thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions

daemon: delete flattenNestedWorkHome and normaliseHomeDirPerms

Browse source 
Both helpers are stranded: commit f068536 dropped their last callers
from ensureAuthorizedKeyOnWorkDisk and seedAuthorizedKeyOnExt4Image,
and commit 6ab1a2b dropped the ensureGitIdentity / runFileSync calls
that still held them up. Every on-disk-patch code path now drives the
ext4 image directly via MkdirExt4 / WriteExt4FileOwned /
EnsureExt4RootPerms.

Also drops TestFlattenNestedWorkHomeCopiesEntriesIndividually —
premise gone with the function. The sshd_config_test comment
referencing normaliseHomeDirPerms now points at EnsureExt4RootPerms.

Net sudo reduction across the five-commit series: work-disk creation,
authsync, image seeding, git identity sync, and file_sync all drop
sudo entirely against user-owned ext4 files. Remaining sudo in
internal/daemon is confined to firecracker process launch, tap/dm
device setup, iptables/NAT, and dmsnap/fcproc — things that
legitimately need CAP_SYS_ADMIN or CAP_NET_ADMIN. MountTempDir stays
on exclusively as an image-build helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Thales Maciel 2026-04-23 18:33:06 -03:00
parent 6ab1a2b844
commit 02773c1cf5
No known key found for this signature in database
GPG key ID: 33112E6833C34679
4 changed files with 1 additions and 75 deletions
Download patch file Download diff file Expand all files Collapse all files

19
internal/daemon/vm_authsync.go
View file

@ -85,25 +85,6 @@ func provisionAuthorizedKey(ctx context.Context, runner system.CommandRunner, im
return system.WriteExt4FileOwned(ctx, runner, imagePath, "/.ssh/authorized_keys", 0o600, 0, 0, merged)
}
// normaliseHomeDirPerms forces the home-directory mount point to
// 0755 root:root. sshd's StrictModes (the default, re-enabled after
// banger stopped shipping "StrictModes no") rejects authorized_keys
// if the user's HOME — here the work-disk filesystem root — is
// group/other-writable or owned by anyone other than root. mkfs.ext4
// normally creates an ext4 root dir at 0755 root:root, but older
// work-seed images may have drifted, and `cp -a` on a non-standard
// source can carry weird bits forward. Forcing a known-good state
// here is cheap insurance.
func normaliseHomeDirPerms(ctx context.Context, runner system.CommandRunner, workMount string) error {
if _, err := runner.RunSudo(ctx, "chown", "0:0", workMount); err != nil {
return err
}
if _, err := runner.RunSudo(ctx, "chmod", "0755", workMount); err != nil {
return err
}
return nil
}
func (s *WorkspaceService) ensureGitIdentityOnWorkDisk(ctx context.Context, vm *model.VMRecord) error {
runner := s.runner
if runner == nil {