Skip to content

Review NACM and UNIX permissions #1354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
troglobit wants to merge 31 commits into
base: main
Choose a base branch
from
Open

Review NACM and UNIX permissions #1354

troglobit wants to merge 31 commits into from

Conversation

@troglobit
Copy link
Contributor

@troglobit troglobit commented Jan 18, 2026
edited
Loading

Description

This PR introduces two new user levels in Infix: guest and operator. Each can only read parts of the configuration and the latter is allowed limited management as well. The NACM rules and default user levels are documented in the user guide.

Additionally, the default UNIX permissions for accessing sysrepo now require root access, which is limited to administrator level users. All access to the configuration, as admin, is now done exclusively using the copy tool which respects NACM rules based on the user name. It is now a multicall binary with added XPath and RPC support, the latter under the guise of an rpc command. See the usage text for each of the commands for details.

Checklist

Tick relevant boxes, this PR is-a or has-a:

  • Bugfix
    • Regression tests
    • ChangeLog updates (for next release)
  • Feature
    • YANG model change => revision updated?
    • Regression tests added?
    • ChangeLog updates (for next release)
    • Documentation added?
  • Test changes
    • Checked in changed Readme.adoc (make test-spec)
    • Added new test to group Readme.adoc and yaml file
  • Code style update (formatting, renaming)
  • Refactoring (please detail in commit messages)
  • Build related changes
  • Documentation content changes
    • ChangeLog updated (for major changes)
  • Other (please describe):

@troglobit
board/common: cleanup old aliases and 'cfg' tool
648296a 
The sysrepocfg tool does not set up nacm based on $USER, and we now have
the shell 'copy' tool which does.  So drop 'cfg' and while we're at it
we also drop the 'edit' alias.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
package/klish: bump for new SocketGroup setting and bugfix
8a624c7 
 - The new SocketGroup setting allows for configurable /run/klishd.sock
 - Also a bug fix for async commands, needed to fix regressions in the
   klish-plugin-sysrepo commands 'change passwordk' and 'text-editor'
   after the latest upgrade to sysrepo + libyang v4

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
package/klish-plugin-sysrepo: sysrepo session and mode bits fixes
c0844b9 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
package/finit: backport fixes to critical issues in v4.15
9e47c59 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
cli: fix default hash in 'do password encrypt'
3056ce4 
We could go with the old default sha512crypt, but since the default has
changed to yescrypt, as used by the 'change password' command.  We use
that for consistency.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
buildoot: enforce sysrepo group, umask, and permissions
b106bac 
This patch enables umask and nacm defalts in the Buildoot sysrepo
package and a patch to sysrepo to set the sysrepo group also on the
event pipes in /etc/sysrepo/, without which it would be hard to inject
any type of new event as non-root user now since the umask now prevent
all 'other' users from interacting with sysrepo.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
sys: rename sys-cli -> sysrepo + klish
32d585d 
Previously the sys-cli group was for interactive shell access, but with
ever changing requirements this split has become necessary.

This commit introduces the 'sysrepo' group for low-level access to all
sysrepo commands, i.e., bootstrap only.  For user-level shell access a
'klish' group is added which allows users to connect to the CLI.  This
is now the only group users, including the default 'admin', are members
of, effectively making the new 'copy' tool the norm.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
confd: add operator and guest groups to factory-config
58d1d3f 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
confd: fix "is admin" check
0aed63c 
Prevent non-admin level users from getting UNIX wheel group assignment.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
confd: prevent motd from showing on non-shell user login attempts
afbcd7e 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
bin: leverage the simplicity of err.h in copy tool
4a07c13 
Like err.h but without the leading "argv[0]: " prefix.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
bin: make DST in copy command optional and use in CLI
94ceb3e 
Since sysrepocfg does not do any NACM based on the UNIX user, we expand
the scope of the copy tool slightly to allow outputting JSON to stdout.

This allows us to replace all sysrepocfg commands in the CLI used to
show runnining/startup/factory.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
bin: add -d debug mode to copy command
b9f745c 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
bin: retain sysrepo subscription in import *and* export
613ef48 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
bin: add optional xpath support to copy tool
87e1e4a 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
bin: make copy a multicall binary with new rpc interface
46835be 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
statd: add optional min_width to columns in SimpleTable class
331bf58 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit troglobit marked this pull request as ready for review January 18, 2026 15:06
@troglobit troglobit requested review from mattiaswal and wkz January 18, 2026 15:06
@troglobit
cli: new admin-exec level command 'show nacm'
708ff90 
Show operational details about nacm and user//group mappings.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
bin: relocate src/show.py to bin/show/ -- all tools in one place
d35f4ed 
 - relocate src/show.py to src/bin/show/
 - Refactor container() to use run_sysrepo() instead of rolling its own
 - Replace sysrepocfg with copy which supports nacm
 - Rename run_sysrepocfg() -> get_json()

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
cli: replace sysrepocfg with copy and rpc tools
e5eb88d 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
bin: add -f flag top force copy to existing file
978d49f 
Otherwise the file will not be updated by confd on datastore copy:

Jan 12 14:26:37 foo confd[3410]: Overwrite existing file /cfg/startup-config.cfg (y/N)? <FF>
Jan 12 14:26:37 foo confd[3410]: Error: OK, aborting.:Inappropriate ioctl for device

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
test/infamy: ensure residual state is cleaned up in dhcp server
fb022bf 
Fixes #1344

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
test/infamy: Use PATCH for RESTCONF merge semantics
687c26d 
Switch RESTCONF from PUT to PATCH for configuration updates. This gives
RESTCONF the same merge behavior as NETCONF edit-config, allowing NACM
to correctly enforce path-specific permissions instead of requiring
write access to the entire datastore.

Fixes #617

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
test/infamy: add patch_config() for single operations on running
0e1c30b 
Used by the new NACM basic test to verify ACL rules on explicit XPaths
or modules.  For this we cannot rely on put_config_dict() since it now
uses the candidate datastore for all changes.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
test: new case nacm-basic
2d7c4af 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
test: fix race condition in DHCP Server Multiple Subnets
5b40785 
Need to verify that client hostnames have been set before starting the
client, otherwise the test will fail due to clients getting pool lease,
which is intended.

In a real-world scenario this is not a problem. Here we've booby trapped
the server to try to trip up errors.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
doc: further discourage legacy scripting
d0ca108 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
doc: use 'example' consistently as hostname in cli examples
9c7d6d6 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
doc: update user guide with more on nacm and user privileges
409ab8d 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
doc: update restconf scripting with details on patch
828ff38 
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
doc: update ChnageLog
e75fdaf 
Slight refactor of WARNING and NOTE admonintions to improve readability.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
wkz
wkz requested changes Jan 20, 2026
View reviewed changes
Copy link
Contributor

@wkz wkz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What a lift from the current situation! Great work! 🔥

src/bin/copy.c
Comment on lines +448 to +449
else if (!dst)
err = systemf("cat %s", srcpath);
Copy link
Contributor

@wkz wkz Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would really like to avoid any calls to system(), especially as we're running as root. Since srcpath is user provided, I think there might be Bobby;DROP TABLE issues hiding here.

I think you can use the subprocess() to implement cat() much like cp() above.

src/bin/copy.c

*path = strdup((*ds)->path);
} else if (!*dst) {
return 0;
Copy link
Contributor

@wkz wkz Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we move this check up to before the call to infix_ds(), then we won't have to have the NULL check bleed into that implementation as well.

src/bin/copy.c
Comment on lines -630 to +640
if (argc - optind != 2)
if (argc - optind < 1)
Copy link
Contributor

@wkz wkz Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2nd thought: Could we not set dst to /dev/stdout when it is missing, and avoid having any special cases at all in the rest of the code?

mattiaswal
mattiaswal approved these changes Jan 21, 2026
View reviewed changes
Copy link
Contributor

@mattiaswal mattiaswal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awseome additions. I really like the restconf PATCH addition, may speed up tests slightly.

@troglobit
Copy link
Contributor Author

troglobit commented Jan 21, 2026

Awseome additions. I really like the restconf PATCH addition, may speed up tests slightly.

Thanks! Have a few fixes left to address from Tobias' review, but soon we'll have PATCH support available for all in Infamy 😎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wkz wkz wkz requested changes

@mattiaswal mattiaswal mattiaswal approved these changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@troglobit @wkz @mattiaswal