[Kimchi-devel] [PATCH V7] add a method to fix search permissions

shaohef at linux.vnet.ibm.com shaohef at linux.vnet.ibm.com
Thu Jan 9 00:01:44 UTC 2014


From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>

First will use setfacl to set the path search permission for user or
group, if failed then set search permission for others on the path.

Usage:
check_path_permission("/tmp/need/to/fix/path", username)
fix_path_permission("/tmp/need/to/fix/path", username)

Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
Signed-off-by: Aline Manera <alinefm at linux.vnet.ibm.com>
Signed-off-by: Royce Lv <lvroyce at linux.vnet.ibm.com>
---
 Makefile.am         |   1 +
 src/kimchi/utils.py | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 122 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index 04ad696..1f80e5f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -46,6 +46,7 @@ PEP8_WHITELIST = \
 	src/kimchi/cachebust.py \
 	src/kimchi/config.py.in \
 	src/kimchi/control/*.py \
+	src/kimchi/utils.py \
 	src/kimchi/disks.py \
 	src/kimchi/distroloader.py \
 	src/kimchi/exception.py \
diff --git a/src/kimchi/utils.py b/src/kimchi/utils.py
index af245c6..62a412d 100644
--- a/src/kimchi/utils.py
+++ b/src/kimchi/utils.py
@@ -18,11 +18,16 @@
 #
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 #
 
 import cherrypy
+import grp
 import os
+import pwd
+import re
+import stat
+import subprocess
 import urllib2
 
 
@@ -34,6 +39,7 @@ from kimchi import config
 
 kimchi_log = cherrypy.log.error_log
 
+
 def is_digit(value):
     if isinstance(value, int):
         return True
@@ -96,3 +102,117 @@ def check_url_path(path):
         return False
 
     return True
+
+
+def run_command(cmd):
+    try:
+        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
+                                stderr=subprocess.PIPE)
+        out, error = proc.communicate()
+
+        kimchi_log.debug("Run command '%s'", " ".join(cmd))
+        if out or error:
+            kimchi_log.debug("out:\n %s\nerror:\n %s", out, error)
+    except OSError as e:
+        kimchi_log.error("Failed to run command %s. %s", " ".join(cmd),
+                         e.message)
+        return (None, None, None)
+    if proc.returncode != 0:
+        kimchi_log.debug("Cmd '%s' failed, error code: %s", cmd, error)
+    return (out, error, proc.returncode)
+
+
+def name_uid(user):
+    return pwd.getpwnam(user).pw_uid
+
+
+def get_group_ids(user):
+    gids = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
+    gid = pwd.getpwnam(user).pw_gid
+    gids.append(grp.getgrgid(gid).gr_gid)
+    return gids
+
+
+def get_groups(user):
+    gids = get_group_ids(user)
+    return [grp.getgrgid(gid).gr_name for gid in gids]
+
+
+def run_setfacl_set_x(path, user="qemu"):
+    set_user = ["setfacl", "--modify", "user:%s:x" % user, path]
+    out, error, ret = run_command(set_user)
+    return ret == 0
+
+
+def run_getfacl(path, user="qemu", groups=[]):
+    cmd = ["getfacl", path]
+    out, error, ret = run_command(cmd)
+    if out and ret == 0:
+        res = re.findall("user:%s:..x" % user, out)
+        if res:
+            return True
+        res = re.findall("(?<=group:)(.*)(?=:..x)",
+                         out) if groups else []
+        return list(set(res) & set(groups)) != []
+    return False
+
+
+def set_x_on_path(path, who="other"):
+    S_IXWHO = ((stat.S_IXUSR if who == "user" else None) or
+               (stat.S_IXGRP if who == "group" else None) or
+               stat.S_IXOTH)
+    mode = os.stat(path).st_mode | S_IXWHO
+    os.chmod(path, mode)
+    ret = os.stat(path).st_mode == mode
+    if not ret:
+        kimchi_log.debug("faild to set +x attribute on %s", path)
+    return ret
+
+
+def get_x_on_path(path, uid, gids=[]):
+    try:
+        st = os.stat(path)
+        mode = st.st_mode
+        return ((uid == st.st_uid and mode & stat.S_IXUSR == stat.S_IXUSR) or
+                (st.st_gid in gids and mode & stat.S_IXGRP == stat.S_IXGRP) or
+                mode & stat.S_IXOTH == stat.S_IXOTH)
+    except OSError as e:
+        kimchi_log.error("faild to get attribute on %s as user id: %s. %s",
+                         path, uid, e.message)
+        return False
+
+
+def check_path_permission(path, user='qemu', groups=[]):
+    groups = groups if groups else get_groups(user)
+    gids = [grp.getgrnam(group).gr_gid for group in groups] if groups else []
+    path = os.path.abspath(path)
+    paths = path.split("/")
+    paths = paths[1:]
+    path = "/"
+    for p in paths:
+        path = os.path.join(path, p)
+        if not (get_x_on_path(path, name_uid(user), gids) or
+                run_getfacl(path, user, groups)):
+            return False
+    return True
+
+
+def fix_path_permission(path, user='qemu', groups=[]):
+    groups = groups if groups else get_groups(user)
+    gids = [grp.getgrnam(group).gr_gid for group in groups] if groups else []
+    path = os.path.abspath(path)
+    paths = path.split("/")
+    paths = paths[1:]
+    path = "/"
+    for p in paths:
+        path = os.path.join(path, p)
+        st = os.stat(path)
+        uid = name_uid(user)
+        who = 'user' if st.st_uid == uid else None
+        who = 'group' if not who and st.st_gid in gids else 'other'
+        if not (get_x_on_path(path, uid, gids) or
+                run_getfacl(path, user, groups) or
+                run_setfacl_set_x(path, user) or
+                set_x_on_path(path, who)):
+            return False
+    return True
-- 
1.8.4.2




More information about the Kimchi-devel mailing list