[libvirt] [PATCH] tools: make virt-pki-validate work with acls and xattrs

This patch makes virt-pki-validate work with certificates that have acl or xattr set. Otherwise it fails due to wrong permissions. --- tools/virt-pki-validate.in | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index 01825d1..4164758 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -170,7 +170,8 @@ then else echo Found client private key $LIBVIRTP/clientkey.pem OWN=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $3 }'` - MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $1 }'` + # The substr($1, 1, 10) gets rid of acl and xattr markers + MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print substr($1, 1, 10) }'` if [ "$OWN" != "root" ] then echo The client private key should be owned by root @@ -222,7 +223,8 @@ then else echo Found server private key $LIBVIRTP/serverkey.pem OWN=`ls -l "$LIBVIRTP/serverkey.pem" | awk '{ print $3 }'` - MOD=`ls -l "$LIBVIRTP/serverkey.pem" | awk '{ print $1 }'` + # The substr($1, 1, 10) gets rid of acl and xattr markers + MOD=`ls -l "$LIBVIRTP/serverkey.pem" | awk '{ print substr($1, 1, 10) }'` if [ "$OWN" != "root" ] then echo The server private key should be owned by root -- 1.7.8.6
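Review bot: the comment added above the MOD assignment in the clientkey.pem hunk (@@ -170) names only "acl and xattr markers", but `substr($1, 1, 10)` drops whatever sits in the 11th position, which on GNU ls also includes the "." printed for a file that carries only an SELinux context. Rewording it to something like "keep the 10-character mode string, drop the optional 11th marker character" would document what the code does and why exactly 10 is the right length.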
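Review bot: the serverkey.pem hunk (@@ -222) repeats the pipeline and comment from the clientkey.pem hunk verbatim, with only the file name changed. A small shell function that takes the path and prints the 10-character mode would keep the two private-key checks from drifting apart the next time this parsing has to change.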

Hello, I find parsing the output of "ls -l" very suspect and fragile, since its output heavily depends on the environment: SELinux, ACLs, locale. Perhaps using /usr/bin/stat would be better, but I don't know how available /usr/bin/stat is on non-Linux platforms (on my Debian system it's in coreutils).

On Thursday 31 May 2012 11:02:51 Martin Kletzander wrote:
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index 01825d1..4164758 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in OWN=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $3 }'` OWN=`stat -c %U "$LIBVIRTP/clientkey.pem"`
- MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $1 }'` + # The substr($1, 1, 10) gets rid of acl and xattr markers + MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print substr($1, 1, 10) }'` MOD=`stat -c %s "$LIBVIRTP/clientkey.pem"`
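Review bot: the suggested `MOD=` replacement uses `stat -c %s`, and in GNU stat `%s` is the file size in bytes, so MOD would hold a number rather than a mode; the permission string comes from `%A` (or `%a` for the octal form). The `-c` option is itself GNU-specific (BSD stat takes its format with `-f`), which is the availability question the message raises.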
Sincerely Philipp -- Philipp Hahn Open Source Software Engineer hahn@univention.de Univention GmbH be open. fon: +49 421 22 232- 0 Mary-Somerville-Str.1 D-28359 Bremen fax: +49 421 22 232-99 http://www.univention.de/

On 05/31/2012 05:57 AM, Philipp Hahn wrote:
Hello,
I find parsing the output of "ls -l" very suspect and fragile,
As do I.
since its output heavily depends on the environment: SELinux, ACLs,
That only affects the 11th character, which we are stripping.
locale.
That affects the date string and other elements later on in the line, but not the mode string. This _particular_ use of 'ls -l' is portable, as POSIX guarantees a consistent interpretation of the first 11 bytes of each line (it's not until later in the line that you indeed run into fragile parsing aspects, even under POSIX rules).
Perhaps using /usr/bin/stat would be better, but I don't know how available /usr/bin/stat is on non-Linux platforms (on my Debian system it's in coreutils).
I agree that stat(1) would be safer, but it is less portable, and we want this validation script to run everywhere. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
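
The point made in this reply, that only the first 10 characters of the `ls -l` mode field are needed and the 11th is an optional marker, as an added example that is not part of the thread or of libvirt's script. The function names are hypothetical and the sample `ls -l` lines are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample lines are constructed.

# Print the 10-character type + permission string from one `ls -l` line,
# dropping the optional 11th character ("+", ".", "@", ...).
mode_from_ls_line() {
    printf '%s\n' "$1" | awk 'NR == 1 { print substr($1, 1, 10) }'
}

# Succeed only for a regular file with no group or other permission bits.
mode_is_owner_only() {
    case "$1" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Mode string of a real file. LC_ALL=C pins the locale and -d keeps ls from
# listing a directory's contents.
key_mode() {
    mode_from_ls_line "$(LC_ALL=C ls -ld -- "$1" 2>/dev/null)"
}

# Report on one key file: 0 = owner-only, 1 = too permissive, 2 = cannot list.
check_key() {
    m=$(key_mode "$1")
    if [ -z "$m" ]; then
        echo "cannot list $1"
        return 2
    fi
    if mode_is_owner_only "$m"; then
        echo "ok: $1 is $m"
    else
        echo "too permissive: $1 is $m"
        return 1
    fi
}

# Constructed `ls -l` lines: plain, ACL marker, SELinux marker, group-readable.
for line in \
    '-rw------- 1 root root 1675 May 31 2012 clientkey.pem' \
    '-rw-------+ 1 root root 1675 May 31 2012 clientkey.pem' \
    '-rw-------. 1 root root 1675 May 31 2012 serverkey.pem' \
    '-rw-r-----+ 1 root root 1675 May 31 2012 serverkey.pem'
do
    m=$(mode_from_ls_line "$line")
    if mode_is_owner_only "$m"; then echo "$m owner-only"; else echo "$m exposed"; fi
done
```

Comparing the untrimmed field against a fixed string such as `-rw-------` is what fails on the second and third sample lines; after trimming, only the fourth is reported as exposed.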

On 05/31/2012 03:02 AM, Martin Kletzander wrote:
This patch makes virt-pki-validate work with certificates that have acl or xattr set. Otherwise it fails due to wrong permissions. --- tools/virt-pki-validate.in | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index 01825d1..4164758 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -170,7 +170,8 @@ then else echo Found client private key $LIBVIRTP/clientkey.pem OWN=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $3 }'` - MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $1 }'` + # The substr($1, 1, 10) gets rid of acl and xattr markers + MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print substr($1, 1, 10) }'`
ACK. There really isn't any better _portable_ alternative to getting a file's permissions. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On 05/31/2012 04:49 PM, Eric Blake wrote:
On 05/31/2012 03:02 AM, Martin Kletzander wrote:
This patch makes virt-pki-validate work with certificates that have acl or xattr set. Otherwise it fails due to wrong permissions. --- tools/virt-pki-validate.in | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index 01825d1..4164758 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -170,7 +170,8 @@ then else echo Found client private key $LIBVIRTP/clientkey.pem OWN=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $3 }'` - MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $1 }'` + # The substr($1, 1, 10) gets rid of acl and xattr markers + MOD=`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print substr($1, 1, 10) }'`
ACK. There really isn't any better _portable_ alternative to getting a file's permissions.
Thanks, pushed. Martin