Francesco Romani has uploaded a new change for review.

Change subject: mkimage: setup right permissions before mkisofs
mkimage: setup right permissions before mkisofs

We don't want to depend on the 'childUmask' argument of cpopen anymore, so that argument could be dropped in a future release, to make the interface of cpopen identical to the one of the standard subprocess module.

The 'childUmask' argument was added to make sure that the iso image we create has the right permissions right from the file creation, to avoid possible information leak.

We can reach the same goal by preparing one hollow file with the right attributes on the same path mkisofs will use. mkisofs will truncate the (already empty) content of the file we prepared, and keep the other attributes.

There is no planned change in functionality.

Change-Id: Ibc971a39ae2a8eaf7af934bb0922647e4676d03f
Bug-Url: https://bugzilla.redhat.com/1278414
Signed-off-by: Francesco Romani <[email protected]>
---
M vdsm/mkimage.py
1 file changed, 7 insertions(+), 1 deletion(-)

git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/38/48538/1

diff --git a/vdsm/mkimage.py b/vdsm/mkimage.py index 7633662..07757bc 100644 --- a/vdsm/mkimage.py +++ b/vdsm/mkimage.py 
@@ -127,7 +127,13 @@ if volumeName is not None: command.extend(['-V', volumeName]) command.extend([dirname]) - rc, out, err = execCmd(command, raw=True, childUmask=0o027) + + # pre-create the destination iso path with the right permissions; + # mkisofs/genisoimage will truncate the content and keep the + # permissions. + os.open(isopath, os.O_CREAT | os.O_RDWR, mode=0o600) + + rc, out, err = execCmd(command, raw=True) if rc: raise OSError(errno.EIO, "could not create iso file: " "code %s, out %s\nerr %s" % (rc, out, err)) -- To view, visit https://gerrit.ovirt.org/48538 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibc971a39ae2a8eaf7af934bb0922647e4676d03f Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Francesco Romani <[email protected]> _______________________________________________ vdsm-patches mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
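Review bot: The file descriptor returned by the added os.open(isopath, os.O_CREAT | os.O_RDWR, mode=0o600) call is never closed, so every image build leaks one descriptor; close it right away, for example os.close(os.open(...)). The mode argument is only applied when the call actually creates the file, and it is still masked by the process umask: without os.O_EXCL, an isopath that already exists keeps whatever permissions it had, so the guarantee the commit message describes holds only for a fresh path. Consider adding O_EXCL, or calling os.fchmod on the descriptor before closing it, so the permissions are enforced in both cases. The new mode 0o600 is also stricter than what childUmask=0o027 permitted (group read was allowed), which is at odds with "no planned change in functionality" if any consumer reads the image through the group bit; please confirm that is intended. Finally, pass the mode positionally if this module still runs under Python 2, where os.open does not accept keyword arguments.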
