It can insert the password

ClusterLabs · Sep 14, 2023 · b1a7330 · b1a7330
1 parent 091cc90
commit b1a7330
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 23 deletions.
diff --git a/hawk/app/lib/util.rb b/hawk/app/lib/util.rb
@@ -19,7 +19,7 @@ def numeric?(n)
   # DON'T USE THIS FUNCTION DIRECTLY - it's subject to deadlocks e.g.:
   # http://coldattic.info/shvedsky/pro/blogs/a-foo-walks-into-a-bar/posts/63
   # Rather you should prefer capture3.
-  def popen3(user, pass, *cmd)
+  def popen3(user, *cmd)
     raise SecurityError, "Util::popen3 called with < 2 args" if cmd.length < 2
     pw = IO::pipe   # pipe[0] for read, pipe[1] for write
     pr = IO::pipe
@@ -39,13 +39,12 @@ def popen3(user, pass, *cmd)
       STDERR.reopen(pe[1])
       pe[1].close
 
-      if user == nil or user=="" or user == "hacluster" or user == "root"
+      if user.to_s.strip.empty? or user == "hacluster" or user == "root"
         # RORSCAN_INL: cmd always has > 1 elem, so safe from shell injection
         exec(*cmd)
       else
-        #TODO: command = ['/usr/bin/su', user, '--shell=/bin/sh', '-c', "/usr/sbin/crm -f #{tmpf.path}", stdin_data: pass]
-        command = "hawk_invoke.sh #{user} #{pass} '#{cmd.join(" ")}' | tail -n +3"
-        exec(command)
+        command = ['su', '-', user, 'sh', '-c', "#{cmd.join(" ")}"]
+        exec(*command)
       end
     }
     wait_thr = Process.detach(pid)
@@ -79,7 +78,7 @@ def capture3(*cmd)
     end
     Rails.logger.debug "Executing `#{cmd.join(' ').inspect}` through `capture3`"
     stdin_data = opts.delete(:stdin_data) || ''
-    Util.popen3(nil, nil, *cmd) {|i, o, e, t|
+    Util.popen3(nil, *cmd) {|i, o, e, t|
       out_reader = Thread.new { o.read }
       err_reader = Thread.new { e.read }
       i.write stdin_data
@@ -97,9 +96,13 @@ def run_as(user, pass, *cmd)
     end
     Rails.logger.debug "Executing `#{cmd.join(' ').inspect}` as `#{user}` through `run_as`"
     stdin_data = opts.delete(:stdin_data) || ''
-    Util.popen3(user, pass, *cmd) {|i, o, e, t|
+    Util.popen3(user, *cmd) {|i, o, e, t|
       out_reader = Thread.new { o.read }
       err_reader = Thread.new { e.read }
+      if not user.to_s.strip.empty? and user != "hacluster" and user != "root"
+        i.write pass
+        i.write "\n"
+      end
       i.write stdin_data
       i.close
       [out_reader.value, err_reader.value, t.value]

diff --git a/tools/hawk_invoke.sh b/tools/hawk_invoke.sh