sysrepo: allow non-wheel users access to sysrepo data

rical · rical · commit ac89f945804d · 2025-04-28T15:41:09.000+02:00
Non-privileged users in the sys-cli group can now access sysrepo data. The data is now solely protected by the NCAM rules and not Unix file permissions. Any stray user that's not part of the (default) sys-cli group still can't access syrepo, like users added from the shell. Fixes #932 Signed-off-by: Richard Alpe <richard@bit42.se>
diff --git a/configs/aarch64_defconfig b/configs/aarch64_defconfig
@@ -34,6 +34,7 @@ BR2_LINUX_KERNEL_INSTALL_TARGET=y
 BR2_PACKAGE_BUSYBOX_CONFIG="${BR2_EXTERNAL_INFIX_PATH}/board/common/busybox_defconfig"
 BR2_PACKAGE_STRACE=y
 BR2_PACKAGE_STRESS_NG=y
+BR2_PACKAGE_SYSREPO_GROUP="sys-cli"
 BR2_PACKAGE_JQ=y
 BR2_PACKAGE_E2FSPROGS=y
 BR2_PACKAGE_DBUS_CXX=y
diff --git a/configs/aarch64_minimal_defconfig b/configs/aarch64_minimal_defconfig
@@ -34,6 +34,7 @@ BR2_LINUX_KERNEL_INSTALL_TARGET=y
 BR2_PACKAGE_BUSYBOX_CONFIG="${BR2_EXTERNAL_INFIX_PATH}/board/common/busybox_defconfig"
 BR2_PACKAGE_STRACE=y
 BR2_PACKAGE_STRESS_NG=y
+BR2_PACKAGE_SYSREPO_GROUP="sys-cli"
 BR2_PACKAGE_JQ=y
 BR2_PACKAGE_E2FSPROGS=y
 BR2_PACKAGE_DBUS_CXX=y
diff --git a/configs/r2s_defconfig b/configs/r2s_defconfig
@@ -41,6 +41,7 @@ BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
 BR2_PACKAGE_BUSYBOX_CONFIG="$(BR2_EXTERNAL_INFIX_PATH)/board/common/busybox_defconfig"
 BR2_PACKAGE_STRACE=y
 BR2_PACKAGE_STRESS_NG=y
+BR2_PACKAGE_SYSREPO_GROUP="sys-cli"
 BR2_PACKAGE_JQ=y
 BR2_PACKAGE_E2FSPROGS=y
 BR2_PACKAGE_LINUX_FIRMWARE=y
diff --git a/configs/riscv64_defconfig b/configs/riscv64_defconfig
@@ -39,6 +39,7 @@ BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
 BR2_PACKAGE_BUSYBOX_CONFIG="$(BR2_EXTERNAL_INFIX_PATH)/board/common/busybox_defconfig"
 BR2_PACKAGE_STRACE=y
 BR2_PACKAGE_STRESS_NG=y
+BR2_PACKAGE_SYSREPO_GROUP="sys-cli"
 BR2_PACKAGE_JQ=y
 BR2_PACKAGE_E2FSPROGS=y
 BR2_PACKAGE_LINUX_FIRMWARE=y
diff --git a/configs/x86_64_defconfig b/configs/x86_64_defconfig
@@ -34,6 +34,7 @@ BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
 BR2_PACKAGE_BUSYBOX_CONFIG="${BR2_EXTERNAL_INFIX_PATH}/board/common/busybox_defconfig"
 BR2_PACKAGE_STRACE=y
 BR2_PACKAGE_STRESS_NG=y
+BR2_PACKAGE_SYSREPO_GROUP="sys-cli"
 BR2_PACKAGE_JQ=y
 BR2_PACKAGE_E2FSPROGS=y
 BR2_PACKAGE_DBUS_CXX=y
diff --git a/configs/x86_64_minimal_defconfig b/configs/x86_64_minimal_defconfig
@@ -35,6 +35,7 @@ BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
 BR2_PACKAGE_BUSYBOX_CONFIG="${BR2_EXTERNAL_INFIX_PATH}/board/common/busybox_defconfig"
 BR2_PACKAGE_STRACE=y
 BR2_PACKAGE_STRESS_NG=y
+BR2_PACKAGE_SYSREPO_GROUP="sys-cli"
 BR2_PACKAGE_JQ=y
 BR2_PACKAGE_E2FSPROGS=y
 BR2_PACKAGE_DBUS_CXX=y
diff --git a/package/confd/confd.mk b/package/confd/confd.mk
@@ -71,9 +71,10 @@ endef
 endif
 
 define CONFD_PERMISSIONS
-	/etc/sysrepo/data/ r 660 root wheel - - - - -
-	/etc/sysrepo/data  d 770 root wheel - - - - -
+	/etc/sysrepo/data/ r 660 root sys-cli - - - - -
+	/etc/sysrepo/data  d 770 root sys-cli - - - - -
 endef
+
 define CONFD_EMPTY_SYSREPO
 	rm -rf $(TARGET_DIR)/etc/sysrepo/data/
 endef
diff --git a/src/confd/bin/load b/src/confd/bin/load
@@ -82,9 +82,6 @@ else
     fi
 fi
 
-# Ensure users in admin group can access all datastores
-chgrp wheel /dev/shm/*
-
 if [ ! -f "$fn" ]; then
     case "$config" in
 	startup-config)
