Alon Bar-Lev has uploaded a new change for review. Change subject: packaging: engine-service: do not allow execution as non-root ......................................................................
packaging: engine-service: do not allow execution as non-root all downstream has a mean to execute the script under the correct account. So no need for us to change identity nor expect other user. Change-Id: Ic30ce5316918a98bf2ef4cbf17d0eb91b85c74d1 Signed-off-by: Alon Bar-Lev <[email protected]> --- M packaging/fedora/engine-service.py.in 1 file changed, 7 insertions(+), 26 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/27/13627/1 diff --git a/packaging/fedora/engine-service.py.in b/packaging/fedora/engine-service.py.in index 89a303f..6174d31 100644 --- a/packaging/fedora/engine-service.py.in +++ b/packaging/fedora/engine-service.py.in @@ -196,30 +196,6 @@ global engineConfig engineConfig = Config(engineConfigFiles) - # Get the id of the engine user: - global engineUid - if os.geteuid() == 0: - engineUser = engineConfig.getString("ENGINE_USER") - if engineUser: - try: - engineUid = pwd.getpwnam(engineUser).pw_uid - except: - raise Exception("The engine user \"%s\" doesn't exist." % engineUser) - else: - engineUid = os.geteuid() - - # Get id of the engine group: - global engineGid - if os.geteuid() == 0: - engineGroup = engineConfig.getString("ENGINE_GROUP") - if engineGroup: - try: - engineGid = grp.getgrnam(engineGroup).gr_gid - except: - raise Exception("The engine group \"%s\" doesn't exist." % engineGroup) - else: - engineGid = os.getegid() - # Java home directory: global javaHomeDir javaHomeDir = engineConfig.getString("JAVA_HOME") @@ -363,6 +339,13 @@ def startEngine(): + if os.geteuid() == 0: + raise Exception("This script cannot be run as root") + global engineUid + global engineGid + engineUid = os.geteuid() + engineGid = os.getegid() + # perform checks: checkInstallation() 
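Review bot: The root check added at the top of startEngine() tests only the effective uid, so a launcher that lowers the euid but keeps a real or saved uid of 0 would pass it while still being able to regain root. Because the later hunk also removes `uid=engineUid` and `gid=engineGid` from the daemon context, this test is the only privilege guard left in the script; I would widen it to `if os.getuid() == 0 or os.geteuid() == 0:` and consider an equivalent test on `os.getgid()`/`os.getegid()`. With the ENGINE_USER lookup removed in the first hunk, nothing visible here confirms that the caller is the intended engine account rather than any unprivileged user, which deserves a comment if it is deliberate. The commit subject says "non-root" while the code rejects root, so the subject presumably should read "as root". startEngine() continues past the end of the hunk, so any later use of engineUid/engineGid is not visible here.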
@@ -552,8 +535,6 @@ signal.SIGINT: myterm, signal.SIGHUP: None, }, - uid=engineUid, - gid=engineGid, stdout=engineConsoleLog, stderr=engineConsoleLog, ): -- To view, visit http://gerrit.ovirt.org/13627 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic30ce5316918a98bf2ef4cbf17d0eb91b85c74d1 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
