, the more I read the more I want to nuke this feature. |
src/fileActions.jsx
Outdated
| cockpit.spawn([ | ||
| "cp", | ||
| "-R", | ||
| ...sourcePath, | ||
| "--archive", |
There was a problem hiding this comment.
This includes file permissions, which in particular means that it will happily copy suid/sgid binaries or world-writable directories. This also is not desirable.
There was a problem hiding this comment.
That no longer happens as superuser so is it ok then? Otherwise hmm we need to scrap the whole functionality.
There was a problem hiding this comment.
Yes, without superuser it seems fine to me.
There was a problem hiding this comment.
I have created #467 for most of the mentioned / issues with copy / pasting.
This is brittle when we add new menu entries or change the order.
We want to disallow pasting into a folder until we have a good way to detect if the folder contains something we are pasting into it. The plan is to in the future handle conflicts when pasting, then we will revise the paste into folder situation.
|
@martinpitt I've reworked the whole PR, so now the code and test changes are together and hopefully this addresses all your comments. |
martinpitt
changed the title
src/fileActions.jsx
Outdated
| const currentPath = path.join("/") + "/"; | ||
| const menuItems = []; | ||
|
|
||
| const spawnPaste = (sourcePaths, targetPath) => { | ||
| if (sourcePaths.some(sourcePath => cwdInfo?.entries[basename(sourcePath)])) { | ||
| addAlert(_("Paste not overwriting existing files"), "danger", "paste-error"); |
There was a problem hiding this comment.
Not the nicest English, and for many files it'd be good to give a hint -- perhaps "$0 exists, not overwriting with paste". Garrett may have a better idea.
For now we don't have conflict resolution implemented yet for copy and paste so disallow pasting when any of the targets exist.
| if (elements.length === 0) { | ||
| return '/'; |
There was a problem hiding this comment.
These 2 added lines are not executed by any test.
When copy pasting pass the
--archiveflag tocpso permissions are retained. This also allows us to enable superuser try as permissions are now retained.Related: #435