URL: https://github.com/freeipa/freeipa/pull/2278 Author: flo-renaud Title: #2278: [Backport][ipa-4-6] uninstall -v: remove Tracebacks Action: opened
PR body: """ This PR is a manual backport of PR #2265 to ipa-4-6. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2278/head:pr2278 git checkout pr2278
From e1b74b53e0f7cebe967297b953526b1ab7523ffe Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 21 Aug 2018 17:55:45 +0200 Subject: [PATCH 1/2] uninstall -v: remove Tracebacks ipa-server-install --uninstall -v -U prints Traceback in its log file. This issue happens because it calls subprocess.Popen with close_fds=True (which closes all file descriptors in the child process) but it is trying to use the file logger in the child process (preexec_fn is called in the child just before the child is executed). The fix is using the logger only in the parent process. Fixes: https://pagure.io/freeipa/issue/7681 Reviewed-By: Rob Crittenden <rcrit...@redhat.com> --- ipapython/ipautil.py | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 910be1e746..86695cef27 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -481,20 +481,21 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None, logger.debug('Starting external process') logger.debug('args=%s', arg_string) - def preexec_fn(): - if runas is not None: - pent = pwd.getpwnam(runas) + if runas is not None: + pent = pwd.getpwnam(runas) - suplementary_gids = [ - grp.getgrnam(sgroup).gr_gid for sgroup in suplementary_groups - ] + suplementary_gids = [ + grp.getgrnam(sgroup).gr_gid for sgroup in suplementary_groups + ] - logger.debug('runas=%s (UID %d, GID %s)', runas, - pent.pw_uid, pent.pw_gid) - if suplementary_groups: - for group, gid in zip(suplementary_groups, suplementary_gids): - logger.debug('suplementary_group=%s (GID %d)', group, gid) + logger.debug('runas=%s (UID %d, GID %s)', runas, + pent.pw_uid, pent.pw_gid) + if suplementary_groups: + for group, gid in zip(suplementary_groups, suplementary_gids): + logger.debug('suplementary_group=%s (GID %d)', group, gid) + def preexec_fn(): + if runas is not None: os.setgroups(suplementary_gids) os.setregid(pent.pw_gid, pent.pw_gid) os.setreuid(pent.pw_uid, pent.pw_uid) From 3b011a307cf77f8f9e4f961551ece36916d27b98 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Wed, 22 Aug 2018 10:23:10 +0200 Subject: [PATCH 2/2] ipautil.run: add test for runas parameter Add a test for ipautil.run() method called with runas parameter. The test is using ipautil.run() to execute /usr/bin/id and checks that the uid/gid are consistent with the runas parameter. Note that the test needs to be launched by the root user (non-privileged user may not have the rights to execute ipautil.run() with runas parameter). Related to: https://pagure.io/freeipa/issue/7681 Reviewed-By: Rob Crittenden <rcrit...@redhat.com> --- ipatests/test_ipapython/test_ipautil.py | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/ipatests/test_ipapython/test_ipautil.py b/ipatests/test_ipapython/test_ipautil.py index 7f3fcfeff4..e15b4f948e 100644 --- a/ipatests/test_ipapython/test_ipautil.py +++ b/ipatests/test_ipapython/test_ipautil.py @@ -23,12 +23,14 @@ """ from __future__ import absolute_import - +import os +import pwd import nose import pytest import six import tempfile +from ipalib.constants import IPAAPI_USER from ipapython import ipautil pytestmark = pytest.mark.tier0 @@ -479,3 +481,23 @@ def test_flush_sync(): with tempfile.NamedTemporaryFile('wb+') as f: f.write(b'data') ipautil.flush_sync(f) + + +@pytest.mark.skipif(os.geteuid() != 0, + reason="Must have root privileges to run this test") +def test_run_runas(): + """ + Test run method with the runas parameter. + The test executes 'id' to make sure that the process is + executed with the user identity specified in runas parameter. + The test is using 'ipaapi' user as it is configured when + ipa-server-common package is installed. + """ + user = pwd.getpwnam(IPAAPI_USER) + res = ipautil.run(['/usr/bin/id', '-u'], runas=IPAAPI_USER) + assert res.returncode == 0 + assert res.raw_output == b'%d\n' % user.pw_uid + + res = ipautil.run(['/usr/bin/id', '-g'], runas=IPAAPI_USER) + assert res.returncode == 0 + assert res.raw_output == b'%d\n' % user.pw_gid
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/MKCLGQ3TCAFMQWFTVOW5DSGTHSX65QP7/
