From 23bb68acaa063516ca301e4cebeffc1921a26d37 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 8 Oct 2024 18:29:01 +0200 Subject: [PATCH 1/5] Atomic copy_from in files promise Changes to `files` promise in `copy_from` attribute: - The new file (i.e., `.cfnew`) is now created with correct permission during remote copy. Previously it would be created with default permissions. - The destination file (i.e., ``) is no longer deleted on backup during file copy. Previously it would be renamed to `.cfsaved`, causing the original file to dissappear. Now an actual copy of the original file with the same permissions is created instead. As a result, there will no longer be a brief moment where the original file is inaccessible. Ticket: ENT-11988 Changelog: Commit Signed-off-by: Lars Erik Wik (cherry picked from commit 224ccc33652c2c97923ab97a29317f6c930671e1) --- cf-agent/verify_files_utils.c | 4 ++-- libcfnet/client_code.c | 4 ++-- libcfnet/client_code.h | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cf-agent/verify_files_utils.c b/cf-agent/verify_files_utils.c index 79ec481e33..84115f997f 100644 --- a/cf-agent/verify_files_utils.c +++ b/cf-agent/verify_files_utils.c @@ -1552,7 +1552,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con } if (!CopyRegularFileNet(source, ToChangesPath(new), - sstat->st_size, attr->copy.encrypt, conn)) + sstat->st_size, attr->copy.encrypt, conn, sstat->st_mode)) { RecordFailure(ctx, pp, attr, "Failed to copy file '%s' from '%s'", source, conn->remoteip); @@ -1712,7 +1712,7 @@ bool CopyRegularFile(EvalContext *ctx, const char *source, const char *dest, con } } - if (rename(dest, changes_backup) == 0) + if (CopyRegularFileDisk(dest, changes_backup)) { RecordChange(ctx, pp, attr, "Backed up '%s' as '%s'", dest, backup); *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE); diff --git a/libcfnet/client_code.c b/libcfnet/client_code.c index d168d37b31..032eebcf83 100644 --- a/libcfnet/client_code.c +++ b/libcfnet/client_code.c @@ -751,7 +751,7 @@ static void FlushFileStream(int sd, int toget) /* TODO finalise socket or TLS session in all cases that this function fails * and the transaction protocol is out of sync. */ bool CopyRegularFileNet(const char *source, const char *dest, off_t size, - bool encrypt, AgentConnection *conn) + bool encrypt, AgentConnection *conn, mode_t mode) { char *buf, workbuf[CF_BUFSIZE], cfchangedstr[265]; const int buf_size = 2048; @@ -775,7 +775,7 @@ bool CopyRegularFileNet(const char *source, const char *dest, off_t size, unlink(dest); /* To avoid link attacks */ - int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, CF_PERMS_DEFAULT); + int dd = safe_open_create_perms(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, mode); if (dd == -1) { Log(LOG_LEVEL_ERR, diff --git a/libcfnet/client_code.h b/libcfnet/client_code.h index f0d560088f..ba32d4acdb 100644 --- a/libcfnet/client_code.h +++ b/libcfnet/client_code.h @@ -48,7 +48,7 @@ void DisconnectServer(AgentConnection *conn); bool CompareHashNet(const char *file1, const char *file2, bool encrypt, AgentConnection *conn); bool CopyRegularFileNet(const char *source, const char *dest, off_t size, - bool encrypt, AgentConnection *conn); + bool encrypt, AgentConnection *conn, mode_t mode); Item *RemoteDirList(const char *dirname, bool encrypt, AgentConnection *conn); int TLSConnectCallCollect(ConnectionInfo *conn_info, const char *username); From 9d0fd65f035da121260fac09a876b2b30eadb058 Mon Sep 17 00:00:00 2001 From: Vratislav Podzimek Date: Thu, 12 Sep 2024 16:42:00 +0200 Subject: [PATCH 2/5] Workaround cppcheck ignoring `-i libpromises/cf3lex.c` When running cppcheck in static checks, we use `-i libpromises/cf3lex.c` in order to make cppcheck ignore the generated cf3lex.c file. However, the new version of cppcheck ignores this option and fails on issues found in the file. However, we don't want this file or any other generated files except for bootstrap.inc which contains the bootstrap policy. So we can run `make clean` and `make -C libpromise/ boostrap.inc` before running cppcheck to get a cleaner environment. (cherry picked from commit e9cfa4105cf5718a4bbfcb06adc737437d9bd3fa) Signed-off-by: Lars Erik Wik --- tests/static-check/run_checks.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/static-check/run_checks.sh b/tests/static-check/run_checks.sh index bcd059a3eb..4583968ff0 100755 --- a/tests/static-check/run_checks.sh +++ b/tests/static-check/run_checks.sh @@ -21,6 +21,8 @@ function check_with_clang() { function check_with_cppcheck() { rm -f config.cache + make clean + make -C libpromises/ bootstrap.inc # needed by libpromises/bootstrap.c ./configure -C --enable-debug # cppcheck options: From 2805fb1ec529fe5573a20da150911d845a95fb93 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Tue, 6 Aug 2024 17:54:26 +0200 Subject: [PATCH 3/5] Fixed failure to install cf-remote ``` error: externally-managed-environment ``` Since this is a container, it should be OK to potentially break system packages. Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 0195e21b735ccf0da8d889ecf34919689641d6db) --- .github/workflows/windows_acceptance_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/windows_acceptance_tests.yml b/.github/workflows/windows_acceptance_tests.yml index f387042f27..b6bb6c74ca 100644 --- a/.github/workflows/windows_acceptance_tests.yml +++ b/.github/workflows/windows_acceptance_tests.yml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@v3 - name: install cf-remote - run: pip install cf-remote + run: pip install cf-remote --break-system-packages # Note that msiexec can't install packages when running under msys; # But cf-remote currently can't run under powershell From 526d710d5e1ae6d03c631957837c4a6b3f88970b Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 11 Oct 2024 13:47:08 +0200 Subject: [PATCH 4/5] Fixed error in static checks libncurses5 was not available in the noble repository, but maybe libncurses6 will work. ``` E: Unable to locate package libncurses5 ``` Ticket: None Changelog: None Signed-off-by: Lars Erik Wik (cherry picked from commit 4d1944adc423ac19a99cb37d83f1a461909d4c53) --- .github/workflows/job-static-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/job-static-check.yml b/.github/workflows/job-static-check.yml index 1554ba5bb7..5609b28edd 100644 --- a/.github/workflows/job-static-check.yml +++ b/.github/workflows/job-static-check.yml @@ -46,7 +46,7 @@ jobs: - name: Prepare Environment run: | sudo apt-get update && \ - sudo apt-get install -y dpkg-dev debhelper g++ libncurses5 pkg-config \ + sudo apt-get install -y dpkg-dev debhelper g++ libncurses6 pkg-config \ build-essential libpam0g-dev fakeroot gcc make autoconf buildah \ liblmdb-dev libacl1-dev libcurl4-openssl-dev libyaml-dev libxml2-dev \ libssl-dev libpcre3-dev From 18c187348719ea58ca0e90b567dc4ce446f3f4c9 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Fri, 11 Oct 2024 15:39:23 +0200 Subject: [PATCH 5/5] Fixed missing PCRE in CodeQL test ``` checking for pcre_exec in -lpcre... no configure: error: Cannot find PCRE ``` Ticket: None Changelog: None Signed-off-by: Lars Erik Wik --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4777259e8e..dfe8dd437e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,7 +41,7 @@ jobs: - name: Install dependencies (C) if: ${{ matrix.language == 'cpp' }} - run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl + run: sudo apt-get update -y && sudo apt-get install -y libssl-dev libpam0g-dev liblmdb-dev byacc curl libpcre3-dev - name: Build (C) if: ${{ matrix.language == 'cpp' }}