[Kimchi-devel] [PATCH] add a method to probe the permission as qemu user

Fri Feb 28 15:06:44 UTC 2014

On 02/28/2014 09:49 AM, Aline Manera wrote:
> On 02/26/2014 09:08 AM, shaohef at linux.vnet.ibm.com wrote:
>> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>>
>> now I want to improve the template integrity verification.
>> I need to check the 'qemu' user can open an iso files.
>
> Is it related to the patch Christy has sent?
> [PATCH] Don't allow templates to be created with ISOs that won't be 
> usable.
Yes.
Christy's patch can call this method to not allow templates to be 
created when ISOs that is usable.
and other place that need to check the permission.

CC Christy:
we need work together to solve this problem.

IMO, your code just check other permission is not enough.
The permission is some complex.
such as:
If the the files user is qemu, why we need other permission.

+def check_iso_path_perm(path):
+    """
+    libvirt requires that all parent dirs have o+x
+    """
+    if path == '/': return True
+    return os.stat(path).st_mode & stat.S_IXOTH and \
+                            check_iso_path_perm(os.path.dirname(path))

Now we can try to open the file with qemu user, if failed,
that means the qemu do not have the permission to open this file.

>
>> This patch is used to 'qemu' user has permission to open a file.
>>
>> Test this patch:
>> $ mkdir -p a/b/c
>> $ touch a/b/c/f
>> $ chmod o-x a/b/c
>> $ sudo PYTHONPATH=src python -c '
>> from kimchi.utils import probe_file_permission_as_user
>> print probe_file_permission_as_user("a/b/c/f", "qemu")'
>>
>> It will return False
>> change another user, it may return True
>>
>> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>> ---
>> src/kimchi/utils.py | 24 ++++++++++++++++++++++++
>> 1 file changed, 24 insertions(+)
>>
>> diff --git a/src/kimchi/utils.py b/src/kimchi/utils.py
>> index d4ab1a1..baee936 100644
>> --- a/src/kimchi/utils.py
>> +++ b/src/kimchi/utils.py
>> @@ -22,8 +22,11 @@
>> #
>>
>> import cherrypy
>> +import grp
>> +from multiprocessing import Process, Queue
>> import os
>> import psutil
>> +import pwd
>> import re
>> import subprocess
>> import urllib2
>> @@ -234,3 +237,24 @@ def run_setfacl_set_attr(path, attr="r", user=""):
>> set_user = ["setfacl", "--modify", "user:%s:%s" % (user, attr), path]
>> out, error, ret = run_command(set_user)
>> return ret == 0
>> +
>> +
>> +def probe_file_permission_as_user(file, user):
>> + def probe_permission(q, file, user):
>> + uid = pwd.getpwnam(user).pw_uid
>> + gid = pwd.getpwnam(user).pw_gid
>> + gids = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
>> + os.setgid(gid)
>> + os.setgroups(gids)
>> + os.setuid(uid)
>> + try:
>> + with open(file) as f:
>> + q.put(True)
>> + except Exception as e:
>> + q.put(False)
>> +
>> + queue = Queue()
>> + p = Process(target=probe_permission, args=(queue, file, user))
>> + p.start()
>> + p.join()
>> + return queue.get()
>
>
>

-- 
Thanks and best regards!

Sheldon Feng(冯少合)<shaohef at linux.vnet.ibm.com>
IBM Linux Technology Center