[et-mgmt-tools] [PATCH] Least privilege support

Atsushi SAKAI sakaia at jp.fujitsu.com
Thu Dec 4 12:41:19 UTC 2008


Hi, John

I have a question about this patch.
(because of my understanding)

It seems check "SunOS" only for Solaris.
(It will be added some code in future?)

Thanks
Atsushi SAKAI


john.levon at sun.com wrote:

> # HG changeset patch
> # User john.levon at sun.com
> # Date 1228271172 28800
> # Node ID 2771f870b247df02b16a4d79cdf549a1ad0132aa
> # Parent  a4538c6c2d6690526d80c011b46b4700c23a9ffd
> Least privilege support
> 
> On Solaris, which users can run virt-install depends on their effective
> privilege set, not their effective UID.
> 
> Signed-off-by: John Levon <john.levon at sun.com>
> 
> diff --git a/virt-clone b/virt-clone
> --- a/virt-clone
> +++ b/virt-clone
> @@ -185,7 +185,7 @@ def main():
>      logging.debug("start clone with HV " + options.connect)
>  
>      if options.connect is None or options.connect.lower()[0:3] == "xen":
> -        if os.geteuid() != 0:
> +        if not virtinst.util.privileged_user():
>              fail(_("Must be root to clone Xen guests"))
>  
>      conn = cli.getConnection(options.connect)
> diff --git a/virtinst/DistroManager.py b/virtinst/DistroManager.py
> --- a/virtinst/DistroManager.py
> +++ b/virtinst/DistroManager.py
> @@ -193,7 +193,7 @@ class DistroInstaller(Guest.Installer):
>                                 "or FTP network install source, or an existing "
>                                 "local file/device"))
>  
> -        if os.geteuid() != 0 and val.startswith("nfs:"):
> +        if val.startswith("nfs:") and not util.privileged_user():
>              raise ValueError(_("NFS installations are only supported as root"))
>  
>          self._location = val
> diff --git a/virtinst/Guest.py b/virtinst/Guest.py
> --- a/virtinst/Guest.py
> +++ b/virtinst/Guest.py
> @@ -28,6 +28,7 @@ import urlgrabber.progress as progress
>  import urlgrabber.progress as progress
>  import util
>  import libvirt
> +import platform
>  import __builtin__
>  import CapabilitiesParser
>  import VirtualDevice
> @@ -347,9 +348,11 @@ class Installer(object):
>      os_type = property(get_os_type, set_os_type)
>  
>      def get_scratchdir(self):
> +        if platform.system() == 'SunOS':
> +            return '/var/tmp'
>          if self.type == "xen" and os.path.exists(XEN_SCRATCH):
>              return XEN_SCRATCH
> -        if os.getuid() == 0 and os.path.exists(LIBVIRT_SCRATCH):
> +        if util.privileged_user() and os.path.exists(LIBVIRT_SCRATCH):
>              return LIBVIRT_SCRATCH
>          else:
>              return os.path.expanduser("~/.virtinst/boot")
> @@ -476,7 +479,7 @@ class Installer(object):
>              fd = os.open(guest.disks[0].path, os.O_RDONLY)
>          except OSError, (err, msg):
>              logging.debug("Failed to open guest disk: %s" % msg)
> -            if err == errno.EACCES and os.geteuid() != 0:
> +            if err == errno.EACCES and not util.privileged_user():
>                  return True # non root might not have access to block devices
>              else:
>                  raise
> diff --git a/virtinst/cli.py b/virtinst/cli.py
> --- a/virtinst/cli.py
> +++ b/virtinst/cli.py
> @@ -118,7 +118,7 @@ def nice_exit():
>  
>  def getConnection(connect):
>      if connect and connect.lower()[0:3] == "xen":
> -        if os.geteuid() != 0:
> +        if not util.privileged_user():
>              fail(_("Must be root to create Xen guests"))
>      if connect is None:
>          fail(_("Could not find usable default libvirt connection."))
> @@ -307,7 +307,7 @@ def digest_networks(conn, macs, bridges,
>      # Create extra networks up to the number of nics requested 
>      if len(macs) < nics:
>          for dummy in range(len(macs),nics):
> -            if os.getuid() == 0:
> +            if util.privileged_user():
>                  net = util.default_network(conn)
>                  networks.append(net[0] + ":" + net[1])
>              else:
> diff --git a/virtinst/util.py b/virtinst/util.py
> --- a/virtinst/util.py
> +++ b/virtinst/util.py
> @@ -93,7 +93,7 @@ def default_connection():
>           os.path.exists("/usr/bin/qemu-kvm") or \
>           os.path.exists("/usr/bin/kvm") or \
>           os.path.exists("/usr/bin/xenner"):
> -        if os.getuid() == 0:
> +        if privileged_user():
>              return "qemu:///system"
>          else:
>              return "qemu:///session"
> @@ -509,6 +509,14 @@ def lookup_pool_by_path(conn, path):
>              return pool
>      return None
>  
> +def privileged_user():
> +    """
> +    Return true if the user is privileged enough.  On Linux, this
> +    equates to being root.  On Solaris, it's more complicated, so we
> +    just assume we're OK.
> +    """
> +    return os.uname()[0] == 'SunOS' or os.geteuid() == 0
> +
>  def _test():
>      import doctest
>      doctest.testmod()
> 
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools





More information about the et-mgmt-tools mailing list