On 01/21/2014 03:07 PM, Petr Viktorin wrote:
On 01/16/2014 02:16 PM, Martin Kosek wrote:
[freeipa-mkosek-448-add-runas-option-to-run-function.patch]:
Run function can now run the specified command as a different user by
setting the EUID and EGID for the executed process.
Please add the new argument to the docstring, otherwise ACK
[freeipa-mkosek-449-switch-httpd-to-use-default-ccache.patch]:
Stock httpd no longer uses the systemd EnvironmentFile option, which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead to hard
to debug problems during subsequent ipa-server-install runs where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing a custom CCACHE and switch to the system one; just make sure
that it is properly cleaned by kdestroy run as the apache user during
the FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
This does not fix the issue for me.
On a fresh f20 machine, I installed the server, uninstalled it, and installed
again. The second installation failed with the ipa-client-install error
described in the ticket.
On your VM, I saw the method I use for running a command as a different process
was indeed not effective. I had to change both effective and real UID/GID to
make the kdestroy function work.
I also added the missing docstrings in 448, both for runas as well as other
missing options.
Martin
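The point raised above, that changing only the effective IDs was not enough and the real UID/GID had to be switched as well, is the usual pitfall when demoting a child process. What follows is an added example written for this page, not FreeIPA's own ipautil.run; the names run_as, make_demoter, lookup_user and ids_seen_by_child, and the 'nobody' account used in the demo at the bottom, are assumptions made here for illustration. It drops privileges in subprocess.Popen's preexec_fn in the order that works: supplementary groups and primary GID first, while the child is still privileged, and the UID last; the helper at the end shows the IDs the child actually ends up with.

```python
import os
import pwd
import subprocess
import sys


def lookup_user(name):
    """Resolve a user name to (uid, gid) through the passwd database.

    pwd.getpwnam raises KeyError for an unknown name; we let that propagate
    so a misspelled account is an error, not a silent run as the caller.
    """
    pent = pwd.getpwnam(name)
    return pent.pw_uid, pent.pw_gid


def make_demoter(name):
    """Build a preexec_fn that switches the child to `name` before exec.

    Only setuid(2)/setgid(2) are used, never seteuid/setegid: when the
    parent is root they set the real, effective and saved IDs together, so
    the child cannot switch back, and programs that key per-user state off
    getuid() (the real UID) see the target user rather than root. Group IDs
    go first, because once the UID has changed we may no longer set them.
    """
    uid, gid = lookup_user(name)

    def demote():
        if os.geteuid() == 0:
            # Supplementary groups need CAP_SETGID, so only a privileged
            # parent can reset them; skipping this would leak root's groups.
            os.initgroups(name, gid)
        os.setgid(gid)
        os.setuid(uid)

    return demote


def run_as(args, runas=None):
    """Run `args` and return (stdout, stderr, returncode).

    With runas set, the child is demoted in preexec_fn. An unprivileged
    parent can only "switch" to its own UID/GID; for any other target the
    kernel refuses and Popen raises SubprocessError for the failed child.
    """
    preexec_fn = make_demoter(runas) if runas is not None else None
    proc = subprocess.Popen(args, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, preexec_fn=preexec_fn)
    out, err = proc.communicate()
    return out.decode(), err.decode(), proc.returncode


def ids_seen_by_child(runas):
    """Return [real uid, effective uid, real gid, effective gid] as strings,
    measured inside a child started through run_as. The child is this same
    interpreter, so nothing beyond the standard library is needed."""
    probe = ("import os; "
             "print(os.getuid(), os.geteuid(), os.getgid(), os.getegid())")
    out, err, rc = run_as([sys.executable, "-c", probe], runas=runas)
    if rc != 0:
        raise RuntimeError("probe failed: %s" % err.strip())
    return out.split()


if __name__ == "__main__":
    # Constructed demonstration (assumed account): as root this shows the
    # IDs of 'nobody'; as an ordinary user only your own account works.
    target = "nobody" if os.geteuid() == 0 else pwd.getpwuid(os.getuid()).pw_name
    print(target, ids_seen_by_child(target))
```

Run it as root to see all four IDs of the target user in the child; run it unprivileged and any target other than yourself fails in preexec_fn, which is the kernel enforcing that only a privileged process may change its real IDs. A seteuid-only version would print a changed effective UID next to an unchanged real UID of 0, which is the state that lets a child keep acting as root where it looks at getuid().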
From 3b6683c7a3da885350542157aae2afa0b3cdd37e Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 16 Jan 2014 14:10:42 +0100
Subject: [PATCH 1/2] Add runas option to run function
Run function can now run the specified command as a different user by
setting both the real and effective UID and GID for the executed process.
Add both the missing run function attribute doc strings as well as
a doc string for the runas attribute.
---
ipapython/ipautil.py | 59 +---
1 file changed, 38 insertions(+), 21 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a25dc358b9ddf9681925491ec1c4cd2de03d6b00..4ed32a6ad25daab2a606556cc0f532918abbfec1 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -42,6 +42,7 @@
import netaddr
import time
import krbV
+import pwd
from dns import resolver, rdatatype
from dns.exception import DNSException
@@ -246,29 +247,35 @@ def shell_quote(string):
return ' + string.replace(', '\\'') + '
def run(args, stdin=None, raiseonerr=True,
-nolog=(), env=None, capture_output=True, skip_output=False, cwd=None):
+nolog=(), env=None, capture_output=True, skip_output=False, cwd=None,
+runas=None):
Execute a command and return stdin, stdout and the process return code.
-args is a list of arguments for the command
-
-stdin is used if you want to pass input to the command
-
-raiseonerr raises an exception if the return code is not zero
-
-nolog is a tuple of strings that shouldn't be logged, like passwords.
-Each tuple consists of a string to be replaced by .
-
-For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
-
-We don't want to log the password so nolog would be set to:
-('Secret123',)
-
-The resulting log output would be:
-
-/usr/bin/setpasswd --password someuser
-
-If an value isn't found in the list it is silently ignored.
+:param args: List of arguments for the command
+:param stdin: Optional input to the command
+:param: raiseonerr: If True, raises an exception if the return code is
+not zero
+:param nolog: Tuple of strings that shouldn't be logged, like passwords.
+Each tuple consists of a string to be replaced by .
+
+Example:
+We have a command
+['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
+and we don't want to log the password so nolog would be set to:
+('Secret123',)
+The resulting log output would be:
+
+/usr/bin/setpasswd --password someuser
+
+If an value isn't found in the list it is silently ignored.
+:param env: Dictionary of environment variables passed to the command.
+When None, current environment is copied
+:param capture_output: Capture stderr and stdout
+:param skip_output: Redirect the output to /dev/null and do not capture it
+:param cwd: Current working directory
+:param runas: Name of a user that the command shold be run as. The spawned
+process will have both real and effective UID and GID set.
p_in = None
p_out = None
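Review bot: two typos remain in the new :param lines of this docstring: ':param: raiseonerr:' has a stray colon before the name, and 'shold' in the runas description should be 'should'. The summary line 'Execute a command and return stdin, stdout and the process return code' also contradicts ':param stdin: Optional input to the command' just below it; stdin is an input, so the returned triple is presumably stdout, stderr and the return code. Since runas now switches the real IDs as well, the runas paragraph should also say that the caller must already be privileged (root) for the switch to another user to succeed, and that the name must exist in the passwd database.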
@@ -298,9 +305,19 @@ def run(args, stdin=None, raiseonerr=True,
root_logger.debug('Starting external process')
root_logger.debug('args=%s' % arg_string)
+preexec_fn = None
+if runas is not None:
+pent = pwd.getpwnam(runas)
+root_logger.debug('runas=%s (UID %d, GID %s)', runas,
+pent.pw_uid, pent.pw_gid)
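Review bot: pwd.getpwnam(runas) raises KeyError for a user that does not exist, which would surface from run() as a bare KeyError carrying only the user name; either catch it and re-raise with a message such as 'runas user %s does not exist', or state in the runas docstring that the name must exist. The debug line also mixes %d for the UID with %s for the GID; both are integers, so use %d for both.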