oslo_privsep package¶
Subpackages¶
Submodules¶
oslo_privsep.capabilities module¶
-
class
oslo_privsep.capabilities.
Capabilities
(value)¶ Bases:
enum.IntEnum
An enumeration.
-
CAP_AUDIT_CONTROL
= 30¶
-
CAP_AUDIT_READ
= 37¶
-
CAP_AUDIT_WRITE
= 29¶
-
CAP_BLOCK_SUSPEND
= 36¶
-
CAP_CHOWN
= 0¶
-
CAP_DAC_OVERRIDE
= 1¶
-
CAP_DAC_READ_SEARCH
= 2¶
-
CAP_FOWNER
= 3¶
-
CAP_FSETID
= 4¶
-
CAP_IPC_LOCK
= 14¶
-
CAP_IPC_OWNER
= 15¶
-
CAP_KILL
= 5¶
-
CAP_LEASE
= 28¶
-
CAP_LINUX_IMMUTABLE
= 9¶
-
CAP_MAC_ADMIN
= 33¶
-
CAP_MAC_OVERRIDE
= 32¶
-
CAP_MKNOD
= 27¶
-
CAP_NET_ADMIN
= 12¶
-
CAP_NET_BIND_SERVICE
= 10¶
-
CAP_NET_BROADCAST
= 11¶
-
CAP_NET_RAW
= 13¶
-
CAP_SETFCAP
= 31¶
-
CAP_SETGID
= 6¶
-
CAP_SETPCAP
= 8¶
-
CAP_SETUID
= 7¶
-
CAP_SYSLOG
= 34¶
-
CAP_SYS_ADMIN
= 21¶
-
CAP_SYS_BOOT
= 22¶
-
CAP_SYS_CHROOT
= 18¶
-
CAP_SYS_MODULE
= 16¶
-
CAP_SYS_NICE
= 23¶
-
CAP_SYS_PACCT
= 20¶
-
CAP_SYS_PTRACE
= 19¶
-
CAP_SYS_RAWIO
= 17¶
-
CAP_SYS_RESOURCE
= 24¶
-
CAP_SYS_TIME
= 25¶
-
CAP_SYS_TTY_CONFIG
= 26¶
-
CAP_WAKE_ALARM
= 35¶
-
-
oslo_privsep.capabilities.
drop_all_caps_except
(effective, permitted, inheritable)¶ Set (effective, permitted, inheritable) to provided list of caps
-
oslo_privsep.capabilities.
get_caps
()¶ Return (effective, permitted, inheritable) as lists of caps
-
oslo_privsep.capabilities.
set_keepcaps
(enable)¶ Set/unset thread’s “keep capabilities” flag - see prctl(2)
oslo_privsep.comm module¶
Serialization/Deserialization for privsep.
The wire format is a stream of msgpack objects encoding primitive python datatypes. Msgpack ‘raw’ is assumed to be a valid utf8 string (msgpack 2.0 ‘bin’ type is used for bytes). Python lists are converted to tuples during serialization/deserialization.
-
class
oslo_privsep.comm.
ClientChannel
(sock)¶ Bases:
object
-
close
()¶
-
out_of_band
(msg)¶ Received OOB message. Subclasses might want to override this.
-
send_recv
(msg)¶
-
-
class
oslo_privsep.comm.
Deserializer
(readsock)¶ Bases:
object
-
class
oslo_privsep.comm.
Future
(lock)¶ Bases:
object
A very simple object to track the return of a function call
-
result
()¶ Must already be holding lock used in constructor
-
set_exception
(exc)¶ Must already be holding lock used in constructor
-
set_result
(data)¶ Must already be holding lock used in constructor
-
oslo_privsep.daemon module¶
Privilege separation (“privsep”) daemon.
To ease transition this supports 2 alternative methods of starting the daemon, all resulting in a helper process running with elevated privileges and open socket(s) to the original process:
Start via fork()
Assumes process currently has all required privileges and is about to drop them (perhaps by setuid to an unprivileged user). If the the initial environment is secure and PrivContext.start(Method.FORK) is called early in main(), then this is the most secure and simplest. In particular, if the initial process is already running as non-root (but with sufficient capabilities, via eg suitable systemd service files), then no part needs to involve uid=0 or sudo.
Start via sudo/rootwrap
This starts the privsep helper on first use via sudo and rootwrap, and communicates via a temporary Unix socket passed on the command line. The communication channel is briefly exposed in the filesystem, but is protected with file permissions and connecting to it only grants access to the unprivileged process. Requires a suitable entry in sudoers or rootwrap.conf filters.
The privsep daemon exits when the communication channel is closed, (which usually occurs when the unprivileged process exits).
-
class
oslo_privsep.daemon.
Daemon
(channel, context)¶ Bases:
object
NB: This doesn’t fork() - do that yourself before calling run()
-
loop
()¶ Main body of daemon request loop
-
run
()¶ Run request loop. Sets up environment, then calls loop()
-
-
exception
oslo_privsep.daemon.
FailedToDropPrivileges
¶ Bases:
Exception
-
class
oslo_privsep.daemon.
ForkingClientChannel
(context)¶ Bases:
oslo_privsep.daemon._ClientChannel
-
class
oslo_privsep.daemon.
Message
(value)¶ Bases:
enum.IntEnum
Types of messages sent across the communication channel
-
CALL
= 3¶
-
ERR
= 5¶
-
LOG
= 6¶
-
PING
= 1¶
-
PONG
= 2¶
-
RET
= 4¶
-
-
class
oslo_privsep.daemon.
PrivsepLogHandler
(channel, processName=None)¶ Bases:
logging.Handler
-
emit
(record)¶ Do whatever it takes to actually log the specified logging record.
This version is intended to be implemented by subclasses and so raises a NotImplementedError.
-
-
exception
oslo_privsep.daemon.
ProtocolError
¶ Bases:
Exception
-
class
oslo_privsep.daemon.
RootwrapClientChannel
(context)¶ Bases:
oslo_privsep.daemon._ClientChannel
-
class
oslo_privsep.daemon.
StdioFd
(value)¶ Bases:
enum.IntEnum
An enumeration.
-
STDERR
= 2¶
-
STDIN
= 0¶
-
STDOUT
= 1¶
-
-
oslo_privsep.daemon.
fdopen
(fd, *args, **kwargs)¶
-
oslo_privsep.daemon.
helper_main
()¶ Start privileged process, serving requests over a Unix socket.
-
oslo_privsep.daemon.
replace_logging
(handler, log_root=None)¶
-
oslo_privsep.daemon.
set_cloexec
(fd)¶
-
oslo_privsep.daemon.
setgid
(group_id_or_name)¶
-
oslo_privsep.daemon.
setuid
(user_id_or_name)¶
-
oslo_privsep.daemon.
un_monkey_patch
()¶
oslo_privsep.priv_context module¶
-
oslo_privsep.priv_context.
CapNameOrInt
(value)¶
-
class
oslo_privsep.priv_context.
Method
(value)¶ Bases:
enum.Enum
An enumeration.
-
FORK
= 1¶
-
ROOTWRAP
= 2¶
-
-
class
oslo_privsep.priv_context.
PrivContext
(prefix, cfg_section='privsep', pypath=None, capabilities=None)¶ Bases:
object
-
property
conf
¶ Return the oslo.config section object as lazily as possible.
-
entrypoint
(func)¶ This is intended to be used as a decorator.
-
helper_command
(sockpath)¶
-
is_entrypoint
(func)¶
-
set_client_mode
(enabled)¶
-
start
(method=<Method.ROOTWRAP: 2>)¶
-
stop
()¶
-
property
-
oslo_privsep.priv_context.
init
(root_helper=None)¶ Initialise oslo.privsep library.
This function should be called at the top of main(), after the command line is parsed, oslo.config is initialised and logging is set up, but before calling any privileged entrypoint, changing user id, forking, or anything else “odd”.
- Parameters
root_helper – List of command and arguments to prefix privsep-helper with, in order to run helper as root. Note, ignored if context’s helper_command config option is set.