[PATCH phosphor-networkd] Validating user & group names prior to system call and wait() on proc spawned with pexpect.

Brad Bishop bradleyb at fuzziesquirrel.com
Fri Feb 12 09:39:46 AEDT 2016


Sorry about the dup Stewart…

grp just parses the file and returns a dictionary.  It doesn’t do anything that modifies the group database.

The only thing I could find was libuser….

-brad

> On Feb 11, 2016, at 5:18 PM, Stewart Smith <stewart at linux.vnet.ibm.com> wrote:
> 
> OpenBMC Patches <openbmc-patches at stwcx.xyz <mailto:openbmc-patches at stwcx.xyz>> writes:
>> From: Hariharasubramanian R <hramasub at in.ibm.com>
>> 
>> ---
>> userman.py | 106 ++++++++++++++++++++++++++++++++++++++++++++-----------------
>> 1 file changed, 76 insertions(+), 30 deletions(-)
>> 
>> diff --git a/userman.py b/userman.py
>> index 6109582..033d3d1 100755
>> --- a/userman.py
>> +++ b/userman.py
>> @@ -25,7 +25,8 @@ OBJ_NAME_USER = '/org/openbmc/UserManager/User'
>>     Object Path > /org/openbmc/UserManager/Groups
>>         Interface:Method > org.openbmc.Enrol.GroupAddSys string:"groupname"
>>         Interface:Method > org.openbmc.Enrol.GroupAddUsr string:"groupname"
>> -        Interface:Method > org.openbmc.Enrol.GroupList
>> +        Interface:Method > org.openbmc.Enrol.GroupListUsr
>> +        Interface:Method > org.openbmc.Enrol.GroupListSys
>>     Object Path > /org/openbmc/UserManager/Group
>>         Interface:Method > org.openbmc.Enrol.GroupDel string:"groupname"
>>     Object Path > /org/openbmc/UserManager/Users
>> @@ -60,16 +61,26 @@ class UserManGroups (dbus.service.Object):
>> 
>>     @dbus.service.method(INTF_NAME, "s", "x")
>>     def GroupAddUsr (self, groupname):
>> +        if not groupname : return 1
>> +
>> +        groups = self.GroupListAll ()
>> +        if groupname in groups: return 1
>> +
>>         r = call (["addgroup", groupname])
>>         return r
>> 
>>     @dbus.service.method(INTF_NAME, "s", "x")
>>     def GroupAddSys (self, groupname):
>> +        if not groupname : return 1
>> +
>> +        groups = self.GroupListAll ()
>> +        if groupname in groups: return 1
>> +
>>         r = call (["addgroup", "-S", groupname])
>>         return 0
>> 
>>     @dbus.service.method(INTF_NAME, "", "as")
>> -    def GroupList (self):
>> +    def GroupListUsr (self):
>>         groupList = []
>>         with open("/etc/group", "r") as f:
>>             for grent in f:
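Review bot: The new guards in GroupAddUsr and GroupAddSys reject only an empty or already-existing `groupname`, so a D-Bus caller can still pass a value that begins with `-`, which `addgroup` would read as an option rather than a name. A character allow-list before the `call` closes that, e.g. `if not re.match(r'^[a-z_][a-z0-9_-]*\Z', groupname): return 1` (needs `import re`; adjust the pattern to the naming policy wanted on the BMC). GroupAddSys also still ends in `return 0` on the unchanged line after the `call`, so a failed `addgroup -S` is reported as success; `return r` would match GroupAddUsr. `GroupListAll` is not defined in the quoted hunks, so its behaviour is assumed here.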
>> @@ -78,6 +89,23 @@ class UserManGroups (dbus.service.Object):
>>                     groupList.append(groupParams[0])
>>         return groupList
>> 
>> +    @dbus.service.method(INTF_NAME, "", "as")
>> +    def GroupListSys (self):
>> +        groupList = []
>> +        with open("/etc/group", "r") as f:
>> +            for grent in f:
>> +                groupParams = grent.split (":")
>> +                if (int(groupParams[2]) > 100 and int(groupParams[2]) < 1000): groupList.append(groupParams[0])
>> +        return groupList
> 
> Why aren't you using an existing python module such as grp rather than
> writing your own (likely buggy) parser?
> 
> It seems to have existed since at least python 2.6...
> https://docs.python.org/2.6/library/grp.html <https://docs.python.org/2.6/library/grp.html>
> 
>> @@ -111,39 +144,31 @@ class UserManUsers (dbus.service.Object):
>> 
>>     @dbus.service.method(INTF_NAME, "ssss", "x")
>>     def UserAdd (self, gecos, username, groupname, passwd):
>> +        if not username: return 1
>> +
>> +        users = self.UserList ()
>> +        if username in users : return 1
>> +
>>         if groupname:
>> -            cmd = "adduser "  + " -g "  + gecos + " -G ", groupname + " " + username
>> +            groups = Groupsobj.GroupListAll ()
>> +            if groupname not in groups: return 1
>> +
>> +        opts = ""
>> +        if gecos: opts = " -g " + '"' + gecos + '"'
>> +
>> +        if groupname:
>> +            cmd = "adduser "  + opts + " " + " -G " + groupname + " " + username
>>         else:
>> -            cmd = "adduser "  + " -g "  + gecos + username
>> +            cmd = "adduser "  + opts + " " + username
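Review bot: `cmd` in UserAdd is still built by string concatenation from the D-Bus arguments `gecos`, `groupname` and `username`, and wrapping `gecos` in `'"'` does not escape a `"` or whitespace inside it. How `cmd` is executed lies past the quoted part of this hunk; if it goes to `pexpect.spawn(cmd)`, as the patch title suggests, the string is split into arguments, so a crafted value can add or alter `adduser` options. Passing an argument list avoids the quoting problem entirely, e.g. `args = (["-g", gecos] if gecos else []) + (["-G", groupname] if groupname else []) + [username]` followed by `pexpect.spawn("adduser", args)`. `username` is checked only for emptiness and uniqueness, so it needs a character allow-list as well. `Groupsobj` is referenced as a global that is not visible in the quoted hunks.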
> 
> I note there's a python-libuser package on ubuntu, is that a library
> that could be used instead?
> 
> -- 
> Stewart Smith
> OPAL Architect, IBM.
> 
> _______________________________________________
> openbmc mailing list
> openbmc at lists.ozlabs.org <mailto:openbmc at lists.ozlabs.org>
> https://lists.ozlabs.org/listinfo/openbmc <https://lists.ozlabs.org/listinfo/openbmc>