# License for the specific language governing permissions and limitations
# under the License.
-from neutron.openstack.common.rootwrap import cmd
+from oslo.rootwrap import cmd
cmd.main()
if os.path.exists(os.path.join(possible_topdir, "neutron", "__init__.py")):
sys.path.insert(0, possible_topdir)
- from neutron.openstack.common.rootwrap import wrapper
+ from oslo.rootwrap import wrapper
# Execute command if it matches any of the loaded filters
filters = wrapper.load_filters(filters_path)
# License for the specific language governing permissions and limitations
# under the License.
-from neutron.openstack.common.rootwrap import cmd
+from oslo.rootwrap import cmd
cmd.main()
if os.path.exists(os.path.join(possible_topdir, "neutron", "__init__.py")):
sys.path.insert(0, possible_topdir)
- from neutron.openstack.common.rootwrap import wrapper
+ from oslo.rootwrap import wrapper
# Execute command if it matches any of the loaded filters
filters = wrapper.load_filters(filters_path)
+++ /dev/null
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright (c) 2011 OpenStack Foundation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+++ /dev/null
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright (c) 2011 OpenStack Foundation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Root wrapper for OpenStack services
-
- Filters which commands a service is allowed to run as another user.
-
- To use this with neutron, you should set the following in
- neutron.conf:
- rootwrap_config=/etc/neutron/rootwrap.conf
-
- You also need to let the neutron user run neutron-rootwrap
- as root in sudoers:
- neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap
- /etc/neutron/rootwrap.conf *
-
- Service packaging should deploy .filters files only on nodes where
- they are needed, to avoid allowing more than is necessary.
-"""
-
-from __future__ import print_function
-
-import ConfigParser
-import logging
-import os
-import pwd
-import signal
-import subprocess
-import sys
-
-
-RC_UNAUTHORIZED = 99
-RC_NOCOMMAND = 98
-RC_BADCONFIG = 97
-RC_NOEXECFOUND = 96
-
-
-def _subprocess_setup():
- # Python installs a SIGPIPE handler by default. This is usually not what
- # non-Python subprocesses expect.
- signal.signal(signal.SIGPIPE, signal.SIG_DFL)
-
-
-def _exit_error(execname, message, errorcode, log=True):
- print("%s: %s" % (execname, message), file=sys.stderr)
- if log:
- logging.error(message)
- sys.exit(errorcode)
-
-
-def _getlogin():
- try:
- return os.getlogin()
- except OSError:
- return (os.getenv('USER') or
- os.getenv('USERNAME') or
- os.getenv('LOGNAME'))
-
-
-def main():
- # Split arguments, require at least a command
- execname = sys.argv.pop(0)
- if len(sys.argv) < 2:
- _exit_error(execname, "No command specified", RC_NOCOMMAND, log=False)
-
- configfile = sys.argv.pop(0)
- userargs = sys.argv[:]
-
- # Add ../ to sys.path to allow running from branch
- possible_topdir = os.path.normpath(os.path.join(os.path.abspath(execname),
- os.pardir, os.pardir))
- if os.path.exists(os.path.join(possible_topdir, "neutron", "__init__.py")):
- sys.path.insert(0, possible_topdir)
-
- from neutron.openstack.common.rootwrap import wrapper
-
- # Load configuration
- try:
- rawconfig = ConfigParser.RawConfigParser()
- rawconfig.read(configfile)
- config = wrapper.RootwrapConfig(rawconfig)
- except ValueError as exc:
- msg = "Incorrect value in %s: %s" % (configfile, exc.message)
- _exit_error(execname, msg, RC_BADCONFIG, log=False)
- except ConfigParser.Error:
- _exit_error(execname, "Incorrect configuration file: %s" % configfile,
- RC_BADCONFIG, log=False)
-
- if config.use_syslog:
- wrapper.setup_syslog(execname,
- config.syslog_log_facility,
- config.syslog_log_level)
-
- # Execute command if it matches any of the loaded filters
- filters = wrapper.load_filters(config.filters_path)
- try:
- filtermatch = wrapper.match_filter(filters, userargs,
- exec_dirs=config.exec_dirs)
- if filtermatch:
- command = filtermatch.get_command(userargs,
- exec_dirs=config.exec_dirs)
- if config.use_syslog:
- logging.info("(%s > %s) Executing %s (filter match = %s)" % (
- _getlogin(), pwd.getpwuid(os.getuid())[0],
- command, filtermatch.name))
-
- obj = subprocess.Popen(command,
- stdin=sys.stdin,
- stdout=sys.stdout,
- stderr=sys.stderr,
- preexec_fn=_subprocess_setup,
- env=filtermatch.get_environment(userargs))
- obj.wait()
- sys.exit(obj.returncode)
-
- except wrapper.FilterMatchNotExecutable as exc:
- msg = ("Executable not found: %s (filter match = %s)"
- % (exc.match.exec_path, exc.match.name))
- _exit_error(execname, msg, RC_NOEXECFOUND, log=config.use_syslog)
-
- except wrapper.NoFilterMatched:
- msg = ("Unauthorized command: %s (no filter matched)"
- % ' '.join(userargs))
- _exit_error(execname, msg, RC_UNAUTHORIZED, log=config.use_syslog)
+++ /dev/null
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright (c) 2011 OpenStack Foundation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import os
-import re
-
-
-class CommandFilter(object):
- """Command filter only checking that the 1st argument matches exec_path."""
-
- def __init__(self, exec_path, run_as, *args):
- self.name = ''
- self.exec_path = exec_path
- self.run_as = run_as
- self.args = args
- self.real_exec = None
-
- def get_exec(self, exec_dirs=[]):
- """Returns existing executable, or empty string if none found."""
- if self.real_exec is not None:
- return self.real_exec
- self.real_exec = ""
- if os.path.isabs(self.exec_path):
- if os.access(self.exec_path, os.X_OK):
- self.real_exec = self.exec_path
- else:
- for binary_path in exec_dirs:
- expanded_path = os.path.join(binary_path, self.exec_path)
- if os.access(expanded_path, os.X_OK):
- self.real_exec = expanded_path
- break
- return self.real_exec
-
- def match(self, userargs):
- """Only check that the first argument (command) matches exec_path."""
- return userargs and os.path.basename(self.exec_path) == userargs[0]
-
- def get_command(self, userargs, exec_dirs=[]):
- """Returns command to execute (with sudo -u if run_as != root)."""
- to_exec = self.get_exec(exec_dirs=exec_dirs) or self.exec_path
- if (self.run_as != 'root'):
- # Used to run commands at lesser privileges
- return ['sudo', '-u', self.run_as, to_exec] + userargs[1:]
- return [to_exec] + userargs[1:]
-
- def get_environment(self, userargs):
- """Returns specific environment to set, None if none."""
- return None
-
-
-class RegExpFilter(CommandFilter):
- """Command filter doing regexp matching for every argument."""
-
- def match(self, userargs):
- # Early skip if command or number of args don't match
- if (not userargs or len(self.args) != len(userargs)):
- # DENY: argument numbers don't match
- return False
- # Compare each arg (anchoring pattern explicitly at end of string)
- for (pattern, arg) in zip(self.args, userargs):
- try:
- if not re.match(pattern + '$', arg):
- break
- except re.error:
- # DENY: Badly-formed filter
- return False
- else:
- # ALLOW: All arguments matched
- return True
-
- # DENY: Some arguments did not match
- return False
-
-
-class PathFilter(CommandFilter):
- """Command filter checking that path arguments are within given dirs
-
- One can specify the following constraints for command arguments:
- 1) pass - pass an argument as is to the resulting command
- 2) some_str - check if an argument is equal to the given string
- 3) abs path - check if a path argument is within the given base dir
-
- A typical rootwrapper filter entry looks like this:
- # cmdname: filter name, raw command, user, arg_i_constraint [, ...]
- chown: PathFilter, /bin/chown, root, nova, /var/lib/images
-
- """
-
- def match(self, userargs):
- if not userargs or len(userargs) < 2:
- return False
-
- command, arguments = userargs[0], userargs[1:]
-
- equal_args_num = len(self.args) == len(arguments)
- exec_is_valid = super(PathFilter, self).match(userargs)
- args_equal_or_pass = all(
- arg == 'pass' or arg == value
- for arg, value in zip(self.args, arguments)
- if not os.path.isabs(arg) # arguments not specifying abs paths
- )
- paths_are_within_base_dirs = all(
- os.path.commonprefix([arg, os.path.realpath(value)]) == arg
- for arg, value in zip(self.args, arguments)
- if os.path.isabs(arg) # arguments specifying abs paths
- )
-
- return (equal_args_num and
- exec_is_valid and
- args_equal_or_pass and
- paths_are_within_base_dirs)
-
- def get_command(self, userargs, exec_dirs=[]):
- command, arguments = userargs[0], userargs[1:]
-
- # convert path values to canonical ones; copy other args as is
- args = [os.path.realpath(value) if os.path.isabs(arg) else value
- for arg, value in zip(self.args, arguments)]
-
- return super(PathFilter, self).get_command([command] + args,
- exec_dirs)
-
-
-class KillFilter(CommandFilter):
- """Specific filter for the kill calls.
-
- 1st argument is the user to run /bin/kill under
- 2nd argument is the location of the affected executable
- if the argument is not absolute, it is checked against $PATH
- Subsequent arguments list the accepted signals (if any)
-
- This filter relies on /proc to accurately determine affected
- executable, so it will only work on procfs-capable systems (not OSX).
- """
-
- def __init__(self, *args):
- super(KillFilter, self).__init__("/bin/kill", *args)
-
- def match(self, userargs):
- if not userargs or userargs[0] != "kill":
- return False
- args = list(userargs)
- if len(args) == 3:
- # A specific signal is requested
- signal = args.pop(1)
- if signal not in self.args[1:]:
- # Requested signal not in accepted list
- return False
- else:
- if len(args) != 2:
- # Incorrect number of arguments
- return False
- if len(self.args) > 1:
- # No signal requested, but filter requires specific signal
- return False
- try:
- command = os.readlink("/proc/%d/exe" % int(args[1]))
- except (ValueError, OSError):
- # Incorrect PID
- return False
-
- # NOTE(yufang521247): /proc/PID/exe may have '\0' on the
- # end, because python doen't stop at '\0' when read the
- # target path.
- command = command.partition('\0')[0]
-
- # NOTE(dprince): /proc/PID/exe may have ' (deleted)' on
- # the end if an executable is updated or deleted
- if command.endswith(" (deleted)"):
- command = command[:-len(" (deleted)")]
-
- kill_command = self.args[0]
-
- if os.path.isabs(kill_command):
- return kill_command == command
-
- return (os.path.isabs(command) and
- kill_command == os.path.basename(command) and
- os.path.dirname(command) in os.environ.get('PATH', ''
- ).split(':'))
-
-
-class ReadFileFilter(CommandFilter):
- """Specific filter for the utils.read_file_as_root call."""
-
- def __init__(self, file_path, *args):
- self.file_path = file_path
- super(ReadFileFilter, self).__init__("/bin/cat", "root", *args)
-
- def match(self, userargs):
- return (userargs == ['cat', self.file_path])
-
-
-class IpFilter(CommandFilter):
- """Specific filter for the ip utility to that does not match exec."""
-
- def match(self, userargs):
- if userargs[0] == 'ip':
- if userargs[1] == 'netns':
- return (userargs[2] in ('list', 'add', 'delete'))
- else:
- return True
-
-
-class EnvFilter(CommandFilter):
- """Specific filter for the env utility.
-
- Behaves like CommandFilter, except that it handles
- leading env A=B.. strings appropriately.
- """
-
- def _extract_env(self, arglist):
- """Extract all leading NAME=VALUE arguments from arglist."""
-
- envs = set()
- for arg in arglist:
- if '=' not in arg:
- break
- envs.add(arg.partition('=')[0])
- return envs
-
- def __init__(self, exec_path, run_as, *args):
- super(EnvFilter, self).__init__(exec_path, run_as, *args)
-
- env_list = self._extract_env(self.args)
- # Set exec_path to X when args are in the form of
- # env A=a B=b C=c X Y Z
- if "env" in exec_path and len(env_list) < len(self.args):
- self.exec_path = self.args[len(env_list)]
-
- def match(self, userargs):
- # ignore leading 'env'
- if userargs[0] == 'env':
- userargs.pop(0)
-
- # require one additional argument after configured ones
- if len(userargs) < len(self.args):
- return False
-
- # extract all env args
- user_envs = self._extract_env(userargs)
- filter_envs = self._extract_env(self.args)
- user_command = userargs[len(user_envs):len(user_envs) + 1]
-
- # match first non-env argument with CommandFilter
- return (super(EnvFilter, self).match(user_command)
- and len(filter_envs) and user_envs == filter_envs)
-
- def exec_args(self, userargs):
- args = userargs[:]
-
- # ignore leading 'env'
- if args[0] == 'env':
- args.pop(0)
-
- # Throw away leading NAME=VALUE arguments
- while args and '=' in args[0]:
- args.pop(0)
-
- return args
-
- def get_command(self, userargs, exec_dirs=[]):
- to_exec = self.get_exec(exec_dirs=exec_dirs) or self.exec_path
- return [to_exec] + self.exec_args(userargs)[1:]
-
- def get_environment(self, userargs):
- env = os.environ.copy()
-
- # ignore leading 'env'
- if userargs[0] == 'env':
- userargs.pop(0)
-
- # Handle leading NAME=VALUE pairs
- for a in userargs:
- env_name, equals, env_value = a.partition('=')
- if not equals:
- break
- if env_name and env_value:
- env[env_name] = env_value
-
- return env
-
-
-class ChainingFilter(CommandFilter):
- def exec_args(self, userargs):
- return []
-
-
-class IpNetnsExecFilter(ChainingFilter):
- """Specific filter for the ip utility to that does match exec."""
-
- def match(self, userargs):
- # Network namespaces currently require root
- # require <ns> argument
- if self.run_as != "root" or len(userargs) < 4:
- return False
-
- return (userargs[:3] == ['ip', 'netns', 'exec'])
-
- def exec_args(self, userargs):
- args = userargs[4:]
- if args:
- args[0] = os.path.basename(args[0])
- return args
+++ /dev/null
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright (c) 2011 OpenStack Foundation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-import logging
-import logging.handlers
-import os
-import string
-
-from six import moves
-
-from neutron.openstack.common.rootwrap import filters
-
-
-class NoFilterMatched(Exception):
- """This exception is raised when no filter matched."""
- pass
-
-
-class FilterMatchNotExecutable(Exception):
- """Raised when a filter matched but no executable was found."""
- def __init__(self, match=None, **kwargs):
- self.match = match
-
-
-class RootwrapConfig(object):
-
- def __init__(self, config):
- # filters_path
- self.filters_path = config.get("DEFAULT", "filters_path").split(",")
-
- # exec_dirs
- if config.has_option("DEFAULT", "exec_dirs"):
- self.exec_dirs = config.get("DEFAULT", "exec_dirs").split(",")
- else:
- self.exec_dirs = []
- # Use system PATH if exec_dirs is not specified
- if "PATH" in os.environ:
- self.exec_dirs = os.environ['PATH'].split(':')
-
- # syslog_log_facility
- if config.has_option("DEFAULT", "syslog_log_facility"):
- v = config.get("DEFAULT", "syslog_log_facility")
- facility_names = logging.handlers.SysLogHandler.facility_names
- self.syslog_log_facility = getattr(logging.handlers.SysLogHandler,
- v, None)
- if self.syslog_log_facility is None and v in facility_names:
- self.syslog_log_facility = facility_names.get(v)
- if self.syslog_log_facility is None:
- raise ValueError('Unexpected syslog_log_facility: %s' % v)
- else:
- default_facility = logging.handlers.SysLogHandler.LOG_SYSLOG
- self.syslog_log_facility = default_facility
-
- # syslog_log_level
- if config.has_option("DEFAULT", "syslog_log_level"):
- v = config.get("DEFAULT", "syslog_log_level")
- self.syslog_log_level = logging.getLevelName(v.upper())
- if (self.syslog_log_level == "Level %s" % v.upper()):
- raise ValueError('Unexepected syslog_log_level: %s' % v)
- else:
- self.syslog_log_level = logging.ERROR
-
- # use_syslog
- if config.has_option("DEFAULT", "use_syslog"):
- self.use_syslog = config.getboolean("DEFAULT", "use_syslog")
- else:
- self.use_syslog = False
-
-
-def setup_syslog(execname, facility, level):
- rootwrap_logger = logging.getLogger()
- rootwrap_logger.setLevel(level)
- handler = logging.handlers.SysLogHandler(address='/dev/log',
- facility=facility)
- handler.setFormatter(logging.Formatter(
- os.path.basename(execname) + ': %(message)s'))
- rootwrap_logger.addHandler(handler)
-
-
-def build_filter(class_name, *args):
- """Returns a filter object of class class_name."""
- if not hasattr(filters, class_name):
- logging.warning("Skipping unknown filter class (%s) specified "
- "in filter definitions" % class_name)
- return None
- filterclass = getattr(filters, class_name)
- return filterclass(*args)
-
-
-def load_filters(filters_path):
- """Load filters from a list of directories."""
- filterlist = []
- for filterdir in filters_path:
- if not os.path.isdir(filterdir):
- continue
- for filterfile in filter(lambda f: not f.startswith('.'),
- os.listdir(filterdir)):
- filterconfig = moves.configparser.RawConfigParser()
- filterconfig.read(os.path.join(filterdir, filterfile))
- for (name, value) in filterconfig.items("Filters"):
- filterdefinition = [string.strip(s) for s in value.split(',')]
- newfilter = build_filter(*filterdefinition)
- if newfilter is None:
- continue
- newfilter.name = name
- filterlist.append(newfilter)
- return filterlist
-
-
-def match_filter(filter_list, userargs, exec_dirs=[]):
- """Checks user command and arguments through command filters.
-
- Returns the first matching filter.
-
- Raises NoFilterMatched if no filter matched.
- Raises FilterMatchNotExecutable if no executable was found for the
- best filter match.
- """
- first_not_executable_filter = None
-
- for f in filter_list:
- if f.match(userargs):
- if isinstance(f, filters.ChainingFilter):
- # This command calls exec verify that remaining args
- # matches another filter.
- def non_chain_filter(fltr):
- return (fltr.run_as == f.run_as
- and not isinstance(fltr, filters.ChainingFilter))
-
- leaf_filters = [fltr for fltr in filter_list
- if non_chain_filter(fltr)]
- args = f.exec_args(userargs)
- if (not args or not match_filter(leaf_filters,
- args, exec_dirs=exec_dirs)):
- continue
-
- # Try other filters if executable is absent
- if not f.get_exec(exec_dirs=exec_dirs):
- if not first_not_executable_filter:
- first_not_executable_filter = f
- continue
- # Otherwise return matching filter for execution
- return f
-
- if first_not_executable_filter:
- # A filter matched, but no executable was found for it
- raise FilterMatchNotExecutable(match=first_not_executable_filter)
-
- # No filter matched
- raise NoFilterMatched()
module=rpc
module=service
module=sslutils
-module=rootwrap
module=threadgroup
module=timeutils
module=uuidutils
six>=1.4.1
stevedore>=0.12
oslo.config>=1.2.0
+oslo.rootwrap
python-novaclient>=2.15.0
neutron-ovs-cleanup = neutron.agent.ovs_cleanup_util:main
neutron-ryu-agent = neutron.plugins.ryu.agent.ryu_neutron_agent:main
neutron-server = neutron.server:main
- neutron-rootwrap = neutron.openstack.common.rootwrap.cmd:main
+ neutron-rootwrap = oslo.rootwrap.cmd:main
neutron-usage-audit = neutron.cmd.usage_audit:main
quantum-check-nvp-config = neutron.plugins.nicira.check_nsx_config:main
quantum-db-manage = neutron.db.migration.cli:main
quantum-ovs-cleanup = neutron.agent.ovs_cleanup_util:main
quantum-ryu-agent = neutron.plugins.ryu.agent.ryu_neutron_agent:main
quantum-server = neutron.server:main
- quantum-rootwrap = neutron.openstack.common.rootwrap.cmd:main
+ quantum-rootwrap = oslo.rootwrap.cmd:main
quantum-usage-audit = neutron.cmd.usage_audit:main
neutron-metering-agent = neutron.services.metering.agents.metering_agent:main
neutron.core_plugins =
Code Review / openstack-build / neutron-build.git / commitdiff