Clean the PAM and Courier acls
This commit is contained in:
parent
ae5a68fa6a
commit
6ef7e1857a
@ -19,7 +19,7 @@
|
|||||||
"""
|
"""
|
||||||
PAM ACL.
|
PAM ACL.
|
||||||
|
|
||||||
Authentication based on the ``python-pam`` module
|
Authentication based on the ``pam-python`` module.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@ -29,7 +29,7 @@ import pwd
|
|||||||
from radicale import acl, config, log
|
from radicale import acl, config, log
|
||||||
|
|
||||||
|
|
||||||
GROUP_MEMBERSHIP = config.get("acl", "group_membership")
|
GROUP_MEMBERSHIP = config.get("acl", "pam_group_membership")
|
||||||
|
|
||||||
|
|
||||||
def has_right(owner, user, password):
|
def has_right(owner, user, password):
|
||||||
@ -37,26 +37,40 @@ def has_right(owner, user, password):
|
|||||||
if not user or (owner not in acl.PRIVATE_USERS and user != owner):
|
if not user or (owner not in acl.PRIVATE_USERS and user != owner):
|
||||||
# No user given, or owner is not private and is not user, forbidden
|
# No user given, or owner is not private and is not user, forbidden
|
||||||
return False
|
return False
|
||||||
|
|
||||||
try: # 1 - Does the user exist in the PAM system?
|
# Check whether the user exists in the PAM system
|
||||||
pwd.getpwnam(user).pw_uid
|
try:
|
||||||
log.LOGGER.debug("User %s found" % user)
|
pwd.getpwnam(user).pw_uid
|
||||||
except KeyError: # No such user in the PAM system
|
|
||||||
log.LOGGER.debug("User %s not found" % user)
|
|
||||||
return False
|
|
||||||
|
|
||||||
try: # 2 - Does the user belong to the required group?
|
|
||||||
for member in grp.getgrnam(GROUP_MEMBERSHIP):
|
|
||||||
if member == user:
|
|
||||||
raise Exception()
|
|
||||||
log.LOGGER.debug("The user doesn't belong to the required group (%s)" % GROUP_MEMBERSHIP)
|
|
||||||
return False
|
|
||||||
except KeyError:
|
except KeyError:
|
||||||
log.LOGGER.debug("The membership required group (%s) doesn't exist" % GROUP_MEMBERSHIP)
|
log.LOGGER.debug("User %s not found" % user)
|
||||||
return False
|
return False
|
||||||
except Exception:
|
else:
|
||||||
log.LOGGER.debug("The user belong to the required group (%s)" % GROUP_MEMBERSHIP)
|
log.LOGGER.debug("User %s found" % user)
|
||||||
|
|
||||||
if pam.authenticate(user, password): # 3 - Does the password match ?
|
# Check whether the group exists
|
||||||
return True
|
try:
|
||||||
return False # Authentication failled
|
members = grp.getgrnam(GROUP_MEMBERSHIP)
|
||||||
|
except KeyError:
|
||||||
|
log.LOGGER.debug(
|
||||||
|
"The PAM membership required group (%s) doesn't exist" %
|
||||||
|
GROUP_MEMBERSHIP)
|
||||||
|
return False
|
||||||
|
|
||||||
|
# Check whether the user belongs to the required group
|
||||||
|
for member in members:
|
||||||
|
if member == user:
|
||||||
|
log.LOGGER.debug(
|
||||||
|
"The PAM user belongs to the required group (%s)" %
|
||||||
|
GROUP_MEMBERSHIP)
|
||||||
|
# Check the password
|
||||||
|
if pam.authenticate(user, password):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
log.LOGGER.debug("Wrong PAM password")
|
||||||
|
break
|
||||||
|
else:
|
||||||
|
log.LOGGER.debug(
|
||||||
|
"The PAM user doesn't belong to the required group (%s)" %
|
||||||
|
GROUP_MEMBERSHIP)
|
||||||
|
|
||||||
|
return False
|
||||||
|
@ -16,11 +16,17 @@
|
|||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with Radicale. If not, see <http://www.gnu.org/licenses/>.
|
# along with Radicale. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
import socket,os,sys
|
"""
|
||||||
|
Courier-Authdaemon ACL.
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import socket
|
||||||
from radicale import acl, config, log
|
from radicale import acl, config, log
|
||||||
|
|
||||||
|
|
||||||
COURIER_SOCKET = config.get("acl", "courier-auth_socket")
|
COURIER_SOCKET = config.get("acl", "courier_socket")
|
||||||
|
|
||||||
|
|
||||||
def has_right(owner, user, password):
|
def has_right(owner, user, password):
|
||||||
@ -28,21 +34,24 @@ def has_right(owner, user, password):
|
|||||||
if not user or (owner not in acl.PRIVATE_USERS and user != owner):
|
if not user or (owner not in acl.PRIVATE_USERS and user != owner):
|
||||||
# No user given, or owner is not private and is not user, forbidden
|
# No user given, or owner is not private and is not user, forbidden
|
||||||
return False
|
return False
|
||||||
|
|
||||||
line = sys.argv[0] . "\nlogin\n" + user + "\n" + password
|
line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password)
|
||||||
line = len(line) + "\n" + line
|
line = "%i\n%s" % (len(line), line)
|
||||||
try:
|
try:
|
||||||
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||||
s.connect(COURIER_SOCKET)
|
sock.connect(COURIER_SOCKET)
|
||||||
log.LOGGER.debug("Sending to socket the request: %s" % line)
|
log.LOGGER.debug("Sending to Courier socket the request: %s" % line)
|
||||||
s.send(line)
|
sock.send(line)
|
||||||
data = s.recv(1024)
|
data = sock.recv(1024)
|
||||||
s.close()
|
sock.close()
|
||||||
except socket.error, (value,message):
|
except socket.error, (_, message):
|
||||||
log.LOGGER.debug("Unable to communicate with the socket (error: %s)" % message)
|
log.LOGGER.debug(
|
||||||
return False
|
"Unable to communicate with Courier socket: %s" % message)
|
||||||
log.LOGGER.debug("Got socket response: %s" % repr(data))
|
return False
|
||||||
|
|
||||||
|
log.LOGGER.debug("Got Courier socket response: %r" % data)
|
||||||
|
|
||||||
if repr(data) == "FAIL":
|
if repr(data) == "FAIL":
|
||||||
return False
|
return False
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
Loading…
Reference in New Issue
Block a user