[et-mgmt-tools] [PATCH] Least privilege support
Atsushi SAKAI
sakaia at jp.fujitsu.com
Thu Dec 4 12:41:19 UTC 2008
Hi, John
I have a question about this patch.
(because of my understanding)
It seems check "SunOS" only for Solaris.
(It will be added some code in future?)
Thanks
Atsushi SAKAI
john.levon at sun.com wrote:
> # HG changeset patch
> # User john.levon at sun.com
> # Date 1228271172 28800
> # Node ID 2771f870b247df02b16a4d79cdf549a1ad0132aa
> # Parent a4538c6c2d6690526d80c011b46b4700c23a9ffd
> Least privilege support
>
> On Solaris, which users can run virt-install depends on their effective
> privilege set, not their effective UID.
>
> Signed-off-by: John Levon <john.levon at sun.com>
>
> diff --git a/virt-clone b/virt-clone
> --- a/virt-clone
> +++ b/virt-clone
> @@ -185,7 +185,7 @@ def main():
> logging.debug("start clone with HV " + options.connect)
>
> if options.connect is None or options.connect.lower()[0:3] == "xen":
> - if os.geteuid() != 0:
> + if not virtinst.util.privileged_user():
> fail(_("Must be root to clone Xen guests"))
>
> conn = cli.getConnection(options.connect)
> diff --git a/virtinst/DistroManager.py b/virtinst/DistroManager.py
> --- a/virtinst/DistroManager.py
> +++ b/virtinst/DistroManager.py
> @@ -193,7 +193,7 @@ class DistroInstaller(Guest.Installer):
> "or FTP network install source, or an existing "
> "local file/device"))
>
> - if os.geteuid() != 0 and val.startswith("nfs:"):
> + if val.startswith("nfs:") and not util.privileged_user():
> raise ValueError(_("NFS installations are only supported as root"))
>
> self._location = val
> diff --git a/virtinst/Guest.py b/virtinst/Guest.py
> --- a/virtinst/Guest.py
> +++ b/virtinst/Guest.py
> @@ -28,6 +28,7 @@ import urlgrabber.progress as progress
> import urlgrabber.progress as progress
> import util
> import libvirt
> +import platform
> import __builtin__
> import CapabilitiesParser
> import VirtualDevice
> @@ -347,9 +348,11 @@ class Installer(object):
> os_type = property(get_os_type, set_os_type)
>
> def get_scratchdir(self):
> + if platform.system() == 'SunOS':
> + return '/var/tmp'
> if self.type == "xen" and os.path.exists(XEN_SCRATCH):
> return XEN_SCRATCH
> - if os.getuid() == 0 and os.path.exists(LIBVIRT_SCRATCH):
> + if util.privileged_user() and os.path.exists(LIBVIRT_SCRATCH):
> return LIBVIRT_SCRATCH
> else:
> return os.path.expanduser("~/.virtinst/boot")
> @@ -476,7 +479,7 @@ class Installer(object):
> fd = os.open(guest.disks[0].path, os.O_RDONLY)
> except OSError, (err, msg):
> logging.debug("Failed to open guest disk: %s" % msg)
> - if err == errno.EACCES and os.geteuid() != 0:
> + if err == errno.EACCES and not util.privileged_user():
> return True # non root might not have access to block devices
> else:
> raise
> diff --git a/virtinst/cli.py b/virtinst/cli.py
> --- a/virtinst/cli.py
> +++ b/virtinst/cli.py
> @@ -118,7 +118,7 @@ def nice_exit():
>
> def getConnection(connect):
> if connect and connect.lower()[0:3] == "xen":
> - if os.geteuid() != 0:
> + if not util.privileged_user():
> fail(_("Must be root to create Xen guests"))
> if connect is None:
> fail(_("Could not find usable default libvirt connection."))
> @@ -307,7 +307,7 @@ def digest_networks(conn, macs, bridges,
> # Create extra networks up to the number of nics requested
> if len(macs) < nics:
> for dummy in range(len(macs),nics):
> - if os.getuid() == 0:
> + if util.privileged_user():
> net = util.default_network(conn)
> networks.append(net[0] + ":" + net[1])
> else:
> diff --git a/virtinst/util.py b/virtinst/util.py
> --- a/virtinst/util.py
> +++ b/virtinst/util.py
> @@ -93,7 +93,7 @@ def default_connection():
> os.path.exists("/usr/bin/qemu-kvm") or \
> os.path.exists("/usr/bin/kvm") or \
> os.path.exists("/usr/bin/xenner"):
> - if os.getuid() == 0:
> + if privileged_user():
> return "qemu:///system"
> else:
> return "qemu:///session"
> @@ -509,6 +509,14 @@ def lookup_pool_by_path(conn, path):
> return pool
> return None
>
> +def privileged_user():
> + """
> + Return true if the user is privileged enough. On Linux, this
> + equates to being root. On Solaris, it's more complicated, so we
> + just assume we're OK.
> + """
> + return os.uname()[0] == 'SunOS' or os.geteuid() == 0
> +
> def _test():
> import doctest
> doctest.testmod()
>
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools
More information about the et-mgmt-tools
mailing list