Re: [Kimchi-devel] [PATCH] add a method to probe the permission as qemu user
On 02/26/2014 09:08 AM, shaohef(a)linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
now I want to improve the template integrity verification.
I need to check the 'qemu' user can open an iso files.
Is it related to the patch Christy has sent?
[PATCH] Don't allow templates to be created with ISOs that won't be
usable.
This patch is used to 'qemu' user has permission to open a
file.
Test this patch:
$ mkdir -p a/b/c
$ touch a/b/c/f
$ chmod o-x a/b/c
$ sudo PYTHONPATH=src python -c '
from kimchi.utils import probe_file_permission_as_user
print probe_file_permission_as_user("a/b/c/f", "qemu")'
It will return False
change another user, it may return True
Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
---
src/kimchi/utils.py | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/kimchi/utils.py b/src/kimchi/utils.py
index d4ab1a1..baee936 100644
--- a/src/kimchi/utils.py
+++ b/src/kimchi/utils.py
@@ -22,8 +22,11 @@
#
import cherrypy
+import grp
+from multiprocessing import Process, Queue
import os
import psutil
+import pwd
import re
import subprocess
import urllib2
@@ -234,3 +237,24 @@ def run_setfacl_set_attr(path, attr="r",
user=""):
set_user = ["setfacl", "--modify", "user:%s:%s" %
(user, attr), path]
out, error, ret = run_command(set_user)
return ret == 0
+
+
+def probe_file_permission_as_user(file, user):
+ def probe_permission(q, file, user):
+ uid = pwd.getpwnam(user).pw_uid
+ gid = pwd.getpwnam(user).pw_gid
+ gids = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
+ os.setgid(gid)
+ os.setgroups(gids)
+ os.setuid(uid)
+ try:
+ with open(file) as f:
+ q.put(True)
+ except Exception as e:
+ q.put(False)
+
+ queue = Queue()
+ p = Process(target=probe_permission, args=(queue, file, user))
+ p.start()
+ p.join()
+ return queue.get()