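def check_permissions(
    username: str,
    current_path: str,
    full_path: str,
    is_file: bool,
    strictmodes: bool,
) -> bool:
    """Check if the file/folder in @current_path has the right permissions.

    This mirrors the checks sshd performs on every path component of an
    authorized_keys file before it trusts its contents:
    1. If StrictMode is enabled, the owner is either root or the user
    2. the user can access the file/folder, otherwise ssh won't use it
       (execute bit on a directory, read bit on a file)
    3. If StrictMode is enabled, no write permission is given to group
       and world users (022)

    @param username: name of the user whose key file is being validated
    @param current_path: the path component currently being checked
    @param full_path: the complete authorized_keys path, used in log
        messages only
    @param is_file: True when @current_path is the key file itself, False
        for a directory on the way to it
    @param strictmodes: sshd's StrictModes setting; enables checks 1 and 3
    @return: False when any check fails and the key file must be ignored,
        True otherwise. Failures are logged at debug level.

    NOTE(review): ownership is compared by name as returned by
    util.get_owner, whereas sshd compares uids; this is only equivalent as
    long as the helper resolves names unambiguously. The result is also a
    point-in-time check; sshd re-validates at login.
    """

    # 1. owner must be either root or the user itself
    owner = util.get_owner(current_path)
    if strictmodes and owner != username and owner != "root":
        LOG.debug(
            "Path %s in %s must be own by user %s or"
            " by root, but instead is own by %s. Ignoring key.", current_path,
            full_path, username, owner)
        return False

    parent_permission = util.get_permissions(current_path)

    # 2. the user can access the file/folder, otherwise ssh won't use it.
    # sshd reads the key file with the user's privileges, so it needs the
    # execute (search) bit on every directory it traverses and the read
    # bit on the file itself. Start from that bit in all three classes
    # and then keep only the class (owner/group/world) through which the
    # user actually reaches the path, so the test below checks for the
    # exact bit sshd needs rather than for "any bit of the class" (the
    # previous 0o700/0o600 masks accepted a directory with rw- but no x,
    # which sshd cannot traverse).
    required_bits = 0o444 if is_file else 0o111
    if owner == username:
        # need only the owner permissions
        required_bits &= 0o700
    else:
        group_owner = util.get_group(current_path)
        user_groups = util.get_user_groups(username)

        if group_owner in user_groups:
            # need only the group permissions
            required_bits &= 0o070
        else:
            # need only the world permissions
            required_bits &= 0o007

    if parent_permission & required_bits == 0:
        LOG.debug(
            "Path %s in %s must be accessible by user %s,"
            " check its permissions", current_path, full_path, username)
        return False

    # 3. no write permission (w) is given to group and world users (022)
    # Group and world user can still have +rx. This is what lets a
    # non-owner plant a key: any writable component on the way to the
    # file lets them replace it.
    if strictmodes and parent_permission & 0o022 != 0:
        # Leading space restored: the two literals previously concatenated
        # to "writepermission".
        LOG.debug(
            "Path %s in %s must not give write"
            " permission to group or world users. Ignoring key.", current_path,
            full_path)
        return False

    return True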
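def mock_get_owner(updated_permissions, value):
    """Test double for util.get_owner.

    Look @value up in @updated_permissions, a mapping of path -> tuple
    whose first element is the owner name, and fall back to the real
    util.get_owner for any path the test did not override.

    @param updated_permissions: mapping of path to a tuple starting with
        the owner name
    @param value: the path being queried
    @return: the owner name for @value

    The fallback is reached on KeyError: a missing mapping entry raises
    KeyError, not ValueError, so catching ValueError (as this did before)
    let the lookup failure escape instead of falling back to the real
    helper.
    """
    try:
        return updated_permissions[value][0]
    except KeyError:
        return util.get_owner(value)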