From 1b1b960d0d6b0ddf63c5b0f9c6aa7c10a1914073 Mon Sep 17 00:00:00 2001 From: David Vallee Delisle Date: Wed, 5 Jan 2022 12:36:04 -0500 Subject: [PATCH] CommandFilter should allow exec from full path The current logic prevents from using a full path as argument. We can't just compare basename to basename as it would allow passing bogus paths. We need to make sure that passing a full path will compare to the config's full path. Closes-Bug: #1956606 Change-Id: I76094065de5b37f59a2500fbce7f500ada9915da --- oslo_rootwrap/filters.py | 6 +++++- oslo_rootwrap/tests/test_functional.py | 8 ++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/oslo_rootwrap/filters.py b/oslo_rootwrap/filters.py index bcb03ac..8d7bf0e 100644 --- a/oslo_rootwrap/filters.py +++ b/oslo_rootwrap/filters.py @@ -74,7 +74,11 @@ class CommandFilter(object): def match(self, userargs): """Only check that the first argument (command) matches exec_path.""" - return userargs and os.path.basename(self.exec_path) == userargs[0] + if userargs: + base_path_matches = os.path.basename(self.exec_path) == userargs[0] + exact_path_matches = self.exec_path == userargs[0] + return exact_path_matches or base_path_matches + return False def preexec(self): """Setuid in subprocess right before command is invoked.""" diff --git a/oslo_rootwrap/tests/test_functional.py b/oslo_rootwrap/tests/test_functional.py index 42c33c4..941e069 100644 --- a/oslo_rootwrap/tests/test_functional.py +++ b/oslo_rootwrap/tests/test_functional.py @@ -89,6 +89,14 @@ later_install_cmd: CommandFilter, %s, root self.assertEqual(expect_out, out) self.assertEqual(expect_err, err) + def test_run_with_path(self): + code, out, err = self.execute(['/bin/echo', 'teststr']) + self.assertEqual(0, code) + + def test_run_with_bogus_path(self): + code, out, err = self.execute(['/home/bob/bin/echo', 'teststr']) + self.assertEqual(cmd.RC_UNAUTHORIZED, code) + def test_run_command_not_found(self): code, out, err = self.execute(['unknown_cmd']) self.assertEqual(cmd.RC_NOEXECFOUND, code)