diff --git a/internal/daemon/sshd_config_test.go b/internal/daemon/sshd_config_test.go
index 4135856..5b89e2f 100644
--- a/internal/daemon/sshd_config_test.go
+++ b/internal/daemon/sshd_config_test.go
@@ -30,7 +30,7 @@ func TestSshdGuestConfig_Hardened(t *testing.T) {
 	// Things that must NOT appear. Each has a history and a reason.
 	mustNotContain := map[string]string{
 		"LogLevel DEBUG3": "was debug leftover; floods journald",
-		"StrictModes no": "masked a /root perm drift; real fix is in normaliseHomeDirPerms",
+		"StrictModes no": "masked a /root perm drift; real fix is EnsureExt4RootPerms at authsync time",
 		// Blanket "PermitRootLogin yes" (without prohibit-password)
 		// would re-enable password root login if something else
 		// flipped PasswordAuthentication back to yes.
diff --git a/internal/daemon/vm_authsync.go b/internal/daemon/vm_authsync.go
index 32a7eb4..b9a429e 100644
--- a/internal/daemon/vm_authsync.go
+++ b/internal/daemon/vm_authsync.go
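Review bot: The new reason string names EnsureExt4RootPerms as the replacement for the deleted normaliseHomeDirPerms, but no hunk in this diff shows that function being called on the authsync path, and the only test that exercised the old mount-permission flow (TestFlattenNestedWorkHomeCopiesEntriesIndividually in vm_test.go) is removed without a visible replacement. The deleted helper's comment documented the property at stake: with StrictModes on, sshd rejects authorized_keys when the work-disk root is group/other-writable or not owned by root, so if the replacement is missing or runs after sshd reads the file, key login fails silently and the pressure to reintroduce "StrictModes no" returns. If the call lives in another commit, consider making the string say where, e.g. `"StrictModes no": "masked a /root perm drift; real fix is EnsureExt4RootPerms, called from provisionAuthorizedKey"`, and adding a scriptedRunner test that asserts the chown/chmod (or its ext4 equivalent) is issued before authorized_keys is written. TestSshdGuestConfig_Hardened starts and ends outside this hunk.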
@@ -85,25 +85,6 @@ func provisionAuthorizedKey(ctx context.Context, runner system.CommandRunner, im
 	return system.WriteExt4FileOwned(ctx, runner, imagePath, "/.ssh/authorized_keys", 0o600, 0, 0, merged)
 }
 
-// normaliseHomeDirPerms forces the home-directory mount point to
-// 0755 root:root. sshd's StrictModes (the default, re-enabled after
-// banger stopped shipping "StrictModes no") rejects authorized_keys
-// if the user's HOME — here the work-disk filesystem root — is
-// group/other-writable or owned by anyone other than root. mkfs.ext4
-// normally creates an ext4 root dir at 0755 root:root, but older
-// work-seed images may have drifted, and `cp -a` on a non-standard
-// source can carry weird bits forward. Forcing a known-good state
-// here is cheap insurance.
-func normaliseHomeDirPerms(ctx context.Context, runner system.CommandRunner, workMount string) error {
-	if _, err := runner.RunSudo(ctx, "chown", "0:0", workMount); err != nil {
-		return err
-	}
-	if _, err := runner.RunSudo(ctx, "chmod", "0755", workMount); err != nil {
-		return err
-	}
-	return nil
-}
-
 func (s *WorkspaceService) ensureGitIdentityOnWorkDisk(ctx context.Context, vm *model.VMRecord) error {
 	runner := s.runner
 	if runner == nil {
diff --git a/internal/daemon/vm_disk.go b/internal/daemon/vm_disk.go
index 660676d..e4ff38c 100644
--- a/internal/daemon/vm_disk.go
+++ b/internal/daemon/vm_disk.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"path/filepath"
 	"strconv"
 	"strings"
@@ -177,27 +176,3 @@ func sshdGuestConfig() string {
 	}, "\n")
 }
 
-// flattenNestedWorkHome is a package-level helper used by the image,
-// workspace-sync, and VM-disk paths, so it takes the runner explicitly
-// rather than belonging to any one service struct.
-func flattenNestedWorkHome(ctx context.Context, runner system.CommandRunner, workMount string) error {
-	nestedHome := filepath.Join(workMount, "root")
-	if !exists(nestedHome) {
-		return nil
-	}
-	if _, err := runner.RunSudo(ctx, "chmod", "755", nestedHome); err != nil {
-		return err
-	}
-	entries, err := os.ReadDir(nestedHome)
-	if err != nil {
-		return err
-	}
-	for _, entry := range entries {
-		sourcePath := filepath.Join(nestedHome, entry.Name())
-		if _, err := runner.RunSudo(ctx, "cp", "-a", sourcePath, workMount+"/"); err != nil {
-			return err
-		}
-	}
-	_, err = runner.RunSudo(ctx, "rm", "-rf", nestedHome)
-	return err
-}
diff --git a/internal/daemon/vm_test.go b/internal/daemon/vm_test.go
index 0c6733d..bbd793a 100644
--- a/internal/daemon/vm_test.go
+++ b/internal/daemon/vm_test.go
@@ -817,36 +817,6 @@ func TestSetVMDiskResizeFailsPreflightWhenToolsMissing(t *testing.T) {
 	}
 }
 
-func TestFlattenNestedWorkHomeCopiesEntriesIndividually(t *testing.T) {
-	t.Parallel()
-
-	workMount := t.TempDir()
-	nestedHome := filepath.Join(workMount, "root")
-	if err := os.MkdirAll(filepath.Join(nestedHome, ".ssh"), 0o755); err != nil {
-		t.Fatalf("MkdirAll(.ssh): %v", err)
-	}
-	if err := os.WriteFile(filepath.Join(nestedHome, "notes.txt"), []byte("seed"), 0o644); err != nil {
-		t.Fatalf("WriteFile(notes.txt): %v", err)
-	}
-
-	runner := &scriptedRunner{
-		t: t,
-		steps: []runnerStep{
-			sudoStep("", nil, "chmod", "755", nestedHome),
-			sudoStep("", nil, "cp", "-a", filepath.Join(nestedHome, ".ssh"), workMount+"/"),
-			sudoStep("", nil, "cp", "-a", filepath.Join(nestedHome, "notes.txt"), workMount+"/"),
-			sudoStep("", nil, "rm", "-rf", nestedHome),
-		},
-	}
-	d := &Daemon{runner: runner}
-	wireServices(d)
-
-	if err := flattenNestedWorkHome(context.Background(), d.runner, workMount); err != nil {
-		t.Fatalf("flattenNestedWorkHome: %v", err)
-	}
-	runner.assertExhausted()
-}
-
 func TestEnsureGitIdentityOnWorkDiskCopiesHostGlobalIdentity(t *testing.T) {
 	if _, err := exec.LookPath("git"); err != nil {
 		t.Skip("git not installed")