[Kimchi-devel] [PATCH] Get user groups correctly

Aline Manera alinefm at linux.vnet.ibm.com
Thu Jul 24 18:17:14 UTC 2014


Reviewed-by: Aline Manera <alinefm at linux.vnet.ibm.com>

On 07/24/2014 02:30 PM, Crístian Viana wrote:
> Kimchi uses the Python API (module "grp") to get the groups which a user
> belongs to. But that implementation is not correct, in some cases
> some groups are left out.
>
> For example, take a look at the following commands. Here's the Python
> method of getting the user groups (user=vianac):
>
> $ python -c "import grp; u = 'vianac'; print [ g.gr_name for g in grp.getgrall() if u in g.gr_mem ]"
> ['wheel', 'vianac', 'desktop_admin_r', 'aline']
>
> And here's another method of getting the same groups, using a GNU/Linux
> command:
>
> $ id -Gn vianac
> vianac wheel desktop_admin_r aline
>
> Now, let's try the same thing with a different user (user=root):
>
> $ python -c "import grp; u = 'root'; print [ g.gr_name for g in grp.getgrall() if u in g.gr_mem ]"
> []
>
> $ id -Gn root
> root
>
> As shown above, the Python method doesn't always display the correct
> results. As the command "id" is bundled in the GNU/Linux package
> "coreutils", I'd say its output is the correct one.
>
> Use the external command "id" to get the user groups instead of the
> Python API.
>
> Signed-off-by: Crístian Viana <vianac at linux.vnet.ibm.com>
> ---
>   src/kimchi/auth.py | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index aabcb6c..41538f1 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -20,7 +20,6 @@
>   import base64
>   import cherrypy
>   import fcntl
> -import grp
>   import multiprocessing
>   import os
>   import PAM
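
Review bot: No line in this patch imports run_command, although the second hunk calls it; the import block here only loses "import grp", and the diffstat's 4 insertions are all accounted for by the new get_groups body. Confirm auth.py already imports run_command elsewhere in this block, otherwise get_groups raises NameError on first use.
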
> @@ -71,8 +70,10 @@ class User(object):
>           self.user[USER_ROLES] = dict.fromkeys(tabs, 'user')
>   
>       def get_groups(self):
> -        self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall()
> -                                  if self.user[USER_NAME] in g.gr_mem]
> +        out, err, rc = run_command([ 'id', '-Gn', self.user[USER_NAME] ])
> +        if rc == 0:
> +            self.user[USER_GROUPS] = out.rstrip().split(" ")
> +
>           return self.user[USER_GROUPS]
>   
>       def get_roles(self):
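
Review bot: In get_groups, a non-zero rc assigns nothing, so "return self.user[USER_GROUPS]" hands back whatever was stored earlier (or raises KeyError if the key was never set), and err is dropped without being logged. Make a failed lookup distinguishable from a successful one: log err and either raise or store an explicit empty list. Two smaller points on the same lines: pass '--' before self.user[USER_NAME] so a name beginning with "-" cannot be parsed by id as an option, and note that split(" ") breaks any group name that itself contains a space.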

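Why the two methods in the quoted message disagree, as an added example that is not part of the original message or of Kimchi's code: a user's primary group is recorded in the GID field of the passwd entry, so a scan of gr_mem alone misses it unless the user is also listed there explicitly. The account records and GIDs below are constructed sample data; live_groups assumes Python 3.3+ on a Unix host.

```python
import grp
import os
import pwd
from collections import namedtuple

# Constructed sample records mirroring pwd/grp struct fields (not real accounts).
Pw = namedtuple("Pw", "pw_name pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")
SAMPLE_PASSWD = [Pw("root", 0), Pw("vianac", 1000)]
SAMPLE_GROUP = [
    Gr("root", 0, []),                    # root is a member only via its passwd GID
    Gr("wheel", 10, ["vianac"]),
    Gr("vianac", 1000, ["vianac"]),       # primary group, also listed explicitly
    Gr("desktop_admin_r", 1001, ["vianac"]),
    Gr("aline", 1002, ["vianac"]),
]


def groups_by_member_list(user, groups):
    """The approach the patch removes: only explicit gr_mem entries count."""
    return [g.gr_name for g in groups if user in g.gr_mem]


def groups_with_primary(user, passwd, groups):
    """Primary group (passwd GID field) first, then supplementary groups.

    Raises KeyError for an unknown user, so a failed lookup cannot be
    mistaken for "this user has no groups".
    """
    by_name = {p.pw_name: p for p in passwd}
    if user not in by_name:
        raise KeyError("unknown user: %r" % (user,))
    primary_gid = by_name[user].pw_gid
    names = [g.gr_name for g in groups if g.gr_gid == primary_gid]
    for g in groups:
        if user in g.gr_mem and g.gr_name not in names:
            names.append(g.gr_name)
    return names


def live_groups(user):
    """Same result from the host's own databases, without spawning a process."""
    gid = pwd.getpwnam(user).pw_gid       # KeyError if the user does not exist
    return [grp.getgrgid(g).gr_name for g in os.getgrouplist(user, gid)]


if __name__ == "__main__":
    for name in ("vianac", "root"):
        print(name, groups_by_member_list(name, SAMPLE_GROUP),
              groups_with_primary(name, SAMPLE_PASSWD, SAMPLE_GROUP))
```
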


