[virt-tools-list] [virt-bootstrap] [PATCH 4/4] safe_untar: Check for permissions to set attribs
Radostin Stoyanov
rstoyanov1 at gmail.com
Sat Apr 28 22:21:04 UTC 2018
Make sure we have permissions to restore file extended attributes.
[1] ... all processes have read access to extended security attributes,
and write access is limited to processes that have the CAP_SYS_ADMIN
capability.
[2] The file owner and processes capable of CAP_FOWNER are granted the
right to modify ACLs of a file. This is analogous to the permissions
required for accessing the file mode. (On current Linux systems, root
is the only user with the CAP_FOWNER capability.)
[1] https://linux.die.net/man/5/attr
[2] https://linux.die.net/man/1/setfacl
Signed-off-by: Radostin Stoyanov <rstoyanov1 at gmail.com>
---
src/virtBootstrap/utils.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/virtBootstrap/utils.py b/src/virtBootstrap/utils.py
index 94b3ccb..cd03a93 100644
--- a/src/virtBootstrap/utils.py
+++ b/src/virtBootstrap/utils.py
@@ -278,12 +278,12 @@ def safe_untar(src, dest):
# Note: Here we use --absolute-names flag to get around the error message
# "Cannot open: Permission denied" when symlynks are extracted, with the
# qemu:/// driver. This flag must not be used outside virt-sandbox.
- #
+ params = ['--', '/bin/tar', 'xf', src, '-C', '/mnt', '--exclude', 'dev/*',
+ '--overwrite', '--absolute-names']
# Preserve file attributes following the specification in
# https://github.com/opencontainers/image-spec/blob/master/layer.md
- params = ['--', '/bin/tar', 'xf', src, '-C', '/mnt', '--exclude', 'dev/*',
- '--overwrite', '--absolute-names',
- '--acls', '--xattrs', '--selinux']
+ if os.geteuid() == 0:
+ params.extend(['--acls', '--xattrs', '--selinux'])
execute(virt_sandbox + params)
--
2.14.3
More information about the virt-tools-list
mailing list