On 02/28/2014 09:49 AM, Aline Manera wrote:
On 02/26/2014 09:08 AM, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> now I want to improve the template integrity verification.
> I need to check the 'qemu' user can open an iso files.
Is it related to the patch Christy has sent?
[PATCH] Don't allow templates to be created with ISOs that won't be
usable.
Yes.
Christy's patch can call this method to not allow templates to be
created when ISOs that is usable.
and other place that need to check the permission.
CC Christy:
we need work together to solve this problem.
IMO, your code just check other permission is not enough.
The permission is some complex.
such as:
If the the files user is qemu, why we need other permission.
+def check_iso_path_perm(path):
+ """
+ libvirt requires that all parent dirs have o+x
+ """
+ if path == '/': return True
+ return os.stat(path).st_mode & stat.S_IXOTH and \
+ check_iso_path_perm(os.path.dirname(path))
Now we can try to open the file with qemu user, if failed,
that means the qemu do not have the permission to open this file.
> This patch is used to 'qemu' user has permission to open a file.
>
> Test this patch:
> $ mkdir -p a/b/c
> $ touch a/b/c/f
> $ chmod o-x a/b/c
> $ sudo PYTHONPATH=src python -c '
> from kimchi.utils import probe_file_permission_as_user
> print probe_file_permission_as_user("a/b/c/f", "qemu")'
>
> It will return False
> change another user, it may return True
>
> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
> ---
> src/kimchi/utils.py | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
> diff --git a/src/kimchi/utils.py b/src/kimchi/utils.py
> index d4ab1a1..baee936 100644
> --- a/src/kimchi/utils.py
> +++ b/src/kimchi/utils.py
> @@ -22,8 +22,11 @@
> #
>
> import cherrypy
> +import grp
> +from multiprocessing import Process, Queue
> import os
> import psutil
> +import pwd
> import re
> import subprocess
> import urllib2
> @@ -234,3 +237,24 @@ def run_setfacl_set_attr(path, attr="r",
user=""):
> set_user = ["setfacl", "--modify", "user:%s:%s" %
(user, attr), path]
> out, error, ret = run_command(set_user)
> return ret == 0
> +
> +
> +def probe_file_permission_as_user(file, user):
> + def probe_permission(q, file, user):
> + uid = pwd.getpwnam(user).pw_uid
> + gid = pwd.getpwnam(user).pw_gid
> + gids = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
> + os.setgid(gid)
> + os.setgroups(gids)
> + os.setuid(uid)
> + try:
> + with open(file) as f:
> + q.put(True)
> + except Exception as e:
> + q.put(False)
> +
> + queue = Queue()
> + p = Process(target=probe_permission, args=(queue, file, user))
> + p.start()
> + p.join()
> + return queue.get()
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center