[et-mgmt-tools] [PATCH] Least privilege support
john.levon at sun.com
john.levon at sun.com
Wed Dec 3 02:26:23 UTC 2008
# HG changeset patch
# User john.levon at sun.com
# Date 1228271172 28800
# Node ID 2771f870b247df02b16a4d79cdf549a1ad0132aa
# Parent a4538c6c2d6690526d80c011b46b4700c23a9ffd
Least privilege support
On Solaris, which users can run virt-install depends on their effective
privilege set, not their effective UID.
Signed-off-by: John Levon <john.levon at sun.com>
diff --git a/virt-clone b/virt-clone
--- a/virt-clone
+++ b/virt-clone
@@ -185,7 +185,7 @@ def main():
logging.debug("start clone with HV " + options.connect)
if options.connect is None or options.connect.lower()[0:3] == "xen":
- if os.geteuid() != 0:
+ if not virtinst.util.privileged_user():
fail(_("Must be root to clone Xen guests"))
conn = cli.getConnection(options.connect)
diff --git a/virtinst/DistroManager.py b/virtinst/DistroManager.py
--- a/virtinst/DistroManager.py
+++ b/virtinst/DistroManager.py
@@ -193,7 +193,7 @@ class DistroInstaller(Guest.Installer):
"or FTP network install source, or an existing "
"local file/device"))
- if os.geteuid() != 0 and val.startswith("nfs:"):
+ if val.startswith("nfs:") and not util.privileged_user():
raise ValueError(_("NFS installations are only supported as root"))
self._location = val
diff --git a/virtinst/Guest.py b/virtinst/Guest.py
--- a/virtinst/Guest.py
+++ b/virtinst/Guest.py
@@ -28,6 +28,7 @@ import urlgrabber.progress as progress
import urlgrabber.progress as progress
import util
import libvirt
+import platform
import __builtin__
import CapabilitiesParser
import VirtualDevice
@@ -347,9 +348,11 @@ class Installer(object):
os_type = property(get_os_type, set_os_type)
def get_scratchdir(self):
+ if platform.system() == 'SunOS':
+ return '/var/tmp'
if self.type == "xen" and os.path.exists(XEN_SCRATCH):
return XEN_SCRATCH
- if os.getuid() == 0 and os.path.exists(LIBVIRT_SCRATCH):
+ if util.privileged_user() and os.path.exists(LIBVIRT_SCRATCH):
return LIBVIRT_SCRATCH
else:
return os.path.expanduser("~/.virtinst/boot")
@@ -476,7 +479,7 @@ class Installer(object):
fd = os.open(guest.disks[0].path, os.O_RDONLY)
except OSError, (err, msg):
logging.debug("Failed to open guest disk: %s" % msg)
- if err == errno.EACCES and os.geteuid() != 0:
+ if err == errno.EACCES and not util.privileged_user():
return True # non root might not have access to block devices
else:
raise
diff --git a/virtinst/cli.py b/virtinst/cli.py
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -118,7 +118,7 @@ def nice_exit():
def getConnection(connect):
if connect and connect.lower()[0:3] == "xen":
- if os.geteuid() != 0:
+ if not util.privileged_user():
fail(_("Must be root to create Xen guests"))
if connect is None:
fail(_("Could not find usable default libvirt connection."))
@@ -307,7 +307,7 @@ def digest_networks(conn, macs, bridges,
# Create extra networks up to the number of nics requested
if len(macs) < nics:
for dummy in range(len(macs),nics):
- if os.getuid() == 0:
+ if util.privileged_user():
net = util.default_network(conn)
networks.append(net[0] + ":" + net[1])
else:
diff --git a/virtinst/util.py b/virtinst/util.py
--- a/virtinst/util.py
+++ b/virtinst/util.py
@@ -93,7 +93,7 @@ def default_connection():
os.path.exists("/usr/bin/qemu-kvm") or \
os.path.exists("/usr/bin/kvm") or \
os.path.exists("/usr/bin/xenner"):
- if os.getuid() == 0:
+ if privileged_user():
return "qemu:///system"
else:
return "qemu:///session"
@@ -509,6 +509,14 @@ def lookup_pool_by_path(conn, path):
return pool
return None
+def privileged_user():
+ """
+ Return true if the user is privileged enough. On Linux, this
+ equates to being root. On Solaris, it's more complicated, so we
+ just assume we're OK.
+ """
+ return os.uname()[0] == 'SunOS' or os.geteuid() == 0
+
def _test():
import doctest
doctest.testmod()
More information about the et-mgmt-tools
mailing list