Changes of Revision 61
pykolab-0.6.11-saslauthd-logger-permissions.patch
Added
@@ -0,0 +1,234 @@
+commit 8a2d66c45f1de4a1c7326372a96a022eae202171
+Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>
+Date: Thu Feb 13 12:04:24 2014 +0100
+
+ Make sure permissions on log files are OK, and saslauthd itself switches uid/gid too
+
+diff --git a/pykolab/logger.py b/pykolab/logger.py
+index 6f82d5d..10fa8a2 100644
+--- a/pykolab/logger.py
++++ b/pykolab/logger.py
+@@ -37,6 +37,8 @@ class Logger(logging.Logger):
+ debuglevel = 0
+ fork = False
+ loglevel = logging.CRITICAL
++ process_username = 'kolab'
++ process_groupname = 'kolab-n'
+
+ if hasattr(sys, 'argv'):
+ for arg in sys.argv:
+@@ -66,6 +68,26 @@ class Logger(logging.Logger):
+ else:
+ loglevel = logging.DEBUG
+
++ if '-u' == arg or '--user' == arg:
++ process_username = -1
++ continue
++
++ if arg.startswith('--user='):
++ process_username = arg.split('=')[1]
++
++ if process_username == -1:
++ process_username = arg
++
++ if '-g' == arg or '--group' == arg:
++ process_groupname = -1
++ continue
++
++ if arg.startswith('--group='):
++ process_groupname = arg.split('=')[1]
++
++ if process_groupname == -1:
++ process_groupname = arg
++
+ def __init__(self, *args, **kw):
+ if kw.has_key('name'):
+ name = kw['name']
+@@ -91,23 +113,81 @@ class Logger(logging.Logger):
+
+ # Make sure (read: attempt to change) the permissions
+ try:
+- (ruid, euid, suid) = os.getresuid()
+- (rgid, egid, sgid) = os.getresgid()
+- except AttributeError, errmsg:
+- ruid = os.getuid()
+- rgid = os.getgid()
+-
+- if ruid == 0 or rgid == 0:
+- if os.path.isfile(self.logfile):
++ try:
++ (ruid, euid, suid) = os.getresuid()
++ (rgid, egid, sgid) = os.getresgid()
++ except AttributeError, errmsg:
++ ruid = os.getuid()
++ rgid = os.getgid()
++
++ if ruid == 0:
++ # Means we can setreuid() / setregid() / setgroups()
++ if rgid == 0:
++ # Get group entry details
++ try:
++ (
++ group_name,
++ group_password,
++ group_gid,
++ group_members
++ ) = grp.getgrnam(self.process_groupname)
++
++ except KeyError:
++ print >> sys.stderr, _("Group %s does not exist") % (
++ self.process_groupname
++ )
++
++ sys.exit(1)
++
++ # Set real and effective group if not the same as current.
++ if not group_gid == rgid:
++ self.debug(
++ _("Switching real and effective group id to %d") % (
++ group_gid
++ ),
++ level=8
++ )
++
++ os.setregid(group_gid, group_gid)
++
++ if ruid == 0:
++ # Means we haven't switched yet.
++ try:
++ (
++ user_name,
++ user_password,
++ user_uid,
++ user_gid,
++ user_gecos,
++ user_homedir,
++ user_shell
++ ) = pwd.getpwnam(self.process_username)
++
++ except KeyError:
++ print >> sys.stderr, _("User %s does not exist") % (
++ self.process_username
++ )
++
++ sys.exit(1)
++
+ try:
+ os.chown(
+ self.logfile,
+- pwd.getpwnam('kolab')[2],
+- grp.getgrnam('kolab-n')[2]
++ user_uid,
++ group_gid
+ )
+ os.chmod(self.logfile, 0660)
+- except:
+- pass
++ except Exception, errmsg:
++ self.error(_("Could not change permissions on %s: %r") % (self.logfile, errmsg))
++ if self.debuglevel > 8:
++ import traceback
++ traceback.print_exc()
++
++ except Exception, errmsg:
++ self.error(_("Could not change permissions on %s: %r") % (self.logfile, errmsg))
++ if self.debuglevel > 8:
++ import traceback
++ traceback.print_exc()
+
+ # Make sure the log file exists
+ try:
+diff --git a/saslauthd/__init__.py b/saslauthd/__init__.py
+index 90a7413..69accce 100644
+--- a/saslauthd/__init__.py
++++ b/saslauthd/__init__.py
+@@ -28,7 +28,9 @@
+ from optparse import OptionParser
+ from ConfigParser import SafeConfigParser
+
++import grp
+ import os
++import pwd
+ import shutil
+ import sys
+ import time
+@@ -107,6 +109,79 @@ class SASLAuthDaemon(object):
+ exitcode = 0
+
+ try:
++ try:
++ (ruid, euid, suid) = os.getresuid()
++ (rgid, egid, sgid) = os.getresgid()
++ except AttributeError, errmsg:
++ ruid = os.getuid()
++ rgid = os.getgid()
++
++ if ruid == 0:
++ # Means we can setreuid() / setregid() / setgroups()
++ if rgid == 0:
++ # Get group entry details
++ try:
++ (
++ group_name,
++ group_password,
++ group_gid,
++ group_members
++ ) = grp.getgrnam(conf.process_groupname)
++
++ except KeyError:
++ print >> sys.stderr, _("Group %s does not exist") % (
++ conf.process_groupname
++ )
++
++ sys.exit(1)
++
++ # Set real and effective group if not the same as current.
++ if not group_gid == rgid:
++ log.debug(
++ _("Switching real and effective group id to %d") % (
++ group_gid
++ ),
++ level=8
++ )
++
++ os.setregid(group_gid, group_gid)
++
++ if ruid == 0:
++ # Means we haven't switched yet.
++ try:
++ (
++ user_name,
++ user_password,
++ user_uid,
++ user_gid,
++ user_gecos,
++ user_homedir,
++ user_shell
++ ) = pwd.getpwnam(conf.process_username)
++
++ except KeyError:
++ print >> sys.stderr, _("User %s does not exist") % (
++ conf.process_username
++ )
++
++ sys.exit(1)
++
++
++ # Set real and effective user if not the same as current.
++ if not user_uid == ruid:
++ log.debug(
++ _("Switching real and effective user id to %d") % (
++ user_uid
++ ),
++ level=8
++ )
++
++ os.setreuid(user_uid, user_uid)
++
++ except:
++ log.error(_("Could not change real and effective uid and/or gid"))
++
++ try:
+ pid = 1
+ if conf.fork_mode:
+ pid = os.fork()
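Review bot: The privilege drop added to saslauthd/__init__.py fails open: the bare `except:` that closes the block only logs "Could not change real and effective uid and/or gid" and also catches the SystemExit raised by the two `sys.exit(1)` calls, so with an unknown user or group, or a failed setregid()/setreuid(), the daemon carries on to `os.fork()` still running as root. I would narrow it to `except Exception, errmsg:` and add `sys.exit(1)` after the `log.error(...)` call so that a failed switch stops the daemon. Neither file calls `os.setgroups()` although the comment names it, so root's supplementary groups survive the switch; `os.setgroups([])` before `os.setregid(group_gid, group_gid)` would clear them, assuming the service account needs no supplementary groups. In pykolab/logger.py `group_gid` appears to be bound only under `if rgid == 0:` (the indentation is flattened on this page), so with real uid 0 and a non-zero real gid the later `os.chown(self.logfile, user_uid, group_gid)` hits an unbound name and is reported as a permissions error. Both enclosing functions start and end outside the hunks shown.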
debian.changelog
Changed
@@ -1,3 +1,9 @@ +pykolab (0.6.11-0~kolab11) unstable; urgency=low + + * Make sure the logger and saslauthd drop permissions too + + -- Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> Thu, 13 Feb 2014 20:00:00 +0100 + pykolab (0.6.11-0~kolab10) unstable; urgency=low * Fix use of deprecated function get_user_attribute
debian.series
Changed
@@ -4,3 +4,4 @@
 pykolab-0.6.11-unlink-cache-on-failure-to-get_entry.patch -p1
 pykolab-0.6.11-apt-ldap-fixes-concat.patch -p1
 pykolab-0.6.11-apt-sieve-fixes-concat.patch -p1
+pykolab-0.6.11-saslauthd-logger-permissions.patch -p1
pykolab.dsc
Changed
@@ -2,7 +2,7 @@
 Source: pykolab
 Binary: pykolab, kolab-cli, kolab-conf, kolab-saslauthd, kolab-server, kolab-telemetry, kolab-xml, wallace
 Architecture: all
-Version: 0.6.11-0~kolab10
+Version: 0.6.11-0~kolab11
 Maintainer: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>
 Uploaders: Paul Klos <kolab@klos2day.nl>
 Homepage: http://www.kolab.org