[Kimchi-devel] [PATCH] [Kimchi 1/3] Fix issue #1020: Verify libvirt access on real file path instead of symlink

Aline Manera alinefm at linux.vnet.ibm.com
Fri Sep 23 12:21:31 UTC 2016


While checking libvirt file permission, it must be done on real file path as
it can be a symlink and it can impact the results.

Signed-off-by: Aline Manera <alinefm at linux.vnet.ibm.com>
---
 model/storagevolumes.py | 3 ++-
 model/templates.py      | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/model/storagevolumes.py b/model/storagevolumes.py
index a6ce97b..0c710b2 100644
--- a/model/storagevolumes.py
+++ b/model/storagevolumes.py
@@ -330,7 +330,8 @@ class StorageVolumeModel(object):
         used_by = get_disk_used_by(self.conn, path)
         if (self.libvirt_user is None):
             self.libvirt_user = UserTests().probe_user()
-        ret, _ = probe_file_permission_as_user(path, self.libvirt_user)
+        ret, _ = probe_file_permission_as_user(os.path.realpath(path),
+                                               self.libvirt_user)
         res = dict(type=VOLUME_TYPE_MAP[info[0]],
                    capacity=info[1],
                    allocation=info[2],
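Review bot: the new call to os.path.realpath(path) in this hunk relies on `os` already being imported in model/storagevolumes.py, and the diffstat shows only these three changed lines for the file, so no import is added by the patch. Please confirm the module imports `os` at the top, otherwise this lookup raises NameError the first time it runs. A short comment above the call saying that the permission probe must run on the symlink target would also help, since get_disk_used_by() on the preceding line still receives the unresolved path and the difference is easy to miss later.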
diff --git a/model/templates.py b/model/templates.py
index 04e6626..0a6e049 100644
--- a/model/templates.py
+++ b/model/templates.py
@@ -101,8 +101,9 @@ class TemplatesModel(object):
             st_mode = os.stat(path).st_mode
             if stat.S_ISREG(st_mode) or stat.S_ISBLK(st_mode):
                 user = UserTests().probe_user()
-                run_setfacl_set_attr(path, user=user)
-                ret, excp = probe_file_permission_as_user(path, user)
+                realpath = os.path.realpath(path)
+                run_setfacl_set_attr(realpath, user=user)
+                ret, excp = probe_file_permission_as_user(realpath, user)
                 if ret is False:
                     raise InvalidParameter('KCHISO0008E',
                                            {'filename': path, 'user': user,
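Review bot: the InvalidParameter raised at the end of this hunk still reports {'filename': path, ...}, while the setfacl call and the permission probe now operate on realpath. When path is a symlink, the user is told the link is inaccessible although the failing permission is on the target, which makes the error hard to act on. Consider reporting the resolved path in the message, or logging it, when it differs from path. Resolving once into a local and passing the same value to both run_setfacl_set_attr() and probe_file_permission_as_user() is the right shape, since it keeps the two calls on the same file.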
-- 
2.5.5



