[ovirt-users] Building ovirt-engine fails due to failing estCanReadFile(org.ovirt.engine.core.utils.servlet.ServletUtilsTest): We should not be able to read this file.
Yedidyah Bar David
didi at redhat.com
Tue May 23 09:59:59 UTC 2017
On Tue, May 23, 2017 at 12:16 PM, Leni Kadali Mutungi
<lenikmutungi at gmail.com> wrote:
> On 5/23/17, Yedidyah Bar David <didi at redhat.com> wrote:
>> On Tue, May 23, 2017 at 6:21 AM, Leni Kadali Mutungi
>> <lenikmutungi at gmail.com> wrote:
>>> Tried to build ovirt-engine on my computer using the command `make
>>> clean install-dev`, on Debian Testing.
>>>
>>> The full output of the error is as follows:
>>> https://paste.fedoraproject.org/paste/F6p~LVdNtFlpzQijMbSIYV5M1UNdIGYhyRLivL9gydE=
>>
>> Did you search the code for relevant parts of the error message?
>> Searching for 'We should not be able to read this file' finds it in
>> backend/manager/modules/utils/src/test/java/org/ovirt/engine/core/utils/servlet/ServletUtilsTest.java
>> twice - once when trying to read '/doesnotexist/iamprettysure', and
>> the other when trying to read '/etc/securetty'.
> I did not think to look for the file. Will remember this in future.
>
>> The latter file is 0600 on Fedora, RHEL and derivatives. I guess it's
>> readable for your user on your system, which might not be a good idea
>> in itself - but that's a different discussion.
>>
>> Some options for how to continue:
>>
>> 1. Submit a patch for the engine to change this test to test for some
>> other file that is more likely to be unreadable, e.g. /etc/shadow.
>>
>> 2. Locally set it on your system to be unreadable to you.
>>
>> 3. Assuming it's Debian's default, ask on Debian lists/forums to
>> change it to be non-world-readable and/or why it's not like that
>> already.
>>
>> 4. Ignore unit tests for now, 'make BUILD_UT=0 install-dev'. Check
>> README.adoc for details.
> I am ccing the Deb Virtualization Team for this, in the hopes that
> they may have a different opinion, but when I asked in the #debian IRC
> channel on OFTC, I was told that the file is now presently read by
> pam_securetty so permissions of 0600 would be fine, though the person
> responding didn't see the use of making the permissions stricter than
> they already are (0644). Maybe you could elaborate on the importance
> of having this set to 0600?
I suggest to search the net etc. for more info on this. My intuitive
answer is that if a user can read the list of terminals that root can
login through, that user now has some useful information when trying
to break into the system, so better hide that if possible.
Fedora dropped this file altogether:
https://bugzilla.redhat.com/show_bug.cgi?id=1090639
Which is another reason for going with (1.) above.
> Pending that I will go for option 4, and
> choose from options 1 to 3 when packaging for Debian.
>
>>> I modified the following variables in the Makefile to suit where the
>>> required files are:
>>>
>>> JS_DEPS_DIR=/home/user/ovirt-js-dependencies
>>> PYFLAKES=/usr/bin/pyflakes
>>> JBOSS_HOME=/home/user/wildfly-11.0.0.Alpha1
>>> WILDFLY_OVERLAY_MODULES=/home/user/wildfly-11.0.0.Alpha1/modules
>>>
>>> I have pep8 but was unable to know how to correctly reference it in
>>> the Makefile, the syntax being:
>>>
>>> PEP8=pep8
>>
>> This should probably be ok, unless your version of pep8 is too old/
>> too new/has different defaults than what we use in CI (which is the
>> "common denominator").
>>
>> Good luck,
>>
>>>
>>> Advice on this would be welcome.
>>>
>>>
>>> --
>>> - Warm regards
>>> Leni Kadali Mutungi
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>
>> --
>> Didi
>
>
> --
> - Warm regards
> Leni Kadali Mutungi
--
Didi
More information about the Users
mailing list