[Libguestfs] [PATCH 2/2] customize: fix attributes of /etc/shadow (RHBZ#1146275)

Richard W.M. Jones rjones at redhat.com
Mon Sep 29 12:18:11 UTC 2014


On Mon, Sep 29, 2014 at 01:57:24PM +0200, Pino Toscano wrote:
> When saving a configuration file, Augeas creates a new file and
> replaces the old one with it; this creates a /etc/shadow file without
> the SELinux xattrs, since they are missing.
> 
> Thus, create a temporary file with all the attributes of /etc/shadow, so
> all the attributes of it (permissions and xattrs, among others) can be
> restored properly on the new /etc/shadow.
> 
> As a side effect, if a guest is already properly SELinux-labelled, then
> there should be no more need to relabel it to make sure /etc/shadow
> still has the right SELinux xattrs.
> ---
>  customize/password.ml | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/customize/password.ml b/customize/password.ml
> index 3437bf0..2bbfbbc 100644
> --- a/customize/password.ml
> +++ b/customize/password.ml
> @@ -81,12 +81,19 @@ and read_password_from_file filename =
>  (* Permissible characters in a salt. *)
>  let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"
>  
> -let rec set_linux_passwords ~prog ?password_crypto g root passwords =
> +let rec set_linux_passwords ~prog ?password_crypto (g : Guestfs.guestfs) root passwords =
>    let crypto =
>      match password_crypto with
>      | None -> default_crypto ~prog g root
>      | Some c -> c in
>  
> +  (* Create a (almost) empty temporary file with the attributes of
> +   * /etc/shadow, so we can restore them later.
> +   *)
> +  let tempfile = g#mktemp "/etc/shadow.guestfsXXXXXX" in
> +  g#write tempfile "*";
> +  g#copy_attributes ~all:true "/etc/shadow" tempfile;
> +
>    g#aug_init "/" 0;
>    let users = Array.to_list (g#aug_ls "/files/etc/shadow") in
>    List.iter (
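Review bot: The file created by `g#mktemp "/etc/shadow.guestfsXXXXXX"` is only removed on the success path, by the `g#rm tempfile` added in the second hunk. If anything between the two raises (`aug_init`, the `List.iter` body, `aug_save`, or either `copy_attributes` call), the placeholder stays behind in the guest's /etc with the owner, mode and xattrs copied from /etc/shadow. Its content is only `*`, so nothing secret leaks, but it is a stray shadow-labelled file in a customized image. Consider defining `let cleanup () = try g#rm tempfile with Guestfs.Error _ -> () in` right after the `mktemp` and wrapping the rest of the body as `try ... with exn -> cleanup (); raise exn`. The function body continues past the end of this hunk.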
> @@ -116,9 +123,11 @@ let rec set_linux_passwords ~prog ?password_crypto g root passwords =
>        with Not_found -> ()
>    ) users;
>    g#aug_save ();
> +  g#aug_close ();
>  
> -  (* In virt-sysprep /.autorelabel will label it correctly. *)
> -  g#chmod 0 "/etc/shadow"
> +  (* Restore all the attributes from the temporary file, and remove it. *)
> +  g#copy_attributes ~all:true tempfile "/etc/shadow";
> +  g#rm tempfile
>  
>  (* Encrypt each password.  Use glibc (on the host).  See:
>   * https://rwmj.wordpress.com/2013/07/09/setting-the-root-or-other-passwords-in-a-linux-guest/
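Review bot: The removed `g#chmod 0 "/etc/shadow"` forced a restrictive mode unconditionally, while the new `g#copy_attributes ~all:true tempfile "/etc/shadow"` restores whatever mode and ownership the guest's original file had. If a guest image shipped /etc/shadow with loose permissions, those are now preserved after new password hashes are written. That is presumably intended, but the comment should say so, for example `(* Augeas replaced /etc/shadow with a new file; restore owner, mode and xattrs (SELinux label) saved in tempfile.  The mode is no longer forced to 0. *)`. A short why-comment on `g#aug_close ()` would also help, since the hunk does not show why the handle must be closed before the attributes are restored. The start of `set_linux_passwords` is outside this hunk.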
> -- 
> 1.9.3

ACK to both.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org



