kraft net almost unusable with multiple users

[craciunoiuc]

Describe the bug

Trying to use the kraft net subcommands together with kraft run is almost impossible when using multiple users.

In order to create a network interface you need to use sudo, and then you should be able to use it inside kraft run.

But, to use it there, you also need to use sudo for kraft run. This means that the user is changed and the path to the config also becomes changed (effectively using the home of root).

This can prove confusing as people ca run:

1. sudo kraft run
2. kraft ps

And then see no output, even though they should.

Steps to reproduce

No response

Expected behavior

No response

Which architectures were you using or does this bug affect?

x86_64, arm, arm64

Which operating system were you using or does this bug affect?

linux/debian, linux/fedora, linux/alpine, linux/arch, linux/other

Relevant log output

No response

[craciunoiuc]

@LucaSeri is it okay if I assign this issue to you? I know you bumped into this recently

I'm not sure how a fix looks like, probably making kraftkit somehow ask for sudo privileges when running just for the bridge creation.

On a successful run, in my head:

1. kraftkit fetches all info related to bridges and prepares stuff (using user user)
2. kraftkit invokes the bridge command, or whatever it does (using user root)
3. kraftkit reports back on the status of the bridge creation and saves info (using user user)

This ensures that info is saved in the store with the correct permissions, and also the creation works as any user. It will of course ask for the root password, but that is to be expected.

Same in the case of kraft run, only exact, problematic operations should be grnted elevation, not everything

[craciunoiuc]

One more idea brainstorm resulted in this:

I was thinking on this and I have a possible stop-gap fix #992

What if we:

1. Ensure that all files and directories created use the permissions of the parent directory? So if I run the directory /home/cez/.local/shared/kraftkit as root, everything inside it will belong to cez, instead of a mix. This will be ensured by saving the user in the G(ctx) global context when starting.
   ^ This fixes the case of sudo, but will require people to provide a path to alternate configs

2. Use the $USER variable and the whoami result and equivalents:

➜  ~ sudo whoami
root
➜  ~ sudo -E whoami
root
➜  ~ sudo -E echo "$USER"
cez
➜  ~ sudo echo "$USER"
cez
➜  ~ sudo su
zen# echo "$USER"
root

^ With this we can add an Info message saying:
i kraft run with sudo by 'cez' user: defaulting to 'cez' file permissions

We can do 2. in the context where we print the sudo warning should be straight-forward -> just read $USER or $SUDO_USER

then we go and do 1. by checking if this is set and chowning all files that we touch/create

Might be a bit more annoying for MkdirAll

so it will require adding a:

defer func(){
  if user, group, ok := isSudoNotRoot(); ok {
    os.Chown(file, user, group)
  }
}()

os.CreateAsUser(path, user string)
os.OpenAsUser(path, user string)
os.MkdirAsUser(path, user string)
os.mkdirAllAsUser(path, user string)

there's also the nuclear option 3.: If root, create all files with extra permissions equal to user permissions