From c8a181e847660bb9d7faedad0bed7d05afbe8103 Mon Sep 17 00:00:00 2001
From: Scott Garman
Date: Sun, 3 Oct 2010 21:39:14 -0700
Subject: poky-qemu-ifup/ifdown: Require root privileges to run

This fixes [BUGID #232], requiring root privileges to run these scripts and giving an error prompt when that requirement is not met. The tunctl uid fallback code has also been removed, as we can rely on the specific version of tunctl run from the native sysroot.

Signed-off-by: Scott Garman
---
 scripts/poky-qemu-ifdown | 18 ++++++++++++++--
 scripts/poky-qemu-ifup | 53 +++++++++++++++++------------------------------
 2 files changed, 35 insertions(+), 36 deletions(-)
(limited to 'scripts')
diff --git a/scripts/poky-qemu-ifdown b/scripts/poky-qemu-ifdown
index 93a87559af..ece2dc998a 100755
--- a/scripts/poky-qemu-ifdown
+++ b/scripts/poky-qemu-ifdown
@@ -1,6 +1,15 @@
 #!/bin/bash
 #
-# QEMU network interface configuration script.
+# QEMU network configuration script to bring down tap devices. This
+# utility needs to be run as root, and will use the tunctl binary
+# from a Poky sysroot.
+#
+# If you find yourself calling this script a lot, you can add the
+# the following to your /etc/sudoers file to be able to run this
+# command without entering your password each time:
+#
+# ALL=NOPASSWD: /path/to/poky-qemu-ifup
+# ALL=NOPASSWD: /path/to/poky-qemu-ifdown
 #
 # Copyright (c) 2006-2010 Intel Corp.
 #
@@ -18,9 +27,14 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 usage() {
- echo "$0 "
+ echo "sudo $0 "
 }
+if [ $EUID -ne 0 ]; then
+ echo "Error: This script (poky-qemu-ifdown) must be run with root privileges"
+ exit 1
+fi
+
 if [ $# -ne 2 ]; then
 usage
 exit 1
diff --git a/scripts/poky-qemu-ifup b/scripts/poky-qemu-ifup
index 5ae6c6aefb..cd4c47b608 100755
--- a/scripts/poky-qemu-ifup
+++ b/scripts/poky-qemu-ifup
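Review bot: The sudoers advice added to the header of poky-qemu-ifdown (and repeated in the first hunk of poky-qemu-ifup) needs a caveat, because a NOPASSWD rule for these scripts grants more than tap-device management. poky-qemu-ifup takes the sysroot directory from its second argument and runs `$NATIVE_SYSROOT_DIR/usr/bin/tunctl` as root, and the ifdown header says it uses a sysroot tunctl as well, so the rule presumably lets its holder decide which binary runs as root. I would add `# Note: the tunctl under the sysroot argument runs as root, so only give this rule to users who are already trusted with root, or pin the arguments in the sudoers entry.` to both headers. The added text also doubles a word ("add the the following").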
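Review bot: The root check added to poky-qemu-ifdown writes its error to stdout; it should go to stderr, `echo "Error: This script (poky-qemu-ifdown) must be run with root privileges" >&2`. The identical check in the second hunk of poky-qemu-ifup has the same problem, and there it matters more: the comment removed in that file's last hunk says output on stdout can confuse poky-qemu-internal when it calls the script. Quoting the operand, `[ "$EUID" -ne 0 ]`, would also be the safer habit. The `if [ $# -ne 2 ]` block after the check continues outside the hunk.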
@@ -6,14 +6,17 @@
 # tunctl which does not support the group permissions option, hence
 # the need to use Poky's version.
 #
-# If this script is being run standalone in order to set up a bank of tap
-# devices for later qemu use, then a group id must be the first argument.
-# The resulting tap device will be group-owned by this group, and qemu
-# users must be members of this group.
+# If you find yourself calling this script a lot, you can add the
+# the following to your /etc/sudoers file to be able to run this
+# command without entering your password each time:
 #
-# If the kernel is too old to support TUNSETGROUP, then a user must be passed
-# in as the second argument, the tap device will be owned by that user, and
-# only that user will be able to use it.
+# ALL=NOPASSWD: /path/to/poky-qemu-ifup
+# ALL=NOPASSWD: /path/to/poky-qemu-ifdown
+#
+# If you'd like to create a bank of tap devices at once, you should use
+# the poky-gen-tapdevs script instead. If tap devices are set up using
+# that script, the poky-qemu script will never end up calling this
+# script.
 #
 # Copyright (c) 2006-2010 Intel Corp.
 #
@@ -31,26 +34,24 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 usage() {
- echo "$0 {uid} "
- echo "Where uid is *only* included if this script complains when it's missing"
+ echo "sudo $0 "
 }
-if [[ $# -lt 2 || $# -gt 3 ]]; then
+if [ $EUID -ne 0 ]; then
+ echo "Error: This script (poky-qemu-ifup) must be run with root privileges"
+ exit 1
+fi
+
+if [ $# -ne 2 ]; then
 usage
 exit 1
 fi
-USER=""
 GROUP="-g $1"
-if [ $# -eq 2 ]; then
- NATIVE_SYSROOT_DIR=$2
-else
- USER=$2
- NATIVE_SYSROOT_DIR=$3
-fi
+NATIVE_SYSROOT_DIR=$2
 TUNCTL=$NATIVE_SYSROOT_DIR/usr/bin/tunctl
-if [ ! -e "$TUNCTL" ]; then
+if [ ! -x "$TUNCTL" ]; then
 echo "Error: Unable to find tunctl binary in '$NATIVE_SYSROOT_DIR/usr/bin'"
 if [[ "$NATIVE_SYSROOT_DIR" =~ ^\/opt\/poky ]]; then
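Review bot: Now that the script only runs as root, the first argument deserves validation: `GROUP="-g $1"` is kept as is and later expanded unquoted in `$TUNCTL -b $GROUP` (context of the next hunk), so extra words in `$1` become additional tunctl arguments. If callers always pass a numeric gid, as the removed header comment's "group id" suggests, a check after the argument-count test would do, e.g. `case $1 in ''|*[!0-9]*) usage; exit 1 ;; esac`. Likewise `-x "$TUNCTL"` only shows the file is executable, not that it is the tunctl the sysroot was built with. The `if [ ! -x "$TUNCTL" ]` block continues outside the hunk.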
@@ -64,22 +65,6 @@ fi
 TAP=`$TUNCTL -b $GROUP 2>&1`
 STATUS=$?
-if [[ "$TAP" =~ "TUNSETGROUP" ]]; then
- # TUNSETGROUP failed because of permissions or the kernel being too old
- # Retry, falling back to a specific user
- if [ "$USER" = "" ]; then
- echo "TUNSETGROUP failed - add a username to the command line in order"
- echo "to have the tap device owned by that user"
- exit 1
- fi
- TAP=`$TUNCTL -b -u $USER 2>&1`
- STATUS=$?
- # Force this to appear on stderr in order that the user sees it if this
- # is running from poky-qemu-internal and in order to avoid having this
- # output confuse it.
- echo "Only user $USER will be able to use $TAP - upgrade the kernel to " 1>&2
- echo "2.6.23 or later in order to allow group access to tap devices" 1>&2
-fi
 if [ $STATUS -ne 0 ]; then
 echo "tunctl failed:"
 echo $TAP
--
cgit v1.2.3-54-g00ecf