[node-patches] Change in ovirt-node[master]: validate the cim user exists prior to setting password

mburns at redhat.com mburns at redhat.com
Sat Oct 13 12:58:12 UTC 2012


Michael Burns has uploaded a new change for review.

Change subject: validate the cim user exists prior to setting password
......................................................................

validate the cim user exists prior to setting password

In certain upgrade conditions, the cim user is not created correctly.
This patch adds a validation step to set_password to ensure that
the user is set up and configured correctly before the password
is set.

rhbz#858246

Change-Id: I73ba337154728e20229d3814fb484826c335fb89
Signed-off-by: Mike Burns <mburns at redhat.com>
---
M recipe/common-post.ks
M scripts/ovirt-init-functions.sh
M scripts/ovirt_config_setup/cim.py
M scripts/ovirtnode/ovirtfunctions.py
4 files changed, 44 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/24/8524/1

diff --git a/recipe/common-post.ks b/recipe/common-post.ks
index e1c203b..3939419 100644
--- a/recipe/common-post.ks
+++ b/recipe/common-post.ks
@@ -243,7 +243,7 @@
 #CIM related changes
 # set read-only
 echo "readonly = true;" > /etc/libvirt-cim.conf
-useradd -G sfcb cim
+useradd -g cim -G sfcb -s /sbin/nologin cim
 
 # disable yum repos by default
 augtool << \EOF_yum
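Review bot: The added `useradd -g cim -G sfcb -s /sbin/nologin cim` requires the `cim` group to exist already, whereas the removed `useradd -G sfcb cim` named no primary group. No `groupadd` is visible in this hunk, so if neither the recipe nor a package creates the group earlier, useradd would fail and the image would be built without the account. The same dependency applies to the `useradd -G sfcb -g cim ...` line in scripts/ovirt-init-functions.sh and to `add_user` in scripts/ovirtnode/ovirtfunctions.py. Consider `getent group cim >/dev/null || groupadd cim` immediately before the useradd, or a comment naming where the group comes from.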
diff --git a/scripts/ovirt-init-functions.sh b/scripts/ovirt-init-functions.sh
index 72825aa..7c182db 100644
--- a/scripts/ovirt-init-functions.sh
+++ b/scripts/ovirt-init-functions.sh
@@ -550,7 +550,7 @@
             fi
             if ! grep -q ^cim /etc/passwd; then
                 unmount_config /etc/passwd /etc/shadow
-                useradd -g cim -s /usr/libexec/ovirt-admin-shell cim
+                useradd -G sfcb -g cim -s /sbin/nologin cim
                 persist /etc/shadow /etc/passwd
             fi
             ;;
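Review bot: The switch to `/sbin/nologin` on the added useradd line only applies when no `cim` entry exists. A node upgraded with an account created by the removed line keeps `/usr/libexec/ovirt-admin-shell` and has no `sfcb` membership until `create_cim_user` is reached from the CIM password page. If the service account is never meant to have an interactive shell, an `else` branch running `usermod -s /sbin/nologin -a -G sfcb cim` (presumably inside the same unmount_config/persist pair) would repair it at boot. Separately, the context guard `grep -q ^cim /etc/passwd` matches any login name that begins with cim; `^cim:` would be exact. The enclosing case arm starts and ends outside the hunk.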
diff --git a/scripts/ovirt_config_setup/cim.py b/scripts/ovirt_config_setup/cim.py
index 28bf0cd..babf31a 100755
--- a/scripts/ovirt_config_setup/cim.py
+++ b/scripts/ovirt_config_setup/cim.py
@@ -22,6 +22,8 @@
 from ovirtnode.password import *
 from snack import *
 import _snack
+import grp
+import pwd
 
 
 def enable_cim():
@@ -45,6 +47,10 @@
 
     def __init__(self, ncs):
         PluginBase.__init__(self, "CIM", ncs)
+        self.username = "cim"
+        self.shell = "/sbin/nologin"
+        self.main_group = "cim"
+        self.group_list = "sfcb"
 
     def form(self):
         elements = Grid(2, 9)
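Review bot: `self.group_list = "sfcb"` is never read in this change. `create_cim_user`, added further down in the same file, reads `self.groups`, which nothing visible assigns, so the first call would presumably raise AttributeError. Either rename the assignment to `self.groups = "sfcb"` or change the reads to `self.group_list`. A one-line comment above the four assignments, such as `# Expected properties of the CIM service account; enforced by create_cim_user()`, would explain why they live in `__init__`.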
@@ -114,6 +120,7 @@
     def __set_cim_password(self):
         msg = None
         failed = True
+        self.create_cim_user()
         if self.valid_password:
             if set_password(self.cim_password_1.value(), "cim"):
                 msg = "CIM Password Successfully Set"
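Review bot: `self.create_cim_user()` is called before the `self.valid_password` check and outside any error handling, so the account is created or modified even when the entered password is rejected. A failure there (for example `grp.getgrnam` raising KeyError for a missing group) would escape `__set_cim_password` instead of producing the failure message. Moving the call inside `if self.valid_password:` and catching the error to set `msg` would keep the page behaviour consistent. The context line `set_password(self.cim_password_1.value(), "cim")` still hard-codes the name; passing `self.username` would keep the two in step. The method body continues outside the hunk.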
@@ -138,6 +145,23 @@
 
         return
 
+    def create_cim_user(self):
+        if not check_user_exists(self.username):
+            add_user(self.username, self.shell, self.main_group, self.groups)
+        else:
+            userinfo = pwd.getpwnam(self.username)
+            if not userinfo.pw_gid == grp.getgrnam(self.main_group).gr_gid:
+                system_closefds("usermod -g %s %s" % (self.main_group,
+                                                      self.username))
+            if not userinfo.pw_shell == self.shell:
+                system_closefds("usermod -s %s %s" % (self.shell,
+                                                      self.username))
+            for group in groups.split(","):
+                if self.username not in grp.getgrnam(group).gr_mem:
+                    system_closefds("usermod -G %s %s" % (self.groups,
+                                                          self.username))
+                    break
+
 
 def get_plugin(ncs):
     return Plugin(ncs)
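Review bot: `for group in groups.split(","):` uses a bare name `groups` that is not defined anywhere in `create_cim_user`, so the else branch would raise NameError for an account that already exists, which is the upgrade case this change targets. It should read `for group in self.groups.split(","):`, with the attribute name matching whatever `__init__` assigns. `usermod -G` without `-a` replaces the whole supplementary group list, so `"usermod -a -G %s %s"` is safer if the account can hold other memberships. `grp.getgrnam` raises KeyError when `cim` or `sfcb` is missing, and the method has no docstring saying whether that is meant to propagate to the caller.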
diff --git a/scripts/ovirtnode/ovirtfunctions.py b/scripts/ovirtnode/ovirtfunctions.py
index fe49e7f..7dbf07b 100644
--- a/scripts/ovirtnode/ovirtfunctions.py
+++ b/scripts/ovirtnode/ovirtfunctions.py
@@ -35,6 +35,8 @@
 import cracklib
 import libvirt
 import logging
+import grp
+import pwd
 
 OVIRT_LOGFILE="/var/log/ovirt.log"
 OVIRT_TMP_LOGFILE="/tmp/ovirt.log"
@@ -1146,6 +1148,22 @@
     else:
         return False
 
+# Check if a user exists on the system
+def check_user_exists(name):
+    try:
+        pwd.getpwnam(name)
+        return True
+    except KeyError:
+        return False
+
+def add_user(username, shell="/usr/libexec/ovirt-admin-shell", group="",
+             sec_groups="", locked=True):
+    cmd = "useradd -g %s -G %s -s %s %s" % (group, sec_groups, shell, username)
+    system_closeFDS(cmd)
+    if locked:
+        cmd = "passwd -l %s" % username
+        system_closefds(cmd)
+
 def get_installed_version_number():
     if mount_liveos():
         existing_version = open("/liveos/version")
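Review bot: `add_user` calls `system_closeFDS(cmd)` while the next call and the rest of this change use `system_closefds`; unless an alias with that spelling exists elsewhere in the module, the useradd step raises NameError and no account is created. The defaults `group=""` and `sec_groups=""` also produce `useradd -g  -G  -s ...`, where the option parser takes the following flag as the group name. The values are interpolated into a shell command string, so a docstring should state that callers may pass only fixed, trusted names (as the CIM plugin does). The version below emits `-g` and `-G` only when a value is given; `get_installed_version_number` continues outside the hunk.

```python
def add_user(username, shell="/usr/libexec/ovirt-admin-shell", group="",
             sec_groups="", locked=True):
    # Arguments are placed into a shell command line unescaped:
    # pass only fixed, trusted names.
    opts = []
    if group:
        opts.append("-g %s" % group)
    if sec_groups:
        opts.append("-G %s" % sec_groups)
    opts.append("-s %s" % shell)
    cmd = "useradd %s %s" % (" ".join(opts), username)
    system_closefds(cmd)
    # ... unchanged: optional "passwd -l" when locked is True ...
```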


--
To view, visit http://gerrit.ovirt.org/8524

Gerrit-MessageType: newchange
Gerrit-Change-Id: I73ba337154728e20229d3814fb484826c335fb89
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Michael Burns <mburns at redhat.com>


