[Pkg-libvirt-commits] [libguestfs] 22/40: customize: fix attributes of /etc/shadow (RHBZ#1146275)

Hilko Bengen bengen at moszumanska.debian.org
Fri Oct 3 14:49:12 UTC 2014


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag debian/1%1.27.57-1
in repository libguestfs.

commit 35daabed8f6da1b6039c4fd32848dcff6347e0dd
Author: Pino Toscano <ptoscano at redhat.com>
Date:   Mon Sep 29 13:49:09 2014 +0200

    customize: fix attributes of /etc/shadow (RHBZ#1146275)
    
    When saving a configuration file, Augeas creates a new file and
    replaces the old one with it; this creates a /etc/shadow file without
    the SELinux xattrs, since they are missing.
    
    Thus, create a temporary file with all the attributes of /etc/shadow, so
    all the attributes of it (permissions and xattrs, among others) can be
    restored properly on the new /etc/shadow.
    
    As a side effect, if a guest is already properly SELinux-labelled,
    there should be no further need to relabel it to make sure /etc/shadow
    still has the right SELinux xattrs.
---
 customize/password.ml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/customize/password.ml b/customize/password.ml
index 3437bf0..2bbfbbc 100644
--- a/customize/password.ml
+++ b/customize/password.ml
@@ -81,12 +81,19 @@ and read_password_from_file filename =
 (* Permissible characters in a salt. *)
 let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"
 
-let rec set_linux_passwords ~prog ?password_crypto g root passwords =
+let rec set_linux_passwords ~prog ?password_crypto (g : Guestfs.guestfs) root passwords =
   let crypto =
     match password_crypto with
     | None -> default_crypto ~prog g root
     | Some c -> c in
 
+  (* Create a (almost) empty temporary file with the attributes of
+   * /etc/shadow, so we can restore them later.
+   *)
+  let tempfile = g#mktemp "/etc/shadow.guestfsXXXXXX" in
+  g#write tempfile "*";
+  g#copy_attributes ~all:true "/etc/shadow" tempfile;
+
   g#aug_init "/" 0;
   let users = Array.to_list (g#aug_ls "/files/etc/shadow") in
   List.iter (
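Review bot: The temporary file from `g#mktemp "/etc/shadow.guestfsXXXXXX"` is removed only by the `g#rm tempfile` at the end of the function, so an exception raised in between (`g#aug_init`, the `List.iter` body, `g#aug_save`) leaves a stray file in the guest's /etc carrying the owner, mode and xattrs of /etc/shadow. The body of set_linux_passwords continues outside this hunk, so not every raise point is visible here. Running the removal on the error path as well would close this, for example by wrapping the Augeas section in a handler such as `with exn -> (try g#rm_f tempfile with Guestfs.Error _ -> ()); raise exn`. A short comment on why `"*"` is written to the file (the existing one only says "(almost) empty") would also help the next reader.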
@@ -116,9 +123,11 @@ let rec set_linux_passwords ~prog ?password_crypto g root passwords =
       with Not_found -> ()
   ) users;
   g#aug_save ();
+  g#aug_close ();
 
-  (* In virt-sysprep /.autorelabel will label it correctly. *)
-  g#chmod 0 "/etc/shadow"
+  (* Restore all the attributes from the temporary file, and remove it. *)
+  g#copy_attributes ~all:true tempfile "/etc/shadow";
+  g#rm tempfile
 
 (* Encrypt each password.  Use glibc (on the host).  See:
  * https://rwmj.wordpress.com/2013/07/09/setting-the-root-or-other-passwords-in-a-linux-guest/
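Review bot: With `g#chmod 0 "/etc/shadow"` removed, nothing in this hunk bounds the mode of the rewritten file. `g#copy_attributes ~all:true tempfile "/etc/shadow"` reapplies whatever the guest's /etc/shadow had before, so an image whose shadow file was already too permissive keeps that mode after the new hashes are written. If the restore call itself raises, /etc/shadow is left with the attributes Augeas gave the replacement file (per the commit message, without the SELinux xattrs), and `g#rm tempfile` is never reached. I would state the contract in the comment, e.g. `(* Owner, mode and xattrs are inherited from the guest's original /etc/shadow; they are not tightened here. *)`. It may also be worth warning when the restored mode is world-readable.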

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libguestfs.git


