author | Scott Garman <scott.a.garman@intel.com> | 2010-10-03 21:39:14 -0700 |
---|---|---|
committer | Richard Purdie <rpurdie@linux.intel.com> | 2010-10-07 19:48:17 +0100 |
commit | c8a181e847660bb9d7faedad0bed7d05afbe8103 (patch) | |
tree | cf548194e5591459b323b672abda5c759b183791 | |
parent | fb2430212521680d593c8c725a9dfb635f40bd59 (diff) | |
poky-qemu-ifup/ifdown: Require root privileges to run
This fixes [BUGID #232], requiring root privileges to run these scripts
and giving an error prompt when that requirement is not met.
The tunctl uid fallback code has also been removed, as we can rely on
the specific version of tunctl run from the native sysroot.
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
-rwxr-xr-x | scripts/poky-qemu-ifdown | 18 | ||||
-rwxr-xr-x | scripts/poky-qemu-ifup | 53 |
2 files changed, 35 insertions, 36 deletions
diff --git a/scripts/poky-qemu-ifdown b/scripts/poky-qemu-ifdown index 93a87559a..ece2dc998 100755 --- a/scripts/poky-qemu-ifdown +++ b/scripts/poky-qemu-ifdown @@ -1,6 +1,15 @@ #!/bin/bash # -# QEMU network interface configuration script. +# QEMU network configuration script to bring down tap devices. This +# utility needs to be run as root, and will use the tunctl binary +# from a Poky sysroot. +# +# If you find yourself calling this script a lot, you can add the +# the following to your /etc/sudoers file to be able to run this +# command without entering your password each time: +# +# <my-username> ALL=NOPASSWD: /path/to/poky-qemu-ifup +# <my-username> ALL=NOPASSWD: /path/to/poky-qemu-ifdown # # Copyright (c) 2006-2010 Intel Corp. # @@ -18,9 +27,14 @@ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. usage() { - echo "$0 <tap-dev> <native-sysroot-basedir>" + echo "sudo $0 <tap-dev> <native-sysroot-basedir>" } +if [ $EUID -ne 0 ]; then + echo "Error: This script (poky-qemu-ifdown) must be run with root privileges" + exit 1 +fi + if [ $# -ne 2 ]; then usage exit 1 diff --git a/scripts/poky-qemu-ifup b/scripts/poky-qemu-ifup index 5ae6c6aef..cd4c47b60 100755 --- a/scripts/poky-qemu-ifup +++ b/scripts/poky-qemu-ifup 
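Review bot: The sudoers lines added to the header comment grant the two scripts without pinning their arguments, yet the second argument is a caller-chosen directory (`<native-sysroot-basedir>` in usage) from which poky-qemu-ifup runs `usr/bin/tunctl`; poky-qemu-ifdown presumably does the same, though that code is outside this hunk. With `NOPASSWD`, the entry therefore amounts to passwordless root for that user, and the comment should say so rather than present it purely as a convenience. I would add a caveat such as `# Note: the sysroot argument selects the tunctl binary that runs as root, so only grant this to users you would trust with full root, and pin the arguments in sudoers where you can.` The same text is added to poky-qemu-ifup in its first hunk, and both copies contain the typo "the the".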
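Review bot: The new root-check message in poky-qemu-ifdown goes to stdout, so a caller that captures the script's output receives the error text where it expects a result. Send it to stderr instead: `echo "Error: This script (poky-qemu-ifdown) must be run with root privileges" 1>&2`. The identical check added to poky-qemu-ifup matters more, because the comment this commit removes from that script says its output can confuse poky-qemu-internal unless it is forced onto stderr. Writing the test as `[ "$EUID" -ne 0 ]` would also match the quoting already used for `"$TUNCTL"`.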
@@ -6,14 +6,17 @@ # tunctl which does not support the group permissions option, hence # the need to use Poky's version. # -# If this script is being run standalone in order to set up a bank of tap -# devices for later qemu use, then a group id must be the first argument. -# The resulting tap device will be group-owned by this group, and qemu -# users must be members of this group. +# If you find yourself calling this script a lot, you can add the +# the following to your /etc/sudoers file to be able to run this +# command without entering your password each time: # -# If the kernel is too old to support TUNSETGROUP, then a user must be passed -# in as the second argument, the tap device will be owned by that user, and -# only that user will be able to use it. +# <my-username> ALL=NOPASSWD: /path/to/poky-qemu-ifup +# <my-username> ALL=NOPASSWD: /path/to/poky-qemu-ifdown +# +# If you'd like to create a bank of tap devices at once, you should use +# the poky-gen-tapdevs script instead. If tap devices are set up using +# that script, the poky-qemu script will never end up calling this +# script. # # Copyright (c) 2006-2010 Intel Corp. # @@ -31,26 +34,24 @@ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. usage() { - echo "$0 <gid> {uid} <native-sysroot-basedir>" - echo "Where uid is *only* included if this script complains when it's missing" + echo "sudo $0 <gid> <native-sysroot-basedir>" } -if [[ $# -lt 2 || $# -gt 3 ]]; then +if [ $EUID -ne 0 ]; then + echo "Error: This script (poky-qemu-ifup) must be run with root privileges" + exit 1 +fi + +if [ $# -ne 2 ]; then usage exit 1 fi -USER="" GROUP="-g $1" -if [ $# -eq 2 ]; then - NATIVE_SYSROOT_DIR=$2 -else - USER=$2 - NATIVE_SYSROOT_DIR=$3 -fi +NATIVE_SYSROOT_DIR=$2 TUNCTL=$NATIVE_SYSROOT_DIR/usr/bin/tunctl -if [ ! -e "$TUNCTL" ]; then +if [ ! -x "$TUNCTL" ]; then echo "Error: Unable to find tunctl binary in '$NATIVE_SYSROOT_DIR/usr/bin'" if [[ "$NATIVE_SYSROOT_DIR" =~ ^\/opt\/poky ]]; then 
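Review bot: `GROUP="-g $1"` is kept unchanged while the script becomes root-only, and the context of the next hunk shows it expanded unquoted in `$TUNCTL -b $GROUP`, so whitespace in the first argument becomes extra tunctl options run as root. Since usage documents the argument as `<gid>`, reject anything that is not a number before building the option: `case "$1" in ''|*[!0-9]*) usage; exit 1 ;; esac`. The change from `-e` to `-x` confirms only that the tunctl file is executable, not who is able to replace it. A comment next to `TUNCTL=$NATIVE_SYSROOT_DIR/usr/bin/tunctl` stating that this caller-supplied path is executed with root privileges would make that trust assumption visible. The enclosing `if [ ! -x "$TUNCTL" ]` block continues past the end of the hunk.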
@@ -64,22 +65,6 @@ fi TAP=`$TUNCTL -b $GROUP 2>&1` STATUS=$? -if [[ "$TAP" =~ "TUNSETGROUP" ]]; then - # TUNSETGROUP failed because of permissions or the kernel being too old - # Retry, falling back to a specific user - if [ "$USER" = "" ]; then - echo "TUNSETGROUP failed - add a username to the command line in order" - echo "to have the tap device owned by that user" - exit 1 - fi - TAP=`$TUNCTL -b -u $USER 2>&1` - STATUS=$? - # Force this to appear on stderr in order that the user sees it if this - # is running from poky-qemu-internal and in order to avoid having this - # output confuse it. - echo "Only user $USER will be able to use $TAP - upgrade the kernel to " 1>&2 - echo "2.6.23 or later in order to allow group access to tap devices" 1>&2 -fi if [ $STATUS -ne 0 ]; then echo "tunctl failed:" echo $TAP |