
Re: [et-mgmt-tools] [PATCH] Least privilege support



Hi, John

I have a question about this patch.
(I want to check my understanding.)

It seems that, for Solaris, it only checks for "SunOS".
(Will some code be added in the future?)

Thanks
Atsushi SAKAI


john levon sun com wrote:

> # HG changeset patch
> # User john levon sun com
> # Date 1228271172 28800
> # Node ID 2771f870b247df02b16a4d79cdf549a1ad0132aa
> # Parent  a4538c6c2d6690526d80c011b46b4700c23a9ffd
> Least privilege support
> 
> On Solaris, which users can run virt-install depends on their effective
> privilege set, not their effective UID.
> 
> Signed-off-by: John Levon <john levon sun com>
> 
> diff --git a/virt-clone b/virt-clone
> --- a/virt-clone
> +++ b/virt-clone
> @@ -185,7 +185,7 @@ def main():
>      logging.debug("start clone with HV " + options.connect)
>  
>      if options.connect is None or options.connect.lower()[0:3] == "xen":
> -        if os.geteuid() != 0:
> +        if not virtinst.util.privileged_user():
>              fail(_("Must be root to clone Xen guests"))
>  
>      conn = cli.getConnection(options.connect)
> diff --git a/virtinst/DistroManager.py b/virtinst/DistroManager.py
> --- a/virtinst/DistroManager.py
> +++ b/virtinst/DistroManager.py
> @@ -193,7 +193,7 @@ class DistroInstaller(Guest.Installer):
>                                 "or FTP network install source, or an existing "
>                                 "local file/device"))
>  
> -        if os.geteuid() != 0 and val.startswith("nfs:"):
> +        if val.startswith("nfs:") and not util.privileged_user():
>              raise ValueError(_("NFS installations are only supported as root"))
>  
>          self._location = val
> diff --git a/virtinst/Guest.py b/virtinst/Guest.py
> --- a/virtinst/Guest.py
> +++ b/virtinst/Guest.py
> @@ -28,6 +28,7 @@ import urlgrabber.progress as progress
>  import urlgrabber.progress as progress
>  import util
>  import libvirt
> +import platform
>  import __builtin__
>  import CapabilitiesParser
>  import VirtualDevice
> @@ -347,9 +348,11 @@ class Installer(object):
>      os_type = property(get_os_type, set_os_type)
>  
>      def get_scratchdir(self):
> +        if platform.system() == 'SunOS':
> +            return '/var/tmp'
>          if self.type == "xen" and os.path.exists(XEN_SCRATCH):
>              return XEN_SCRATCH
> -        if os.getuid() == 0 and os.path.exists(LIBVIRT_SCRATCH):
> +        if util.privileged_user() and os.path.exists(LIBVIRT_SCRATCH):
>              return LIBVIRT_SCRATCH
>          else:
>              return os.path.expanduser("~/.virtinst/boot")
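Review bot: The new SunOS branch at the top of get_scratchdir returns the shared, world-writable `/var/tmp` for every user, while the other branches return the XEN_SCRATCH / LIBVIRT_SCRATCH constants or a directory under the user's home. What is written into the scratch directory is not visible in this hunk, but if the file names used there are predictable, another local user can pre-create or symlink them; the callers should create files with unique names and owner-only permissions, or this branch should return a per-user subdirectory. At minimum add a comment such as `# SunOS: shared directory, files placed here must be created exclusively (e.g. tempfile.mkstemp)`. The test also uses `platform.system()` while virtinst/util.py in the same patch uses `os.uname()[0]`; a single spelling would be easier to audit.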
> @@ -476,7 +479,7 @@ class Installer(object):
>              fd = os.open(guest.disks[0].path, os.O_RDONLY)
>          except OSError, (err, msg):
>              logging.debug("Failed to open guest disk: %s" % msg)
> -            if err == errno.EACCES and os.geteuid() != 0:
> +            if err == errno.EACCES and not util.privileged_user():
>                  return True # non root might not have access to block devices
>              else:
>                  raise
> diff --git a/virtinst/cli.py b/virtinst/cli.py
> --- a/virtinst/cli.py
> +++ b/virtinst/cli.py
> @@ -118,7 +118,7 @@ def nice_exit():
>  
>  def getConnection(connect):
>      if connect and connect.lower()[0:3] == "xen":
> -        if os.geteuid() != 0:
> +        if not util.privileged_user():
>              fail(_("Must be root to create Xen guests"))
>      if connect is None:
>          fail(_("Could not find usable default libvirt connection."))
> @@ -307,7 +307,7 @@ def digest_networks(conn, macs, bridges,
>      # Create extra networks up to the number of nics requested 
>      if len(macs) < nics:
>          for dummy in range(len(macs),nics):
> -            if os.getuid() == 0:
> +            if util.privileged_user():
>                  net = util.default_network(conn)
>                  networks.append(net[0] + ":" + net[1])
>              else:
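Review bot: The test replaced here was `os.getuid() == 0` (real UID), but `privileged_user()` as added in virtinst/util.py tests `os.geteuid()`, so on non-Solaris hosts this site now keys on the effective UID; the same silent switch happens in get_scratchdir (virtinst/Guest.py) and default_connection (virtinst/util.py). The two values differ whenever the tool runs with an effective UID that is not its real UID, and the commit message does not mention the change. If it is intended, record it in the helper's docstring, e.g. `Note: checks the effective UID; call sites that previously used os.getuid() now do too.` The loop body continues past the end of this hunk.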
> diff --git a/virtinst/util.py b/virtinst/util.py
> --- a/virtinst/util.py
> +++ b/virtinst/util.py
> @@ -93,7 +93,7 @@ def default_connection():
>           os.path.exists("/usr/bin/qemu-kvm") or \
>           os.path.exists("/usr/bin/kvm") or \
>           os.path.exists("/usr/bin/xenner"):
> -        if os.getuid() == 0:
> +        if privileged_user():
>              return "qemu:///system"
>          else:
>              return "qemu:///session"
> @@ -509,6 +509,14 @@ def lookup_pool_by_path(conn, path):
>              return pool
>      return None
>  
> +def privileged_user():
> +    """
> +    Return true if the user is privileged enough.  On Linux, this
> +    equates to being root.  On Solaris, it's more complicated, so we
> +    just assume we're OK.
> +    """
> +    return os.uname()[0] == 'SunOS' or os.geteuid() == 0
> +
>  def _test():
>      import doctest
>      doctest.testmod()
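Review bot: `privileged_user()` returns True for every user on SunOS, so each check this patch routes through it is switched off there rather than replaced by a privilege-set test: the Xen root checks in virt-clone and cli.getConnection, the NFS restriction in DistroManager, and the choice of `qemu:///system` in default_connection. In virtinst/Guest.py the EACCES branch now always re-raises on Solaris, because `not util.privileged_user()` can never be true there. The docstring should say this plainly, e.g. `On SunOS this always returns True; it is not an access check, so the privileged operation itself must fail cleanly when the caller lacks the needed privileges.` A later change could test the process's effective privilege set, which the commit message names as what actually governs access.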
> 


