Reviewed-by: Aline Manera <alinefm(a)linux.vnet.ibm.com>
On 07/24/2014 02:30 PM, Crístian Viana wrote:
Kimchi uses the Python API (module "grp") to get the groups which a user
belongs to. But that implementation is not correct: in some cases
some groups are left out.
For example, take a look at the following commands. Here's the Python
method of getting the user groups (user=vianac):
$ python -c "import grp; u = 'vianac'; print [ g.gr_name for g in grp.getgrall() if u in g.gr_mem ]"
['wheel', 'vianac', 'desktop_admin_r', 'aline']
And here's another method of getting the same groups, using a GNU/Linux
command:
$ id -Gn vianac
vianac wheel desktop_admin_r aline
Now, let's try the same thing with a different user (user=root):
$ python -c "import grp; u = 'root'; print [ g.gr_name for g in grp.getgrall() if u in g.gr_mem ]"
[]
$ id -Gn root
root
As shown above, the Python method doesn't always display the correct
results. As the command "id" is bundled in the GNU/Linux package
"coreutils", I'd say its output is the correct one.
Use the external command "id" to get the user groups instead of the
Python API.
Signed-off-by: Crístian Viana <vianac(a)linux.vnet.ibm.com>
---
src/kimchi/auth.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index aabcb6c..41538f1 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -20,7 +20,6 @@
import base64
import cherrypy
import fcntl
-import grp
import multiprocessing
import os
import PAM
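Review bot: with "import grp" dropped in this hunk, the second hunk starts calling run_command, yet neither hunk adds an import for it and the diffstat counts only the four lines added in get_groups. Please confirm run_command is already imported in auth.py; if it is not, get_groups will raise NameError the first time it runs.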
@@ -71,8 +70,10 @@ class User(object):
self.user[USER_ROLES] = dict.fromkeys(tabs, 'user')
def get_groups(self):
- self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall()
- if self.user[USER_NAME] in g.gr_mem]
+ out, err, rc = run_command([ 'id', '-Gn', self.user[USER_NAME]
])
+ if rc == 0:
+ self.user[USER_GROUPS] = out.rstrip().split(" ")
+
return self.user[USER_GROUPS]
def get_roles(self):
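Review bot: in get_groups, the rc != 0 path leaves self.user[USER_GROUPS] untouched, so the return that follows hands back whatever was stored before, or raises KeyError if the key was never set, and err is discarded without being logged. Assign an explicit value (for example an empty list) and log err when id fails. Two smaller points on the same lines: out.rstrip().split(" ") yields [''] for empty output and breaks any group name that contains a space, and the user name goes to id as a bare argument, so putting '--' before it would keep a name that starts with '-' from being parsed as an option.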
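The gap described in the commit message, as an added example that is not part of the original patch or of Kimchi: a group's member list does not have to name the users whose primary group it is (the primary group comes from the gid field of the passwd entry), so a lookup that only scans member lists can miss it. The passwd and group contents below are constructed to reproduce the outputs quoted above, and all function names are hypothetical.

```python
# Added example: constructed passwd/group data, not read from a live system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vianac:x:1000:1000::/home/vianac:/bin/bash
"""
GROUP = """\
root:x:0:
wheel:x:10:vianac
vianac:x:1000:vianac
desktop_admin_r:x:1001:vianac
aline:x:1002:vianac
"""


def parse_passwd(text):
    """Map user name -> primary gid (4th field of a passwd line)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3].isdigit():
            users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """Return a list of (group name, gid, member list) tuples."""
    groups = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            members = [m for m in fields[3].split(",") if m]
            groups.append((fields[0], int(fields[2]), members))
    return groups


def groups_by_member_list(user, groups):
    """What the removed grp.getgrall() comprehension computed."""
    return [name for name, _gid, members in groups if user in members]


def groups_with_primary(user, users, groups):
    """Primary group first, then supplementary groups, without duplicates."""
    if user not in users:
        raise KeyError("unknown user: %s" % user)
    primary = [name for name, gid, _m in groups if gid == users[user]]
    rest = [g for g in groups_by_member_list(user, groups) if g not in primary]
    return primary + rest
```
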