Drop unreachable/unnecessary code
Drop code that is no longer used or no longer required since the move back to strictly confined snaps. * Everything is run as root in strict snaps so there's no need to drop privileges, no need to chown dirs/templates to anything but root, and the default dir/file modes should suffice. * copyfiles: we wanted to move away from this and finally did, so so it's no longer used. * rchown and rchmod: these are no longer used. chmod is still used by nova-hypervisor, so let's keep it. I'm not sure that we still need chown, but I've left that in case we happen to. Change-Id: I45be76121b73f0c354a9bcc4014af534455cb533
This commit is contained in:
Corey Bryant
parent
85ecf808ce
commit
4544448c83
@ -16,7 +16,6 @@
|
||||
|
||||
import logging
|
||||
import os
|
||||
import shutil
|
||||
import yaml
|
||||
|
||||
from oslo_concurrency import lockutils
|
||||
@ -41,7 +40,6 @@ DEFAULT_UWSGI_ARGS = ["--master",
|
||||
DEFAULT_NGINX_ARGS = ["-g",
|
||||
"daemon on; master_process on;"]
|
||||
|
||||
DEFAULT_OWNER = "root:root"
|
||||
DEFAULT_DIR_MODE = 0o750
|
||||
DEFAULT_FILE_MODE = 0o640
|
||||
|
||||
@ -155,49 +153,13 @@ class OpenStackSnap(object):
|
||||
|
||||
with lockutils.lock('setup.lock', external=True,
|
||||
lock_path=lock_file):
|
||||
if 'users' in setup.keys():
|
||||
for user, groups in setup['users'].items():
|
||||
home = os.path.join(
|
||||
"{snap_common}".format(**utils.snap_env),
|
||||
"lib", user
|
||||
)
|
||||
utils.add_user(user, groups, home)
|
||||
|
||||
default_owner = setup.get('default-owner', DEFAULT_OWNER)
|
||||
default_user, default_group = default_owner.split(':')
|
||||
default_dir_mode = setup.get('default-dir-mode',
|
||||
DEFAULT_DIR_MODE)
|
||||
default_file_mode = setup.get('default-file-mode',
|
||||
DEFAULT_FILE_MODE)
|
||||
|
||||
for directory in setup.get('dirs', []):
|
||||
dir_name = directory.format(**utils.snap_env)
|
||||
utils.ensure_dir(dir_name, perms=default_dir_mode)
|
||||
utils.rchmod(dir_name, default_dir_mode, default_file_mode)
|
||||
utils.rchown(dir_name, default_user, default_group)
|
||||
|
||||
if 'copyfiles' in setup.keys():
|
||||
for source, target in setup['copyfiles'].items():
|
||||
source_dir = source.format(**utils.snap_env)
|
||||
dest_dir = target.format(**utils.snap_env)
|
||||
for source_name in os.listdir(source_dir):
|
||||
s_file = os.path.join(source_dir, source_name)
|
||||
d_file = os.path.join(dest_dir, source_name)
|
||||
if not os.path.isfile(s_file):
|
||||
continue
|
||||
LOG.debug('Copying file {} to {}'.format(s_file,
|
||||
d_file))
|
||||
shutil.copy2(s_file, d_file)
|
||||
utils.chmod(d_file, default_file_mode)
|
||||
utils.chown(d_file, default_user, default_group)
|
||||
utils.ensure_dir(dir_name, perms=DEFAULT_DIR_MODE)
|
||||
|
||||
_render_templates(setup.get('templates', []), utils.snap_env,
|
||||
default_file_mode, default_user, default_group)
|
||||
|
||||
for target in setup.get('rchown', []):
|
||||
target_path = target.format(**utils.snap_env)
|
||||
user, group = setup['rchown'][target].split(':')
|
||||
utils.rchown(target_path, user, group)
|
||||
DEFAULT_FILE_MODE, 'root', 'root')
|
||||
|
||||
for target in setup.get('chmod', []):
|
||||
target_path = target.format(**utils.snap_env)
|
||||
@ -218,7 +180,6 @@ class OpenStackSnap(object):
|
||||
def execute(self, argv):
|
||||
'''Execute snap command building out configuration and log options'''
|
||||
utils = SnapUtils()
|
||||
setup = self.configuration['setup']
|
||||
|
||||
entry_point = self.configuration['entry_points'].get(argv[1])
|
||||
if not entry_point:
|
||||
@ -308,13 +269,8 @@ class OpenStackSnap(object):
|
||||
snap_env['pyargv'] = ' '.join(pyargv)
|
||||
LOG.debug('Setting pyargv to: {}'.format(' '.join(pyargv)))
|
||||
|
||||
default_owner = setup.get('default-owner', DEFAULT_OWNER)
|
||||
default_user, default_group = default_owner.split(':')
|
||||
default_file_mode = setup.get('default-file-mode',
|
||||
DEFAULT_FILE_MODE)
|
||||
|
||||
_render_templates(entry_point.get('templates', []), snap_env,
|
||||
default_file_mode, default_user, default_group)
|
||||
DEFAULT_FILE_MODE, 'root', 'root')
|
||||
|
||||
elif cmd_type == NGINX_EP_TYPE:
|
||||
cmd = ["{snap}/usr/sbin/nginx".format(**utils.snap_env)]
|
||||
@ -338,9 +294,5 @@ class OpenStackSnap(object):
|
||||
LOG.debug('Configuration file {} not found'
|
||||
', skipping'.format(cfile))
|
||||
|
||||
if 'run-as' in entry_point.keys():
|
||||
user, groups = list(entry_point['run-as'].items())[0]
|
||||
utils.drop_privileges(user, groups)
|
||||
|
||||
LOG.debug('Executing command {}'.format(' '.join(cmd)))
|
||||
os.execvp(cmd[0], cmd)
|
||||
|
||||
@ -63,7 +63,6 @@ class TestOpenStackSnapExecute(test_base.TestCase):
|
||||
def mock_snap_utils(self, mock_utils):
|
||||
snap_utils = mock_utils.return_value
|
||||
snap_utils.snap_env = MOCK_SNAP_ENV
|
||||
snap_utils.drop_privileges.return_value = None
|
||||
|
||||
@patch.object(base, 'SnapFileRenderer')
|
||||
@patch('snap_openstack.base.SnapUtils')
|
||||
|
||||
@ -18,7 +18,6 @@ import grp
|
||||
import logging
|
||||
import os
|
||||
import pwd
|
||||
import subprocess
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
@ -76,30 +75,6 @@ class SnapUtils(object):
|
||||
LOG.info('Creating directory {}'.format(dir_name))
|
||||
os.makedirs(dir_name, perms)
|
||||
|
||||
def add_user(self, user, groups, home):
|
||||
'''Add user to the system as a member of one ore more groups'''
|
||||
for group in groups:
|
||||
try:
|
||||
grp.getgrnam(group)
|
||||
except KeyError:
|
||||
LOG.debug('Adding group {} to system'.format(group))
|
||||
cmd = ['addgroup', '--system', group]
|
||||
subprocess.check_call(cmd)
|
||||
|
||||
try:
|
||||
pwd.getpwnam(user)
|
||||
except KeyError:
|
||||
self.ensure_dir(home)
|
||||
LOG.debug('Adding user {} to system'.format(user))
|
||||
cmd = ['adduser', '--quiet', '--system', '--home', home,
|
||||
'--no-create-home', '--shell', '/bin/false', user]
|
||||
subprocess.check_call(cmd)
|
||||
|
||||
for group in groups:
|
||||
LOG.debug('Adding user {} to group {}'.format(user, group))
|
||||
cmd = ['adduser', user, group]
|
||||
subprocess.check_call(cmd)
|
||||
|
||||
def chown(self, path, user, group):
|
||||
'''Change the owner of the specified file'''
|
||||
LOG.debug('Changing owner of {} to {}:{}'.format(path, user, group))
|
||||
@ -111,32 +86,3 @@ class SnapUtils(object):
|
||||
'''Change the file mode bits of the specified file'''
|
||||
LOG.debug('Changing file mode of {} to {}'.format(path, oct(mode)))
|
||||
os.chmod(path, mode)
|
||||
|
||||
def rchown(self, root_dir, user, group):
|
||||
'''Recursively change owner starting at the specified directory'''
|
||||
self.chown(root_dir, user, group)
|
||||
for dirpath, dirnames, filenames in os.walk(root_dir):
|
||||
for d in dirnames:
|
||||
self.chown(os.path.join(dirpath, d), user, group)
|
||||
for f in filenames:
|
||||
self.chown(os.path.join(dirpath, f), user, group)
|
||||
|
||||
def rchmod(self, root_dir, dir_mode, file_mode):
|
||||
'''Recursively change mode bits starting at the specified directory'''
|
||||
self.chmod(root_dir, dir_mode)
|
||||
for dirpath, dirnames, filenames in os.walk(root_dir):
|
||||
for d in dirnames:
|
||||
self.chmod(os.path.join(dirpath, d), dir_mode)
|
||||
for f in filenames:
|
||||
self.chmod(os.path.join(dirpath, f), file_mode)
|
||||
|
||||
def drop_privileges(self, user, groups):
|
||||
'''Drop privileges to the specified user and group(s)'''
|
||||
LOG.debug('Dropping privileges to {}:{}'.format(user, groups))
|
||||
uid = pwd.getpwnam(user).pw_uid
|
||||
gid = grp.getgrnam(groups[0]).gr_gid
|
||||
gids = [grp.getgrnam(g).gr_gid for g in groups]
|
||||
os.setgroups([])
|
||||
os.setgroups(gids)
|
||||
os.setgid(gid)
|
||||
os.setuid(uid)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user