Revision 45bc4635 lib/backend.py
| b/lib/backend.py | ||
|---|---|---|
| 1 | 1 |
# |
| 2 | 2 |
# |
| 3 | 3 |
|
| 4 |
# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Google Inc. |
|
| 4 |
# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Google Inc.
|
|
| 5 | 5 |
# |
| 6 | 6 |
# This program is free software; you can redistribute it and/or modify |
| 7 | 7 |
# it under the terms of the GNU General Public License as published by |
| ... | ... | |
| 88 | 88 |
_MASTER_START = "start" |
| 89 | 89 |
_MASTER_STOP = "stop" |
| 90 | 90 |
|
| 91 |
#: Maximum file permissions for remote command directory and executables
|
|
| 91 |
#: Maximum file permissions for restricted command directory and executables
|
|
| 92 | 92 |
_RCMD_MAX_MODE = (stat.S_IRWXU | |
| 93 | 93 |
stat.S_IRGRP | stat.S_IXGRP | |
| 94 | 94 |
stat.S_IROTH | stat.S_IXOTH) |
| 95 | 95 |
|
| 96 |
#: Delay before returning an error for remote commands
|
|
| 96 |
#: Delay before returning an error for restricted commands
|
|
| 97 | 97 |
_RCMD_INVALID_DELAY = 10 |
| 98 | 98 |
|
| 99 |
#: How long to wait to acquire lock for remote commands (shorter than
|
|
| 99 |
#: How long to wait to acquire lock for restricted commands (shorter than
|
|
| 100 | 100 |
#: L{_RCMD_INVALID_DELAY}) to reduce blockage of noded forks when many
|
| 101 | 101 |
#: command requests arrive |
| 102 | 102 |
_RCMD_LOCK_TIMEOUT = _RCMD_INVALID_DELAY * 0.8 |
| ... | ... | |
| 3672 | 3672 |
|
| 3673 | 3673 |
|
| 3674 | 3674 |
def _VerifyRestrictedCmdName(cmd): |
| 3675 |
"""Verifies a remote command name.
|
|
| 3675 |
"""Verifies a restricted command name.
|
|
| 3676 | 3676 |
|
| 3677 | 3677 |
@type cmd: string |
| 3678 | 3678 |
@param cmd: Command name |
| ... | ... | |
| 3694 | 3694 |
|
| 3695 | 3695 |
|
| 3696 | 3696 |
def _CommonRestrictedCmdCheck(path, owner): |
| 3697 |
"""Common checks for remote command file system directories and files.
|
|
| 3697 |
"""Common checks for restricted command file system directories and files.
|
|
| 3698 | 3698 |
|
| 3699 | 3699 |
@type path: string |
| 3700 | 3700 |
@param path: Path to check |
| ... | ... | |
| 3724 | 3724 |
|
| 3725 | 3725 |
|
| 3726 | 3726 |
def _VerifyRestrictedCmdDirectory(path, _owner=None): |
| 3727 |
"""Verifies remote command directory.
|
|
| 3727 |
"""Verifies restricted command directory.
|
|
| 3728 | 3728 |
|
| 3729 | 3729 |
@type path: string |
| 3730 | 3730 |
@param path: Path to check |
| ... | ... | |
| 3745 | 3745 |
|
| 3746 | 3746 |
|
| 3747 | 3747 |
def _VerifyRestrictedCmd(path, cmd, _owner=None): |
| 3748 |
"""Verifies a whole remote command and returns its executable filename.
|
|
| 3748 |
"""Verifies a whole restricted command and returns its executable filename.
|
|
| 3749 | 3749 |
|
| 3750 | 3750 |
@type path: string |
| 3751 |
@param path: Directory containing remote commands
|
|
| 3751 |
@param path: Directory containing restricted commands
|
|
| 3752 | 3752 |
@type cmd: string |
| 3753 | 3753 |
@param cmd: Command name |
| 3754 | 3754 |
@rtype: tuple; (boolean, string) |
| ... | ... | |
| 3774 | 3774 |
_verify_dir=_VerifyRestrictedCmdDirectory, |
| 3775 | 3775 |
_verify_name=_VerifyRestrictedCmdName, |
| 3776 | 3776 |
_verify_cmd=_VerifyRestrictedCmd): |
| 3777 |
"""Performs a number of tests on a remote command.
|
|
| 3777 |
"""Performs a number of tests on a restricted command.
|
|
| 3778 | 3778 |
|
| 3779 | 3779 |
@type path: string |
| 3780 |
@param path: Directory containing remote commands
|
|
| 3780 |
@param path: Directory containing restricted commands
|
|
| 3781 | 3781 |
@type cmd: string |
| 3782 | 3782 |
@param cmd: Command name |
| 3783 | 3783 |
@return: Same as L{_VerifyRestrictedCmd}
|
| ... | ... | |
| 3804 | 3804 |
_prepare_fn=_PrepareRestrictedCmd, |
| 3805 | 3805 |
_runcmd_fn=utils.RunCmd, |
| 3806 | 3806 |
_enabled=constants.ENABLE_RESTRICTED_COMMANDS): |
| 3807 |
"""Executes a remote command after performing strict tests.
|
|
| 3807 |
"""Executes a restricted command after performing strict tests.
|
|
| 3808 | 3808 |
|
| 3809 | 3809 |
@type cmd: string |
| 3810 | 3810 |
@param cmd: Command name |
| ... | ... | |
| 3813 | 3813 |
@raise RPCFail: In case of an error |
| 3814 | 3814 |
|
| 3815 | 3815 |
""" |
| 3816 |
logging.info("Preparing to run remote command '%s'", cmd)
|
|
| 3816 |
logging.info("Preparing to run restricted command '%s'", cmd)
|
|
| 3817 | 3817 |
|
| 3818 | 3818 |
if not _enabled: |
| 3819 |
_Fail("Remote commands disabled at configure time")
|
|
| 3819 |
_Fail("Restricted commands disabled at configure time")
|
|
| 3820 | 3820 |
|
| 3821 | 3821 |
lock = None |
| 3822 | 3822 |
try: |
| ... | ... | |
| 3844 | 3844 |
# Do not include original error message in returned error |
| 3845 | 3845 |
_Fail("Executing command '%s' failed" % cmd)
|
| 3846 | 3846 |
elif cmdresult.failed or cmdresult.fail_reason: |
| 3847 |
_Fail("Remote command '%s' failed: %s; output: %s",
|
|
| 3847 |
_Fail("Restricted command '%s' failed: %s; output: %s",
|
|
| 3848 | 3848 |
cmd, cmdresult.fail_reason, cmdresult.output) |
| 3849 | 3849 |
else: |
| 3850 | 3850 |
return cmdresult.output |
Also available in: Unified diff