Add function for checking file access permissions

The CanRead function checks whether a user of the local machine (specified
by name) can access a given file.

IsUserInGroup is a helper function for CanRead, but might also be used
independently, so its name does not begin with an underscore.

Signed-off-by: Michele Tartara <mtartara@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

diff --git a/lib/utils/io.py b/lib/utils/io.py
index f9675a8..808751c 100644 (file)
--- a/lib/utils/io.py
+++ b/lib/utils/io.py
@@ -29,6 +29,8 @@ import tempfile
 import errno
 import time
 import stat
+import grp
+import pwd
 
 from ganeti import errors
 from ganeti import constants
@@ -1063,3 +1065,38 @@ class TemporaryFileManager(object):
     """
     while self._files:
       RemoveFile(self._files.pop())
+
+
+def IsUserInGroup(uid, gid):
+  """Returns True if the user belongs to the group.
+
+  @type uid: int
+  @param uid: the user id
+  @type gid: int
+  @param gid: the group id
+  @rtype: bool
+
+  """
+  user = pwd.getpwuid(uid)
+  group = grp.getgrgid(gid)
+  return user.pw_gid == gid or user.pw_name in group.gr_mem
+
+
+def CanRead(username, filename):
+  """Returns True if the user can access (read) the file.
+
+  @type username: string
+  @param username: the name of the user
+  @type filename: string
+  @param filename: the name of the file
+  @rtype: bool
+
+  """
+  filestats = os.stat(filename)
+  user = pwd.getpwnam(username)
+  uid = user.pw_uid
+  user_readable = filestats.st_mode & stat.S_IRUSR != 0
+  group_readable = filestats.st_mode & stat.S_IRGRP != 0
+  return ((filestats.st_uid == uid and user_readable)
+          or (filestats.st_uid != uid and
+              IsUserInGroup(uid, filestats.st_gid) and group_readable))