File pykolab-0.6.11-saslauthd-logger-permissions.patch of Package pykolab (Revision 61)
commit 8a2d66c45f1de4a1c7326372a96a022eae202171 Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> Date: Thu Feb 13 12:04:24 2014 +0100 Make sure permissions on log files are OK, and saslauthd itself switches uid/gid too diff --git a/pykolab/logger.py b/pykolab/logger.py index 6f82d5d..10fa8a2 100644 --- a/pykolab/logger.py +++ b/pykolab/logger.py @@ -37,6 +37,8 @@ class Logger(logging.Logger): debuglevel = 0 fork = False loglevel = logging.CRITICAL + process_username = 'kolab' + process_groupname = 'kolab-n' if hasattr(sys, 'argv'): for arg in sys.argv: @@ -66,6 +68,26 @@ class Logger(logging.Logger): else: loglevel = logging.DEBUG + if '-u' == arg or '--user' == arg: + process_username = -1 + continue + + if arg.startswith('--user='): + process_username = arg.split('=')[1] + + if process_username == -1: + process_username = arg + + if '-g' == arg or '--group' == arg: + process_groupname = -1 + continue + + if arg.startswith('--group='): + process_groupname = arg.split('=')[1] + + if process_groupname == -1: + process_groupname = arg + def __init__(self, *args, **kw): if kw.has_key('name'): name = kw['name'] 
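Review bot: In the `@@ -66,6 +68,26 @@` hunk of pykolab/logger.py, a `-u`/`--user` or `-g`/`--group` given as the last argument leaves the `-1` sentinel in `process_username`/`process_groupname`, and nothing visible here resets it. That integer is later passed to `pwd.getpwnam()`/`grp.getgrnam()` in `__init__`, where the failure would not be the `KeyError` the lookup code handles, so it lands in the generic "Could not change permissions" path rather than a clear exit. After the loop I would restore the default or fail, e.g. `if process_username == -1: process_username = 'kolab'`, and the same for the group. `arg.split('=')[1]` also drops everything after a second `=`; `arg.split('=', 1)[1]` keeps the whole value. The `for arg in sys.argv:` loop begins outside this hunk.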
@@ -91,23 +113,81 @@ class Logger(logging.Logger): # Make sure (read: attempt to change) the permissions try: - (ruid, euid, suid) = os.getresuid() - (rgid, egid, sgid) = os.getresgid() - except AttributeError, errmsg: - ruid = os.getuid() - rgid = os.getgid() - - if ruid == 0 or rgid == 0: - if os.path.isfile(self.logfile): + try: + (ruid, euid, suid) = os.getresuid() + (rgid, egid, sgid) = os.getresgid() + except AttributeError, errmsg: + ruid = os.getuid() + rgid = os.getgid() + + if ruid == 0: + # Means we can setreuid() / setregid() / setgroups() + if rgid == 0: + # Get group entry details + try: + ( + group_name, + group_password, + group_gid, + group_members + ) = grp.getgrnam(self.process_groupname) + + except KeyError: + print >> sys.stderr, _("Group %s does not exist") % ( + self.process_groupname + ) + + sys.exit(1) + + # Set real and effective group if not the same as current. + if not group_gid == rgid: + self.debug( + _("Switching real and effective group id to %d") % ( + group_gid + ), + level=8 + ) + + os.setregid(group_gid, group_gid) + + if ruid == 0: + # Means we haven't switched yet. + try: + ( + user_name, + user_password, + user_uid, + user_gid, + user_gecos, + user_homedir, + user_shell + ) = pwd.getpwnam(self.process_username) + + except KeyError: + print >> sys.stderr, _("User %s does not exist") % ( + self.process_username + ) + + sys.exit(1) + try: os.chown( self.logfile, - pwd.getpwnam('kolab')[2], - grp.getgrnam('kolab-n')[2] + user_uid, + group_gid ) os.chmod(self.logfile, 0660) - except: - pass + except Exception, errmsg: + self.error(_("Could not change permissions on %s: %r") % (self.logfile, errmsg)) + if self.debuglevel > 8: + import traceback + traceback.print_exc() + + except Exception, errmsg: + self.error(_("Could not change permissions on %s: %r") % (self.logfile, errmsg)) + if self.debuglevel > 8: + import traceback + traceback.print_exc() # Make sure the log file exists try: 
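Review bot: `os.chown(self.logfile, user_uid, group_gid)` uses `group_gid`, which is only assigned inside the `if rgid == 0:` branch, so a process with real uid 0 and a non-zero real gid would hit an unbound name that the new `except Exception` merely logs (this assumes the nesting the comments suggest, since indentation is lost on this page). The commit also drops the `if os.path.isfile(self.logfile):` guard, so the chown/chmod now run before the "Make sure the log file exists" step and will fail when the file is not there yet. Since this code runs as root on a path, I would move the `grp.getgrnam(self.process_groupname)` lookup out of the `if rgid == 0:` branch and put `if os.path.isfile(self.logfile):` back around the chown/chmod. The two handlers emit the same "Could not change permissions" message, so the outer one could say which lookup or id switch failed. `__init__` starts and ends outside the hunk.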
diff --git a/saslauthd/__init__.py b/saslauthd/__init__.py index 90a7413..69accce 100644 --- a/saslauthd/__init__.py +++ b/saslauthd/__init__.py @@ -28,7 +28,9 @@ from optparse import OptionParser from ConfigParser import SafeConfigParser +import grp import os +import pwd import shutil import sys import time @@ -107,6 +109,79 @@ class SASLAuthDaemon(object): exitcode = 0 try: + try: + (ruid, euid, suid) = os.getresuid() + (rgid, egid, sgid) = os.getresgid() + except AttributeError, errmsg: + ruid = os.getuid() + rgid = os.getgid() + + if ruid == 0: + # Means we can setreuid() / setregid() / setgroups() + if rgid == 0: + # Get group entry details + try: + ( + group_name, + group_password, + group_gid, + group_members + ) = grp.getgrnam(conf.process_groupname) + + except KeyError: + print >> sys.stderr, _("Group %s does not exist") % ( + conf.process_groupname + ) + + sys.exit(1) + + # Set real and effective group if not the same as current. + if not group_gid == rgid: + log.debug( + _("Switching real and effective group id to %d") % ( + group_gid + ), + level=8 + ) + + os.setregid(group_gid, group_gid) + + if ruid == 0: + # Means we haven't switched yet. + try: + ( + user_name, + user_password, + user_uid, + user_gid, + user_gecos, + user_homedir, + user_shell + ) = pwd.getpwnam(conf.process_username) + + except KeyError: + print >> sys.stderr, _("User %s does not exist") % ( + conf.process_username + ) + + sys.exit(1) + + + # Set real and effective user if not the same as current. + if not user_uid == ruid: + log.debug( + _("Switching real and effective user id to %d") % ( + user_uid + ), + level=8 + ) + + os.setreuid(user_uid, user_uid) + + except: + log.error(_("Could not change real and effective uid and/or gid")) + + try: pid = 1 if conf.fork_mode: pid = os.fork()
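Review bot: The bare `except:` that closes the new uid/gid block in saslauthd/__init__.py also catches the `SystemExit` raised by the two `sys.exit(1)` calls and any failure of `os.setregid()`/`os.setreuid()`, so when the user or group is missing or the switch fails the daemon logs one line and carries on to the fork with root's ids. A privilege drop should fail closed: `except Exception:`, then the existing `log.error(...)`, then `sys.exit(1)`. The comment mentions setgroups(), but the supplementary group list is never changed, so root's supplementary groups remain after `os.setreuid()`; calling `os.setgroups([group_gid])` before the uid switch would clear them. The group is only switched when the real gid is 0, which deserves a comment if it is intended. The enclosing method starts and ends outside the hunk.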