diff options
| author | Richard Jones <rjones@redhat.com> | 2010-07-02 17:52:51 +0100 |
|---|---|---|
| committer | Richard Jones <rjones@redhat.com> | 2010-07-07 15:03:51 +0100 |
| commit | 49a71a4c606d52f78c364860a8917cf1076169e7 (patch) | |
| tree | 34a8f6c680e3fcec736b7d4dfaabc46125f4b391 /src/guestfs.c | |
| parent | 8161ea9bb046c8450384b5b15e1f4b2f3dca582b (diff) | |
| download | libguestfs-49a71a4c606d52f78c364860a8917cf1076169e7.tar.gz libguestfs-49a71a4c606d52f78c364860a8917cf1076169e7.tar.xz libguestfs-49a71a4c606d52f78c364860a8917cf1076169e7.zip | |
Make tmp directory world readable (RHBZ#610880).
If you have a restrictive umask (0077 for example) then
files in the tmp directory would be created with 0600
permissions. Example:
drwx------. 2 rjones rjones 4096 Jul 2 17:52 .
drwxrwxrwt. 57 root root 102400 Jul 2 17:52 ..
-rw-------. 1 rjones rjones 86328832 Jul 2 17:52 initrd
lrwxrwxrwx. 1 rjones rjones 46 Jul 2 17:52 kernel -> /boot/vmlinuz-2.6.33-0.40.rc7.git0.fc13.x86_64
This in itself is not a problem. However in virt-v2v we also
change UID:GID and the result is that qemu is unable to read
the initrd file:
qemu: could not load initial ram disk '/tmp/libguestfs2ssynP/initrd'
With this patch we make the tmp directory and the files
world readable. After the patch:
$ ls -la /tmp/libguestfsJFVzPg/
total 116192
drwxr-xr-x. 2 rjones rjones 4096 Jul 2 18:03 .
drwxrwxrwt. 56 root root 102400 Jul 2 18:03 ..
-rw-r--r--. 1 rjones rjones 118869504 Jul 2 18:03 initrd
lrwxrwxrwx. 1 rjones rjones 46 Jul 2 18:03 kernel -> /boot/vmlinuz-2.6.33-0.40.rc7.git0.fc13.x86_64
Diffstat (limited to 'src/guestfs.c')
| -rw-r--r-- | src/guestfs.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/guestfs.c b/src/guestfs.c index 1439361d..85a042a0 100644 --- a/src/guestfs.c +++ b/src/guestfs.c @@ -982,6 +982,14 @@ guestfs__launch (guestfs_h *g) } } + /* Allow anyone to read the temporary directory. There are no + * secrets in the kernel or initrd files. The socket in this + * directory won't be readable but anyone can see it exists if they + * want. (RHBZ#610880). + */ + if (chmod (g->tmpdir, 0755) == -1) + fprintf (stderr, "chmod: %s: %m (ignored)\n", g->tmpdir); + /* First search g->path for the supermin appliance, and try to * synthesize a kernel and initrd from that. If it fails, we * try the path search again looking for a backup ordinary @@ -1590,7 +1598,11 @@ build_supermin_appliance (guestfs_h *g, const char *path, *initrd = safe_malloc (g, len + 8); snprintf (*initrd, len+8, "%s/initrd", g->tmpdir); + /* Set a sensible umask in the subprocess, so kernel and initrd + * output files are world-readable (RHBZ#610880). + */ snprintf (cmd, sizeof cmd, + "umask 0002; " "febootstrap-supermin-helper%s " "-k '%s/kmod.whitelist' " "'%s/supermin.d' " |