From 0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c Mon Sep 17 00:00:00 2001
From: David Vallee Delisle
Date: Wed, 5 Jan 2022 12:36:04 -0500
Subject: [PATCH] CommandFilter should allow exec from full path
The current logic prevents from using a full path as argument. We can't just compare basename to basename as it would allow passing bogus paths. We need to make sure that passing a full path will compare to the config's full path.
Closes-Bug: #1956606
Change-Id: I76094065de5b37f59a2500fbce7f500ada9915da
---
 oslo_rootwrap/filters.py | 5 ++++-
 oslo_rootwrap/tests/test_functional.py | 8 ++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/oslo_rootwrap/filters.py b/oslo_rootwrap/filters.py
index bcb03ac..0ea2821 100644
--- a/oslo_rootwrap/filters.py
+++ b/oslo_rootwrap/filters.py
@@ -74,7 +74,10 @@ class CommandFilter(object):
 def match(self, userargs):
 """Only check that the first argument (command) matches exec_path."""
- return userargs and os.path.basename(self.exec_path) == userargs[0]
+ if userargs:
+ user_path = os.path.basename(self.exec_path) == userargs[0]
+ exec_path = self.exec_path == userargs[0]
+ return exec_path or user_path
 def preexec(self):
 """Setuid in subprocess right before command is invoked."""
diff --git a/oslo_rootwrap/tests/test_functional.py b/oslo_rootwrap/tests/test_functional.py
index 42c33c4..941e069 100644
--- a/oslo_rootwrap/tests/test_functional.py
+++ b/oslo_rootwrap/tests/test_functional.py
@@ -89,6 +89,14 @@ later_install_cmd: CommandFilter, %s, root
 self.assertEqual(expect_out, out)
 self.assertEqual(expect_err, err)
+ def test_run_with_path(self):
+ code, out, err = self.execute(['/bin/echo', 'teststr'])
+ self.assertEqual(0, code)
+
+ def test_run_with_bogus_path(self):
+ code, out, err = self.execute(['/home/bob/bin/echo', 'teststr'])
+ self.assertEqual(cmd.RC_UNAUTHORIZED, code)
+
 def test_run_command_not_found(self):
 code, out, err = self.execute(['unknown_cmd'])
 self.assertEqual(cmd.RC_NOEXECFOUND, code)
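Review bot: In `oslo_rootwrap/filters.py`, the new body of `CommandFilter.match` leaves the empty-`userargs` result implicit. Indentation is lost on this page, so if `return exec_path or user_path` sits outside the `if` it raises on an empty list, and if it sits inside, the method returns None where it used to return the falsy `userargs`. The two locals are also misleading: both hold booleans, `user_path` is the basename comparison, and `exec_path` is the full-path comparison under a name that mirrors the attribute. I would return False explicitly, compare a single named `command`, update the docstring (it still describes the old single check), and add a comment that the full-path test is deliberately exact string equality with no normalisation, since this filter decides what gets run with elevated privileges. The class starts outside the hunk, and filters that define their own `match` are not visible here, so whether they accept a full path cannot be judged from this page.

```python
    def match(self, userargs):
        """Match the bare command name or exactly the configured exec_path."""
        if not userargs:
            return False
        command = userargs[0]
        # Plain string equality on purpose: a full path is accepted only when
        # it is character-for-character the configured exec_path.
        return (command == self.exec_path
                or command == os.path.basename(self.exec_path))
```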
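Review bot: In `oslo_rootwrap/tests/test_functional.py`, `test_run_with_path` asserts only the exit code and leaves `out` and `err` unused. Comparing `out` with the expected echo output, as the preceding test does with `self.assertEqual(expect_out, out)`, would confirm that the configured binary actually ran. The literal `/bin/echo` presumably has to equal the exec_path in this test's filter configuration, which lies outside the hunk, so I would add a comment such as `# must equal the exec_path configured for echo in the test filters`. A negative case for an empty argument list is also worth adding wherever `match()` is unit-tested, because the new `if userargs:` branch has no coverage in this change.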