[PATCH] Get user groups correctly
Kimchi uses the Python API (module "grp") to get the groups which a user belongs to. But that implementation is not correct, in some cases some groups are left out. For example, take a look at the following commands. Here's the Python method of getting the user groups (user=vianac): $ python -c "import grp; u = 'vianac'; print [ g.gr_name for g in grp.getgrall() if u in g.gr_mem ]" ['wheel', 'vianac', 'desktop_admin_r', 'aline'] And here's another method of getting the same groups, using a GNU/Linux command: $ id -Gn vianac vianac wheel desktop_admin_r aline Now, let's try the same thing with a different user (user=root): $ python -c "import grp; u = 'root'; print [ g.gr_name for g in grp.getgrall() if u in g.gr_mem ]" [] $ id -Gn root root As shown above, the Python method doesn't always display the correct results. As the command "id" is bundled in the GNU/Linux package "coreutils", I'd say its output is the correct one. Use the external command "id" to get the user groups instead of the Python API. Signed-off-by: Crístian Viana <vianac@linux.vnet.ibm.com> --- src/kimchi/auth.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index aabcb6c..41538f1 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -20,7 +20,6 @@ import base64 import cherrypy import fcntl -import grp import multiprocessing import os import PAM @@ -71,8 +70,10 @@ class User(object): self.user[USER_ROLES] = dict.fromkeys(tabs, 'user') def get_groups(self): - self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall() - if self.user[USER_NAME] in g.gr_mem] + out, err, rc = run_command([ 'id', '-Gn', self.user[USER_NAME] ]) + if rc == 0: + self.user[USER_GROUPS] = out.rstrip().split(" ") + return self.user[USER_GROUPS] def get_roles(self): -- 1.9.3
Reviewed-by: Aline Manera <alinefm@linux.vnet.ibm.com> On 07/24/2014 02:30 PM, Crístian Viana wrote:
Kimchi uses the Python API (module "grp") to get the groups which a user belongs to. But that implementation is not correct, in some cases some groups are left out.
For example, take a look at the following commands. Here's the Python method of getting the user groups (user=vianac):
$ python -c "import grp; u = 'vianac'; print [ g.gr_name for g in grp.getgrall() if u in g.gr_mem ]" ['wheel', 'vianac', 'desktop_admin_r', 'aline']
And here's another method of getting the same groups, using a GNU/Linux command:
$ id -Gn vianac vianac wheel desktop_admin_r aline
Now, let's try the same thing with a different user (user=root):
$ python -c "import grp; u = 'root'; print [ g.gr_name for g in grp.getgrall() if u in g.gr_mem ]" []
$ id -Gn root root
As shown above, the Python method doesn't always display the correct results. As the command "id" is bundled in the GNU/Linux package "coreutils", I'd say its output is the correct one.
Use the external command "id" to get the user groups instead of the Python API.
Signed-off-by: Crístian Viana <vianac@linux.vnet.ibm.com> --- src/kimchi/auth.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index aabcb6c..41538f1 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -20,7 +20,6 @@ import base64 import cherrypy import fcntl -import grp import multiprocessing import os import PAM @@ -71,8 +70,10 @@ class User(object): self.user[USER_ROLES] = dict.fromkeys(tabs, 'user')
def get_groups(self): - self.user[USER_GROUPS] = [g.gr_name for g in grp.getgrall() - if self.user[USER_NAME] in g.gr_mem] + out, err, rc = run_command([ 'id', '-Gn', self.user[USER_NAME] ]) + if rc == 0: + self.user[USER_GROUPS] = out.rstrip().split(" ") + return self.user[USER_GROUPS]
def get_roles(self):
participants (2)
-
Aline Manera -
Crístian Viana