[Kimchi-devel] [PATCH] add a method to probe the permission as qemu user

Aline Manera alinefm at linux.vnet.ibm.com
Fri Feb 28 01:49:39 UTC 2014


On 02/26/2014 09:08 AM, shaohef at linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>
> Now I want to improve the template integrity verification.
> I need to check that the 'qemu' user can open an ISO file.

Is it related to the patch Christy has sent?
[PATCH] Don't allow templates to be created with ISOs that won't be usable.

> This patch is used to check that the 'qemu' user has permission to open a file.
>
> Test this patch:
> $ mkdir -p a/b/c
> $ touch a/b/c/f
> $ chmod o-x a/b/c
> $ sudo PYTHONPATH=src python -c '
> from kimchi.utils import probe_file_permission_as_user
> print probe_file_permission_as_user("a/b/c/f", "qemu")'
>
> It will return False.
> Change to another user and it may return True.
>
> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
> ---
>   src/kimchi/utils.py | 24 ++++++++++++++++++++++++
>   1 file changed, 24 insertions(+)
>
> diff --git a/src/kimchi/utils.py b/src/kimchi/utils.py
> index d4ab1a1..baee936 100644
> --- a/src/kimchi/utils.py
> +++ b/src/kimchi/utils.py
> @@ -22,8 +22,11 @@
>   #
>
>   import cherrypy
> +import grp
> +from multiprocessing import Process, Queue
>   import os
>   import psutil
> +import pwd
>   import re
>   import subprocess
>   import urllib2
> @@ -234,3 +237,24 @@ def run_setfacl_set_attr(path, attr="r", user=""):
>       set_user = ["setfacl", "--modify", "user:%s:%s" % (user, attr), path]
>       out, error, ret = run_command(set_user)
>       return ret == 0
> +
> +
> +def probe_file_permission_as_user(file, user):
> +    def probe_permission(q, file, user):
> +        uid = pwd.getpwnam(user).pw_uid
> +        gid = pwd.getpwnam(user).pw_gid
> +        gids = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
> +        os.setgid(gid)
> +        os.setgroups(gids)
> +        os.setuid(uid)
> +        try:
> +            with open(file) as f:
> +                q.put(True)
> +        except Exception as e:
> +            q.put(False)
> +
> +    queue = Queue()
> +    p = Process(target=probe_permission, args=(queue, file, user))
> +    p.start()
> +    p.join()
> +    return queue.get()
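
Review bot: In probe_permission(), the pwd.getpwnam() lookups and the os.setgid()/os.setgroups()/os.setuid() calls sit outside the try block, so any failure there (KeyError for a user that does not exist, OSError when the caller is not root) ends the child without putting anything on the queue, and the parent's queue.get() after p.join() then blocks forever. Move the lookups and the privilege drop inside the try so the child always reports a result, and have the parent fail closed, for example by checking p.exitcode or calling queue.get() with a timeout and returning False when nothing arrives. Two smaller points in the same hunk: the parameter name `file` shadows the Python 2 builtin (something like `path` would be clearer), and the `as f` and `as e` bindings are never used. A docstring stating that the function must be called as root, and that open(file) only tests read access, would also help callers.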



