On Sat, 2018-04-28 at 23:21 +0100, Radostin Stoyanov wrote: > Make sure we have permissions to restore file extended attributes. > > [1] ... all processes have read access to extended security attributes, > and write access is limited to processes that have the CAP_SYS_ADMIN > capability. > > [2] The file owner and processes capable of CAP_FOWNER are granted the > right to modify ACLs of a file. This is analogous to the permissions > required for accessing the file mode. (On current Linux systems, root > is the only user with the CAP_FOWNER capability.) > > [1] https://linux.die.net/man/5/attr > [2] https://linux.die.net/man/1/setfacl > > Signed-off-by: Radostin Stoyanov <rstoyanov1@xxxxxxxxx> > --- > src/virtBootstrap/utils.py | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/src/virtBootstrap/utils.py b/src/virtBootstrap/utils.py > index 94b3ccb..cd03a93 100644 > --- a/src/virtBootstrap/utils.py > +++ b/src/virtBootstrap/utils.py 
> @@ -278,12 +278,12 @@ def safe_untar(src, dest): > # Note: Here we use --absolute-names flag to get around the error message > # "Cannot open: Permission denied" when symlynks are extracted, with the > # qemu:/// driver. This flag must not be used outside virt-sandbox. > - # > + params = ['--', '/bin/tar', 'xf', src, '-C', '/mnt', '--exclude', 'dev/*', > + '--overwrite', '--absolute-names'] > # Preserve file attributes following the specification in > # https://github.com/opencontainers/image-spec/blob/master/layer.md > - params = ['--', '/bin/tar', 'xf', src, '-C', '/mnt', '--exclude', 'dev/*', > - '--overwrite', '--absolute-names', > - '--acls', '--xattrs', '--selinux'] > + if os.geteuid() == 0: > + params.extend(['--acls', '--xattrs', '--selinux']) That doesn't check for actual capabilities, just effective UID. That said, I'm not sure there is a way to check such precise and OS-dependent things in python. Otherwise ACK -- Cedric > execute(virt_sandbox + params) > > _______________________________________________ virt-tools-list mailing list virt-tools-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/virt-tools-list
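Review bot: the `if os.geteuid() == 0:` branch has no else and no log message, so a non-root run silently drops `--acls`, `--xattrs` and `--selinux` and looks identical to a run that restored the layer's attributes. Log at that point that file attributes are not being preserved, so the difference is visible to whoever inspects the resulting root filesystem. The comment "Preserve file attributes following the specification" should also say that this now only happens for effective UID 0, since the commit message names CAP_SYS_ADMIN and CAP_FOWNER as the actual requirements.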
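On the capability-versus-UID point raised in the reply above: on Linux a process can read its effective capability set from the `CapEff` line of `/proc/self/status`. The sketch below is an added example, not part of the patch or of virt-bootstrap; the helper names are hypothetical, the status snippets are constructed, and requiring both capabilities before adding all three flags is an assumption that mirrors the patch's all-or-nothing behaviour.

```python
"""Gate tar's attribute flags on effective capabilities instead of euid."""

# Capability bit numbers from <linux/capability.h>
CAP_FOWNER = 3
CAP_SYS_ADMIN = 21

ATTR_FLAGS = ['--acls', '--xattrs', '--selinux']

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
SAMPLE_FULL = "Name:\tpython\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
# UID 0 with CAP_SYS_ADMIN (bit 21) dropped: euid == 0 would still be true.
SAMPLE_NO_SYS_ADMIN = "Name:\tpython\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffdfffff\n"


def parse_cap_eff(status_text):
    """Return the CapEff bitmask from status text, or None if absent."""
    for line in status_text.splitlines():
        if line.startswith('CapEff:'):
            return int(line.split(':', 1)[1].strip(), 16)
    return None


def has_cap(mask, cap):
    """True if capability number `cap` is set in bitmask `mask`."""
    return mask is not None and bool((mask >> cap) & 1)


def attr_flags(status_text):
    """Return the tar attribute flags only when both capabilities named in
    the commit message are effective (assumed all-or-nothing policy)."""
    mask = parse_cap_eff(status_text)
    if has_cap(mask, CAP_FOWNER) and has_cap(mask, CAP_SYS_ADMIN):
        return list(ATTR_FLAGS)
    return []


def current_attr_flags():
    """Flags for the calling process; empty if /proc is unavailable."""
    try:
        with open('/proc/self/status') as status:
            return attr_flags(status.read())
    except OSError:
        return []


if __name__ == '__main__':
    print('full caps     ->', attr_flags(SAMPLE_FULL))
    print('no SYS_ADMIN  ->', attr_flags(SAMPLE_NO_SYS_ADMIN))
    print('this process  ->', current_attr_flags())
```

This reports the capabilities of the calling Python process only; it says nothing about the process that eventually runs `/bin/tar`.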