CommandFilter should allow exec from full path

The current logic prevents from using a full path as argument. We can't just compare basename to basename as it would allow passing bogus paths. We need to make sure that passing a full path will compare to the config's full path. Closes-Bug: #1956606 Change-Id: I76094065de5b37f59a2500fbce7f500ada9915da
2022-01-05 12:36:04 -05:00 · 2022-01-05 12:36:04 -05:00 · 1b1b960d0d
parent 25fcff997b
commit 1b1b960d0d
2 changed files with 13 additions and 1 deletions
--- a/oslo_rootwrap/filters.py
+++ b/oslo_rootwrap/filters.py
@ -74,7 +74,11 @@ class CommandFilter(object):

    def match(self, userargs):
        """Only check that the first argument (command) matches exec_path."""
-        return userargs and os.path.basename(self.exec_path) == userargs[0]
+        if userargs:
+            base_path_matches = os.path.basename(self.exec_path) == userargs[0]
+            exact_path_matches = self.exec_path == userargs[0]
+            return exact_path_matches or base_path_matches
+        return False

    def preexec(self):
        """Setuid in subprocess right before command is invoked."""
--- a/oslo_rootwrap/tests/test_functional.py
+++ b/oslo_rootwrap/tests/test_functional.py
@ -89,6 +89,14 @@ later_install_cmd: CommandFilter, %s, root
        self.assertEqual(expect_out, out)
        self.assertEqual(expect_err, err)

+    def test_run_with_path(self):
+        code, out, err = self.execute(['/bin/echo', 'teststr'])
+        self.assertEqual(0, code)
+
+    def test_run_with_bogus_path(self):
+        code, out, err = self.execute(['/home/bob/bin/echo', 'teststr'])
+        self.assertEqual(cmd.RC_UNAUTHORIZED, code)
+
    def test_run_command_not_found(self):
        code, out, err = self.execute(['unknown_cmd'])
        self.assertEqual(cmd.RC_NOEXECFOUND, code)