diff --git a/oslo_rootwrap/filters.py b/oslo_rootwrap/filters.py index bcb03ac..8d7bf0e 100644 --- a/oslo_rootwrap/filters.py +++ b/oslo_rootwrap/filters.py @@ -74,7 +74,11 @@ class CommandFilter(object): def match(self, userargs): """Only check that the first argument (command) matches exec_path.""" - return userargs and os.path.basename(self.exec_path) == userargs[0] + if userargs: + base_path_matches = os.path.basename(self.exec_path) == userargs[0] + exact_path_matches = self.exec_path == userargs[0] + return exact_path_matches or base_path_matches + return False def preexec(self): """Setuid in subprocess right before command is invoked.""" diff --git a/oslo_rootwrap/tests/test_functional.py b/oslo_rootwrap/tests/test_functional.py index 42c33c4..941e069 100644 --- a/oslo_rootwrap/tests/test_functional.py +++ b/oslo_rootwrap/tests/test_functional.py @@ -89,6 +89,14 @@ later_install_cmd: CommandFilter, %s, root self.assertEqual(expect_out, out) self.assertEqual(expect_err, err) + def test_run_with_path(self): + code, out, err = self.execute(['/bin/echo', 'teststr']) + self.assertEqual(0, code) + + def test_run_with_bogus_path(self): + code, out, err = self.execute(['/home/bob/bin/echo', 'teststr']) + self.assertEqual(cmd.RC_UNAUTHORIZED, code) + def test_run_command_not_found(self): code, out, err = self.execute(['unknown_cmd']) self.assertEqual(cmd.RC_NOEXECFOUND, code)