On 03/06/2014 11:22 PM, Aline Manera wrote:
On 02/28/2014 12:06 PM, Sheldon wrote:
> On 02/28/2014 09:49 AM, Aline Manera wrote:
>> On 02/26/2014 09:08 AM, shaohef(a)linux.vnet.ibm.com wrote:
>>> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>>>
>>> now I want to improve the template integrity verification.
>>> I need to check the 'qemu' user can open an iso files.
>>
>> Is it related to the patch Christy has sent?
>> [PATCH] Don't allow templates to be created with ISOs that won't be
>> usable.
> Yes.
> Christy's patch can call this method to not allow templates to be
> created when ISOs that is usable.
> and other place that need to check the permission.
>
> CC Christy:
> we need work together to solve this problem.
>
> IMO, your code just check other permission is not enough.
> The permission is some complex.
> such as:
> If the the files user is qemu, why we need other permission.
>
> +def check_iso_path_perm(path):
> + """
> + libvirt requires that all parent dirs have o+x
> + """
> + if path == '/': return True
> + return os.stat(path).st_mode & stat.S_IXOTH and \
> + check_iso_path_perm(os.path.dirname(path))
>
>
> Now we can try to open the file with qemu user, if failed,
> that means the qemu do not have the permission to open this file.
>
>
Great.
Sheldon, could you join this patch with Christy's patches and send a
single patch set to close the bug #322?
https://github.com/kimchi-project/kimchi/issues/322 sure.
>>
>>> This patch is used to 'qemu' user has permission to open a file.
>>>
>>> Test this patch:
>>> $ mkdir -p a/b/c
>>> $ touch a/b/c/f
>>> $ chmod o-x a/b/c
>>> $ sudo PYTHONPATH=src python -c '
>>> from kimchi.utils import probe_file_permission_as_user
>>> print probe_file_permission_as_user("a/b/c/f",
"qemu")'
>>>
>>> It will return False
>>> change another user, it may return True
>>>
>>> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>>> ---
>>> src/kimchi/utils.py | 24 ++++++++++++++++++++++++
>>> 1 file changed, 24 insertions(+)
>>>
>>> diff --git a/src/kimchi/utils.py b/src/kimchi/utils.py
>>> index d4ab1a1..baee936 100644
>>> --- a/src/kimchi/utils.py
>>> +++ b/src/kimchi/utils.py
>>> @@ -22,8 +22,11 @@
>>> #
>>>
>>> import cherrypy
>>> +import grp
>>> +from multiprocessing import Process, Queue
>>> import os
>>> import psutil
>>> +import pwd
>>> import re
>>> import subprocess
>>> import urllib2
>>> @@ -234,3 +237,24 @@ def run_setfacl_set_attr(path, attr="r",
>>> user=""):
>>> set_user = ["setfacl", "--modify", "user:%s:%s"
% (user, attr), path]
>>> out, error, ret = run_command(set_user)
>>> return ret == 0
>>> +
>>> +
>>> +def probe_file_permission_as_user(file, user):
>>> + def probe_permission(q, file, user):
>>> + uid = pwd.getpwnam(user).pw_uid
>>> + gid = pwd.getpwnam(user).pw_gid
>>> + gids = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
>>> + os.setgid(gid)
>>> + os.setgroups(gids)
>>> + os.setuid(uid)
>>> + try:
>>> + with open(file) as f:
>>> + q.put(True)
>>> + except Exception as e:
>>> + q.put(False)
>>> +
>>> + queue = Queue()
>>> + p = Process(target=probe_permission, args=(queue, file, user))
>>> + p.start()
>>> + p.join()
>>> + return queue.get()
>>
>>
>>
>
>
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center