Bug 1328882 - [cli] pcs command should launch Python interpreter with "sane" options
Summary: [cli] pcs command should launch Python interpreter with "sane" options
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Tomas Jelinek
QA Contact: cluster-qe@redhat.com
Depends On:
TreeView+ depends on / blocked
Reported: 2016-04-20 13:22 UTC by Jan Pokorný [poki]
Modified: 2017-08-01 18:22 UTC (History)
6 users (show)

The user runs a pcs command.

Pcs crashes, because it loads a user code instead of pcs code, based on user's custom settings.

Prevent pcs to load user specified code instead of its own.

Pcs works even if user has custom python modules matching pcs modules.
Clone Of:
: 1600893 (view as bug list)
Last Closed: 2017-08-01 18:22:57 UTC

Attachments (Terms of Use)
proposed fix (2.06 KB, patch)
2017-03-22 11:58 UTC, Tomas Jelinek
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1958 normal SHIPPED_LIVE pcs bug fix and enhancement update 2017-08-01 18:09:47 UTC

Description Jan Pokorný [poki] 2016-04-20 13:22:08 UTC
Demonstration why this is strongly desired:

$ LOCAL_PYLIB=~/.local/lib/python$(rpm -E '%{python_version}')
$ mkdir -p "${LOCAL_PYLIB}/site-packages"
$ touch "${LOCAL_PYLIB}/site-packages/commands.py"
$ > "${LOCAL_PYLIB}/site-packages/commands_override.pth" cat <EOF
import sys; sys.__plen = len(sys.path)
import sys; new=sys.path[sys.__plen:]; del sys.path[sys.__plen:]; p=getattr(sys,'__egginsert',0); sys.path[p:p]=new; sys.__egginsert = p+len(new)
$ pcs help
> Traceback (most recent call last):
>   File "/usr/sbin/pcs", line 13, in <module>
>     import cluster
>   File "/usr/lib/python2.6/site-packages/pcs/cluster.py", line 21, in <module>
>     from subprocess import getstatusoutput
> ImportError: cannot import name getstatusoutput

This can be prevented with "-s" option to Python interpreter.

Something similar can be achieved with PYTHONPATH et al. environment
variable manipulation.

This can be prevented with "-E" option to Python interpreter.

Modified bits, regardless if on filesystem or in runtime (this case) are
not supportable in principle, whether the modification is noticable or
completely hidden (this case) --> make "pcs" run Python with "-Es" flags

For inspiration see:

Comment 3 Tomas Jelinek 2017-03-22 11:58 UTC
Created attachment 1265359 [details]
proposed fix

Added -Es flags to shebang in pcs executable:
#!/usr/bin/python -Es

Comment 4 Jan Pokorný [poki] 2017-03-24 19:17:33 UTC
If I may suggest something, it's perhaps more forward-looking
to use:

> %{__python*} setup.py build --executable='%{__python*} -Es'

unlike as with clufter which already uses setup.cfg heavily anyway.

Note that this is also what Fedora's %py*_build packaging macros
(also coming to RHEL 7.4, but it's likely not possible to use
them, yet: [bug 1297522]) for Python utilize.

(I would personally be interested in whether using this new
form actually helps to overcome [bug 1353934] issue, see also
[bug 1297522 comment 11].)

Comment 5 Ivan Devat 2017-04-10 16:02:20 UTC
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs

[vm-rhel72-3 ~] $ which pcs
[vm-rhel72-3 ~] $ head -n1 $(which pcs)
#!/usr/bin/python -Es

Comment 6 Ivan Devat 2017-04-10 16:14:03 UTC
This change requires a test that the original reproducer does not cause the misbehavior and everything other works.

Comment 10 errata-xmlrpc 2017-08-01 18:22:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.