Remove hawk_invoke and use capture3 instead of runas

Makefile

@@ -81,11 +81,7 @@ tools/hawk_monitor: tools/hawk_monitor.c
 		$(shell pkg-config --libs glib-2.0) \
 		$(shell pkg-config --libs libxml-2.0)
 
-# TODO(must): This is inching towards becoming annoying: want better build infrastructure/deps
-tools/hawk_invoke: tools/hawk_invoke.c tools/common.h
-	gcc -fpie -pie $(CFLAGS) -o $@ $<
-
-tools: tools/hawk_chkpwd tools/hawk_monitor tools/hawk_invoke
+tools: tools/hawk_chkpwd tools/hawk_monitor
 
 base/install:
 	mkdir -p $(DESTDIR)$(WWW_BASE)/hawk/log
@@ -118,10 +114,6 @@ tools/install:
 	-chown root.haclient $(DESTDIR)/usr/sbin/hawk_chkpwd || true
 	-chmod u+s $(DESTDIR)/usr/sbin/hawk_chkpwd
 
-	install -D -m 4750 tools/hawk_invoke $(DESTDIR)/usr/sbin/hawk_invoke
-	-chown root.haclient $(DESTDIR)/usr/sbin/hawk_invoke || true
-	-chmod u+s $(DESTDIR)/usr/sbin/hawk_invoke
-
 	install -D -m 0755 tools/hawk_monitor $(DESTDIR)/usr/sbin/hawk_monitor
 
 # TODO(should): Verify this is really clean (it won't get rid of .mo files,
@@ -132,7 +124,6 @@ clean:
 	rm -f scripts/hawk.{suse,redhat,service}
 	rm -f tools/hawk_chkpwd
 	rm -f tools/hawk_monitor
-	rm -f tools/hawk_invoke
 	rm -f tools/common.h
 
 # Note: chown & chmod here are only necessary if *not* doing an RPM build

hawk/app/models/cib.rb

@@ -501,7 +501,7 @@ def initialize(id, user, use_file = false, stonithwarning = false)
         init_offline_cluster id, user, use_file
         return
       end
-      out, err, status = Util.run_as(user, 'cibadmin', '-Ql')
+      out, err, status = Util.capture3('cibadmin', '-Ql')
       case status.exitstatus
       when 0
         @xml = REXML::Document.new(out)

hawk/app/models/cluster.rb

@@ -102,8 +102,7 @@ def cluster_copy(clusters)
       fname = "#{Rails.root}/tmp/dashboard.js"
       File.open(fname, "w") { |f| f.write(JSON.pretty_generate(clusters)) }
       File.chmod(0660, fname)
-      out, err, rc = Util.run_as("root", "crm", "cluster", "copy", fname)
-      out, err, rc = Util.run_as("root", "crm", "cluster", "run", "chown hacluster:haclient #{fname}") if rc == 0
+      out, err, rc = Util.capture3("crm", "cluster", "copy", fname)
       Rails.logger.debug "Copy: #{out} #{err} #{rc}"
       # always succeed here: we don't really care that much if the copy succeeded or not
       true

hawk/app/models/report.rb

@@ -144,7 +144,7 @@ def graph(hb_report, path, format = :svg)
     require "tempfile"
     tmpfile = Tempfile.new("hawk_dot")
     tmpfile.close
-    _out, err, status = Util.run_as('hacluster', 'crm_simulate', '-x', tpath.to_s, format == :xml ? "-G" : "-D", tmpfile.path.to_s)
+    _out, err, status = Util.capture3('crm_simulate', '-x', tpath.to_s, format == :xml ? "-G" : "-D", tmpfile.path.to_s)
     rc = status.exitstatus
 
     ret = [false, err]

hawk/lib/hb_report.rb

@@ -99,7 +99,7 @@ def generate(from_time, to_time, all_nodes = true)
       args.push("-S") unless all_nodes
       args.push(@path)
 
-      out, err, status = Util.run_as("root", "crm", "report", *args)
+      out, err, status = Util.capture3('crm', "report", *args)
       f = File.new(@outfile, "w")
       f.write(out)
       f.close

hawk/lib/invoker.rb

@@ -27,7 +27,7 @@ def initialize
   # cleaned up further)
   # Returns [out, err, exitstatus]
   def run(*cmd)
-    out, err, status = Util.run_as(current_user, *cmd)
+    out, err, status = Util.capture3(*cmd)
     [out, fudge_error(status.exitstatus, err), status.exitstatus]
   end
 
@@ -73,7 +73,7 @@ def crm_configure_load_update(cmd)
   # Invoke cibadmin with command line arguments.  Returns stdout as string,
   # Raises NotFoundError, SecurityError or RuntimeError on failure.
   def cibadmin(*cmd)
-    out, err, status = run_as current_user, 'cibadmin', *cmd
+    out, err, status = Util.capture3('cibadmin', *cmd)
     case status.exitstatus
     when 0
       return out
@@ -105,7 +105,7 @@ def cibadmin_modify(xml)
 
   # Used by the simulator
   def crm_simulate(*cmd)
-    run_as current_user, 'crm_simulate', *cmd
+    Util.capture3('crm_simulate', *cmd)
   end
 
   private
@@ -131,7 +131,7 @@ def invoke_crm(input, *cmd)
       end
     end
     cmd << { stdin_data: input }
-    out, err, status = run_as current_user, 'crm', *cmd
+    out, err, status = Util.capture3('crm', *cmd)
     [out, fudge_error(status.exitstatus, err), status.exitstatus]
   end
 

hawk/lib/util.rb

@@ -110,23 +110,6 @@ def ensure_home_for(user)
   end
   module_function :ensure_home_for
 
-  # Like capture3, but via /usr/sbin/hawk_invoke
-  def run_as(user, *cmd)
-    Rails.logger.debug "Executing `#{cmd.join(' ').inspect}` through `run_as`"
-    old_home = ensure_home_for(user)
-    # RORSCAN_INL: multi-arg invocation safe from shell injection.
-    ret = capture3('/usr/sbin/hawk_invoke', user, *cmd)
-    # Having invoked a command, reset $HOME to what it was before,
-    # else it sticks, and other (non-invoker) crm invoctiaons, e.g.
-    # has_feature() run the shell as hacluster, which in turn causes
-    # $HOME/.cache and $HOME/.config to revert to 600 with uid hacluster,
-    # which means the *next* call after that will die with permission
-    # problems, and you will spend an entire day debugging it.
-    ENV['HOME'] = old_home
-    ret
-  end
-  module_function :run_as
-
   def diff(a, b)
     # call diff on a and b
     # returns [data, ok?]