New API: ntfs_chmod

Add an API to do the equivalent of `chmod [-r] MODE PATH` for
NTFS filesystems.

Files created on a Linux ntfs-3g mount cannot change permissions
directly. New files and directories are created with the rough Windows
equivalent of `chmod 777`. These wide open permissions can generate
security warnings on Windows after virt-v2v installs bits into
`Program Files\Guestfs`.

Behind the scenes we use `ntfssecaudit(8)` from `ntfsprogs`
which is already part of the appliance. We only expose the chmod-style
feature; the rest of `ntfssecaudit` is concerned with reporting and
managing fine-grained Windows security info which is way more than
we need.

Also note, `ntfssecaudit` needs to run on an unmounted partition
so using this is more complicated than a traditional `chmod` call.

Related: https://issues.redhat.com/browse/RHEL-104352

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Cole Robinson
2025-09-06 09:36:15 -04:00
committed by rwmjones
parent e218dd73cc
commit a2e7dfc73b
5 changed files with 58 additions and 1 deletions

@@ -6616,6 +6616,29 @@ Restore the C<backupfile> (from a previous call to
C<guestfs_ntfsclone_out>) to C<device>, overwriting
any existing contents of this device." };
{ defaults with
name = "ntfs_chmod"; added = (1, 55, 13);
(* We don't use Pathname for `path` argument, since that implies
NEED_ROOT, and this command only operates on unmounted devices.
*)
style = RErr, [String (Device, "device"); Int "mode"; String (PlainString, "path")], [OBool "recursive"];
optional = Some "ntfs3g";
shortdesc = "change file permissions on NTFS filesystem";
longdesc = {|Change file permissions on an NTFS filesystem with
a chmod-style permission mask, using L<ntfssecaudit(8)>. Only numeric modes
are supported.
I<Note>: When using this command from guestfish, C<mode>
by default would be decimal, unless you prefix it with
C<0> to get octal, ie. use C<0700> not C<700>.
The C<device> parameter is the NTFS partition device (eg. C</dev/sda5>).
This must be unmounted.
The C<mode> parameter is the permission mode (eg. C<0744>).
The C<path> parameter is the file or directory path within the filesystem.
If the optional C<recursive> flag is set, directory permissions are set
recursively.|} };
{ defaults with
name = "set_label"; added = (1, 17, 9);
style = RErr, [String (Mountable, "mountable"); String (PlainString, "label")], [];
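
Review bot: The longdesc for C<path> does not say what form the path must take or how it is checked. Since the argument is a PlainString rather than a Pathname (for the reason given in the comment above `style`), whatever checking Pathname would bring is not applied, so the text should state whether the path is given from the filesystem root with a leading `/`, and the daemon side should reject anything else before handing it to ntfssecaudit. The same goes for `Int "mode"`: any integer is accepted by the signature, so document the accepted range and fail on values outside it, because a decimal `700` passed by mistake would otherwise set an unintended mask. It would also help to say what error the caller gets when C<device> is still mounted, and whether C<recursive> changes the files below a directory or only the directories themselves, since "directory permissions are set recursively" can be read either way.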

@@ -522,6 +522,7 @@ let proc_nr = [
517, "sh_out";
518, "btrfs_scrub_full";
519, "setfiles";
520, "ntfs_chmod";
]
(* End of list. If adding a new entry, add it at the end of the list