daemon: delete flattenNestedWorkHome and normaliseHomeDirPerms

Both helpers are stranded: commit f068536 dropped their last callers
from ensureAuthorizedKeyOnWorkDisk and seedAuthorizedKeyOnExt4Image,
and commit 6ab1a2b dropped the ensureGitIdentity / runFileSync calls
that still held them up. Every on-disk-patch code path now drives the
ext4 image directly via MkdirExt4 / WriteExt4FileOwned /
EnsureExt4RootPerms.

Also drops TestFlattenNestedWorkHomeCopiesEntriesIndividually —
premise gone with the function. The sshd_config_test comment
referencing normaliseHomeDirPerms now points at EnsureExt4RootPerms.

Net sudo reduction across the five-commit series: work-disk creation,
authsync, image seeding, git identity sync, and file_sync all drop
sudo entirely against user-owned ext4 files. Remaining sudo in
internal/daemon is confined to firecracker process launch, tap/dm
device setup, iptables/NAT, and dmsnap/fcproc — things that
legitimately need CAP_SYS_ADMIN or CAP_NET_ADMIN. MountTempDir stays
on, exclusively as an image-build helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thales Maciel 2026-04-23 18:33:06 -03:00
parent 6ab1a2b844
commit 02773c1cf5
No known key found for this signature in database
GPG key ID: 33112E6833C34679
4 changed files with 1 additions and 75 deletions


@ -30,7 +30,7 @@ func TestSshdGuestConfig_Hardened(t *testing.T) {
// Things that must NOT appear. Each has a history and a reason. // Things that must NOT appear. Each has a history and a reason.
mustNotContain := map[string]string{ mustNotContain := map[string]string{
"LogLevel DEBUG3": "was debug leftover; floods journald", "LogLevel DEBUG3": "was debug leftover; floods journald",
"StrictModes no": "masked a /root perm drift; real fix is in normaliseHomeDirPerms", "StrictModes no": "masked a /root perm drift; real fix is EnsureExt4RootPerms at authsync time",
// Blanket "PermitRootLogin yes" (without prohibit-password) // Blanket "PermitRootLogin yes" (without prohibit-password)
// would re-enable password root login if something else // would re-enable password root login if something else
// flipped PasswordAuthentication back to yes. // flipped PasswordAuthentication back to yes.


@ -85,25 +85,6 @@ func provisionAuthorizedKey(ctx context.Context, runner system.CommandRunner, im
return system.WriteExt4FileOwned(ctx, runner, imagePath, "/.ssh/authorized_keys", 0o600, 0, 0, merged) return system.WriteExt4FileOwned(ctx, runner, imagePath, "/.ssh/authorized_keys", 0o600, 0, 0, merged)
} }
// normaliseHomeDirPerms forces the home-directory mount point to
// 0755 root:root. sshd's StrictModes (the default, re-enabled after
// banger stopped shipping "StrictModes no") rejects authorized_keys
// if the user's HOME — here the work-disk filesystem root — is
// group/other-writable or owned by anyone other than root. mkfs.ext4
// normally creates an ext4 root dir at 0755 root:root, but older
// work-seed images may have drifted, and `cp -a` on a non-standard
// source can carry weird bits forward. Forcing a known-good state
// here is cheap insurance.
func normaliseHomeDirPerms(ctx context.Context, runner system.CommandRunner, workMount string) error {
if _, err := runner.RunSudo(ctx, "chown", "0:0", workMount); err != nil {
return err
}
if _, err := runner.RunSudo(ctx, "chmod", "0755", workMount); err != nil {
return err
}
return nil
}
func (s *WorkspaceService) ensureGitIdentityOnWorkDisk(ctx context.Context, vm *model.VMRecord) error { func (s *WorkspaceService) ensureGitIdentityOnWorkDisk(ctx context.Context, vm *model.VMRecord) error {
runner := s.runner runner := s.runner
if runner == nil { if runner == nil {


@ -4,7 +4,6 @@ import (
"context" "context"
"fmt" "fmt"
"os" "os"
"path/filepath"
"strconv" "strconv"
"strings" "strings"
@ -177,27 +176,3 @@ func sshdGuestConfig() string {
}, "\n") }, "\n")
} }
// flattenNestedWorkHome is a package-level helper used by the image,
// workspace-sync, and VM-disk paths, so it takes the runner explicitly
// rather than belonging to any one service struct.
func flattenNestedWorkHome(ctx context.Context, runner system.CommandRunner, workMount string) error {
nestedHome := filepath.Join(workMount, "root")
if !exists(nestedHome) {
return nil
}
if _, err := runner.RunSudo(ctx, "chmod", "755", nestedHome); err != nil {
return err
}
entries, err := os.ReadDir(nestedHome)
if err != nil {
return err
}
for _, entry := range entries {
sourcePath := filepath.Join(nestedHome, entry.Name())
if _, err := runner.RunSudo(ctx, "cp", "-a", sourcePath, workMount+"/"); err != nil {
return err
}
}
_, err = runner.RunSudo(ctx, "rm", "-rf", nestedHome)
return err
}


@ -817,36 +817,6 @@ func TestSetVMDiskResizeFailsPreflightWhenToolsMissing(t *testing.T) {
} }
} }
func TestFlattenNestedWorkHomeCopiesEntriesIndividually(t *testing.T) {
t.Parallel()
workMount := t.TempDir()
nestedHome := filepath.Join(workMount, "root")
if err := os.MkdirAll(filepath.Join(nestedHome, ".ssh"), 0o755); err != nil {
t.Fatalf("MkdirAll(.ssh): %v", err)
}
if err := os.WriteFile(filepath.Join(nestedHome, "notes.txt"), []byte("seed"), 0o644); err != nil {
t.Fatalf("WriteFile(notes.txt): %v", err)
}
runner := &scriptedRunner{
t: t,
steps: []runnerStep{
sudoStep("", nil, "chmod", "755", nestedHome),
sudoStep("", nil, "cp", "-a", filepath.Join(nestedHome, ".ssh"), workMount+"/"),
sudoStep("", nil, "cp", "-a", filepath.Join(nestedHome, "notes.txt"), workMount+"/"),
sudoStep("", nil, "rm", "-rf", nestedHome),
},
}
d := &Daemon{runner: runner}
wireServices(d)
if err := flattenNestedWorkHome(context.Background(), d.runner, workMount); err != nil {
t.Fatalf("flattenNestedWorkHome: %v", err)
}
runner.assertExhausted()
}
func TestEnsureGitIdentityOnWorkDiskCopiesHostGlobalIdentity(t *testing.T) { func TestEnsureGitIdentityOnWorkDiskCopiesHostGlobalIdentity(t *testing.T) {
if _, err := exec.LookPath("git"); err != nil { if _, err := exec.LookPath("git"); err != nil {
t.Skip("git not installed") t.Skip("git not installed")