| author | Martin Basti <mbasti@redhat.com> | 2016-10-31 10:27:24 +0100 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2016-11-11 12:13:56 +0100 |
| commit | 83fe6b626fd2fb7f43ddf3568aaffca1ce569079 (patch) | |
| tree | 6b8b854fe63cd81d89f5a2a92a3e6b266f08732b | |
| parent | fcea3b3fb88ede0e9414f83ac2372e000e728587 (diff) | |
client: move custom env variable into client module
There is no need to have env as a parameter because it is used only
once, so it can be safely moved to the client.py module
NOTE: PATH should be overwritten to safe values before we execute any
command
https://www.securecoding.cert.org/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
| -rwxr-xr-x | client/ipa-client-install | 8 | ||||
| -rw-r--r-- | ipaclient/install/client.py | 12 |
2 files changed, 13 insertions, 7 deletions
diff --git a/client/ipa-client-install b/client/ipa-client-install index a5c84a895..fe8f071e0 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -229,20 +229,18 @@ def main(): root_logger.debug("missing options might be asked for interactively later") root_logger.debug('IPA version %s' % version.VENDOR_VERSION) - env={"PATH":"/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin"} - if options.uninstall: rval_check = client.uninstall_check(options) if rval_check != client.SUCCESS: return rval_check - return client.uninstall(options, env) + return client.uninstall(options) rval_check = client.install_check(options) if rval_check != client.SUCCESS: return rval_check - rval = client.install(options, env) + rval = client.install(options) if rval == client.CLIENT_INSTALL_ERROR: if options.force: root_logger.warning( @@ -255,7 +253,7 @@ def main(): else: root_logger.error("Installation failed. Rolling back changes.") options.unattended = True - client.uninstall(options, env) + client.uninstall(options) return rval diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 878bb04b0..95d8fcea9 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -78,6 +78,10 @@ CLIENT_NOT_CONFIGURED = 2 CLIENT_ALREADY_CONFIGURED = 3 CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state +SECURE_PATH = ( + "/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin" +) + # global variables hostname = None hostname_source = None @@ -2280,7 +2284,9 @@ def install_check(options): return SUCCESS -def install(options, env): +def install(options): + env = {'PATH': SECURE_PATH} + fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) 
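Review bot: `SECURE_PATH` is added to ipaclient/install/client.py with no comment saying what it is for, so a later edit could extend it with a user-writable directory or derive it from the caller's environment without realising the cost. I would put a short comment above it, for example `# Fixed PATH of system directories for external commands run by install()/uninstall() (CERT ENV03-C); never build this from os.environ.` The value still lists `/usr/kerberos/bin` and `/usr/kerberos/sbin`; whether those exist on the supported platforms is not visible here, so that is something to confirm rather than change.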
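Review bot: In `install()` the sanitized environment now lives only in the local `env = {'PATH': SECURE_PATH}`, so it protects only the external commands that are explicitly given `env`; anything else the function launches would still resolve binaries through the inherited PATH, which looks like the gap the commit message's NOTE describes. The same applies to `uninstall()` in the last hunk. Both function bodies continue outside the hunks, so I cannot see which calls receive `env`; if any do not, setting the process PATH once at entry, e.g. `os.environ['PATH'] = SECURE_PATH` (assuming `os` is imported in this module), would cover them all. Dropping the positional `env` parameter also breaks any caller outside `client/ipa-client-install` that still passes it, so other call sites are worth a grep before merging.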
@@ -2884,7 +2890,9 @@ def uninstall_check(options): return SUCCESS -def uninstall(options, env): +def uninstall(options): + env = {'PATH': SECURE_PATH} + fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) |
