From bc2744cea7800f7b84e1731e367e75b0f2d60d48 Mon Sep 17 00:00:00 2001 From: Radostin Stoyanov Date: Tue, 24 Apr 2018 09:18:26 +0100 Subject: safe_untar: Check for permissions to set attribs Make sure we have permissions to restore file extended attributes. [1] ... all processes have read access to extended security attributes, and write access is limited to processes that have the CAP_SYS_ADMIN capability. [2] The file owner and processes capable of CAP_FOWNER are granted the right to modify ACLs of a file. This is analogous to the permissions required for accessing the file mode. (On current Linux systems, root is the only user with the CAP_FOWNER capability.) [1] https://linux.die.net/man/5/attr [2] https://linux.die.net/man/1/setfacl Signed-off-by: Radostin Stoyanov --- src/virtBootstrap/utils.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/virtBootstrap/utils.py') diff --git a/src/virtBootstrap/utils.py b/src/virtBootstrap/utils.py index 94b3ccb..cd03a93 100644 --- a/src/virtBootstrap/utils.py +++ b/src/virtBootstrap/utils.py @@ -278,12 +278,12 @@ def safe_untar(src, dest): # Note: Here we use --absolute-names flag to get around the error message # "Cannot open: Permission denied" when symlynks are extracted, with the # qemu:/// driver. This flag must not be used outside virt-sandbox. - # + params = ['--', '/bin/tar', 'xf', src, '-C', '/mnt', '--exclude', 'dev/*', + '--overwrite', '--absolute-names'] # Preserve file attributes following the specification in # https://github.com/opencontainers/image-spec/blob/master/layer.md - params = ['--', '/bin/tar', 'xf', src, '-C', '/mnt', '--exclude', 'dev/*', - '--overwrite', '--absolute-names', - '--acls', '--xattrs', '--selinux'] + if os.geteuid() == 0: + params.extend(['--acls', '--xattrs', '--selinux']) execute(virt_sandbox + params) -- cgit