Configurable exec_dirs to find rootwrap commands

Adds support for a configurable set of trusted directories to search executables in (exec_dirs), which defaults to system PATH. If your filter specifies an exec_path that doesn't start with '/', then it will be searched in exec_dirs. Avoids having to write multiple filters to care for distro differences. Fixes bug 1079723. Also returns a specific error rather than try to run absent executables. Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9
2012-11-16 15:50:01 +01:00
parent cbdaf96704
commit 96427353ac
4 changed files with 93 additions and 32 deletions
--- a/bin/nova-rootwrap
+++ b/bin/nova-rootwrap
@@ -42,6 +42,7 @@ import sys
 RC_UNAUTHORIZED = 99
 RC_NOCOMMAND = 98
 RC_BADCONFIG = 97
+RC_NOEXECFOUND = 96


 def _subprocess_setup():
@@ -65,6 +66,11 @@ if __name__ == '__main__':
    config.read(configfile)
    try:
        filters_path = config.get("DEFAULT", "filters_path").split(",")
+        if config.has_option("DEFAULT", "exec_dirs"):
+            exec_dirs = config.get("DEFAULT", "exec_dirs").split(",")
+        else:
+            # Use system PATH if exec_dirs is not specified
+            exec_dirs = os.environ["PATH"].split(':')
    except ConfigParser.Error:
        print "%s: Incorrect configuration file: %s" % (execname, configfile)
        sys.exit(RC_BADCONFIG)
@@ -79,16 +85,24 @@ if __name__ == '__main__':

    # Execute command if it matches any of the loaded filters
    filters = wrapper.load_filters(filters_path)
-    filtermatch = wrapper.match_filter(filters, userargs)
-    if filtermatch:
-        obj = subprocess.Popen(filtermatch.get_command(userargs),
-                               stdin=sys.stdin,
-                               stdout=sys.stdout,
-                               stderr=sys.stderr,
-                               preexec_fn=_subprocess_setup,
-                               env=filtermatch.get_environment(userargs))
-        obj.wait()
-        sys.exit(obj.returncode)
+    try:
+        filtermatch = wrapper.match_filter(filters, userargs,
+                                           exec_dirs=exec_dirs)
+        if filtermatch:
+            obj = subprocess.Popen(filtermatch.get_command(userargs,
+                                                      exec_dirs=exec_dirs),
+                                   stdin=sys.stdin,
+                                   stdout=sys.stdout,
+                                   stderr=sys.stderr,
+                                   preexec_fn=_subprocess_setup,
+                                   env=filtermatch.get_environment(userargs))
+            obj.wait()
+            sys.exit(obj.returncode)

-    print "Unauthorized command: %s" % ' '.join(userargs)
-    sys.exit(RC_UNAUTHORIZED)
+    except wrapper.FilterMatchNotExecutable as exc:
+        print "Executable not found: %s" % exc.match.exec_path
+        sys.exit(RC_NOEXECFOUND)
+
+    except wrapper.NoFilterMatched:
+        print "Unauthorized command: %s" % ' '.join(userargs)
+        sys.exit(RC_UNAUTHORIZED)
--- a/nova/rootwrap/filters.py
+++ b/nova/rootwrap/filters.py
@@ -26,6 +26,23 @@ class CommandFilter(object):
        self.exec_path = exec_path
        self.run_as = run_as
        self.args = args
+        self.real_exec = None
+
+    def get_exec(self, exec_dirs=[]):
+        """Returns existing executable, or empty string if none found"""
+        if self.real_exec is not None:
+            return self.real_exec
+        self.real_exec = ""
+        if self.exec_path.startswith('/'):
+            if os.access(self.exec_path, os.X_OK):
+                self.real_exec = self.exec_path
+        else:
+            for binary_path in exec_dirs:
+                expanded_path = os.path.join(binary_path, self.exec_path)
+                if os.access(expanded_path, os.X_OK):
+                    self.real_exec = expanded_path
+                    break
+        return self.real_exec

    def match(self, userargs):
        """Only check that the first argument (command) matches exec_path"""
@@ -33,12 +50,13 @@ class CommandFilter(object):
            return True
        return False

-    def get_command(self, userargs):
+    def get_command(self, userargs, exec_dirs=[]):
        """Returns command to execute (with sudo -u if run_as != root)."""
+        to_exec = self.get_exec(exec_dirs=exec_dirs) or self.exec_path
        if (self.run_as != 'root'):
            # Used to run commands at lesser privileges
-            return ['sudo', '-u', self.run_as, self.exec_path] + userargs[1:]
-        return [self.exec_path] + userargs[1:]
+            return ['sudo', '-u', self.run_as, to_exec] + userargs[1:]
+        return [to_exec] + userargs[1:]

    def get_environment(self, userargs):
        """Returns specific environment to set, None if none"""
@@ -82,9 +100,10 @@ class DnsmasqFilter(CommandFilter):
            return True
        return False

-    def get_command(self, userargs):
+    def get_command(self, userargs, exec_dirs=[]):
+        to_exec = self.get_exec(exec_dirs=exec_dirs) or self.exec_path
        dnsmasq_pos = userargs.index('dnsmasq')
-        return [self.exec_path] + userargs[dnsmasq_pos + 1:]
+        return [to_exec] + userargs[dnsmasq_pos + 1:]

    def get_environment(self, userargs):
        env = os.environ.copy()
--- a/nova/rootwrap/wrapper.py
+++ b/nova/rootwrap/wrapper.py
@@ -23,6 +23,20 @@ import string
 from nova.rootwrap import filters


+class NoFilterMatched(Exception):
+    """This exception is raised when no filter matched."""
+    pass
+
+
+class FilterMatchNotExecutable(Exception):
+    """
+    This exception is raised when a filter matched but no executable was
+    found.
+    """
+    def __init__(self, match=None, **kwargs):
+        self.match = match
+
+
 def build_filter(class_name, *args):
    """Returns a filter object of class class_name"""
    if not hasattr(filters, class_name):
@@ -50,23 +64,29 @@ def load_filters(filters_path):
    return filterlist


-def match_filter(filters, userargs):
+def match_filter(filters, userargs, exec_dirs=[]):
    """
    Checks user command and arguments through command filters and
-    returns the first matching filter, or None is none matched.
+    returns the first matching filter.
+    Raises NoFilterMatched if no filter matched.
+    Raises FilterMatchNotExecutable if no executable was found for the
+    best filter match.
    """
-
-    found_filter = None
+    first_not_executable_filter = None

    for f in filters:
        if f.match(userargs):
            # Try other filters if executable is absent
-            if not os.access(f.exec_path, os.X_OK):
-                if not found_filter:
-                    found_filter = f
+            if not f.get_exec(exec_dirs=exec_dirs):
+                if not first_not_executable_filter:
+                    first_not_executable_filter = f
                continue
            # Otherwise return matching filter for execution
            return f

-    # No filter matched or first missing executable
-    return found_filter
+    if first_not_executable_filter:
+        # A filter matched, but no executable was found for it
+        raise FilterMatchNotExecutable(match=first_not_executable_filter)
+
+    # No filter matched
+    raise NoFilterMatched()
--- a/nova/tests/test_nova_rootwrap.py
+++ b/nova/tests/test_nova_rootwrap.py
@@ -43,16 +43,16 @@ class RootwrapTestCase(test.TestCase):

    def test_RegExpFilter_reject(self):
        usercmd = ["ls", "root"]
-        filtermatch = wrapper.match_filter(self.filters, usercmd)
-        self.assertTrue(filtermatch is None)
+        self.assertRaises(wrapper.NoFilterMatched,
+            wrapper.match_filter, self.filters, usercmd)

    def test_missing_command(self):
        valid_but_missing = ["foo_bar_not_exist"]
        invalid = ["foo_bar_not_exist_and_not_matched"]
-        filtermatch = wrapper.match_filter(self.filters, valid_but_missing)
-        self.assertTrue(filtermatch is not None)
-        filtermatch = wrapper.match_filter(self.filters, invalid)
-        self.assertTrue(filtermatch is None)
+        self.assertRaises(wrapper.FilterMatchNotExecutable,
+            wrapper.match_filter, self.filters, valid_but_missing)
+        self.assertRaises(wrapper.NoFilterMatched,
+            wrapper.match_filter, self.filters, invalid)

    def _test_DnsmasqFilter(self, filter_class, config_file_arg):
        usercmd = ['env', config_file_arg + '=A', 'NETWORK_ID=foobar',
@@ -136,6 +136,14 @@ class RootwrapTestCase(test.TestCase):
        self.assertEqual(f.get_command(usercmd), ['/bin/cat', goodfn])
        self.assertTrue(f.match(usercmd))

+    def test_exec_dirs_search(self):
+        # This test supposes you have /bin/cat or /usr/bin/cat locally
+        f = filters.CommandFilter("cat", "root")
+        usercmd = ['cat', '/f']
+        self.assertTrue(f.match(usercmd))
+        self.assertTrue(f.get_command(usercmd, exec_dirs=['/bin',
+            '/usr/bin']) in (['/bin/cat', '/f'], ['/usr/bin/cat', '/f']))
+
    def test_skips(self):
        # Check that all filters are skipped and that the last matches
        usercmd = ["cat", "/"]