Bug 1328882 - [cli] pcs command should launch Python interpreter with "sane" options
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.2
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Tomas Jelinek
QA Contact: cluster-qe@redhat.com
Reported: 2016-04-20 13:22 UTC by Jan Pokorný [poki]
Modified: 2017-08-01 18:22 UTC (History)
Cause: 
The user runs a pcs command.

Consequence: 
Pcs crashes because it loads user code instead of pcs code, based on the user's custom settings.

Fix: 
Prevent pcs from loading user-specified code instead of its own.

Result: 
Pcs works even if the user has custom Python modules matching pcs modules.
Clone Of:
: 1600893
Last Closed: 2017-08-01 18:22:57 UTC


Attachments
proposed fix (2.06 KB, patch)
2017-03-22 11:58 UTC, Tomas Jelinek


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1958 normal SHIPPED_LIVE pcs bug fix and enhancement update 2017-08-01 18:09:47 UTC

Description Jan Pokorný [poki] 2016-04-20 13:22:08 UTC
Demonstration why this is strongly desired:

$ LOCAL_PYLIB=~/.local/lib/python$(rpm -E '%{python_version}')
$ mkdir -p "${LOCAL_PYLIB}/site-packages"
$ touch "${LOCAL_PYLIB}/site-packages/commands.py"
$ > "${LOCAL_PYLIB}/site-packages/commands_override.pth" cat <<EOF
import sys; sys.__plen = len(sys.path)
.
import sys; new=sys.path[sys.__plen:]; del sys.path[sys.__plen:]; p=getattr(sys,'__egginsert',0); sys.path[p:p]=new; sys.__egginsert = p+len(new)
EOF
$ pcs help
> Traceback (most recent call last):
>   File "/usr/sbin/pcs", line 13, in <module>
>     import cluster
>   File "/usr/lib/python2.6/site-packages/pcs/cluster.py", line 21, in <module>
>     from subprocess import getstatusoutput
> ImportError: cannot import name getstatusoutput

This can be prevented with "-s" option to Python interpreter.

Something similar can be achieved with PYTHONPATH et al. environment
variable manipulation.

This can be prevented with "-E" option to Python interpreter.


Modified bits, regardless if on filesystem or in runtime (this case) are
not supportable in principle, whether the modification is noticeable or
completely hidden (this case) --> make "pcs" run Python with "-Es" flags

For inspiration see:
https://pagure.io/clufter/91a2bd5d87952eabe767bb464c43ed2d40d80e33

Comment 3 Tomas Jelinek 2017-03-22 11:58 UTC
Created attachment 1265359 [details]
proposed fix

Test:
Added -Es flags to shebang in pcs executable:
#!/usr/bin/python -Es

Comment 4 Jan Pokorný [poki] 2017-03-24 19:17:33 UTC
If I may suggest something, it's perhaps more forward-looking
to use:

> %{__python*} setup.py build --executable='%{__python*} -Es'

unlike as with clufter which already uses setup.cfg heavily anyway.

Note that this is also what Fedora's %py*_build packaging macros
(also coming to RHEL 7.4, but it's likely not possible to use
them, yet: [bug 1297522]) for Python utilize.

(I would personally be interested in whether using this new
form actually helps to overcome [bug 1353934] issue, see also
[bug 1297522 comment 11].)

Comment 5 Ivan Devat 2017-04-10 16:02:20 UTC
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.157-1.el7.x86_64

[vm-rhel72-3 ~] $ which pcs
/usr/sbin/pcs
[vm-rhel72-3 ~] $ head -n1 $(which pcs)
#!/usr/bin/python -Es

Comment 6 Ivan Devat 2017-04-10 16:14:03 UTC
This change requires a test that the original reproducer does not cause the misbehavior and everything else works.
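
Added example, not part of the bug thread and not pcs code: a regression check of the kind asked for above, showing that a module planted through PYTHONPATH is imported by a plain interpreter but not by one started with -Es. The module name shadow_demo_mod and the helper run_probe are constructed for illustration, and the check runs against the interpreter executing the script rather than against pcs itself.

```python
import json
import os
import subprocess
import sys
import tempfile

# Constructed module name standing in for a pcs module such as "cluster";
# it is hypothetical and exists only inside a temporary directory.
SHADOW = "shadow_demo_mod"

# Child program: report the interpreter flags and whether the planted
# module could be imported.
PROBE = (
    "import json, sys\n"
    "try:\n"
    f"    import {SHADOW} as m; origin = m.ORIGIN\n"
    "except ImportError:\n"
    "    origin = None\n"
    "print(json.dumps({'ignore_environment': sys.flags.ignore_environment,\n"
    "                  'no_user_site': sys.flags.no_user_site,\n"
    "                  'origin': origin}))\n"
)


def run_probe(flags):
    """Run a child interpreter with `flags` while PYTHONPATH points at a
    directory containing the planted module; return what the child saw."""
    with tempfile.TemporaryDirectory() as planted:
        with open(os.path.join(planted, SHADOW + ".py"), "w") as fh:
            fh.write("ORIGIN = 'planted'\n")
        env = dict(os.environ, PYTHONPATH=planted)
        out = subprocess.check_output(
            [sys.executable, *flags, "-c", PROBE], env=env
        )
    return json.loads(out)


if __name__ == "__main__":
    # -s disables the per-user site directory, -E ignores PYTHON* variables.
    for flags in ([], ["-s"], ["-E"], ["-Es"]):
        print(flags or ["(none)"], run_probe(flags))
```

The -s half is reported only through sys.flags.no_user_site here, because whether a per-user site directory is active depends on the environment the check runs in.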

Comment 10 errata-xmlrpc 2017-08-01 18:22:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1958

