Clean the PAM and Courier acls
This commit is contained in:
parent
ae5a68fa6a
commit
6ef7e1857a
@ -19,7 +19,7 @@
|
||||
"""
|
||||
PAM ACL.
|
||||
|
||||
Authentication based on the ``python-pam`` module
|
||||
Authentication based on the ``pam-python`` module.
|
||||
|
||||
"""
|
||||
|
||||
@ -29,7 +29,7 @@ import pwd
|
||||
from radicale import acl, config, log
|
||||
|
||||
|
||||
GROUP_MEMBERSHIP = config.get("acl", "group_membership")
|
||||
GROUP_MEMBERSHIP = config.get("acl", "pam_group_membership")
|
||||
|
||||
|
||||
def has_right(owner, user, password):
|
||||
@ -37,26 +37,40 @@ def has_right(owner, user, password):
|
||||
if not user or (owner not in acl.PRIVATE_USERS and user != owner):
|
||||
# No user given, or owner is not private and is not user, forbidden
|
||||
return False
|
||||
|
||||
try: # 1 - Does the user exist in the PAM system?
|
||||
pwd.getpwnam(user).pw_uid
|
||||
log.LOGGER.debug("User %s found" % user)
|
||||
except KeyError: # No such user in the PAM system
|
||||
log.LOGGER.debug("User %s not found" % user)
|
||||
return False
|
||||
|
||||
try: # 2 - Does the user belong to the required group?
|
||||
for member in grp.getgrnam(GROUP_MEMBERSHIP):
|
||||
if member == user:
|
||||
raise Exception()
|
||||
log.LOGGER.debug("The user doesn't belong to the required group (%s)" % GROUP_MEMBERSHIP)
|
||||
return False
|
||||
|
||||
# Check whether the user exists in the PAM system
|
||||
try:
|
||||
pwd.getpwnam(user).pw_uid
|
||||
except KeyError:
|
||||
log.LOGGER.debug("The membership required group (%s) doesn't exist" % GROUP_MEMBERSHIP)
|
||||
return False
|
||||
except Exception:
|
||||
log.LOGGER.debug("The user belong to the required group (%s)" % GROUP_MEMBERSHIP)
|
||||
|
||||
if pam.authenticate(user, password): # 3 - Does the password match ?
|
||||
return True
|
||||
return False # Authentication failled
|
||||
log.LOGGER.debug("User %s not found" % user)
|
||||
return False
|
||||
else:
|
||||
log.LOGGER.debug("User %s found" % user)
|
||||
|
||||
# Check whether the group exists
|
||||
try:
|
||||
members = grp.getgrnam(GROUP_MEMBERSHIP)
|
||||
except KeyError:
|
||||
log.LOGGER.debug(
|
||||
"The PAM membership required group (%s) doesn't exist" %
|
||||
GROUP_MEMBERSHIP)
|
||||
return False
|
||||
|
||||
# Check whether the user belongs to the required group
|
||||
for member in members:
|
||||
if member == user:
|
||||
log.LOGGER.debug(
|
||||
"The PAM user belongs to the required group (%s)" %
|
||||
GROUP_MEMBERSHIP)
|
||||
# Check the password
|
||||
if pam.authenticate(user, password):
|
||||
return True
|
||||
else:
|
||||
log.LOGGER.debug("Wrong PAM password")
|
||||
break
|
||||
else:
|
||||
log.LOGGER.debug(
|
||||
"The PAM user doesn't belong to the required group (%s)" %
|
||||
GROUP_MEMBERSHIP)
|
||||
|
||||
return False
|
||||
|
@ -16,11 +16,17 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Radicale. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import socket,os,sys
|
||||
"""
|
||||
Courier-Authdaemon ACL.
|
||||
|
||||
"""
|
||||
|
||||
import sys
|
||||
import socket
|
||||
from radicale import acl, config, log
|
||||
|
||||
|
||||
COURIER_SOCKET = config.get("acl", "courier-auth_socket")
|
||||
COURIER_SOCKET = config.get("acl", "courier_socket")
|
||||
|
||||
|
||||
def has_right(owner, user, password):
|
||||
@ -28,21 +34,24 @@ def has_right(owner, user, password):
|
||||
if not user or (owner not in acl.PRIVATE_USERS and user != owner):
|
||||
# No user given, or owner is not private and is not user, forbidden
|
||||
return False
|
||||
|
||||
line = sys.argv[0] . "\nlogin\n" + user + "\n" + password
|
||||
line = len(line) + "\n" + line
|
||||
|
||||
line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password)
|
||||
line = "%i\n%s" % (len(line), line)
|
||||
try:
|
||||
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||
s.connect(COURIER_SOCKET)
|
||||
log.LOGGER.debug("Sending to socket the request: %s" % line)
|
||||
s.send(line)
|
||||
data = s.recv(1024)
|
||||
s.close()
|
||||
except socket.error, (value,message):
|
||||
log.LOGGER.debug("Unable to communicate with the socket (error: %s)" % message)
|
||||
return False
|
||||
log.LOGGER.debug("Got socket response: %s" % repr(data))
|
||||
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||
sock.connect(COURIER_SOCKET)
|
||||
log.LOGGER.debug("Sending to Courier socket the request: %s" % line)
|
||||
sock.send(line)
|
||||
data = sock.recv(1024)
|
||||
sock.close()
|
||||
except socket.error, (_, message):
|
||||
log.LOGGER.debug(
|
||||
"Unable to communicate with Courier socket: %s" % message)
|
||||
return False
|
||||
|
||||
log.LOGGER.debug("Got Courier socket response: %r" % data)
|
||||
|
||||
if repr(data) == "FAIL":
|
||||
return False
|
||||
return False
|
||||
|
||||
return True
|
||||
|
Loading…
Reference in New Issue
Block a user