[Kimchi-devel] [PATCH] add a method to probe the permission as qemu user

Fri Mar 7 05:27:22 UTC 2014

On 03/06/2014 11:22 PM, Aline Manera wrote:
> On 02/28/2014 12:06 PM, Sheldon wrote:
>> On 02/28/2014 09:49 AM, Aline Manera wrote:
>>> On 02/26/2014 09:08 AM, shaohef at linux.vnet.ibm.com wrote:
>>>> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>>>>
>>>> now I want to improve the template integrity verification.
>>>> I need to check the 'qemu' user can open an iso files.
>>>
>>> Is it related to the patch Christy has sent?
>>> [PATCH] Don't allow templates to be created with ISOs that won't be 
>>> usable.
>> Yes.
>> Christy's patch can call this method to not allow templates to be 
>> created when ISOs that is usable.
>> and other place that need to check the permission.
>>
>> CC Christy:
>> we need work together to solve this problem.
>>
>> IMO, your code just check other permission is not enough.
>> The permission is some complex.
>> such as:
>> If the the files user is qemu, why we need other permission.
>>
>> +def check_iso_path_perm(path):
>> +    """
>> +    libvirt requires that all parent dirs have o+x
>> +    """
>> +    if path == '/': return True
>> +    return os.stat(path).st_mode & stat.S_IXOTH and \
>> + check_iso_path_perm(os.path.dirname(path))
>>
>>
>> Now we can try to open the file with qemu user, if failed,
>> that means the qemu do not have the permission to open this file.
>>
>>
>
> Great.
> Sheldon, could you join this patch with Christy's patches and send a 
> single patch set to close the bug #322?
>
> https://github.com/kimchi-project/kimchi/issues/322
sure.
>
>>>
>>>> This patch is used to 'qemu' user has permission to open a file.
>>>>
>>>> Test this patch:
>>>> $ mkdir -p a/b/c
>>>> $ touch a/b/c/f
>>>> $ chmod o-x a/b/c
>>>> $ sudo PYTHONPATH=src python -c '
>>>> from kimchi.utils import probe_file_permission_as_user
>>>> print probe_file_permission_as_user("a/b/c/f", "qemu")'
>>>>
>>>> It will return False
>>>> change another user, it may return True
>>>>
>>>> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>>>> ---
>>>> src/kimchi/utils.py | 24 ++++++++++++++++++++++++
>>>> 1 file changed, 24 insertions(+)
>>>>
>>>> diff --git a/src/kimchi/utils.py b/src/kimchi/utils.py
>>>> index d4ab1a1..baee936 100644
>>>> --- a/src/kimchi/utils.py
>>>> +++ b/src/kimchi/utils.py
>>>> @@ -22,8 +22,11 @@
>>>> #
>>>>
>>>> import cherrypy
>>>> +import grp
>>>> +from multiprocessing import Process, Queue
>>>> import os
>>>> import psutil
>>>> +import pwd
>>>> import re
>>>> import subprocess
>>>> import urllib2
>>>> @@ -234,3 +237,24 @@ def run_setfacl_set_attr(path, attr="r", 
>>>> user=""):
>>>> set_user = ["setfacl", "--modify", "user:%s:%s" % (user, attr), path]
>>>> out, error, ret = run_command(set_user)
>>>> return ret == 0
>>>> +
>>>> +
>>>> +def probe_file_permission_as_user(file, user):
>>>> + def probe_permission(q, file, user):
>>>> + uid = pwd.getpwnam(user).pw_uid
>>>> + gid = pwd.getpwnam(user).pw_gid
>>>> + gids = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
>>>> + os.setgid(gid)
>>>> + os.setgroups(gids)
>>>> + os.setuid(uid)
>>>> + try:
>>>> + with open(file) as f:
>>>> + q.put(True)
>>>> + except Exception as e:
>>>> + q.put(False)
>>>> +
>>>> + queue = Queue()
>>>> + p = Process(target=probe_permission, args=(queue, file, user))
>>>> + p.start()
>>>> + p.join()
>>>> + return queue.get()
>>>
>>>
>>>
>>
>>
>
>
>


-- 
Thanks and best regards!

Sheldon Feng(冯少合)<shaohef at linux.vnet.ibm.com>
IBM Linux Technology Center