)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"664a967c45154da0ef49a729a11c2edf518666ac","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"d0e50d05_28038aa8","updated":"2022-01-06 15:59:37.000000000","message":"This sounds like a bug you\u0027ve hit? Could you create an upstream bug and link to this in the commit message? Also, can you add a simple test to prevent us regressing?","commit_id":"02ab32f3a891b646e846a1633932d0986f5f2dee"},{"author":{"_account_id":27419,"name":"David Vallee Delisle","email":"me@dvd.dev","username":"dvd"},"change_message_id":"f9d821b78f32ff01cf94ecfd4fcc9693f27ad73c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"62537988_57407e5f","in_reply_to":"d0e50d05_28038aa8","updated":"2022-01-06 16:02:52.000000000","message":"Sure will do.","commit_id":"02ab32f3a891b646e846a1633932d0986f5f2dee"},{"author":{"_account_id":308,"name":"Thierry Carrez","email":"thierry@openstack.org","username":"ttx"},"change_message_id":"db60b67fe973ad971d3bad9be5dd1d4af60309ce","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"c9928014_ae8df030","updated":"2022-01-10 10:52:18.000000000","message":"IIRC this was done on purpose: the CommandFilter would allow /bin/echo and if you tried to run \"echo\" as root it would allow you (and execute /bin/echo). Now, I agree that a complete match (trying to run /bin/echo) should succeed.\n\nOne issue with your patch is that by comparing basenames, if you try to run /home/bob/bin/echo, the CommandFilter would just compare basenames (echo\u003decho) and allow it (and end up running /bin/echo).\n\nSo my recommendation would be to return True if basename(exec_path)\u003d\u003duserargs[0] OR if exec_path \u003d\u003d userargs[0] (but not is basename(exec_path)\u003d\u003dbasename(userargs[0]))\n\n","commit_id":"1eeff872679c45f6a1ce193fa35efaf10e266807"},{"author":{"_account_id":27419,"name":"David Vallee Delisle","email":"me@dvd.dev","username":"dvd"},"change_message_id":"831bcaab3c7a77b38b351c032fb2cdb659257a47","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"8ae439c4_a3ade237","in_reply_to":"c9928014_ae8df030","updated":"2022-01-10 13:23:08.000000000","message":"That totally makes sense. Thanks for the insights, I\u0027ll work on a revision.","commit_id":"1eeff872679c45f6a1ce193fa35efaf10e266807"},{"author":{"_account_id":308,"name":"Thierry Carrez","email":"thierry@openstack.org","username":"ttx"},"change_message_id":"b23aca3ed29aa38ed696f580d36f07db1ec6ee72","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"fcbe75be_c9bb8beb","updated":"2022-01-13 11:30:57.000000000","message":"I think the proposed patch works, see suggestions on how to make it more self-explaining/minimal","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":27419,"name":"David Vallee Delisle","email":"me@dvd.dev","username":"dvd"},"change_message_id":"8566a6ace982096ba92d512d6b9e7b0acd5920a0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"d980d23a_11aeb061","updated":"2022-01-13 13:45:36.000000000","message":"Thanks for the feedback.","commit_id":"1b1b960d0d6b0ddf63c5b0f9c6aa7c10a1914073"}],"oslo_rootwrap/filters.py":[{"author":{"_account_id":308,"name":"Thierry Carrez","email":"thierry@openstack.org","username":"ttx"},"change_message_id":"b23aca3ed29aa38ed696f580d36f07db1ec6ee72","unresolved":true,"context_lines":[{"line_number":75,"context_line":"    def match(self, userargs):"},{"line_number":76,"context_line":"        \"\"\"Only check that the first argument (command) matches exec_path.\"\"\""},{"line_number":77,"context_line":"        if userargs:"},{"line_number":78,"context_line":"            user_path \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exec_path \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exec_path or user_path"},{"line_number":81,"context_line":""}],"source_content_type":"text/x-python","patch_set":6,"id":"1fc2ab1a_944b1368","line":78,"range":{"start_line":78,"start_character":12,"end_line":78,"end_character":21},"updated":"2022-01-13 11:30:57.000000000","message":"For clarity I would rename that variable to \"base_path_matches\"","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":27419,"name":"David Vallee Delisle","email":"me@dvd.dev","username":"dvd"},"change_message_id":"8566a6ace982096ba92d512d6b9e7b0acd5920a0","unresolved":false,"context_lines":[{"line_number":75,"context_line":"    def match(self, userargs):"},{"line_number":76,"context_line":"        \"\"\"Only check that the first argument (command) matches exec_path.\"\"\""},{"line_number":77,"context_line":"        if userargs:"},{"line_number":78,"context_line":"            user_path \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exec_path \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exec_path or user_path"},{"line_number":81,"context_line":""}],"source_content_type":"text/x-python","patch_set":6,"id":"6eaa9a88_0b542f47","line":78,"range":{"start_line":78,"start_character":12,"end_line":78,"end_character":21},"in_reply_to":"1fc2ab1a_944b1368","updated":"2022-01-13 13:45:36.000000000","message":"Done","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":308,"name":"Thierry Carrez","email":"thierry@openstack.org","username":"ttx"},"change_message_id":"b23aca3ed29aa38ed696f580d36f07db1ec6ee72","unresolved":true,"context_lines":[{"line_number":76,"context_line":"        \"\"\"Only check that the first argument (command) matches exec_path.\"\"\""},{"line_number":77,"context_line":"        if userargs:"},{"line_number":78,"context_line":"            user_path \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exec_path \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exec_path or user_path"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"    def preexec(self):"}],"source_content_type":"text/x-python","patch_set":6,"id":"d8ab235c_b8ce3480","line":79,"range":{"start_line":79,"start_character":12,"end_line":79,"end_character":21},"updated":"2022-01-13 11:30:57.000000000","message":"For clarity I would rename that variable \"exact_path_matches\" (exec_path is already used as an instance property so reusing same name would be confusing)","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":27419,"name":"David Vallee Delisle","email":"me@dvd.dev","username":"dvd"},"change_message_id":"8566a6ace982096ba92d512d6b9e7b0acd5920a0","unresolved":false,"context_lines":[{"line_number":76,"context_line":"        \"\"\"Only check that the first argument (command) matches exec_path.\"\"\""},{"line_number":77,"context_line":"        if userargs:"},{"line_number":78,"context_line":"            user_path \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exec_path \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exec_path or user_path"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"    def preexec(self):"}],"source_content_type":"text/x-python","patch_set":6,"id":"8df02bf8_56987a21","line":79,"range":{"start_line":79,"start_character":12,"end_line":79,"end_character":21},"in_reply_to":"d8ab235c_b8ce3480","updated":"2022-01-13 13:45:36.000000000","message":"Done","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":308,"name":"Thierry Carrez","email":"thierry@openstack.org","username":"ttx"},"change_message_id":"b23aca3ed29aa38ed696f580d36f07db1ec6ee72","unresolved":true,"context_lines":[{"line_number":77,"context_line":"        if userargs:"},{"line_number":78,"context_line":"            user_path \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exec_path \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exec_path or user_path"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"    def preexec(self):"},{"line_number":83,"context_line":"        \"\"\"Setuid in subprocess right before command is invoked.\"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"1c7452b6_aa560c04","line":80,"range":{"start_line":80,"start_character":19,"end_line":80,"end_character":41},"updated":"2022-01-13 11:30:57.000000000","message":"This becomes \"base_path_matches or exact_path_matches\" which is pretty self-explaining","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":27419,"name":"David Vallee Delisle","email":"me@dvd.dev","username":"dvd"},"change_message_id":"8566a6ace982096ba92d512d6b9e7b0acd5920a0","unresolved":false,"context_lines":[{"line_number":77,"context_line":"        if userargs:"},{"line_number":78,"context_line":"            user_path \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exec_path \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exec_path or user_path"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"    def preexec(self):"},{"line_number":83,"context_line":"        \"\"\"Setuid in subprocess right before command is invoked.\"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"dade89fc_a6f6bd5c","line":80,"range":{"start_line":80,"start_character":19,"end_line":80,"end_character":41},"in_reply_to":"1c7452b6_aa560c04","updated":"2022-01-13 13:45:36.000000000","message":"Done","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":308,"name":"Thierry Carrez","email":"thierry@openstack.org","username":"ttx"},"change_message_id":"b23aca3ed29aa38ed696f580d36f07db1ec6ee72","unresolved":true,"context_lines":[{"line_number":78,"context_line":"            user_path \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exec_path \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exec_path or user_path"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"    def preexec(self):"},{"line_number":83,"context_line":"        \"\"\"Setuid in subprocess right before command is invoked.\"\"\""},{"line_number":84,"context_line":"        if self.run_as !\u003d \u0027root\u0027:"}],"source_content_type":"text/x-python","patch_set":6,"id":"00ed1882_c984fc59","line":81,"updated":"2022-01-13 11:30:57.000000000","message":"I would also explicitly return False if no userargs are present, like the original function (to minimize the proposed change)","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":27419,"name":"David Vallee Delisle","email":"me@dvd.dev","username":"dvd"},"change_message_id":"8566a6ace982096ba92d512d6b9e7b0acd5920a0","unresolved":false,"context_lines":[{"line_number":78,"context_line":"            user_path \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exec_path \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exec_path or user_path"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"    def preexec(self):"},{"line_number":83,"context_line":"        \"\"\"Setuid in subprocess right before command is invoked.\"\"\""},{"line_number":84,"context_line":"        if self.run_as !\u003d \u0027root\u0027:"}],"source_content_type":"text/x-python","patch_set":6,"id":"9f3ac433_7f97b7e7","line":81,"in_reply_to":"00ed1882_c984fc59","updated":"2022-01-13 13:45:36.000000000","message":"Done","commit_id":"0e9b3b4fb79c612b191cdbb70ffe78c1d0869c2c"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"74f0196bd5831e40f16f352d987dadae8bf2ecd2","unresolved":true,"context_lines":[{"line_number":77,"context_line":"        if userargs:"},{"line_number":78,"context_line":"            base_path_matches \u003d os.path.basename(self.exec_path) \u003d\u003d userargs[0]"},{"line_number":79,"context_line":"            exact_path_matches \u003d self.exec_path \u003d\u003d userargs[0]"},{"line_number":80,"context_line":"            return exact_path_matches or base_path_matches"},{"line_number":81,"context_line":"        return False"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"    def preexec(self):"}],"source_content_type":"text/x-python","patch_set":7,"id":"2fa1fb7c_da88ea49","line":80,"updated":"2022-01-14 10:39:31.000000000","message":"Not a big deal but I think it will be more readable to use ternary operator here.","commit_id":"1b1b960d0d6b0ddf63c5b0f9c6aa7c10a1914073"}]}