From da95eadfcebf0d61b37fe211eb7bb46b6116abb6 Mon Sep 17 00:00:00 2001
From: Pino Toscano
Date: Wed, 24 Jul 2024 12:04:38 +0200
Subject: [PATCH] fix: use system temporary directory when running as non-root The temporary directory chosen to work properly with SELinux is /var/lib/insights, which can be accessed only by root. insights-client is basically not usable as non-root, and it will fail with "Insights client must be run as root.". The only exception here is "insights-client --version", which is run only in the client without loading the core; the exception is that the client will still verify the available eggs using GPG by default. Hence, use the default temporary directory when running as non-root: this way the available eggs can be validated, and the client will either - print the version and exit - keep exiting saying root is required Followup of commit dd6293d608f61a44e562a1fda44cad82cf667e7d.
---
 src/insights_client/__init__.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/insights_client/__init__.py b/src/insights_client/__init__.py
index c75639ba..23f86214 100644
--- a/src/insights_client/__init__.py
+++ b/src/insights_client/__init__.py
@@ -32,7 +32,14 @@ REGISTERED_FILE = "/etc/insights-client/.registered"
 UNREGISTERED_FILE = "/etc/insights-client/.unregistered"
-TEMPORARY_GPG_HOME_PARENT_DIRECTORY = "/var/lib/insights/"
+# If we run as root, use the SELinux-safe temporary directory;
+# otherwise, rely on the default temporary directory.
+# This should be OK as the only operation doable as non-root is
+# --version, and everything else already errors.
+if os.geteuid() == 0:
+ TEMPORARY_GPG_HOME_PARENT_DIRECTORY = "/var/lib/insights/"
+else:
+ TEMPORARY_GPG_HOME_PARENT_DIRECTORY = None
 logger = logging.getLogger(__name__)
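Review bot: The `else` branch changes `TEMPORARY_GPG_HOME_PARENT_DIRECTORY` from a string to `None`, and the code that consumes it is outside this hunk, so any use other than as a `dir=` argument (for example `os.path.join` or string concatenation) would now raise `TypeError` for non-root users. Because the non-root GPG home will then live under a world-writable parent such as `/tmp`, it is worth confirming that the consumer creates it with `tempfile.mkdtemp(dir=TEMPORARY_GPG_HOME_PARENT_DIRECTORY)`, which gives an unpredictable, owner-only directory, rather than a fixed or guessable name. I would extend the comment with `# None lets tempfile pick the default location (TMPDIR or /tmp); the GPG home must be created with mkdtemp so it stays private.` The `os.geteuid()` check also runs once at import time, so the value does not follow a later privilege change; that looks acceptable here but deserves a word in the comment.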