# HG changeset patch
# User john.levon@xxxxxxx
# Date 1228271172 28800
# Node ID 2771f870b247df02b16a4d79cdf549a1ad0132aa
# Parent a4538c6c2d6690526d80c011b46b4700c23a9ffd
Least privilege support
On Solaris, which users can run virt-install depends on their effective privilege set, not their effective UID.
Signed-off-by: John Levon <john.levon@xxxxxxx>
diff --git a/virt-clone b/virt-clone
--- a/virt-clone
+++ b/virt-clone
@@ -185,7 +185,7 @@ def main():
 logging.debug("start clone with HV " + options.connect)
 if options.connect is None or options.connect.lower()[0:3] == "xen":
- if os.geteuid() != 0:
+ if not virtinst.util.privileged_user():
 fail(_("Must be root to clone Xen guests"))
 conn = cli.getConnection(options.connect)
diff --git a/virtinst/DistroManager.py b/virtinst/DistroManager.py
--- a/virtinst/DistroManager.py
+++ b/virtinst/DistroManager.py
@@ -193,7 +193,7 @@ class DistroInstaller(Guest.Installer):
 "or FTP network install source, or an existing "
 "local file/device"))
- if os.geteuid() != 0 and val.startswith("nfs:"):
+ if val.startswith("nfs:") and not util.privileged_user():
 raise ValueError(_("NFS installations are only supported as root"))
 self._location = val
diff --git a/virtinst/Guest.py b/virtinst/Guest.py
--- a/virtinst/Guest.py
+++ b/virtinst/Guest.py
@@ -28,6 +28,7 @@ import urlgrabber.progress as progress
 import urlgrabber.progress as progress
 import util
 import libvirt
+import platform
 import __builtin__
 import CapabilitiesParser
 import VirtualDevice
@@ -347,9 +348,11 @@ class Installer(object):
 os_type = property(get_os_type, set_os_type)
 def get_scratchdir(self):
+ if platform.system() == 'SunOS':
+ return '/var/tmp'
 if self.type == "xen" and os.path.exists(XEN_SCRATCH):
 return XEN_SCRATCH
- if os.getuid() == 0 and os.path.exists(LIBVIRT_SCRATCH):
+ if util.privileged_user() and os.path.exists(LIBVIRT_SCRATCH):
 return LIBVIRT_SCRATCH
 else:
 return os.path.expanduser("~/.virtinst/boot")
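Review bot: The new SunOS branch at the top of `get_scratchdir()` in virtinst/Guest.py returns the shared, world-writable `/var/tmp` for every caller, whereas the other branches return a dedicated scratch directory or one under the user's home. Whether the files later placed there are created with unpredictable names and exclusive-create semantics is not visible in this hunk; if they are not, another local user could pre-create or symlink a path that a privileged run then writes its boot images to. I would return a private subdirectory instead (created with mode 0700 and checked for ownership before use), or at least add a comment such as `# shared directory: callers must create files with tempfile.mkstemp(dir=...)`. The early return also means `XEN_SCRATCH` and `LIBVIRT_SCRATCH` are never consulted on Solaris, which deserves a comment if it is intended.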
@@ -476,7 +479,7 @@ class Installer(object):
 fd = os.open(guest.disks[0].path, os.O_RDONLY)
 except OSError, (err, msg):
 logging.debug("Failed to open guest disk: %s" % msg)
- if err == errno.EACCES and os.geteuid() != 0:
+ if err == errno.EACCES and not util.privileged_user():
 return True # non root might not have access to block devices
 else:
 raise
diff --git a/virtinst/cli.py b/virtinst/cli.py
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -118,7 +118,7 @@ def nice_exit():
 def getConnection(connect):
 if connect and connect.lower()[0:3] == "xen":
- if os.geteuid() != 0:
+ if not util.privileged_user():
 fail(_("Must be root to create Xen guests"))
 if connect is None:
 fail(_("Could not find usable default libvirt connection."))
@@ -307,7 +307,7 @@ def digest_networks(conn, macs, bridges,
 # Create extra networks up to the number of nics requested
 if len(macs) < nics:
 for dummy in range(len(macs),nics):
- if os.getuid() == 0:
+ if util.privileged_user():
 net = util.default_network(conn)
 networks.append(net[0] + ":" + net[1])
 else:
diff --git a/virtinst/util.py b/virtinst/util.py
--- a/virtinst/util.py
+++ b/virtinst/util.py
@@ -93,7 +93,7 @@ def default_connection():
 os.path.exists("/usr/bin/qemu-kvm") or \
 os.path.exists("/usr/bin/kvm") or \
 os.path.exists("/usr/bin/xenner"):
- if os.getuid() == 0:
+ if privileged_user():
 return "qemu:///system"
 else:
 return "qemu:///session"
@@ -509,6 +509,14 @@ def lookup_pool_by_path(conn, path):
 return pool
 return None
+def privileged_user():
+ """
+ Return true if the user is privileged enough. On Linux, this
+ equates to being root. On Solaris, it's more complicated, so we
+ just assume we're OK.
+ """
+ return os.uname()[0] == 'SunOS' or os.geteuid() == 0
+
 def _test():
 import doctest
 doctest.testmod()
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
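Review bot: On SunOS the condition `err == errno.EACCES and not util.privileged_user()` in the virtinst/Guest.py `@@ -476,7 +479,7 @@` hunk can no longer be true, because `privileged_user()` as added in virtinst/util.py returns True there for every user. A Solaris user who lacks read access to the block device therefore reaches the `raise` instead of the tolerant `return True` that the trailing comment describes. If that tolerance should survive on Solaris, test the error alone there, e.g. `if err == errno.EACCES and (platform.system() == 'SunOS' or os.geteuid() != 0):`; otherwise update the comment to say the exception is now expected. The enclosing method starts before the hunk.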
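Review bot: The test replaced in `digest_networks()` (virtinst/cli.py) was `os.getuid() == 0`, the real UID, but `privileged_user()` checks `os.geteuid()`, so this call site changes meaning on Linux as well as on Solaris; the same applies to `default_connection()` in virtinst/util.py and to `get_scratchdir()` in virtinst/Guest.py. The two values differ only when the tool runs with a raised effective UID, and in that case the new code selects the default system network, `qemu:///system` and `LIBVIRT_SCRATCH` where the old code did not. If that is intended the commit message should say so; if not, keep the real-UID test at these three sites. The loop body continues outside the hunk.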
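Review bot: `privileged_user()` in virtinst/util.py returns True for every caller on SunOS, so each check converted by this patch is switched off there rather than tied to the effective privilege set the commit message refers to. The `fail(_("Must be root ..."))` messages and the NFS `ValueError` can then never fire on Solaris, and a user without the needed privileges only learns of it from a later libvirt or OS error. The docstring should state that the result is advisory and that enforcement is left to libvirt and the operating system, for example `On Solaris this always returns True; access is enforced by libvirt and the OS, not here.` The platform test is also spelled `os.uname()[0]` here and `platform.system()` in Guest.py; a single spelling would be easier to audit.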