On Sun, May 28, 2023 at 09:41:37AM +0000, Ben Grande wrote: > Enforce file mode and ownership for replaced files. > > Signed-off-by: Ben Grande <ben.grand...@gmail.com> > --- > qrexec/policy/admin.py | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/qrexec/policy/admin.py b/qrexec/policy/admin.py > index da5bd9f..5f80070 100644 > --- a/qrexec/policy/admin.py > +++ b/qrexec/policy/admin.py > @@ -19,6 +19,8 @@ > > from typing import Optional > from pathlib import Path > +from pwd import getpwnam > +from grp import getgrnam > import contextlib > import fcntl > import os > @@ -201,6 +203,10 @@ class PolicyAdmin: > > temp_path = path.with_name(RENAME_PREFIX + path.name) > temp_path.write_bytes(data) > + temp_path.chmod(0o664) > + uid = getpwnam("root").pw_uid > + gid = getgrnam("qubes").gr_gid > + os.chown(temp_path, uid, gid)
Just in case, I'd wrap it in try/except to not fail the whole operation if chown fails (if the thing is running as non-root user for example). > temp_path.rename(path) > > # Remove > -- > Benjamin Grande <ben.grand...@gmail.com> > > -- > You received this message because you are subscribed to the Google Groups > "qubes-devel" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to qubes-devel+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-devel/ZHMh0fQxcKHG70gP%40personal-mutt. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab
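Review bot: In the second hunk (`class PolicyAdmin`, after `temp_path.write_bytes(data)`), each of the added calls can raise before `temp_path.rename(path)` runs: `getpwnam("root")` and `getgrnam("qubes")` raise KeyError when the name does not exist, and `os.chown(temp_path, uid, gid)` raises PermissionError for a non-root caller. The visible lines show no cleanup, so the prefixed temp file would be left next to `path`. If the failure is to be tolerated as suggested in the reply, catch KeyError as well as OSError, and decide explicitly whether the replace should still proceed with the default ownership. Also consider calling `os.chown` before `temp_path.chmod(0o664)`, so the file only becomes group-writable once its group is already `qubes`, and state in the commit message why 0o664 and root:qubes are the intended values.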