Yuvipanda has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/202305

Change subject: Validate tool accounts before accepting them
......................................................................

Validate tool accounts before accepting them

- Username must exist
- uid must be greater than 50000
Change-Id: If04fa403a9ad6e66b89a96716fa53960571c0a5e
---
M destiny/collector.py
M destiny/tool.py
2 files changed, 15 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/software/tools-manifest 
refs/changes/05/202305/1

diff --git a/destiny/collector.py b/destiny/collector.py
index 55ff02e..032b217 100644
--- a/destiny/collector.py
+++ b/destiny/collector.py
@@ -34,7 +34,11 @@
             toolname = fileparts[3]  # FIXME: Have extra validation to make 
sure this *is* a tool
 
             with open(manifest_file) as f:
-                tool = Tool.from_name(toolname)
+                try:
+                    tool = Tool.from_name(toolname)
+                except Tool.InvalidToolException:
+                    self.log.exception("Exception trying to validate / load 
tool %s" % (toolname, ))
+                    continue
                 # Support files only if the owner of the file is the tool 
itself
                 # This should be ok protection against symlinks to random 
places, I think
                 if os.fstat(f.fileno()).st_uid != tool.uid:
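Review bot: `Tool.from_name(toolname)` is still called inside `with open(manifest_file) as f:`, so a manifest path whose name fails validation has already been opened by the time it is rejected. Validation needs only `toolname`, so the `try`/`except` could move above the `with`, and rejected names would then never cause a file open; the `st_uid` comparison below stays as the check on the opened file. A missing or low-uid account is also an expected condition here, so, assuming `self.log` is a standard `logging.Logger`, `self.log.warning("Skipping manifest for invalid tool %s", toolname)` would avoid a traceback per bad entry and leave formatting to the logger. The enclosing loop and function start outside this hunk, so the exact placement needs checking against the full file.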
diff --git a/destiny/tool.py b/destiny/tool.py
index 979eebc..c402743 100644
--- a/destiny/tool.py
+++ b/destiny/tool.py
@@ -7,6 +7,9 @@
 class Tool(object):
     USER_NAME_PATTERN = 'tools.%s'
 
+    class InvalidToolException(Exception):
+        pass
+
     def __init__(self, name, username, uid, home):
         self.name = name
         self.uid = uid
@@ -19,7 +22,13 @@
         Create a Tool instance from a tool name
         """
         username = Tool.USER_NAME_PATTERN % (name, )
-        user_info = pwd.getpwnam(username)
+        try:
+            user_info = pwd.getpwnam(username)
+        except KeyError:
+            # No such user was found
+            raise Tool.InvalidToolException("No tool with name %s" % (name, ))
+        if user_info.pw_uid < 50000:
+            raise Tool.InvalidToolException("uid of tools should be < 50000, 
%s has uid %s" % (name, user_info.pw_uid))
         return cls(name, user_info.pw_name, user_info.pw_uid, user_info.pw_dir)
 
     def log(self, message):
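Review bot: The message raised for a low uid says `should be < 50000`, but the condition `user_info.pw_uid < 50000` rejects exactly those uids, so the logged text states the opposite of the rule being enforced; it should read `"uid of tools should be >= 50000, %s has uid %s"`. The commit message says the uid must be greater than 50000 while the check accepts 50000 itself, so one of the two needs adjusting. This threshold is presumably what separates tool accounts from system and personal accounts, so a class constant such as `MIN_TOOL_UID = 50000` (the name is only a suggestion), with a comment on where the value comes from, would make the boundary easier to audit. The signature of `from_name` and the body of `log` are outside the hunk.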

-- 
To view, visit https://gerrit.wikimedia.org/r/202305

Gerrit-MessageType: newchange
Gerrit-Change-Id: If04fa403a9ad6e66b89a96716fa53960571c0a5e
Gerrit-PatchSet: 1
Gerrit-Project: operations/software/tools-manifest
Gerrit-Branch: master
Gerrit-Owner: Yuvipanda <[email protected]>
