On 07/15/2011 07:23 AM, Michael Mraka wrote:
> Marcelo Moreira de Mello wrote:
> % Hello,
> %
> % Follow attached a new patch which include the 3 modifications:
> %
> % 1) Change KickstartFormatter.java to create the "run" file instead
> % of "all";
> %
> % 2) Adds a %post script to move any existing "all" to "run", making
> % it consistent with the documentation and with the new kickstart
> %
> % 3) Disable any actions based on the
> % /etc/sysconfig/rhn/allowed-actions/script/all and make it only use the
> % "run" file.
>
> Hi Marcello,

Hello Michael,

> * Which part (line of code) actually checks .../script/run file
> existence? I'd like to check it for a possible regression but was not
> able to find it ;).

rhncfg-* works based on modules. There are some functions which pass the module's name as an argument.

ModeController.py

    #Check to see if the mode is on.
    def is_on(self, mode_name):
        if self.mode_list.has_key(mode_name):
            return self.mode_list[mode_name].is_on()
        else:
            return 0

Modes.py

    class RunMode(ConfigFilesBaseMode):
        def __init__(self):
            ConfigFilesBaseMode.__init__(self)
            self.name = "run"
            self.ph.set_rhn_root("/etc/sysconfig/rhn/allowed-actions/script")

ModeControllerCreator.py

    def get_run_controller_creator():
        if string.find(sys.platform, 'sunos') > -1:
            mode_list = [Modes.SolarisRunMode()]
        else:
            mode_list = [Modes.RunMode()]

Basically the patch will only allow remote commands to be executed if the file allowed-actions/script/run exists.

    # rhn_check -vv
    D: check_action {'action': "<?xml version='1.0'?>\n<methodCall>\n<methodName>script.run</methodName>\n<params>\n<param>\n<value><int>67</int></value>\n</param>\n<param>\n<value><struct>\n<member>\n<name>username</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>groupname</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>now</name>\n<value><string>2011-07-15 10:50:34</string></value>\n</member>\n<member>\n<name>timeout</name>\n<value><int>600</int></value>\n</member>\n<member>\n<name>script</name>\n<value><string>#!/bin/sh\ndate</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodCall>\n", 'version': 2, 'id': 67}
    {SNIP}

If you look at the XML above, the methodName is script.run, which will match the class RunMode(). So, our patch fixes the function which verifies whether the local system has the permission (actually the files within allowed-actions/scripts or allowed-actions/configfiles). The function receives an 'action_type' passed as an argument. If the action_type were, for example, 'diff' and the local system only has the file allowed-actions/configfiles/'all', the code used to append the 'all' and the diff files works as expected.

But if a function receives a 'run' and the local system only has the file allowed-actions/script/all, the function will first look for 'run', and then append the 'all', and the remote command will be executed as well (which is not expected, since to allow remote commands we need the file 'run' and not 'all', according to the documentation). What our patch does is verify whether the action_type is 'script.run' and, if so, skip the check for whether the 'all' file is present. 'all' will continue to be appended for action_type configfiles.

configfiles.py

    def _local_permission_check(action_type):
        # action_type ala configfiles.deploy
        atype_structure = split(action_type, '.')

        for i in range(len(atype_structure)):
            all_structure = atype_structure[:i]
            if action_type == "script.run":
                all_structure.append('run')
            else:
                all_structure.append('all')

            potential_all_path = apply(os.path.join, all_structure)
            if os.path.exists(os.path.join(_permission_root_dir, potential_all_path)):  # <--- check file
                return 1

        action_path = apply(os.path.join, atype_structure)
        return os.path.exists(os.path.join(_permission_root_dir, action_path))

> * Will the new code work with kickstarts from current spacewalk which
> contain 'touch .../script/all'? I mean if new rhncfg-* is installed so
> it looks for .../script/run but no %postinst which renames
> .../script/all to .../script/run has fired.

Yes. If a customer upgrades the rhncfg* packages, in the %post section the file will be automatically renamed to 'run' if ../script/'all' exists.

rhncfg.spec

    %post
    test -f /etc/sysconfig/rhn/allowed-actions/script/all \
        && mv /etc/sysconfig/rhn/allowed-actions/script/all /etc/sysconfig/rhn/allowed-actions/script/run

For new kickstarts, the file will be deployed as expected.

KickstartFormatter.java

    "touch /etc/sysconfig/rhn/allowed-actions/script/run";

Please let me know if you have further questions.

Best Regards,
Marcelo

>
> Regards,
>
> --
> Michael Mráka
> Satellite Engineering, Red Hat
>
> _______________________________________________
> Spacewalk-devel mailing list
> Spacewalk-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-devel

--
Marcelo Moreira de Mello
RHCA RHCSS RHCVA
Software Maintenance Engineer/SEG
gpg id: 2048R/FDB110E5
gpg fingerprint: 3BE7 EF71 4DD7 6812 D309 8F18 BD42 D095 FDB1 10E5
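
The permission check discussed in this mail, run against a throwaway directory tree. This is an added example, not part of the original message or of the rhncfg code: check_after is a Python 3 rendering of the quoted _local_permission_check, check_before is reconstructed from the mail's description of the old behaviour (an assumption), and evaluate and CASES are hypothetical names with constructed inputs.

```python
import os
import tempfile

def check_before(root, action_type):
    # Pre-patch logic as the mail describes it (reconstructed, an assumption):
    # an 'all' file at any level of the action path grants the action.
    parts = action_type.split('.')
    for i in range(len(parts)):
        if os.path.exists(os.path.join(root, *parts[:i], 'all')):
            return True
    return os.path.exists(os.path.join(root, *parts))

def check_after(root, action_type):
    # Same walk as the quoted _local_permission_check: script.run looks for
    # 'run' at each level, every other action type still looks for 'all'.
    parts = action_type.split('.')
    marker = 'run' if action_type == 'script.run' else 'all'
    for i in range(len(parts)):
        if os.path.exists(os.path.join(root, *parts[:i], marker)):
            return True
    return os.path.exists(os.path.join(root, *parts))

def evaluate(existing_files, action_type):
    # Build a constructed allowed-actions tree in a temp dir (stand-in for
    # the real allowed-actions directory) and return (before, after).
    with tempfile.TemporaryDirectory() as root:
        for rel in existing_files:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, 'w').close()
        return check_before(root, action_type), check_after(root, action_type)

# Constructed cases: (files present, action requested)
CASES = [
    (["script/all"], "script.run"),             # the case the patch closes
    (["script/run"], "script.run"),             # documented way to allow scripts
    (["configfiles/all"], "configfiles.diff"),  # configfiles behaviour unchanged
    (["all"], "script.run"),                    # top-level 'all' no longer covers scripts
    (["run"], "script.run"),                    # i == 0 also consults a top-level 'run'
]

if __name__ == "__main__":
    for files, action in CASES:
        before, after = evaluate(files, action)
        print(f"{files!s:22} {action:17} before={before} after={after}")
```

The last two cases follow from the loop starting at the root of the permission directory, so they are worth including in any regression test of the change.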