Dima Kuznetsov has uploaded a new change for review.
Change subject: logging: Add log handler that enforces perms
......................................................................
logging: Add log handler that enforces perms
This handler, extending WatchedFileHandler, given the desired uid + gid of the
log file, checks that the running process satisfies the uid + gid
requirement.
Change-Id: I0a4d7212cb311b22e4fb60ffdc45163a496a74d6
Signed-off-by: Dima Kuznetsov <dkuznets(a)redhat.com>
---
M vdsm/logUtils.py
1 file changed, 16 insertions(+), 0 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/28/26728/1
diff --git a/vdsm/logUtils.py b/vdsm/logUtils.py
index 6949d44..dd16249 100644
--- a/vdsm/logUtils.py
+++ b/vdsm/logUtils.py
@@ -19,6 +19,8 @@
#
import logging
+import logging.handlers
+import os
import sys
from functools import wraps
from inspect import ismethod
@@ -163,3 +165,17 @@
raise
except:
self.handleError(record)
+
+
+class EnforcingWatchedFileHandler(logging.handlers.WatchedFileHandler):
+ def __init__(self, uid, gid, *args, **kwargs):
+ self._uid = uid
+ self._gid = gid
+ logging.handlers.WatchedFileHandler.__init__(self, *args, **kwargs)
+
+ def _open(self):
+ if (os.geteuid() != self._uid) or (os.getegid() != self._gid):
+ raise RuntimeError(
+ "Attempt to open log with incorrect credentials"
+ )
+ return logging.handlers.WatchedFileHandler._open(self)
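Review bot: in `_open`, the check compares only the process's effective ids (`os.geteuid()`, `os.getegid()`) against the expected values and never looks at the owner or mode of the log file itself, while the subject line says the handler "enforces perms". The new class has no docstring; one stating exactly what is checked, and that a mismatch raises RuntimeError, would keep callers from assuming the file's ownership is verified. The RuntimeError text would also be easier to act on if it included the expected and actual ids, for example "expected %d:%d, running as %d:%d".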
--
To view, visit
http://gerrit.ovirt.org/26728
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0a4d7212cb311b22e4fb60ffdc45163a496a74d6
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Dima Kuznetsov <dkuznets(a)redhat.com>