From dd8a40a99a57b384aaf5f27839646f99b3aee3ae Mon Sep 17 00:00:00 2001
From: Ondrej Famera
Date: Sun, 24 Dec 2017 23:22:51 +0100
Subject: [PATCH] FIX issue with sg in Issue #31 and document this in user guide

---
 docs/user_guide.txt | 22 +++++++++++++++++++++
 fast-vm | 47 +++++++++++++++++++++++++++++++++++++++------
 2 files changed, 63 insertions(+), 6 deletions(-)

diff --git a/docs/user_guide.txt b/docs/user_guide.txt
index a5c136d..ace4e78 100644
--- a/docs/user_guide.txt
+++ b/docs/user_guide.txt
@@ -782,3 +782,25 @@ To run the installation with above examples you can use command below:
 # ansible-playbook -i fast-vm-server.hosts install-fast-vm-server.yml
 
+ +

6.3. Using fast-vm on systems with SSSD

+

It is possible to use SSSD for providing centralized users and groups on systems +that will run the fast-vm. In case that user wants to use the +fast-vm then it must be part of group that is allowed to use +fast-vm. In case that this cannot be changed centraly then use +the sss_override to make a primary group of such (centrally +managed) user to be a group allowed to use fast-vm. This can be done +using the command sss_override. Below example shows changing +primary group of user 'myuser' (assuming that group allowed to access the +fast-vm has GID 500):

+ +
+sss_override user-add myuser -g 500
+
+ +

User will need to re-login and the sssd daemon may need to be +restarted for this change to take effect.

+ +

Adding user to group in local /etc/group file may not work +properly since fast-vm-1.3 that uses sg command for +some operations. This is mitigated in fast-vm-1.3.1

diff --git a/fast-vm b/fast-vm
index 780bb1e..d378c70 100755
--- a/fast-vm
+++ b/fast-vm
@@ -189,8 +189,20 @@ update_access_time () {
 # Update the time of 'note' file for VM.
 # This can be used to track if the VM is actively used/accessed.
 vm_number="$1"
- if [ -f "$FASTVM_NOTES_DIR/$vm_number" ]; then sg $FASTVM_GROUP "touch $FASTVM_NOTES_DIR/$vm_number 2>/dev/null"; fi
- if [ -f "$FASTVM_NOTES_DIR/$vm_number.profile" ]; then sg $FASTVM_GROUP "touch $FASTVM_NOTES_DIR/$vm_number.profile 2>/dev/null"; fi
+ if [ -f "$FASTVM_NOTES_DIR/$vm_number" ]; then
+ if [ "$safe_sg" == 0 ]; then
+ sg $FASTVM_GROUP "touch $FASTVM_NOTES_DIR/$vm_number 2>/dev/null"
+ else
+ touch $FASTVM_NOTES_DIR/$vm_number 2>/dev/null
+ fi
+ fi
+ if [ -f "$FASTVM_NOTES_DIR/$vm_number.profile" ]; then
+ if [ "$safe_sg" == 0 ]; then
+ sg $FASTVM_GROUP "touch $FASTVM_NOTES_DIR/$vm_number.profile 2>/dev/null"
+ else
+ touch $FASTVM_NOTES_DIR/$vm_number.profile 2>/dev/null
+ fi
+ fi
 }
 
 calculate_day_difference () {
@@ -301,6 +313,13 @@ if [ $(id |grep "($FASTVM_GROUP)"|wc -l) -eq 0 ] && [ $(whoami) != "root" ]; the
 exit 1
 fi
+## check if 'sg' can work properly
+timeout 3 sg $FASTVM_GROUP date >/dev/null
+safe_sg=$?
+if [ "$safe_sg" != 0 ]; then
+ pmsg $P_WARNING "User cannot run properly commands as '$FASTVM_GROUP' group! Ensure that user can run command 'sg $FASTVM_GROUP date' without password.\n"
+fi
+
 
 ## try to detect if the defined thin pool is available
 double_dash_lv=$(echo "$THINPOOL_LV"|sed 's/-/--/g') # LVM uses double dash in the /dev/mapper
 double_dash_vg=$(echo "$THINPOOL_VG"|sed 's/-/--/g') # also for VGs 
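Review bot: The probe on the `timeout 3 sg $FASTVM_GROUP date` line only silences stdout, so on a host where `sg` wants a password every run of the script shows the prompt or sg's error text for up to three seconds before the warning appears; `timeout 3 sg "$FASTVM_GROUP" date >/dev/null 2>&1` keeps the check quiet and also guards the unquoted group name. `safe_sg` becomes a script-wide flag that `update_access_time` in the hunk above reads at call time, so a comment such as `# 0 = sg usable; non-zero makes the note helpers fall back to plain touch/echo` next to `safe_sg=$?` would document that contract. The warning could also state what degraded mode means for file ownership, since without `sg` the fallbacks create note files under the caller's primary group rather than `$FASTVM_GROUP` (unless the notes directory is setgid — worth confirming).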
@@ -775,10 +794,18 @@ case "$1" in
 exit 0
 else
 # create empty VM note to identify user which created VM only for non-base VMs
- $(umask 0002; sg $FASTVM_GROUP "touch $FASTVM_NOTES_DIR/$vm_number 2>/dev/null")
+ if [ "$safe_sg" == 0 ]; then
+ $(umask 0002; sg $FASTVM_GROUP "touch $FASTVM_NOTES_DIR/$vm_number 2>/dev/null")
+ else
+ $(umask 0000; touch $FASTVM_NOTES_DIR/$vm_number 2>/dev/null)
+ fi
 # if machine was created using profile put information about used profile into VM note
 if [ "$profile_name" != "$image_name" ]; then
- $(umask 0002; sg $FASTVM_GROUP "echo '$profile_name' > $FASTVM_NOTES_DIR/$vm_number.profile")
+ if [ "$safe_sg" == 0 ]; then
+ $(umask 0002; sg $FASTVM_GROUP "echo '$profile_name' > $FASTVM_NOTES_DIR/$vm_number.profile")
+ else
+ $(umask 0000; echo '$profile_name' > $FASTVM_NOTES_DIR/$vm_number.profile)
+ fi
 fi
 fi
 
@@ -1070,13 +1097,21 @@ case "$1" in
 owner=$(whoami)
 if [ -z "$3" ]; then
 #FIXME, add the umask 0002 in way that restores back to original umask
- sg $FASTVM_GROUP "$EDITOR $FASTVM_NOTES_DIR/$vm_number"
+ if [ "$safe_sg" == 0 ]; then
+ sg $FASTVM_GROUP "$EDITOR $FASTVM_NOTES_DIR/$vm_number"
+ else
+ $EDITOR $FASTVM_NOTES_DIR/$vm_number
+ fi
 content=$(cat $FASTVM_NOTES_DIR/$vm_number)
 else
 # get the whole content of note (do not care in how many arguments it seems to be splitted)
 shift 2
 content="$@"
- $(umask 0002; sg $FASTVM_GROUP "echo '$content' > $FASTVM_NOTES_DIR/$vm_number")
+ if [ "$safe_sg" == 0 ]; then
+ $(umask 0002; sg $FASTVM_GROUP "echo '$content' > $FASTVM_NOTES_DIR/$vm_number")
+ else
+ $(umask 0000; echo '$content' > $FASTVM_NOTES_DIR/$vm_number)
+ fi
 fi
 if [ -f "$FASTVM_NOTES_DIR/$vm_number" ]; then
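Review bot: The new `else` branch writes the literal text `$profile_name` into the profile note, because in `$(umask 0000; echo '$profile_name' > …)` the single quotes are seen by the calling shell and suppress expansion — the `sg` variant only works because the whole string is double-quoted before sg's inner shell sees it; the `'$content'` fallback in the `@@ -1070` hunk has the same defect. Those fallbacks also run under `umask 0000`, so on a host where `sg` fails the VM note and profile files are created world-writable and any local account can rewrite the who-created-what record; since the membership check near the top of the script already requires `$FASTVM_GROUP` in the caller's `id` output, the file owner should be able to `chgrp` to that group under the usual `umask 0002` instead (worth confirming on an SSSD host). For the profile case that is `(umask 0002; printf '%s\n' "$profile_name" > "$FASTVM_NOTES_DIR/$vm_number.profile"; chgrp "$FASTVM_GROUP" "$FASTVM_NOTES_DIR/$vm_number.profile")`, with the `touch` and `$content` fallbacks changed the same way. Using a plain subshell `( … )` rather than `$( … )` for these compound commands would also stop the shell from trying to execute whatever they print.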