Clean the PAM and Courier acls

This commit is contained in:
Guillaume Ayoub 2011-08-29 11:54:21 +02:00
parent ae5a68fa6a
commit 6ef7e1857a
2 changed files with 64 additions and 41 deletions

View File

@ -19,7 +19,7 @@
""" """
PAM ACL. PAM ACL.
Authentication based on the ``python-pam`` module Authentication based on the ``pam-python`` module.
""" """
@ -29,7 +29,7 @@ import pwd
from radicale import acl, config, log from radicale import acl, config, log
GROUP_MEMBERSHIP = config.get("acl", "group_membership") GROUP_MEMBERSHIP = config.get("acl", "pam_group_membership")
def has_right(owner, user, password): def has_right(owner, user, password):
@ -38,25 +38,39 @@ def has_right(owner, user, password):
# No user given, or owner is not private and is not user, forbidden # No user given, or owner is not private and is not user, forbidden
return False return False
try: # 1 - Does the user exist in the PAM system? # Check whether the user exists in the PAM system
try:
pwd.getpwnam(user).pw_uid pwd.getpwnam(user).pw_uid
log.LOGGER.debug("User %s found" % user) except KeyError:
except KeyError: # No such user in the PAM system
log.LOGGER.debug("User %s not found" % user) log.LOGGER.debug("User %s not found" % user)
return False return False
else:
log.LOGGER.debug("User %s found" % user)
try: # 2 - Does the user belong to the required group? # Check whether the group exists
for member in grp.getgrnam(GROUP_MEMBERSHIP): try:
if member == user: members = grp.getgrnam(GROUP_MEMBERSHIP)
raise Exception()
log.LOGGER.debug("The user doesn't belong to the required group (%s)" % GROUP_MEMBERSHIP)
return False
except KeyError: except KeyError:
log.LOGGER.debug("The membership required group (%s) doesn't exist" % GROUP_MEMBERSHIP) log.LOGGER.debug(
"The PAM membership required group (%s) doesn't exist" %
GROUP_MEMBERSHIP)
return False return False
except Exception:
log.LOGGER.debug("The user belong to the required group (%s)" % GROUP_MEMBERSHIP)
if pam.authenticate(user, password): # 3 - Does the password match ? # Check whether the user belongs to the required group
for member in members:
if member == user:
log.LOGGER.debug(
"The PAM user belongs to the required group (%s)" %
GROUP_MEMBERSHIP)
# Check the password
if pam.authenticate(user, password):
return True return True
return False # Authentication failled else:
log.LOGGER.debug("Wrong PAM password")
break
else:
log.LOGGER.debug(
"The PAM user doesn't belong to the required group (%s)" %
GROUP_MEMBERSHIP)
return False

View File

@ -16,11 +16,17 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with Radicale. If not, see <http://www.gnu.org/licenses/>. # along with Radicale. If not, see <http://www.gnu.org/licenses/>.
import socket,os,sys """
Courier-Authdaemon ACL.
"""
import sys
import socket
from radicale import acl, config, log from radicale import acl, config, log
COURIER_SOCKET = config.get("acl", "courier-auth_socket") COURIER_SOCKET = config.get("acl", "courier_socket")
def has_right(owner, user, password): def has_right(owner, user, password):
@ -29,20 +35,23 @@ def has_right(owner, user, password):
# No user given, or owner is not private and is not user, forbidden # No user given, or owner is not private and is not user, forbidden
return False return False
line = sys.argv[0] . "\nlogin\n" + user + "\n" + password line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password)
line = len(line) + "\n" + line line = "%i\n%s" % (len(line), line)
try: try:
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.connect(COURIER_SOCKET) sock.connect(COURIER_SOCKET)
log.LOGGER.debug("Sending to socket the request: %s" % line) log.LOGGER.debug("Sending to Courier socket the request: %s" % line)
s.send(line) sock.send(line)
data = s.recv(1024) data = sock.recv(1024)
s.close() sock.close()
except socket.error, (value,message): except socket.error, (_, message):
log.LOGGER.debug("Unable to communicate with the socket (error: %s)" % message) log.LOGGER.debug(
"Unable to communicate with Courier socket: %s" % message)
return False return False
log.LOGGER.debug("Got socket response: %s" % repr(data))
log.LOGGER.debug("Got Courier socket response: %r" % data)
if repr(data) == "FAIL": if repr(data) == "FAIL":
return False return False
return True
return True