From 4544448c8301542eb8c227075f4ec4808f1afcc8 Mon Sep 17 00:00:00 2001 From: Corey Bryant Date: Fri, 14 Jul 2017 00:50:43 +0000 Subject: [PATCH] Drop unreachable/unnecessary code Drop code that is no longer used or no longer required since the move back to strictly confined snaps. * Everything is run as root in strict snaps so there's no need to drop privileges, no need to chown dirs/templates to anything but root, and the default dir/file modes should suffice. * copyfiles: we wanted to move away from this and finally did, so so it's no longer used. * rchown and rchmod: these are no longer used. chmod is still used by nova-hypervisor, so let's keep it. I'm not sure that we still need chown, but I've left that in case we happen to. Change-Id: I45be76121b73f0c354a9bcc4014af534455cb533 --- snap_openstack/base.py | 54 ++------------------- snap_openstack/tests/test_snap_openstack.py | 1 - snap_openstack/utils.py | 54 --------------------- 3 files changed, 3 insertions(+), 106 deletions(-) diff --git a/snap_openstack/base.py b/snap_openstack/base.py index 6d8a295..f840035 100644 --- a/snap_openstack/base.py +++ b/snap_openstack/base.py @@ -16,7 +16,6 @@ import logging import os -import shutil import yaml from oslo_concurrency import lockutils @@ -41,7 +40,6 @@ DEFAULT_UWSGI_ARGS = ["--master", DEFAULT_NGINX_ARGS = ["-g", "daemon on; master_process on;"] -DEFAULT_OWNER = "root:root" DEFAULT_DIR_MODE = 0o750 DEFAULT_FILE_MODE = 0o640 
@@ -155,49 +153,13 @@ class OpenStackSnap(object): with lockutils.lock('setup.lock', external=True, lock_path=lock_file): - if 'users' in setup.keys(): - for user, groups in setup['users'].items(): - home = os.path.join( - "{snap_common}".format(**utils.snap_env), - "lib", user - ) - utils.add_user(user, groups, home) - - default_owner = setup.get('default-owner', DEFAULT_OWNER) - default_user, default_group = default_owner.split(':') - default_dir_mode = setup.get('default-dir-mode', - DEFAULT_DIR_MODE) - default_file_mode = setup.get('default-file-mode', - DEFAULT_FILE_MODE) for directory in setup.get('dirs', []): dir_name = directory.format(**utils.snap_env) - utils.ensure_dir(dir_name, perms=default_dir_mode) - utils.rchmod(dir_name, default_dir_mode, default_file_mode) - utils.rchown(dir_name, default_user, default_group) - - if 'copyfiles' in setup.keys(): - for source, target in setup['copyfiles'].items(): - source_dir = source.format(**utils.snap_env) - dest_dir = target.format(**utils.snap_env) - for source_name in os.listdir(source_dir): - s_file = os.path.join(source_dir, source_name) - d_file = os.path.join(dest_dir, source_name) - if not os.path.isfile(s_file): - continue - LOG.debug('Copying file {} to {}'.format(s_file, - d_file)) - shutil.copy2(s_file, d_file) - utils.chmod(d_file, default_file_mode) - utils.chown(d_file, default_user, default_group) + utils.ensure_dir(dir_name, perms=DEFAULT_DIR_MODE) _render_templates(setup.get('templates', []), utils.snap_env, - default_file_mode, default_user, default_group) - - for target in setup.get('rchown', []): - target_path = target.format(**utils.snap_env) - user, group = setup['rchown'][target].split(':') - utils.rchown(target_path, user, group) + DEFAULT_FILE_MODE, 'root', 'root') for target in setup.get('chmod', []): target_path = target.format(**utils.snap_env) 
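Review bot: The `users`, `default-owner`, `default-dir-mode`, `default-file-mode`, `copyfiles` and `rchown` keys of the `setup` section are now ignored without any message, so a snap configuration that relied on them to tighten modes or ownership falls back to `DEFAULT_DIR_MODE`/`DEFAULT_FILE_MODE` and `root:root` unnoticed; the `_render_templates` call in the `@@ -308,13 +269,8 @@` hunk of `execute` has the same effect for `default-owner` and `default-file-mode`. I would log the dropped keys before the `dirs` loop, for example `for key in set(setup) & DROPPED_SETUP_KEYS: LOG.warning('Ignoring unsupported setup key {}'.format(key))`, with `DROPPED_SETUP_KEYS` being a new module-level set naming them. With `utils.rchmod`/`utils.rchown` removed, the mode now reaches a directory only through `utils.ensure_dir`, which judging by the `os.makedirs(dir_name, perms)` context in utils.py probably acts only when it creates the directory, so a directory left by an earlier revision would keep its previous mode and owner; worth confirming that is acceptable on refresh. The enclosing method starts and ends outside the hunk.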
@@ -218,7 +180,6 @@ class OpenStackSnap(object): def execute(self, argv): '''Execute snap command building out configuration and log options''' utils = SnapUtils() - setup = self.configuration['setup'] entry_point = self.configuration['entry_points'].get(argv[1]) if not entry_point: @@ -308,13 +269,8 @@ class OpenStackSnap(object): snap_env['pyargv'] = ' '.join(pyargv) LOG.debug('Setting pyargv to: {}'.format(' '.join(pyargv))) - default_owner = setup.get('default-owner', DEFAULT_OWNER) - default_user, default_group = default_owner.split(':') - default_file_mode = setup.get('default-file-mode', - DEFAULT_FILE_MODE) - _render_templates(entry_point.get('templates', []), snap_env, - default_file_mode, default_user, default_group) + DEFAULT_FILE_MODE, 'root', 'root') elif cmd_type == NGINX_EP_TYPE: cmd = ["{snap}/usr/sbin/nginx".format(**utils.snap_env)] @@ -338,9 +294,5 @@ class OpenStackSnap(object): LOG.debug('Configuration file {} not found' ', skipping'.format(cfile)) - if 'run-as' in entry_point.keys(): - user, groups = list(entry_point['run-as'].items())[0] - utils.drop_privileges(user, groups) - LOG.debug('Executing command {}'.format(' '.join(cmd))) os.execvp(cmd[0], cmd) diff --git a/snap_openstack/tests/test_snap_openstack.py b/snap_openstack/tests/test_snap_openstack.py index d79d09f..8452cd7 100644 --- a/snap_openstack/tests/test_snap_openstack.py +++ b/snap_openstack/tests/test_snap_openstack.py @@ -63,7 +63,6 @@ class TestOpenStackSnapExecute(test_base.TestCase): def mock_snap_utils(self, mock_utils): snap_utils = mock_utils.return_value snap_utils.snap_env = MOCK_SNAP_ENV - snap_utils.drop_privileges.return_value = None @patch.object(base, 'SnapFileRenderer') @patch('snap_openstack.base.SnapUtils') diff --git a/snap_openstack/utils.py b/snap_openstack/utils.py index 8a0544e..c770c26 100644 --- a/snap_openstack/utils.py +++ b/snap_openstack/utils.py 
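Review bot: An entry point that still carries `run-as` is now executed as root with no indication, because the last base.py hunk (`@@ -338,9 +294,5 @@`) removes the `drop_privileges` call and nothing replaces the check before `os.execvp(cmd[0], cmd)`. The commit message explains that strict confinement makes the drop unnecessary, but the sandbox is then the only boundary around these services, so a configuration that expects a lower-privileged uid should at least be told; I would add `if 'run-as' in entry_point: LOG.warning('run-as is no longer supported; {} runs as root'.format(argv[1]))` just before the `Executing command` debug line. `execute` starts before this hunk.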
@@ -18,7 +18,6 @@ import grp import logging import os import pwd -import subprocess LOG = logging.getLogger(__name__) @@ -76,30 +75,6 @@ class SnapUtils(object): LOG.info('Creating directory {}'.format(dir_name)) os.makedirs(dir_name, perms) - def add_user(self, user, groups, home): - '''Add user to the system as a member of one ore more groups''' - for group in groups: - try: - grp.getgrnam(group) - except KeyError: - LOG.debug('Adding group {} to system'.format(group)) - cmd = ['addgroup', '--system', group] - subprocess.check_call(cmd) - - try: - pwd.getpwnam(user) - except KeyError: - self.ensure_dir(home) - LOG.debug('Adding user {} to system'.format(user)) - cmd = ['adduser', '--quiet', '--system', '--home', home, - '--no-create-home', '--shell', '/bin/false', user] - subprocess.check_call(cmd) - - for group in groups: - LOG.debug('Adding user {} to group {}'.format(user, group)) - cmd = ['adduser', user, group] - subprocess.check_call(cmd) - def chown(self, path, user, group): '''Change the owner of the specified file''' LOG.debug('Changing owner of {} to {}:{}'.format(path, user, group)) 
@@ -111,32 +86,3 @@ class SnapUtils(object):
 '''Change the file mode bits of the specified file'''
 LOG.debug('Changing file mode of {} to {}'.format(path, oct(mode)))
 os.chmod(path, mode)
-
- def rchown(self, root_dir, user, group):
- '''Recursively change owner starting at the specified directory'''
- self.chown(root_dir, user, group)
- for dirpath, dirnames, filenames in os.walk(root_dir):
- for d in dirnames:
- self.chown(os.path.join(dirpath, d), user, group)
- for f in filenames:
- self.chown(os.path.join(dirpath, f), user, group)
-
- def rchmod(self, root_dir, dir_mode, file_mode):
- '''Recursively change mode bits starting at the specified directory'''
- self.chmod(root_dir, dir_mode)
- for dirpath, dirnames, filenames in os.walk(root_dir):
- for d in dirnames:
- self.chmod(os.path.join(dirpath, d), dir_mode)
- for f in filenames:
- self.chmod(os.path.join(dirpath, f), file_mode)
-
- def drop_privileges(self, user, groups):
- '''Drop privileges to the specified user and group(s)'''
- LOG.debug('Dropping privileges to {}:{}'.format(user, groups))
- uid = pwd.getpwnam(user).pw_uid
- gid = grp.getgrnam(groups[0]).gr_gid
- gids = [grp.getgrnam(g).gr_gid for g in groups]
- os.setgroups([])
- os.setgroups(gids)
- os.setgid(gid)
- os.setuid(uid)