cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Fix exec_command to not use a shell

Browse source
This commit is contained in:
Toshio Kuratomi 2015-06-23 22:27:45 -07:00
parent 480ad7413a
commit 784fb8ff8e
3 changed files with 28 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
lib/ansible/runner/connection_plugins/chroot.py
View file

@ -22,9 +22,11 @@ __metaclass__ = type
import distutils.spawn import distutils.spawn
import traceback import traceback
import os import os
import shlex
import subprocess import subprocess
from ansible import errors from ansible import errors
from ansible import utils from ansible import utils
from ansible.utils.unicode import to_bytes
from ansible.callbacks import vvv from ansible.callbacks import vvv
import ansible.constants as C import ansible.constants as C
@ -70,7 +72,11 @@ class Connection(object):
if executable: if executable:
local_cmd = [self.chroot_cmd, self.chroot, executable, '-c', cmd] local_cmd = [self.chroot_cmd, self.chroot, executable, '-c', cmd]
else: else:
local_cmd = '%s "%s" %s' % (self.chroot_cmd, self.chroot, cmd) # Prev to python2.7.3, shlex couldn't handle unicode type strings
cmd = to_bytes(cmd)
cmd = shlex.split(cmd)
local_cmd = [self.chroot_cmd, self.chroot]
local_cmd += cmd
return local_cmd return local_cmd
def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None, stdin=subprocess.PIPE): def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None, stdin=subprocess.PIPE):
@ -88,11 +94,11 @@ class Connection(object):
if in_data: if in_data:
raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining") raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining")
# We enter chroot as root so we ignore privlege escalation? # We enter zone as root so we ignore privilege escalation (probably need to fix in case we have to become a specific used [ex: postgres admin])?
local_cmd = self._generate_cmd(executable, cmd) local_cmd = self._generate_cmd(executable, cmd)
vvv("EXEC %s" % (local_cmd), host=self.chroot) vvv("EXEC %s" % (local_cmd), host=self.chroot)
p = subprocess.Popen(local_cmd, shell=isinstance(local_cmd, basestring), p = subprocess.Popen(local_cmd, shell=False,
cwd=self.runner.basedir, cwd=self.runner.basedir,
stdin=stdin, stdin=stdin,
stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@ -136,7 +142,7 @@ class Connection(object):
try: try:
p = self._buffered_exec_command('dd if=%s bs=%s' % (in_path, BUFSIZE), None) p = self._buffered_exec_command('dd if=%s bs=%s' % (in_path, BUFSIZE), None)
except OSError: except OSError:
raise errors.AnsibleError("chroot connection requires dd command in the jail") raise errors.AnsibleError("chroot connection requires dd command in the chroot")
with open(out_path, 'wb+') as out_file: with open(out_path, 'wb+') as out_file:
try: try:

12
lib/ansible/runner/connection_plugins/jail.py
View file

@ -23,8 +23,10 @@ __metaclass__ = type
import distutils.spawn import distutils.spawn
import traceback import traceback
import os import os
import shlex
import subprocess import subprocess
from ansible import errors from ansible import errors
from ansible.utils.unicode import to_bytes
from ansible.callbacks import vvv from ansible.callbacks import vvv
import ansible.constants as C import ansible.constants as C
@ -92,7 +94,11 @@ class Connection(object):
if executable: if executable:
local_cmd = [self.jexec_cmd, self.jail, executable, '-c', cmd] local_cmd = [self.jexec_cmd, self.jail, executable, '-c', cmd]
else: else:
local_cmd = '%s "%s" %s' % (self.jexec_cmd, self.jail, cmd) # Prev to python2.7.3, shlex couldn't handle unicode type strings
cmd = to_bytes(cmd)
cmd = shlex.split(cmd)
local_cmd = [self.jexec_cmd, self.jail]
local_cmd += cmd
return local_cmd return local_cmd
def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None, stdin=subprocess.PIPE): def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable='/bin/sh', in_data=None, stdin=subprocess.PIPE):
@ -110,11 +116,11 @@ class Connection(object):
if in_data: if in_data:
raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining") raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining")
# Ignores privilege escalation # We enter zone as root so we ignore privilege escalation (probably need to fix in case we have to become a specific used [ex: postgres admin])?
local_cmd = self._generate_cmd(executable, cmd) local_cmd = self._generate_cmd(executable, cmd)
vvv("EXEC %s" % (local_cmd), host=self.jail) vvv("EXEC %s" % (local_cmd), host=self.jail)
p = subprocess.Popen(local_cmd, shell=isinstance(local_cmd, basestring), p = subprocess.Popen(local_cmd, shell=False,
cwd=self.runner.basedir, cwd=self.runner.basedir,
stdin=stdin, stdin=stdin,
stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout=subprocess.PIPE, stderr=subprocess.PIPE)

12
lib/ansible/runner/connection_plugins/zone.py
View file

@ -24,8 +24,10 @@ __metaclass__ = type
import distutils.spawn import distutils.spawn
import traceback import traceback
import os import os
import shlex
import subprocess import subprocess
from ansible import errors from ansible import errors
from ansible.utils.unicode import to_bytes
from ansible.callbacks import vvv from ansible.callbacks import vvv
import ansible.constants as C import ansible.constants as C
@ -101,7 +103,11 @@ class Connection(object):
### TODO: Why was "-c" removed from here? (vs jail.py) ### TODO: Why was "-c" removed from here? (vs jail.py)
local_cmd = [self.zlogin_cmd, self.zone, executable, cmd] local_cmd = [self.zlogin_cmd, self.zone, executable, cmd]
else: else:
local_cmd = '%s "%s" %s' % (self.zlogin_cmd, self.zone, cmd) # Prev to python2.7.3, shlex couldn't handle unicode type strings
cmd = to_bytes(cmd)
cmd = shlex.split(cmd)
local_cmd = [self.zlogin_cmd, self.zone]
local_cmd += cmd
return local_cmd return local_cmd
def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable=None, in_data=None, stdin=subprocess.PIPE): def _buffered_exec_command(self, cmd, tmp_path, become_user=None, sudoable=False, executable=None, in_data=None, stdin=subprocess.PIPE):
@ -119,11 +125,11 @@ class Connection(object):
if in_data: if in_data:
raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining") raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining")
# We happily ignore privilege escalation # We enter zone as root so we ignore privilege escalation (probably need to fix in case we have to become a specific used [ex: postgres admin])?
local_cmd = self._generate_cmd(executable, cmd) local_cmd = self._generate_cmd(executable, cmd)
vvv("EXEC %s" % (local_cmd), host=self.zone) vvv("EXEC %s" % (local_cmd), host=self.zone)
p = subprocess.Popen(local_cmd, shell=isinstance(local_cmd, basestring), p = subprocess.Popen(local_cmd, shell=False,
cwd=self.runner.basedir, cwd=self.runner.basedir,
stdin=stdin, stdin=stdin,
stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout=subprocess.PIPE, stderr=subprocess.PIPE)