Don't attempt to escalate nova-manage privileges
Remove code which allowed nova-manage to attempt to escalate privileges so that configuration files can be read by users who normally wouldn't have access, but do have sudo access. The privilege escalation came into nova-manage with commit e9fd01e
to solve bug 805695. That bug report didn't describe a faulty behavior but a change request. NOTE: This is related to change I03063d2 from Kiall Mac Innes who did this for the "designate" project. I'm reusing the change-id from his change to make it clear that they are related to each other. NOTE: I removed the try-except block completely, as it doesn't make sense to continue when we cannot read the config file (due to a wrong path or permission errors). That's the same approach we used in the recent "nova/cmd/policy_check" module. https://github.com/openstack/nova/blob/master/nova/cmd/policy_check.py#L158 Co-Authored-By: Kiall Mac Innes <kiall@macinnes.ie> Closes-Bug: 1611171 Change-Id: I03063d2af14015e6506f1b6e958f5ff219aa4a87 (cherry picked from commit 87530b6e67)
parent
e08cc356b0
commit
28e618921c
|
@ -1553,25 +1553,11 @@ category_opt = cfg.SubCommandOpt('category',
|
|||
def main():
|
||||
"""Parse options and call the appropriate class/method."""
|
||||
CONF.register_cli_opt(category_opt)
|
||||
try:
|
||||
config.parse_args(sys.argv)
|
||||
logging.set_defaults(
|
||||
default_log_levels=logging.get_default_log_levels() +
|
||||
_EXTRA_DEFAULT_LOG_LEVELS)
|
||||
logging.setup(CONF, "nova")
|
||||
except cfg.ConfigFilesNotFoundError:
|
||||
cfgfile = CONF.config_file[-1] if CONF.config_file else None
|
||||
if cfgfile and not os.access(cfgfile, os.R_OK):
|
||||
st = os.stat(cfgfile)
|
||||
print(_("Could not read %s. Re-running with sudo") % cfgfile)
|
||||
try:
|
||||
os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
|
||||
except OSError:
|
||||
print(_('sudo failed, continuing as if nothing happened'))
|
||||
|
||||
print(_('Please re-run nova-manage as root.'))
|
||||
return(2)
|
||||
|
||||
config.parse_args(sys.argv)
|
||||
logging.set_defaults(
|
||||
default_log_levels=logging.get_default_log_levels() +
|
||||
_EXTRA_DEFAULT_LOG_LEVELS)
|
||||
logging.setup(CONF, "nova")
|
||||
objects.register_all()
|
||||
|
||||
if CONF.category.name == "version":
|
||||
|
|
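Review bot: With the `try`/`except` gone, the bare `config.parse_args(sys.argv)` call in `main()` is the only place that decides what happens when the config file is missing or unreadable, and nothing on the new side records that letting the error propagate is deliberate. I would add a short comment above it, e.g. `# Config errors propagate on purpose; never re-exec via sudo to read the file (bug 1611171).`, so the re-exec is not reintroduced later as a usability fix. The docstring could also say that an unreadable config file now ends the run with the oslo.config exception instead of the old return code of 2, since wrappers that checked for that exit status will see different behaviour; this is inferred from the removed `return(2)`. `main()` continues past the end of the hunk, so the rest of its error handling is not visible here.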