thr3ads.net - Xen devel - [Xen-devel] [PATCH] provide real error message when trying to run xm as non root [Jul 2005]

If this information is useful, please help other people find it:
Share via:

Sean Dague

2005-Jul-26 14:41 UTC

[Xen-devel] [PATCH] provide real error message when trying to run xm as non root

This patch prevents you from getting a screen full of stack trace when
trying to run commands like xm list as a normal user, and instead provides a
helpful error message.


Signed-off-by: Sean Dague <sean@dague.net>

Diffstat output:
 main.py |    7 +++++++
 1 files changed, 7 insertions(+)

diff -r 48aed1403fe3 tools/python/xen/xm/main.py
--- a/tools/python/xen/xm/main.py	Fri Jul 22 16:44:33 2005
+++ b/tools/python/xen/xm/main.py	Tue Jul 26 10:31:24 2005
@@ -11,6 +11,13 @@
 
 from xen.xend import PrettyPrint
 from xen.xend import sxp
+# this is a nasty place to stick this in, but required because
+# log file access is set up via a 5 deep import chain.  This
+# ensures the user sees a useful message instead of a stack trace
+if os.getuid() != 0:
+    print "xm requires root access to execute, please try again as
root"
+    sys.exit(1)
+
 from xen.xend.XendClient import XendError, server
 from xen.xend.XendClient import main as xend_client_main
 from xen.xm import create, destroy, migrate, shutdown, sysrq


	-Sean

-- 
__________________________________________________________________

Sean Dague                                       Mid-Hudson Valley
sean at dague dot net                            Linux Users Group
http://dague.net                                 http://mhvlug.org

There is no silver bullet.  Plus, werewolves make better neighbors
than zombies, and they tend to keep the vampire population down.
__________________________________________________________________


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Andrew Thompson

2005-Jul-26 14:52 UTC

head link

Re: [Xen-devel] [PATCH] provide real error message when trying to run xm as non root

Sean Dague wrote:> This patch prevents you from getting a screen full of stack trace when
> trying to run commands like xm list as a normal user, and instead provides
a
> helpful error message.
+1, Admirable. (non-binding/non-voter/non-commiter)
> Signed-off-by: Sean Dague <sean@dague.net>
> 
> Diffstat output:
>  main.py |    7 +++++++
>  1 files changed, 7 insertions(+)
> 
> diff -r 48aed1403fe3 tools/python/xen/xm/main.py
> --- a/tools/python/xen/xm/main.py	Fri Jul 22 16:44:33 2005
> +++ b/tools/python/xen/xm/main.py	Tue Jul 26 10:31:24 2005
> @@ -11,6 +11,13 @@
>  
>  from xen.xend import PrettyPrint
>  from xen.xend import sxp
> +# this is a nasty place to stick this in, but required because
> +# log file access is set up via a 5 deep import chain.  This
> +# ensures the user sees a useful message instead of a stack trace
> +if os.getuid() != 0:
> +    print "xm requires root access to execute, please try again as
root"
> +    sys.exit(1)
> +
>  from xen.xend.XendClient import XendError, server
>  from xen.xend.XendClient import main as xend_client_main
>  from xen.xm import create, destroy, migrate, shutdown, sysrq
Please allow me to show my possible ignorance...

Is there no better way to test for elevated privileges?
Would it be unreasonable to think xm maintenance tasks could be handed 
off to members of a non-root group?

-- 
Andrew Thompson
http://aktzero.com/


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Sean Dague

2005-Jul-26 15:09 UTC

head link

[Xen-devel] Re: [PATCH] provide real error message when trying to run xm as non root

On Tue, Jul 26, 2005 at 10:52:35AM -0400, Andrew Thompson
wrote:> Sean Dague wrote:
> >This patch prevents you from getting a screen full of stack trace when
> >trying to run commands like xm list as a normal user, and instead
provides
> >a
> >helpful error message.
> 
> +1, Admirable. (non-binding/non-voter/non-commiter)
> 
> >Signed-off-by: Sean Dague <sean@dague.net>
> >
> >Diffstat output:
> > main.py |    7 +++++++
> > 1 files changed, 7 insertions(+)
> >
> >diff -r 48aed1403fe3 tools/python/xen/xm/main.py
> >--- a/tools/python/xen/xm/main.py	Fri Jul 22 16:44:33 2005
> >+++ b/tools/python/xen/xm/main.py	Tue Jul 26 10:31:24 2005
> >@@ -11,6 +11,13 @@
> > 
> > from xen.xend import PrettyPrint
> > from xen.xend import sxp
> >+# this is a nasty place to stick this in, but required because
> >+# log file access is set up via a 5 deep import chain.  This
> >+# ensures the user sees a useful message instead of a stack trace
> >+if os.getuid() != 0:
> >+    print "xm requires root access to execute, please try again
as root"
> >+    sys.exit(1)
> >+
> > from xen.xend.XendClient import XendError, server
> > from xen.xend.XendClient import main as xend_client_main
> > from xen.xm import create, destroy, migrate, shutdown, sysrq
> 
> Please allow me to show my possible ignorance...
> 
> Is there no better way to test for elevated privileges?
> Would it be unreasonable to think xm maintenance tasks could be handed 
> off to members of a non-root group?
Unfortunately the root problem comes from the fact that xm writes to the
xend log file directly, and in unprivileged state, throws an exception
because it doesn''t have write access to that file.  The 2nd part of
this
problem is that this exception is buried down a whole series of 5 level
magical import object creation paths, and hence is very hard to reasonably
get to from the xm main().

I''m sure you *could* reorder xm code to make this a strict perms check,
but
the level of spagetti sorting to get there may not really be worth it.  I
also think you''d have to remove the direct logging from xm to be able
to do
priv seperate between xm and xend, and that is really strewn throughout all
the code.

	-Sean

-- 
__________________________________________________________________

Sean Dague                                       Mid-Hudson Valley
sean at dague dot net                            Linux Users Group
http://dague.net                                 http://mhvlug.org

There is no silver bullet.  Plus, werewolves make better neighbors
than zombies, and they tend to keep the vampire population down.
__________________________________________________________________


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

2005-Jul-26 15:35 UTC

head link

Re: [Xen-devel] Re: [PATCH] provide real error message when trying to run xm as non root

On 7/27/05, Sean Dague <sean@dague.net> wrote:> On Tue, Jul 26, 2005 at 10:52:35AM -0400, Andrew Thompson wrote:
> > Sean Dague wrote:
> > >This patch prevents you from getting a screen full of stack trace
when
> > >trying to run commands like xm list as a normal user, and instead
provides
> > >a
> > >helpful error message.
> >
> > +1, Admirable. (non-binding/non-voter/non-commiter)
> >
> > >Signed-off-by: Sean Dague <sean@dague.net>
> > >
> > >Diffstat output:
> > > main.py |    7 +++++++
> > > 1 files changed, 7 insertions(+)
> > >
> > >diff -r 48aed1403fe3 tools/python/xen/xm/main.py
> > >--- a/tools/python/xen/xm/main.py    Fri Jul 22 16:44:33 2005
> > >+++ b/tools/python/xen/xm/main.py    Tue Jul 26 10:31:24 2005
> > >@@ -11,6 +11,13 @@
> > >
> > > from xen.xend import PrettyPrint
> > > from xen.xend import sxp
> > >+# this is a nasty place to stick this in, but required because
> > >+# log file access is set up via a 5 deep import chain.  This
> > >+# ensures the user sees a useful message instead of a stack trace
> > >+if os.getuid() != 0:
> > >+    print "xm requires root access to execute, please try
again as root"
> > >+    sys.exit(1)
> > >+
> > > from xen.xend.XendClient import XendError, server
> > > from xen.xend.XendClient import main as xend_client_main
> > > from xen.xm import create, destroy, migrate, shutdown, sysrq
> >
> > Please allow me to show my possible ignorance...
> >
> > Is there no better way to test for elevated privileges?
> > Would it be unreasonable to think xm maintenance tasks could be handed
> > off to members of a non-root group?
> 
> Unfortunately the root problem comes from the fact that xm writes to the
> xend log file directly, and in unprivileged state, throws an exception
> because it doesn''t have write access to that file.  The 2nd part
of this
> problem is that this exception is buried down a whole series of 5 level
> magical import object creation paths, and hence is very hard to reasonably
> get to from the xm main().
> 
yes, most of the problem comes from the fact that most call to
XendRoot.py is to get xend configuations (in xend-config.sxp), but too
bad XendRoot has another function: to open a log file, wich is the job
of root.

actually i had a patch to split XendRoot.py (to make a new
XendConfig.py) and convert most call to XendRoot to XendConfig, but
never have a chance to submit it. probably i will give another attempt
this weekend.


regards,
aq

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Xen devel - Jul 2005 - [PATCH] provide real error message when trying to run xm as non root

[Xen-devel] [PATCH] provide real error message when trying to run xm as non root

Re: [Xen-devel] [PATCH] provide real error message when trying to run xm as non root

[Xen-devel] Re: [PATCH] provide real error message when trying to run xm as non root

Re: [Xen-devel] Re: [PATCH] provide real error message when trying to run xm as non root