diff --git a/designate/openstack/common/rootwrap/__init__.py b/designate/openstack/common/rootwrap/__init__.py deleted file mode 100644 index e69de29bb..000000000 diff --git a/designate/openstack/common/rootwrap/cmd.py b/designate/openstack/common/rootwrap/cmd.py deleted file mode 100644 index 96af2ef5c..000000000 --- a/designate/openstack/common/rootwrap/cmd.py +++ /dev/null @@ -1,136 +0,0 @@ -# Copyright (c) 2011 OpenStack Foundation. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -"""Root wrapper for OpenStack services - - Filters which commands a service is allowed to run as another user. - - To use this with designate, you should set the following in - designate.conf: - rootwrap_config=/etc/designate/rootwrap.conf - - You also need to let the designate user run designate-rootwrap - as root in sudoers: - designate ALL = (root) NOPASSWD: /usr/bin/designate-rootwrap - /etc/designate/rootwrap.conf * - - Service packaging should deploy .filters files only on nodes where - they are needed, to avoid allowing more than is necessary. -""" - -from __future__ import print_function - -import ConfigParser -import logging -import os -import pwd -import signal -import subprocess -import sys - - -RC_UNAUTHORIZED = 99 -RC_NOCOMMAND = 98 -RC_BADCONFIG = 97 -RC_NOEXECFOUND = 96 - - -def _subprocess_setup(): - # Python installs a SIGPIPE handler by default. This is usually not what - # non-Python subprocesses expect. - signal.signal(signal.SIGPIPE, signal.SIG_DFL) - - -def _exit_error(execname, message, errorcode, log=True): - print("%s: %s" % (execname, message), file=sys.stderr) - if log: - logging.error(message) - sys.exit(errorcode) - - -def _getlogin(): - try: - return os.getlogin() - except OSError: - return (os.getenv('USER') or - os.getenv('USERNAME') or - os.getenv('LOGNAME')) - - -def main(): - # Split arguments, require at least a command - execname = sys.argv.pop(0) - if len(sys.argv) < 2: - _exit_error(execname, "No command specified", RC_NOCOMMAND, log=False) - - configfile = sys.argv.pop(0) - userargs = sys.argv[:] - - # Add ../ to sys.path to allow running from branch - possible_topdir = os.path.normpath(os.path.join(os.path.abspath(execname), - os.pardir, os.pardir)) - if os.path.exists(os.path.join(possible_topdir, "designate", "__init__.py")): - sys.path.insert(0, possible_topdir) - - from designate.openstack.common.rootwrap import wrapper - - # Load configuration - try: - rawconfig = ConfigParser.RawConfigParser() - rawconfig.read(configfile) - config = wrapper.RootwrapConfig(rawconfig) - except ValueError as exc: - msg = "Incorrect value in %s: %s" % (configfile, exc.message) - _exit_error(execname, msg, RC_BADCONFIG, log=False) - except ConfigParser.Error: - _exit_error(execname, "Incorrect configuration file: %s" % configfile, - RC_BADCONFIG, log=False) - - if config.use_syslog: - wrapper.setup_syslog(execname, - config.syslog_log_facility, - config.syslog_log_level) - - # Execute command if it matches any of the loaded filters - filters = wrapper.load_filters(config.filters_path) - try: - filtermatch = wrapper.match_filter(filters, userargs, - exec_dirs=config.exec_dirs) - if filtermatch: - command = filtermatch.get_command(userargs, - exec_dirs=config.exec_dirs) - if config.use_syslog: - logging.info("(%s > %s) Executing %s (filter match = %s)" % ( - _getlogin(), pwd.getpwuid(os.getuid())[0], - command, filtermatch.name)) - - obj = subprocess.Popen(command, - stdin=sys.stdin, - stdout=sys.stdout, - stderr=sys.stderr, - preexec_fn=_subprocess_setup, - env=filtermatch.get_environment(userargs)) - obj.wait() - sys.exit(obj.returncode) - - except wrapper.FilterMatchNotExecutable as exc: - msg = ("Executable not found: %s (filter match = %s)" - % (exc.match.exec_path, exc.match.name)) - _exit_error(execname, msg, RC_NOEXECFOUND, log=config.use_syslog) - - except wrapper.NoFilterMatched: - msg = ("Unauthorized command: %s (no filter matched)" - % ' '.join(userargs)) - _exit_error(execname, msg, RC_UNAUTHORIZED, log=config.use_syslog) diff --git a/designate/openstack/common/rootwrap/filters.py b/designate/openstack/common/rootwrap/filters.py deleted file mode 100644 index ec8b6dd94..000000000 --- a/designate/openstack/common/rootwrap/filters.py +++ /dev/null @@ -1,316 +0,0 @@ -# Copyright (c) 2011 OpenStack Foundation. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import os -import re - - -class CommandFilter(object): - """Command filter only checking that the 1st argument matches exec_path.""" - - def __init__(self, exec_path, run_as, *args): - self.name = '' - self.exec_path = exec_path - self.run_as = run_as - self.args = args - self.real_exec = None - - def get_exec(self, exec_dirs=[]): - """Returns existing executable, or empty string if none found.""" - if self.real_exec is not None: - return self.real_exec - self.real_exec = "" - if os.path.isabs(self.exec_path): - if os.access(self.exec_path, os.X_OK): - self.real_exec = self.exec_path - else: - for binary_path in exec_dirs: - expanded_path = os.path.join(binary_path, self.exec_path) - if os.access(expanded_path, os.X_OK): - self.real_exec = expanded_path - break - return self.real_exec - - def match(self, userargs): - """Only check that the first argument (command) matches exec_path.""" - return userargs and os.path.basename(self.exec_path) == userargs[0] - - def get_command(self, userargs, exec_dirs=[]): - """Returns command to execute (with sudo -u if run_as != root).""" - to_exec = self.get_exec(exec_dirs=exec_dirs) or self.exec_path - if (self.run_as != 'root'): - # Used to run commands at lesser privileges - return ['sudo', '-u', self.run_as, to_exec] + userargs[1:] - return [to_exec] + userargs[1:] - - def get_environment(self, userargs): - """Returns specific environment to set, None if none.""" - return None - - -class RegExpFilter(CommandFilter): - """Command filter doing regexp matching for every argument.""" - - def match(self, userargs): - # Early skip if command or number of args don't match - if (not userargs or len(self.args) != len(userargs)): - # DENY: argument numbers don't match - return False - # Compare each arg (anchoring pattern explicitly at end of string) - for (pattern, arg) in zip(self.args, userargs): - try: - if not re.match(pattern + '$', arg): - break - except re.error: - # DENY: Badly-formed filter - return False - else: - # ALLOW: All arguments matched - return True - - # DENY: Some arguments did not match - return False - - -class PathFilter(CommandFilter): - """Command filter checking that path arguments are within given dirs - - One can specify the following constraints for command arguments: - 1) pass - pass an argument as is to the resulting command - 2) some_str - check if an argument is equal to the given string - 3) abs path - check if a path argument is within the given base dir - - A typical rootwrapper filter entry looks like this: - # cmdname: filter name, raw command, user, arg_i_constraint [, ...] - chown: PathFilter, /bin/chown, root, nova, /var/lib/images - - """ - - def match(self, userargs): - if not userargs or len(userargs) < 2: - return False - - command, arguments = userargs[0], userargs[1:] - - equal_args_num = len(self.args) == len(arguments) - exec_is_valid = super(PathFilter, self).match(userargs) - args_equal_or_pass = all( - arg == 'pass' or arg == value - for arg, value in zip(self.args, arguments) - if not os.path.isabs(arg) # arguments not specifying abs paths - ) - paths_are_within_base_dirs = all( - os.path.commonprefix([arg, os.path.realpath(value)]) == arg - for arg, value in zip(self.args, arguments) - if os.path.isabs(arg) # arguments specifying abs paths - ) - - return (equal_args_num and - exec_is_valid and - args_equal_or_pass and - paths_are_within_base_dirs) - - def get_command(self, userargs, exec_dirs=[]): - command, arguments = userargs[0], userargs[1:] - - # convert path values to canonical ones; copy other args as is - args = [os.path.realpath(value) if os.path.isabs(arg) else value - for arg, value in zip(self.args, arguments)] - - return super(PathFilter, self).get_command([command] + args, - exec_dirs) - - -class KillFilter(CommandFilter): - """Specific filter for the kill calls. - - 1st argument is the user to run /bin/kill under - 2nd argument is the location of the affected executable - if the argument is not absolute, it is checked against $PATH - Subsequent arguments list the accepted signals (if any) - - This filter relies on /proc to accurately determine affected - executable, so it will only work on procfs-capable systems (not OSX). - """ - - def __init__(self, *args): - super(KillFilter, self).__init__("/bin/kill", *args) - - def match(self, userargs): - if not userargs or userargs[0] != "kill": - return False - args = list(userargs) - if len(args) == 3: - # A specific signal is requested - signal = args.pop(1) - if signal not in self.args[1:]: - # Requested signal not in accepted list - return False - else: - if len(args) != 2: - # Incorrect number of arguments - return False - if len(self.args) > 1: - # No signal requested, but filter requires specific signal - return False - try: - command = os.readlink("/proc/%d/exe" % int(args[1])) - except (ValueError, OSError): - # Incorrect PID - return False - - # NOTE(yufang521247): /proc/PID/exe may have '\0' on the - # end, because python doesn't stop at '\0' when read the - # target path. - command = command.partition('\0')[0] - - # NOTE(dprince): /proc/PID/exe may have ' (deleted)' on - # the end if an executable is updated or deleted - if command.endswith(" (deleted)"): - command = command[:-len(" (deleted)")] - - kill_command = self.args[0] - - if os.path.isabs(kill_command): - return kill_command == command - - return (os.path.isabs(command) and - kill_command == os.path.basename(command) and - os.path.dirname(command) in os.environ.get('PATH', '' - ).split(':')) - - -class ReadFileFilter(CommandFilter): - """Specific filter for the utils.read_file_as_root call.""" - - def __init__(self, file_path, *args): - self.file_path = file_path - super(ReadFileFilter, self).__init__("/bin/cat", "root", *args) - - def match(self, userargs): - return (userargs == ['cat', self.file_path]) - - -class IpFilter(CommandFilter): - """Specific filter for the ip utility to that does not match exec.""" - - def match(self, userargs): - if userargs[0] == 'ip': - if userargs[1] == 'netns': - return (userargs[2] in ('list', 'add', 'delete')) - else: - return True - - -class EnvFilter(CommandFilter): - """Specific filter for the env utility. - - Behaves like CommandFilter, except that it handles - leading env A=B.. strings appropriately. - """ - - def _extract_env(self, arglist): - """Extract all leading NAME=VALUE arguments from arglist.""" - - envs = set() - for arg in arglist: - if '=' not in arg: - break - envs.add(arg.partition('=')[0]) - return envs - - def __init__(self, exec_path, run_as, *args): - super(EnvFilter, self).__init__(exec_path, run_as, *args) - - env_list = self._extract_env(self.args) - # Set exec_path to X when args are in the form of - # env A=a B=b C=c X Y Z - if "env" in exec_path and len(env_list) < len(self.args): - self.exec_path = self.args[len(env_list)] - - def match(self, userargs): - # ignore leading 'env' - if userargs[0] == 'env': - userargs.pop(0) - - # require one additional argument after configured ones - if len(userargs) < len(self.args): - return False - - # extract all env args - user_envs = self._extract_env(userargs) - filter_envs = self._extract_env(self.args) - user_command = userargs[len(user_envs):len(user_envs) + 1] - - # match first non-env argument with CommandFilter - return (super(EnvFilter, self).match(user_command) - and len(filter_envs) and user_envs == filter_envs) - - def exec_args(self, userargs): - args = userargs[:] - - # ignore leading 'env' - if args[0] == 'env': - args.pop(0) - - # Throw away leading NAME=VALUE arguments - while args and '=' in args[0]: - args.pop(0) - - return args - - def get_command(self, userargs, exec_dirs=[]): - to_exec = self.get_exec(exec_dirs=exec_dirs) or self.exec_path - return [to_exec] + self.exec_args(userargs)[1:] - - def get_environment(self, userargs): - env = os.environ.copy() - - # ignore leading 'env' - if userargs[0] == 'env': - userargs.pop(0) - - # Handle leading NAME=VALUE pairs - for a in userargs: - env_name, equals, env_value = a.partition('=') - if not equals: - break - if env_name and env_value: - env[env_name] = env_value - - return env - - -class ChainingFilter(CommandFilter): - def exec_args(self, userargs): - return [] - - -class IpNetnsExecFilter(ChainingFilter): - """Specific filter for the ip utility to that does match exec.""" - - def match(self, userargs): - # Network namespaces currently require root - # require argument - if self.run_as != "root" or len(userargs) < 4: - return False - - return (userargs[:3] == ['ip', 'netns', 'exec']) - - def exec_args(self, userargs): - args = userargs[4:] - if args: - args[0] = os.path.basename(args[0]) - return args diff --git a/designate/openstack/common/rootwrap/wrapper.py b/designate/openstack/common/rootwrap/wrapper.py deleted file mode 100644 index 026683c98..000000000 --- a/designate/openstack/common/rootwrap/wrapper.py +++ /dev/null @@ -1,169 +0,0 @@ -# Copyright (c) 2011 OpenStack Foundation. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import logging -import logging.handlers -import os -import string - -from six import moves - -from designate.openstack.common.rootwrap import filters - - -class NoFilterMatched(Exception): - """This exception is raised when no filter matched.""" - pass - - -class FilterMatchNotExecutable(Exception): - """Raised when a filter matched but no executable was found.""" - def __init__(self, match=None, **kwargs): - self.match = match - - -class RootwrapConfig(object): - - def __init__(self, config): - # filters_path - self.filters_path = config.get("DEFAULT", "filters_path").split(",") - - # exec_dirs - if config.has_option("DEFAULT", "exec_dirs"): - self.exec_dirs = config.get("DEFAULT", "exec_dirs").split(",") - else: - self.exec_dirs = [] - # Use system PATH if exec_dirs is not specified - if "PATH" in os.environ: - self.exec_dirs = os.environ['PATH'].split(':') - - # syslog_log_facility - if config.has_option("DEFAULT", "syslog_log_facility"): - v = config.get("DEFAULT", "syslog_log_facility") - facility_names = logging.handlers.SysLogHandler.facility_names - self.syslog_log_facility = getattr(logging.handlers.SysLogHandler, - v, None) - if self.syslog_log_facility is None and v in facility_names: - self.syslog_log_facility = facility_names.get(v) - if self.syslog_log_facility is None: - raise ValueError('Unexpected syslog_log_facility: %s' % v) - else: - default_facility = logging.handlers.SysLogHandler.LOG_SYSLOG - self.syslog_log_facility = default_facility - - # syslog_log_level - if config.has_option("DEFAULT", "syslog_log_level"): - v = config.get("DEFAULT", "syslog_log_level") - self.syslog_log_level = logging.getLevelName(v.upper()) - if (self.syslog_log_level == "Level %s" % v.upper()): - raise ValueError('Unexpected syslog_log_level: %s' % v) - else: - self.syslog_log_level = logging.ERROR - - # use_syslog - if config.has_option("DEFAULT", "use_syslog"): - self.use_syslog = config.getboolean("DEFAULT", "use_syslog") - else: - self.use_syslog = False - - # use_syslog_rfc_format - if config.has_option("DEFAULT", "use_syslog_rfc_format"): - self.use_syslog_rfc_format = config.getboolean( - "DEFAULT", "use_syslog_rfc_format") - else: - self.use_syslog_rfc_format = False - - -def setup_syslog(execname, facility, level): - rootwrap_logger = logging.getLogger() - rootwrap_logger.setLevel(level) - handler = logging.handlers.SysLogHandler(address='/dev/log', - facility=facility) - handler.setFormatter(logging.Formatter( - os.path.basename(execname) + ': %(message)s')) - rootwrap_logger.addHandler(handler) - - -def build_filter(class_name, *args): - """Returns a filter object of class class_name.""" - if not hasattr(filters, class_name): - logging.warning("Skipping unknown filter class (%s) specified " - "in filter definitions" % class_name) - return None - filterclass = getattr(filters, class_name) - return filterclass(*args) - - -def load_filters(filters_path): - """Load filters from a list of directories.""" - filterlist = [] - for filterdir in filters_path: - if not os.path.isdir(filterdir): - continue - for filterfile in filter(lambda f: not f.startswith('.'), - os.listdir(filterdir)): - filterconfig = moves.configparser.RawConfigParser() - filterconfig.read(os.path.join(filterdir, filterfile)) - for (name, value) in filterconfig.items("Filters"): - filterdefinition = [string.strip(s) for s in value.split(',')] - newfilter = build_filter(*filterdefinition) - if newfilter is None: - continue - newfilter.name = name - filterlist.append(newfilter) - return filterlist - - -def match_filter(filter_list, userargs, exec_dirs=[]): - """Checks user command and arguments through command filters. - - Returns the first matching filter. - - Raises NoFilterMatched if no filter matched. - Raises FilterMatchNotExecutable if no executable was found for the - best filter match. - """ - first_not_executable_filter = None - - for f in filter_list: - if f.match(userargs): - if isinstance(f, filters.ChainingFilter): - # This command calls exec verify that remaining args - # matches another filter. - def non_chain_filter(fltr): - return (fltr.run_as == f.run_as - and not isinstance(fltr, filters.ChainingFilter)) - - leaf_filters = [fltr for fltr in filter_list - if non_chain_filter(fltr)] - args = f.exec_args(userargs) - if (not args or not match_filter(leaf_filters, - args, exec_dirs=exec_dirs)): - continue - - # Try other filters if executable is absent - if not f.get_exec(exec_dirs=exec_dirs): - if not first_not_executable_filter: - first_not_executable_filter = f - continue - # Otherwise return matching filter for execution - return f - - if first_not_executable_filter: - # A filter matched, but no executable was found for it - raise FilterMatchNotExecutable(match=first_not_executable_filter) - - # No filter matched - raise NoFilterMatched() diff --git a/etc/designate/designate.conf.sample b/etc/designate/designate.conf.sample index 0b1fe9b5d..0c635b963 100644 --- a/etc/designate/designate.conf.sample +++ b/etc/designate/designate.conf.sample @@ -20,7 +20,7 @@ debug = False # Use "sudo designate-rootwrap /etc/designate/rootwrap.conf" to use the real # root filter facility. # Change to "sudo" to skip the filtering and just run the comand directly -root_helper = sudo +# root_helper = sudo designate-rootwrap /etc/designate/rootwrap.conf # Which networking API to use, Defaults to neutron # network_api = neutron diff --git a/requirements.txt b/requirements.txt index d9bc26190..883137c1b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,6 +8,7 @@ jsonschema>=2.0.0,<3.0.0 kombu>=2.4.8 netaddr>=0.7.6 oslo.config>=1.2.0 +oslo.rootwrap Paste PasteDeploy>=1.5.0 pbr>=0.6,<1.0 diff --git a/setup.cfg b/setup.cfg index 2ace5ebf8..cfbca5d0b 100644 --- a/setup.cfg +++ b/setup.cfg @@ -28,11 +28,11 @@ setup-hooks = packages = designate scripts = - bin/designate-rootwrap bin/designate-rpc-zmq-receiver [entry_points] console_scripts = + designate-rootwrap = oslo.rootwrap.cmd:main designate-agent = designate.cmd.agent:main designate-api = designate.cmd.api:main designate-central = designate.cmd.central:main