chore: remove root user restriction in RepoCache rebuild#1649
Conversation
1. Removed the check that prevented root users from writing to states.json during cache rebuild 2. The previous workaround was needed when ll-cli could make states.json owned by root, causing permission issues 3. This restriction is no longer necessary as the underlying ownership issue has been addressed 4. Root users can now fully rebuild the repository cache without skipping the write operation Log: Root users can now rebuild the repository cache and persist changes to states.json Influence: 1. Test RepoCache rebuild functionality when running as root user 2. Verify states.json is correctly written and readable by both root and non-root users 3. Test cache rebuild in scenarios where ll-cli initializes the repository as root 4. Verify file ownership and permissions of states.json after root- initiated rebuilds 5. Test cache persistence across multiple rebuild operations as root 6. Verify no permission denied errors occur during cache writes as root
deepin pr auto review这段代码的修改是移除了一段检查当前用户是否为 root 的逻辑。以下是对这段修改的详细审查意见,包括语法逻辑、代码质量、性能和安全性方面的分析: 1. 语法逻辑分析
2. 代码质量分析
3. 性能分析
4. 安全性分析
5. 改进建议
总结
|
There was a problem hiding this comment.
Code Review
This pull request removes a restriction that prevented the root user from updating the repository cache on disk. Reviewers identified a critical security vulnerability where root processes using fixed temporary filenames could be targeted by symlink attacks in user-writable directories. Additionally, concerns were raised regarding the noexcept specification of the rebuild function and the potential for state inconsistency if disk writes fail after the in-memory cache has been modified.
| return LINGLONG_OK; | ||
| } | ||
|
|
||
| auto ret = writeToDisk(); |
There was a problem hiding this comment.
Removing the root user check allows root processes to execute writeToDisk(). In the current implementation of writeToDisk(), a temporary file with a fixed name (temp-states.json) is created using std::ofstream. If this operation is performed in a directory writable by a non-privileged user (e.g., a user-local repository), it is vulnerable to a symlink attack. A malicious user could create a symlink at the temporary file's path to trick the root process into overwriting arbitrary system files. Consider using a unique temporary filename (e.g., via mkstemp) and opening it with O_EXCL, or ensuring that the repository directory permissions are strictly controlled to prevent non-root access.
| auto ret = writeToDisk(); | ||
| if (!ret) { | ||
| return LINGLONG_ERR(ret); |
There was a problem hiding this comment.
The rebuild function is marked as noexcept (at line 57), but it calls writeToDisk(), which is not noexcept and performs operations that can throw exceptions (e.g., std::filesystem path operations, std::string allocations, and nlohmann::json::dump()). If an exception is thrown, the program will call std::terminate().
Additionally, if writeToDisk() fails and returns an error, the in-memory state of this->cache has already been modified (cleared and repopulated), leading to an inconsistency with the persistent state on disk. Consider removing the noexcept specifier and implementing a transactional approach where the cache is rebuilt into a temporary object and only swapped into this->cache upon a successful write.
Codecov Report✅ All modified and coverable lines are covered by tests.
... and 3 files with indirect coverage changes 🚀 New features to boost your workflow:
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dengbo11, reddevillg The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Log: Root users can now rebuild the repository cache and persist changes to states.json
Influence: