Re: [Kimchi-devel] [PATCH] add a method to probe the permission as qemu user

On 02/28/2014 09:49 AM, Aline Manera wrote: > On 02/26/2014 09:08 AM, shaohef(a)linux.vnet.ibm.com wrote: >> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; >> >> now I want to improve the template integrity verification. >> I need to check the 'qemu' user can open an iso files. > > Is it related to the patch Christy has sent? > [PATCH] Don't allow templates to be created with ISOs that won't be > usable. Yes. Christy's patch can call this method to not allow templates to be created when ISOs that is usable. and other place that need to check the permission. CC Christy: we need work together to solve this problem. IMO, your code just check other permission is not enough. The permission is some complex. such as: If the the files user is qemu, why we need other permission. +def check_iso_path_perm(path): + """ + libvirt requires that all parent dirs have o+x + """ + if path == '/': return True + return os.stat(path).st_mode & stat.S_IXOTH and \ + check_iso_path_perm(os.path.dirname(path)) Now we can try to open the file with qemu user, if failed, that means the qemu do not have the permission to open this file.

> >> This patch is used to 'qemu' user has permission to open a file. >> >> Test this patch: >> $ mkdir -p a/b/c >> $ touch a/b/c/f >> $ chmod o-x a/b/c >> $ sudo PYTHONPATH=src python -c ' >> from kimchi.utils import probe_file_permission_as_user >> print probe_file_permission_as_user("a/b/c/f", "qemu")' >> >> It will return False >> change another user, it may return True >> >> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com&gt; >> --- >> src/kimchi/utils.py | 24 ++++++++++++++++++++++++ >> 1 file changed, 24 insertions(+) >> >> diff --git a/src/kimchi/utils.py b/src/kimchi/utils.py >> index d4ab1a1..baee936 100644 >> --- a/src/kimchi/utils.py >> +++ b/src/kimchi/utils.py >> @@ -22,8 +22,11 @@ >> # >> >> import cherrypy >> +import grp >> +from multiprocessing import Process, Queue >> import os >> import psutil >> +import pwd >> import re >> import subprocess >> import urllib2 >> @@ -234,3 +237,24 @@ def run_setfacl_set_attr(path, attr="r", user=""): >> set_user = ["setfacl", "--modify", "user:%s:%s" % (user, attr), path] >> out, error, ret = run_command(set_user) >> return ret == 0 >> + >> + >> +def probe_file_permission_as_user(file, user): >> + def probe_permission(q, file, user): >> + uid = pwd.getpwnam(user).pw_uid >> + gid = pwd.getpwnam(user).pw_gid >> + gids = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem] >> + os.setgid(gid) >> + os.setgroups(gids) >> + os.setuid(uid) >> + try: >> + with open(file) as f: >> + q.put(True) >> + except Exception as e: >> + q.put(False) >> + >> + queue = Queue() >> + p = Process(target=probe_permission, args=(queue, file, user)) >> + p.start() >> + p.join() >> + return queue.get() > > >