def store(self, sender, reciever, message): if not self.owner: if 'filepermissions' in config and 'owner' in config['filepermissions']: self.owner = config['filepermissions']['owner'] else: self.owner = getpass.getuser() if not self.group: if 'filepermissions' in config and 'group' in config['filepermissions']: self.group = config['filepermissions']['group'] else: self.group = getpass.getuser() print('Mail will be stored as {}.{}'.format(self.owner, self.group)) if not self.uid: self.uid = pwd.getpwnam(self.owner).pw_uid if not self.gid: self.gid = grp.getgrnam(self.group).gr_gid chown(self.path, self.uid, self.gid) destination = '{}/{}.mail'.format(self.path, generate_UID()) log('Stored mail from {} to reciever {} under \'{}\''.format(sender, reciever, destination), product='slimSMTP', handler='storage_maildir', level=3) with open(destination, 'wb') as mail: mail.write(message) chown(destination, self.uid, self.gid) return True
def _create_bench_dir(self): """Create the directory for a benchmark.""" # Get group_id if available (given by JUBE_GROUP_NAME) group_id = jube2.util.check_and_get_group_id() # Check if outpath exists if not (os.path.exists(self._outpath) and os.path.isdir(self._outpath)): os.makedirs(self._outpath) if group_id is not None: os.chown(self._outpath, os.getuid(), group_id) # Generate unique ID in outpath if self._id < 0: self._id = jube2.util.get_current_id(self._outpath) + 1 if os.path.exists(self.bench_dir): raise RuntimeError("Benchmark directory \"{0}\" already exist" .format(self.bench_dir)) os.makedirs(self.bench_dir) # If JUBE_GROUP_NAME is given, set GID-Bit and change group if group_id is not None: os.chmod(self.bench_dir, os.stat(self.bench_dir).st_mode | stat.S_ISGID) os.chown(self.bench_dir, os.getuid(), group_id) self.write_benchmark_configuration( os.path.join(self.bench_dir, jube2.conf.CONFIGURATION_FILENAME)) jube2.util.update_timestamps(os.path.join(self.bench_dir, jube2.conf.TIMESTAMPS_INFO), "start", "change")
def ensure_permissions(path, user, group, permissions, maxdepth=-1): """Ensure permissions for path. If path is a file, apply to file and return. If path is a directory, apply recursively (if required) to directory contents and return. :param user: user name :param group: group name :param permissions: octal permissions :param maxdepth: maximum recursion depth. A negative maxdepth allows infinite recursion and maxdepth=0 means no recursion. :returns: None """ if not os.path.exists(path): log("File '%s' does not exist - cannot set permissions" % (path), level=WARNING) return _user = pwd.getpwnam(user) os.chown(path, _user.pw_uid, grp.getgrnam(group).gr_gid) os.chmod(path, permissions) if maxdepth == 0: log("Max recursion depth reached - skipping further recursion", level=DEBUG) return elif maxdepth > 0: maxdepth -= 1 if os.path.isdir(path): contents = glob.glob("%s/*" % (path)) for c in contents: ensure_permissions(c, user=user, group=group, permissions=permissions, maxdepth=maxdepth)
def download(self, url, get={}, post={}, ref=True, cookies=True, disposition=False): """Downloads the content at url to download folder :param url: :param get: :param post: :param ref: :param cookies: :param disposition: if True and server provides content-disposition header\ the filename will be changed if needed :return: The location where the file was saved """ self.checkForSameFiles() self.pyfile.setStatus("downloading") download_folder = self.config['general']['download_folder'] location = save_join(download_folder, self.pyfile.package().folder) if not exists(location): makedirs(location, int(self.core.config["permission"]["folder"], 8)) if self.core.config["permission"]["change_dl"] and os.name != "nt": try: uid = getpwnam(self.config["permission"]["user"])[2] gid = getgrnam(self.config["permission"]["group"])[2] chown(location, uid, gid) except Exception, e: self.log.warning(_("Setting User and Group failed: %s") % str(e))
def _init_log_file(self): if self._log_file is not None: self._log_file.close() if os.getuid() == 0 and not is_sudoed: logs_dir = SYSTEM_LOGS_DIR else: logs_dir = USER_LOGS_DIR if not os.path.exists(logs_dir): os.makedirs(logs_dir) # Fix permissions in case we need to create the dir with sudo if is_sudoed: uid = pwd.getpwnam(usr).pw_uid gid = grp.getgrnam(usr).gr_gid os.chown(logs_dir, uid, gid) log_fn = "{}/{}.log".format(logs_dir, self._app_name) # Fix permissions in case we need to create the file with sudo if not os.path.isfile(log_fn) and is_sudoed: # touch with open(log_fn, 'a'): pass uid = pwd.getpwnam(usr).pw_uid gid = grp.getgrnam(usr).gr_gid os.chown(log_fn, uid, gid) self._log_file = open("{}/{}.log".format(logs_dir, self._app_name), "a")
def store(self): """ Store data for next runs, set the attributes listed in :py:const:`waflib.Build.SAVED_ATTRS`. Uses a temporary file to avoid problems on ctrl+c. """ data = {} for x in SAVED_ATTRS: data[x] = getattr(self, x) db = os.path.join(self.variant_dir, Context.DBFILE) try: Node.pickle_lock.acquire() Node.Nod3 = self.node_class x = cPickle.dumps(data, PROTOCOL) finally: Node.pickle_lock.release() Utils.writef(db + '.tmp', x, m='wb') try: st = os.stat(db) os.remove(db) if not Utils.is_win32: # win32 has no chown but we're paranoid os.chown(db + '.tmp', st.st_uid, st.st_gid) except (AttributeError, OSError): pass # do not use shutil.move (copy is not thread-safe) os.rename(db + '.tmp', db)
def __setup_principal(self): dns_principal = "DNS/" + self.fqdn + "@" + self.realm installutils.kadmin_addprinc(dns_principal) # Store the keytab on disk self.fstore.backup_file(paths.NAMED_KEYTAB) installutils.create_keytab(paths.NAMED_KEYTAB, dns_principal) p = self.move_service(dns_principal) if p is None: # the service has already been moved, perhaps we're doing a DNS reinstall dns_principal = DN(('krbprincipalname', dns_principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix) else: dns_principal = p # Make sure access is strictly reserved to the named user pent = pwd.getpwnam(self.named_user) os.chown(paths.NAMED_KEYTAB, pent.pw_uid, pent.pw_gid) os.chmod(paths.NAMED_KEYTAB, 0o400) # modify the principal so that it is marked as an ipa service so that # it can host the memberof attribute, then also add it to the # dnsserver role group, this way the DNS is allowed to perform # DNS Updates dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'), ('cn', 'pbac'), self.suffix) mod = [(ldap.MOD_ADD, 'member', dns_principal)] try: self.admin_conn.modify_s(dns_group, mod) except ldap.TYPE_OR_VALUE_EXISTS: pass except Exception, e: root_logger.critical("Could not modify principal's %s entry: %s" \ % (dns_principal, str(e))) raise
def _deploy(self, purpose, x509, pkey, path, group): """Write one certificate to the filesystem.""" try: groupid = grp.getgrnam(group).gr_gid except KeyError: log.info("Not deploying %r to %s: group %s not found.", purpose, path, group) return fobj = cny_util.AtomicFile(path, chmod=0640) os.chown(fobj.name, 0, groupid) ext = path.split('.')[-1] assert ext in ('pem', 'crt', 'key') if ext in ('pem', 'crt'): fobj.write(x509) if ext in ('pem', 'key'): fobj.write(pkey) if self.dry_run: fobj.close() log.debug("Would deploy %r to %s (group %s)", purpose, path, group) else: fobj.commit() log.debug("Deployed %r to %s (group %s)", purpose, path, group)
def makedirs(self, path, chown=True): log = self._log('makedirs') if os.path.exists(path) and not os.path.isdir(path): try: log("moving %s", path) os.rename(path, path+".backup") except: log("ok, then remove %s", path) os.unlink(path) if not os.path.exists(path): log("creating %s"%path) os.chdir(self.project_path) def makedirs(name): # modified from os.makedirs to chown each newly created path segment head, tail = os.path.split(name) if not tail: head, tail = os.path.split(head) if head and tail and not os.path.exists(head): try: makedirs(head) except OSError, e: # be happy if someone already created the path if e.errno != errno.EEXIST: raise if tail == os.curdir: # xxx/newdir/. exists if xxx/newdir exists return try: os.mkdir(name, 0700) except OSError, e: if e.errno != errno.EEXIST: raise if not self._dev: os.chown(name, self.uid, self.uid)
def chown(filename, owner=None, group=None): # -1 to chown means don't change it uid = pwd.getpwnam(owner).pw_uid if owner else -1 gid = grp.getgrnam(group).gr_gid if group else -1 os.chown(filename, uid, gid)
def setPermsPath(path, user='******', group='root', chmod=0750): """chown user.group and set permissions to chmod""" if not os.path.exists(path): raise OSError, "*** ERROR: Path doesn't exist (can't set permissions): %s" % path sys.exit(-1) # If non-root, don't bother to change owners if os.getuid() != 0: return gc = GecosCache() uid = gc.getuid(user) if uid is None: raise OSError, "*** ERROR: user '%s' doesn't exist. Cannot set permissions properly." % user sys.exit(-1) gid = gc.getgid(group) if gid is None: raise OSError, "*** ERROR: group '%s' doesn't exist. Cannot set permissions properly." % group sys.exit(-1) uid_, gid_ = os.stat(path)[4:6] if uid_ != uid or gid_ != gid: os.chown(path, uid, gid) os.chmod(path, chmod)
def ensure_file_exists(self, src, target): target = os.path.abspath(target) if not os.path.exists(target): self.makedirs(os.path.split(target)[0]) shutil.copyfile(src, target) if USERNAME == "root": os.chown(target, self.uid, self.uid)
def createMountPoint(): sys.stdout.write("Création de %s..." % (mount_point)) if not os.path.exists(mount_point): os.mkdir(mount_point) os.chown(mount_point, uid, gid) os.chmod(mount_point, 0775) print "OK"
def changeOwner(self, path, uid=None, gid=None): self._elevatePrivs() if uid is None: uid = self.unprivUid if gid is None: gid = self.unprivGid os.chown(path, uid, gid)
def configure(self): if os.path.isfile(installation_path + "/conf/user_data.yaml.tmpl"): userdatayaml = installation_path + "/user-data/" + self.username if os.path.isfile(userdatayaml): userdatayaml_data_stream = open(userdatayaml, "r") yaml_parsed_userdata = yaml.safe_load(userdatayaml_data_stream) userdatayaml_data_stream.close() myversion = yaml_parsed_userdata.get("PHP") backend_config_file = installation_path + "/conf/backends.yaml" backend_data_yaml = open(backend_config_file, "r") backend_data_yaml_parsed = yaml.safe_load(backend_data_yaml) backend_data_yaml.close() if "PHP" in backend_data_yaml_parsed: php_backends_dict = backend_data_yaml_parsed["PHP"] php_path = php_backends_dict.get(myversion) php_profile_set(self.username, php_path) path_to_socket = php_path + "/var/run/" + self.username + ".sock" if os.path.islink("/opt/fpmsockets/" + self.username + ".sock"): os.remove("/opt/fpmsockets/" + self.username + ".sock") os.symlink(path_to_socket, "/opt/fpmsockets/" + self.username + ".sock") else: os.symlink(path_to_socket, "/opt/fpmsockets/" + self.username + ".sock") else: print("ERROR:: PHP Backends missing") else: subprocess.call("cp " + installation_path + "/conf/user_data.yaml.tmpl " + userdatayaml, shell=True) cpuser_uid = pwd.getpwnam(self.username).pw_uid cpuser_gid = grp.getgrnam(self.username).gr_gid os.chown(userdatayaml, cpuser_uid, cpuser_gid) os.chmod(userdatayaml, 0660) self.configure() else: sys.exit(0)
def _create_cookie(self, timefunc=time.time): lockfd = self._get_lock() cookies = self._get_cookies(timefunc) cookie_id = 1 for tpl in cookies: if int(tpl[0]) >= cookie_id: cookie_id = int(tpl[0]) + 1 cookie = hexlify(os.urandom(24)) cookies.append( (str(cookie_id), str(int(timefunc())), cookie) ) for c in cookies: os.write(lockfd, ' '.join(c).encode('ascii') + b'\n') os.close(lockfd) if os.geteuid() == 0: os.chown(self.lock_file, self.uid, self.gid) os.rename(self.lock_file, self.cookie_file) self.cookieId = cookie_id self.cookie = cookie
def archive(config, srcPath, uid, gid): """ Move srcPath into dataroot/archived, giving the destination a unique (sequentially numbered) name in the case of duplicates. """ archiveDir = os.path.join(config.DataRoot, "archived") if not os.path.exists(archiveDir): os.mkdir(archiveDir) os.chown(archiveDir, uid, gid) baseName = os.path.basename(srcPath) newName = baseName count = 0 destPath = os.path.join(archiveDir, newName) while os.path.exists(destPath): count += 1 newName = "%s.%d" % (baseName, count) destPath = os.path.join(archiveDir, newName) try: os.rename(srcPath, destPath) except OSError: # Can't rename, must copy/delete shutil.copy2(srcPath, destPath) os.remove(srcPath)
def changeOwner(self, filePath, user, group): if os.path.exists(filePath): uid = pwd.getpwnam(user).pw_uid gid = grp.getgrnam(group).gr_gid os.chown(filePath, uid, gid) return 1 return 0
def _chown(self): if self.owner is not None: try: os.chown(self.path, self.owner[0], self.owner[1]) except Exception, e: raise ValueError("Could not change ownership of socket file: " + "%s" % (e))
def upgradeData(config): docRoot = config.DocumentRoot versionFilePath = os.path.join(docRoot, ".calendarserver_version") onDiskVersion = 0 if os.path.exists(versionFilePath): try: with open(versionFilePath) as versionFile: onDiskVersion = int(versionFile.read().strip()) except IOError: log.error("Cannot open %s; skipping migration" % (versionFilePath,)) except ValueError: log.error("Invalid version number in %s; skipping migration" % (versionFilePath,)) uid, gid = getCalendarServerIDs(config) for version, method in upgradeMethods: if onDiskVersion < version: log.warn("Upgrading to version %d" % (version,)) method(config) with open(versionFilePath, "w") as verFile: verFile.write(str(version)) os.chown(versionFilePath, uid, gid)
def temp_dirname(parent=None, prefix="dak", suffix="", mode=None, group=None): """ Return a secure and unique directory by pre-creating it. @type parent: str @param parent: If non-null it will be the directory the directory is pre-created in. @type prefix: str @param prefix: The filename will be prefixed with this string @type suffix: str @param suffix: The filename will end with this string @type mode: str @param mode: If set the file will get chmodded to those permissions @type group: str @param group: If set the file will get chgrped to the specified group. @rtype: list @return: Returns a pair (fd, name) """ tfname = tempfile.mkdtemp(suffix, prefix, parent) if mode: os.chmod(tfname, mode) if group: gid = grp.getgrnam(group).gr_gid os.chown(tfname, -1, gid) return tfname
def set_file_attr(filename, attr): """ Change a file's attributes on the local filesystem. The contents of C{attr} are used to change the permissions, owner, group ownership, and/or modification & access time of the file, depending on which attributes are present in C{attr}. This is meant to be a handy helper function for translating SFTP file requests into local file operations. @param filename: name of the file to alter (should usually be an absolute path). @type filename: str @param attr: attributes to change. @type attr: L{SFTPAttributes} """ if sys.platform != 'win32': # mode operations are meaningless on win32 if attr._flags & attr.FLAG_PERMISSIONS: os.chmod(filename, attr.st_mode) if attr._flags & attr.FLAG_UIDGID: os.chown(filename, attr.st_uid, attr.st_gid) if attr._flags & attr.FLAG_AMTIME: os.utime(filename, (attr.st_atime, attr.st_mtime)) if attr._flags & attr.FLAG_SIZE: open(filename, 'w+').truncate(attr.st_size)
def chown(path, uid, gid): try: os.chown(path, uid, gid) except OverflowError: if not ctypes: raise os.chown(path, uid, -ctypes.c_int(-gid).value)
def need_deployment(): """ Salt thin needs to be deployed - prep the target directory and emit the delimeter and exit code that signals a required deployment. """ if os.path.exists(OPTIONS.saltdir): shutil.rmtree(OPTIONS.saltdir) old_umask = os.umask(0o077) os.makedirs(OPTIONS.saltdir) os.umask(old_umask) # Verify perms on saltdir euid = os.geteuid() dstat = os.stat(OPTIONS.saltdir) if dstat.st_uid != euid: # Attack detected, try again need_deployment() if dstat.st_mode != 16832: # Attack detected need_deployment() # If SUDOing then also give the super user group write permissions sudo_gid = os.environ.get('SUDO_GID') if sudo_gid: os.chown(OPTIONS.saltdir, -1, int(sudo_gid)) stt = os.stat(OPTIONS.saltdir) os.chmod(OPTIONS.saltdir, stt.st_mode | stat.S_IWGRP | stat.S_IRGRP | stat.S_IXGRP) # Delimiter emitted on stdout *only* to indicate shim message to master. sys.stdout.write("{0}\ndeploy\n".format(OPTIONS.delimiter)) sys.exit(EX_THIN_DEPLOY)
def supermakedirs(self, path): try: if not path or os.path.exists(path): stat_info = os.stat(path) uid = stat_info.st_uid gid = stat_info.st_gid self.user = uid self.group = gid logging.debug('Found: {} - {} - {}'.format(self.user, self.group, path)) # Break recursion return [] (head, tail) = os.path.split(path) res = self.supermakedirs(head) os.mkdir(path) os.chmod(path, self.file_permission) os.chown(path, self.user, self.group) logging.debug('Created: {} - {} - {}'.format(self.user, self.group, path)) res += [path] return res except OSError as e: if e.errno == 17: logging.debug('Directory existed when creating. Ignoring') res += [path] return res raise
def fix_prod_setup_perms(bench_path='.', frappe_user=None): from .config.common_site_config import get_config files = [ "logs/web.error.log", "logs/web.log", "logs/workerbeat.error.log", "logs/workerbeat.log", "logs/worker.error.log", "logs/worker.log", "config/nginx.conf", "config/supervisor.conf", ] if not frappe_user: frappe_user = get_config(bench_path).get('frappe_user') if not frappe_user: print("frappe user not set") sys.exit(1) for path in files: if os.path.exists(path): uid = pwd.getpwnam(frappe_user).pw_uid gid = grp.getgrnam(frappe_user).gr_gid os.chown(path, uid, gid)
def __init__(self, cmd, environment_vars=None): tmpdir = _temp_dir LABELPREFIX = 'com.toppatch.agent.' # create a unique id for this job jobid = str(uuid.uuid1()) self.label = LABELPREFIX + jobid self.stdout_path = os.path.join(tmpdir, self.label + '.stdout') self.stderr_path = os.path.join(tmpdir, self.label + '.stderr') self.plist_path = os.path.join(tmpdir, self.label + '.plist') self.stdout = None self.stderr = None self.plist = {} self.plist['Label'] = self.label self.plist['ProgramArguments'] = cmd self.plist['StandardOutPath'] = self.stdout_path self.plist['StandardErrorPath'] = self.stderr_path if environment_vars: self.plist['EnvironmentVariables'] = environment_vars # write out launchd plist #FoundationPlist.writePlist(self.plist, self.plist_path) plistlib.writePlist(self.plist, self.plist_path) # set owner, group and mode to those required # by launchd os.chown(self.plist_path, 0, 0) os.chmod(self.plist_path, int('644', 8)) launchctl_cmd = ['/bin/launchctl', 'load', self.plist_path] proc = subprocess.Popen(launchctl_cmd, shell=False, bufsize=1, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) (unused_out, err) = proc.communicate() if proc.returncode: raise LaunchdJobException(err)
def write(self): newpath = os.path.join(self.path, self.name) if self.fullpath != newpath: logging.info('[fm] renaming %s -> %s' % (self.fullpath, newpath)) os.rename(self.fullpath, newpath) self.fullpath = os.path.join(self.path, self.name) os.chmod(self.fullpath, self.mode) err = None try: uid = int(self.owner) except: try: uid = pwd.getpwnam(self.owner)[2] except KeyError: uid = -1 err = Exception('Invalid owner') try: gid = int(self.group) except: try: gid = grp.getgrnam(self.group)[2] except KeyError: gid = -1 err = Exception('Invalid group') os.chown(self.fullpath, uid, gid) if err: raise err
def do_chown(path, uid, gid): try: os.chown(path, uid, gid) except OSError as err: raise SwiftOnFileSystemOSError( err.errno, '%s, os.chown("%s", %s, %s)' % ( err.strerror, path, uid, gid))
def create_key_directory(self, keystone_user_id=None, keystone_group_id=None): """Attempt to create the key directory if it doesn't exist.""" if not os.access(self.key_repository, os.F_OK): LOG.info( 'key_repository does not appear to exist; attempting to ' 'create it') try: os.makedirs(self.key_repository, 0o700) except OSError: LOG.error( 'Failed to create key_repository: either it already ' 'exists or you don\'t have sufficient permissions to ' 'create it') if keystone_user_id and keystone_group_id: os.chown( self.key_repository, keystone_user_id, keystone_group_id) elif keystone_user_id or keystone_group_id: LOG.warning( 'Unable to change the ownership of key_repository without ' 'a keystone user ID and keystone group ID both being ' 'provided: %s', self.key_repository)
def fix(self): try: if not self.ci.getcurrvalue(): return True config = "" if os.path.exists(self.path): config = readFile(self.path, self.logger) tmpconfig = self.path + ".tmp" config2 = [] configstring = "" if config: for line in config: splitline = line.split() if len(splitline) >= 1: if search("^\*timeout:", splitline[0]): continue elif search("^\*lockTimeout:", splitline[0]): continue elif search("^\*grabDesktopImages:", splitline[0]): continue elif search("^\*chooseRandomImages:", splitline[0]): continue elif search("^\*lock:", line): continue elif len(splitline) == 1 and splitline[0] not in \ self.badsavers: config2.append(line) elif len(splitline) == 2 and splitline[0] not in \ self.badsavers and splitline[1] not in self.badsavers: config2.append(line) elif len(splitline) > 2 and splitline[0] not in \ self.badsavers and splitline[1] not in \ self.badsavers and splitline[2] not in \ self.badsavers: config2.append(line) else: config2.append(line) else: config2.append(line) for line in config2: configstring += line configstring += "timeout: 0:10:00\nlockTimeout: 0:05:00\n\ grabDesktopImages: False\nchooseRandomImages: True\n\ lock: True\n" if writeFile(tmpconfig, configstring, self.logger): os.rename(tmpconfig, self.path) os.chown(self.path, 0, 0) os.chmod(self.path, 420) resetsecon(self.path) else: self.rulesuccess = False for saver in self.badsavers: for k, v in list(self.paths.items()): try: if os.path.exists(k + saver): os.remove(k + saver) elif os.path.exists(k + saver + v): os.remove(k + saver + v) except (OSError): self.detailedresults += "The following file had " + \ "issues being removed:" + saver + "\n" self.rulesuccess = False for saver in self.badkss: try: if os.path.exists("/usr/bin/" + saver): os.remove("/usr/bin/" + saver) except (OSError): self.detailedresults += "The following file had " + \ "issues being removed" + saver + "\n" self.rulesuccess = False except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
tests_require=["pyflakes>=0.6.1", "pep8>=1.4.1"], classifiers=[ "Development Status :: 5 - Production/Stable", "Environment :: Web Environment", "Framework :: Django", "Intended Audience :: Developers", "License :: OSI Approved :: BSD License", "Operating System :: OS Independent", "Programming Language :: Python", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Topic :: Internet :: WWW/HTTP", "Topic :: Internet :: WWW/HTTP :: Dynamic Content", "Topic :: Internet :: WWW/HTTP :: WSGI", "Topic :: Software Development :: Libraries :: Application Frameworks", "Topic :: Software Development :: Libraries :: Python Modules", ]) finally: for e in exclude: if exclude[e] is not None: data, stat = exclude[e] try: with open(e, "w") as f: f.write(data) os.chown(e, stat.st_uid, stat.st_gid) os.chmod(e, stat.st_mode) except: pass
initial = {} initial['path'] = path initial['uid'] = uid initial['gid'] = gid initial['user_name'] = user_name initial['group_name'] = group_name form = folder_management_forms.ModifyOwnershipForm(initial=initial, user_list = users, group_list = groups) return_dict["form"] = form return django.shortcuts.render_to_response('modify_dir_ownership.html', return_dict, context_instance=django.template.context.RequestContext(request)) else: form = folder_management_forms.ModifyOwnershipForm(request.POST, user_list = users, group_list = groups) return_dict["form"] = form if form.is_valid(): cd = form.cleaned_data os.chown(cd['path'], int(cd['uid']), int(cd['gid'])) user_name = pwd.getpwuid(int(cd['uid']))[0] group_name = grp.getgrgid(int(cd['gid']))[0] audit_str = "Set owner user to %s and owner group to %s for directory %s"%(user_name, group_name, cd["path"]) audit.audit("modify_dir_owner", audit_str, request.META) return django.http.HttpResponseRedirect('/view_dir_ownership_permissions?path=%s&ack=modified_ownership'%cd['path']) else: return django.shortcuts.render_to_response('modify_dir_ownership.html', return_dict, context_instance=django.template.context.RequestContext(request)) except Exception, e: return_dict['base_template'] = "storage_base.html" return_dict["page_title"] = 'Modify directory ownership' return_dict['tab'] = 'dir_permissions_tab' return_dict["error"] = 'Error modifying directory ownership' return_dict["error_details"] = str(e) return django.shortcuts.render_to_response("logged_in_error.html", return_dict, context_instance=django.template.context.RequestContext(request))
def verify_env(dirs, user, permissive=False, pki_dir='', skip_extra=False): ''' Verify that the named directories are in place and that the environment can shake the salt ''' if salt.utils.is_windows(): return win_verify_env(dirs, permissive, pki_dir, skip_extra) import pwd # after confirming not running Windows try: pwnam = pwd.getpwnam(user) uid = pwnam[2] gid = pwnam[3] groups = salt.utils.get_gid_list(user, include_default=False) except KeyError: err = ('Failed to prepare the Salt environment for user ' '{0}. The user is not available.\n').format(user) sys.stderr.write(err) sys.exit(salt.defaults.exitcodes.EX_NOUSER) for dir_ in dirs: if not dir_: continue if not os.path.isdir(dir_): try: cumask = os.umask(18) # 077 os.makedirs(dir_) # If starting the process as root, chown the new dirs if os.getuid() == 0: os.chown(dir_, uid, gid) os.umask(cumask) except OSError as err: msg = 'Failed to create directory path "{0}" - {1}\n' sys.stderr.write(msg.format(dir_, err)) sys.exit(err.errno) mode = os.stat(dir_) # If starting the process as root, chown the new dirs if os.getuid() == 0: fmode = os.stat(dir_) if fmode.st_uid != uid or fmode.st_gid != gid: if permissive and fmode.st_gid in groups: # Allow the directory to be owned by any group root # belongs to if we say it's ok to be permissive pass else: # chown the file for the new user os.chown(dir_, uid, gid) for subdir in [a for a in os.listdir(dir_) if 'jobs' not in a]: fsubdir = os.path.join(dir_, subdir) if '{0}jobs'.format(os.path.sep) in fsubdir: continue for root, dirs, files in os.walk(fsubdir): for name in files: if name.startswith('.'): continue path = os.path.join(root, name) try: fmode = os.stat(path) except (IOError, OSError): pass if fmode.st_uid != uid or fmode.st_gid != gid: if permissive and fmode.st_gid in groups: pass else: # chown the file for the new user os.chown(path, uid, gid) for name in dirs: path = os.path.join(root, name) fmode = os.stat(path) if fmode.st_uid != uid or fmode.st_gid != gid: if permissive and fmode.st_gid in groups: pass else: # chown the file for the new user os.chown(path, uid, gid) # Allow the pki dir to be 700 or 750, but nothing else. # This prevents other users from writing out keys, while # allowing the use-case of 3rd-party software (like django) # to read in what it needs to integrate. # # If the permissions aren't correct, default to the more secure 700. # If acls are enabled, the pki_dir needs to remain readable, this # is still secure because the private keys are still only readable # by the user running the master if dir_ == pki_dir: smode = stat.S_IMODE(mode.st_mode) if smode != 448 and smode != 488: if os.access(dir_, os.W_OK): os.chmod(dir_, 448) else: msg = 'Unable to securely set the permissions of "{0}".' msg = msg.format(dir_) if is_console_configured(): log.critical(msg) else: sys.stderr.write("CRITICAL: {0}\n".format(msg)) if skip_extra is False: # Run the extra verification checks zmq_version()
def create_project_path(self): if not os.path.exists(self.project_path): os.makedirs(self.project_path) if not self._dev: os.chown(self.project_path, self.uid, self.uid)
def insert(self, name, source): self.mkdir(name) path = self.path(name) shutil.move(source, path) if self.chown: os.chown(path, self.user, self.group)
# Edit get_info.py with open('modules/pastafari/scripts/monit/debian_wheezy/files/get_info.py' ) as f: get_info = f.read() with open('/usr/local/bin/get_info.py', 'w') as f: get_info = get_info.replace("http://url/to/server/token/ip", args.url) f.write(get_info) os.chmod('/usr/local/bin/get_info.py', 0o700) user_passwd = pwd.getpwnam(args.user) os.chown('/usr/local/bin/get_info.py', user_passwd[2], user_passwd[3]) #shutil.chown('/usr/local/bin/get_info.py', args.user, args.user) # Edit get_updates.py with open( 'modules/pastafari/scripts/monit/debian_wheezy/files/get_updates.py' ) as f: get_updates = f.read() with open('/etc/cron.daily/get_updates.py', 'w') as f: url_updates = args.url.replace('/getinfo/', '/getupdates/') get_updates = get_updates.replace("http://url/to/server/token/ip", url_updates) f.write(get_updates)
def apply(login): for user in login['add_users']: # make new user using vyatta shell and make home directory (-m), # default group of 100 (users) command = "useradd -m -N" # check if user already exists: if user['name'] in get_local_users(): # update existing account command = "usermod" # all accounts use /bin/vbash command += " -s /bin/vbash" # we need to use '' quotes when passing formatted data to the shell # else it will not work as some data parts are lost in translation if user['password_encrypted']: command += " -p '{}'".format(user['password_encrypted']) if user['full_name']: command += " -c '{}'".format(user['full_name']) if user['home_dir']: command += " -d '{}'".format(user['home_dir']) command += " -G frrvty,vyattacfg,sudo,adm,dip,disk" command += " {}".format(user['name']) try: cmd(command) uid = getpwnam(user['name']).pw_uid gid = getpwnam(user['name']).pw_gid # we should not rely on the value stored in user['home_dir'], as a # crazy user will choose username root or any other system user # which will fail. Should we deny using root at all? home_dir = getpwnam(user['name']).pw_dir # install ssh keys ssh_key_dir = home_dir + '/.ssh' if not os.path.isdir(ssh_key_dir): os.mkdir(ssh_key_dir) os.chown(ssh_key_dir, uid, gid) chmod_755(ssh_key_dir) ssh_key_file = ssh_key_dir + '/authorized_keys' with open(ssh_key_file, 'w') as f: f.write("# Automatically generated by VyOS\n") f.write("# Do not edit, all changes will be lost\n") for id in user['public_keys']: line = '' if id['options']: line = '{} '.format(id['options']) line += '{} {} {}\n'.format(id['type'], id['key'], id['name']) f.write(line) os.chown(ssh_key_file, uid, gid) chmod_600(ssh_key_file) except Exception as e: print(e) raise ConfigError( 'Adding user "{name}" raised exception'.format(**user)) for user in login['del_users']: try: # Logout user if he is logged in if user in list(set([tmp[0] for tmp in users()])): print('{} is logged in, forcing logout'.format(user)) call('pkill -HUP -u {}'.format(user)) # Remove user account but leave home directory to be safe call(f'userdel -r {user}', stderr=DEVNULL) except Exception as e: raise ConfigError(f'Deleting user "{user}" raised exception: {e}') # # RADIUS configuration # if len(login['radius_server']) > 0: try: env = os.environ.copy() env['DEBIAN_FRONTEND'] = 'noninteractive' # Enable RADIUS in PAM cmd("pam-auth-update --package --enable radius", env=env) # Make NSS system aware of RADIUS, too command = "sed -i -e \'/\smapname/b\' \ -e \'/^passwd:/s/\s\s*/&mapuid /\' \ -e \'/^passwd:.*#/s/#.*/mapname &/\' \ -e \'/^passwd:[^#]*$/s/$/ mapname &/\' \ -e \'/^group:.*#/s/#.*/ mapname &/\' \ -e \'/^group:[^#]*$/s/: */&mapname /\' \ /etc/nsswitch.conf" cmd(command) except Exception as e: raise ConfigError('RADIUS configuration failed: {}'.format(e)) else: try: env = os.environ.copy() env['DEBIAN_FRONTEND'] = 'noninteractive' # Disable RADIUS in PAM cmd("pam-auth-update --package --remove radius", env=env) command = "sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \ -e \'/^passwd:.*[ \t]mapname/s/[ \t]mapname//\' \ -e \'/^group:.*[ \t]mapname/s/[ \t]mapname//\' \ -e \'s/[ \t]*$//\' \ /etc/nsswitch.conf" cmd(command) except Exception as e: raise ConfigError( 'Removing RADIUS configuration failed.\n{}'.format(e)) return None
def mkdir(path, owner='root', group='root', perms=0555, force=False): """Create a directory""" log("Making dir {} {}:{} {:o}".format(path, owner, group, perms)) uid = pwd.getpwnam(owner).pw_uid gid = grp.getgrnam(group).gr_gid realpath = os.path.abspath(path) if os.path.exists(realpath): if force and not os.path.isdir(realpath): log("Removing non-directory file {} prior to mkdir()".format(path)) os.unlink(realpath) else: os.makedirs(realpath, perms) os.chown(realpath, uid, gid) def write_file(path, content, owner='root', group='root', perms=0444): """Create or overwrite a file with the contents of a string""" log("Writing file {} {}:{} {:o}".format(path, owner, group, perms)) uid = pwd.getpwnam(owner).pw_uid gid = grp.getgrnam(group).gr_gid with open(path, 'w') as target: os.fchown(target.fileno(), uid, gid) os.fchmod(target.fileno(), perms) target.write(content) def mount(device, mountpoint, options=None, persist=False): """Mount a filesystem at a particular mountpoint"""
def chown(path, uid, gid): gid = abs(gid) & 0x7FFFFFFF # see note above. os.chown(path, uid, gid)
def chown(filename, uid_name, gid_name): os.chown(filename, pwd.getpwnam(uid_name)[2], grp.getgrnam(gid_name)[2])
} ############################################################################### # Create user if nessesary if args.create_user: os.system(create_user_cmd) uid = get_uid(user) gid = get_gid(group) if uid is None: sys.exit("Cannot create user '" + user + "'") if gid is None: sys.exit("Cannot create group '" + group + "'") recursive_chmod(user_home, 0o640, 0o750) if not os.path.exists(backup_dir): os.mkdir(backup_dir, 0o700) os.chown(backup_dir, uid, gid); ############################################################################### # Instantiate template os.mkdir(site_home) os.chdir(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'templates', template)) for dirpath, dirnames, filenames in os.walk('.'): for dirname in dirnames: os.mkdir(os.path.join(site_home, dirpath, dirname)) for filename in filenames: if filename == '.emptydir': continue src = os.path.join(dirpath, filename) dst = os.path.join(site_home, dirpath, filename) t = open(src, 'r').read() t = t.format(**template_keys)
os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'CREATE TABLE "thread_categories" ("thread_id" int NOT NULL, "category_id" int NOT NULL)'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'CREATE TABLE "threads" ("id" serial NOT NULL,"title" varchar NOT NULL,"created_by" varchar NOT NULL,"pinned" BOOLEAN NOT NULL DEFAULT 'false',"deleted" BOOLEAN NOT NULL DEFAULT 'false',"merged_id" int DEFAULT '-1',"is_visible" BOOLEAN NOT NULL,CONSTRAINT threads_pk PRIMARY KEY ("id"))'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'CREATE TABLE "posts" ("id" serial NOT NULL,"thread_id" int NOT NULL,"parent_id" int DEFAULT '-1',"author_user_id" character varying NOT NULL,"content" TEXT NOT NULL,"timestamp" timestamp with time zone NOT NULL,"anonymous" BOOLEAN NOT NULL,"deleted" BOOLEAN NOT NULL DEFAULT 'false',"endorsed_by" varchar,"resolved" BOOLEAN NOT NULL,"type" int NOT NULL, "has_attachment" BOOLEAN NOT NULL, CONSTRAINT posts_pk PRIMARY KEY ("id"))'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'ALTER TABLE "posts" ADD CONSTRAINT "posts_fk0" FOREIGN KEY ("thread_id") REFERENCES "threads"("id")'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'ALTER TABLE "posts" ADD CONSTRAINT "posts_fk1" FOREIGN KEY ("author_user_id") REFERENCES "users"("user_id")'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'ALTER TABLE "thread_categories" ADD CONSTRAINT "thread_categories_fk0" FOREIGN KEY ("thread_id") REFERENCES "threads"("id")'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'ALTER TABLE "thread_categories" ADD CONSTRAINT "thread_categories_fk1" FOREIGN KEY ("category_id") REFERENCES "categories_list"("category_id")'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'ALTER TABLE "student_favorites" ADD CONSTRAINT "student_favorites_fk0" FOREIGN KEY ("user_id") REFERENCES "users"("user_id")'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'ALTER TABLE "student_favorites" ADD CONSTRAINT "student_favorites_fk1" FOREIGN KEY ("thread_id") REFERENCES "threads"("id")'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'ALTER TABLE "viewed_responses" ADD CONSTRAINT "viewed_responses_fk0" FOREIGN KEY ("thread_id") REFERENCES "threads"("id")'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) os.system("""PGPASSWORD='******' psql --host={} --username={} --dbname={} -c 'ALTER TABLE "viewed_responses" ADD CONSTRAINT "viewed_responses_fk1" FOREIGN KEY ("user_id") REFERENCES "users"("user_id")'""".format(settings['database_password'], settings['database_host'], settings['database_user'], db)) # create the forum attachments directory and set the owner, group, and permissions course_dir = os.path.join(settings['submitty_data_dir'],"courses",term.name,course.name) forum_dir = os.path.join(course_dir,"forum_attachments") if not os.path.exists(forum_dir): os.makedirs(forum_dir) stat_info = os.stat(course_dir) uid = stat_info.st_uid gid = stat_info.st_gid os.chown(forum_dir,uid,gid) os.chmod(forum_dir,0o770) print ("created directory:" + forum_dir) print ("\n")
# Generate CSV with open(os.path.join(textDir, "videos.csv"), "w", encoding="UTF-8") as csv: for video in videos: csv.write(video.getCSVLine()) # Generate names.php with open(os.path.join(textDir, "names.php"), "w", encoding="UTF-8") as php: phpData = "<?php $names = [" for aSeries in series: if aSeries.hasApprovedVideos(): phpData += aSeries.getPHP() + ",\n" # Remove the last comma and newline. phpData = phpData[:-2] phpData += "\n]; ?>\n" php.write(phpData) if groupID: try: os.chown(os.path.join(textDir, "videos.csv"), -1, groupID) os.chmod(os.path.join(textDir, "videos.csv"), 0o660) except: pass try: os.chown(os.path.join(textDir, "names.php"), -1, groupID) os.chmod(os.path.join(textDir, "names.php"), 0o660) except: pass
# Try to extract again. self.tar.extract(tarinfo) # tarfile.extract does not honor umask. It must be honored # explicitly. See --no-same-permissions option of tar(1), # which is the deafult behaviour. # # Note: This is no good while installing a pisi package. # Thats why this is optional. if self.no_same_permissions and not os.path.islink(tarinfo.name): os.chmod(tarinfo.name, tarinfo.mode & ~ctx.const.umask) if self.no_same_owner: if not os.path.islink(tarinfo.name): os.chown(tarinfo.name, uid, gid) else: os.lchown(tarinfo.name, uid, gid) if callback: callback(tarinfo, extracted=True) try: if oldwd: os.chdir(oldwd) # Bug #6748 except OSError: pass self.close() def add_to_archive(self, file_name, arc_name=None):
def chown(self, uid, gid): os.chown(self, uid, gid)
for f in args: if create_dir: if os.path.isdir (f): continue os.makedirs (f, mode=mode) chown_me.append (f) else: if copy: if os.path.exists (dest) and not os.path.isdir (dest): os.remove (dest) shutil.copy2 (f, dest) else: shutil.move (f, dest) if os.path.isdir (dest): chown_me.append (os.path.join (dest, os.path.basename (f))) else: chown_me.append (dest) for f in chown_me: os.chmod (f, mode) if group <> None or owner <> None: os.chown (f, group, owner)
def chown(fn): try: os.chown(fn, user.pw_uid, user.pw_gid) except: pass
def load_and_merge_ref_files(raw_files, target_file, uid, gid): header = [ 'ProductID', 'Product', 'Type', 'Exchange', 'Currency', 'Underlying', 'ExpiryDate', 'Strike', 'PutOrCall', 'ExerciseStyle', 'MinPriceIncrement', 'MinPriceIncrementAmount', 'SecurityDesc', 'PremiumDecimalPlace', 'SecurityID', 'UnderlyingSecurityID', 'MarketSegmentID', 'MarketSegment', 'DestinationExchange' ] decopt = re.compile("([0-9]),([0-9]+\\.[CP])") ref = [] # resulting data.frame (as a list so far) for f in raw_files: # decompress the file first if f.endswith('.xz'): the_file = lzma.open(f, 'rt', encoding='ISO-8859-1') else: the_file = open(f, 'rt', encoding='ISO-8859-1') # read data and filter out problems # filter out all sort of problems l = [line.replace('\n', '') for line in the_file] # read and remove all CR l = [line.rstrip(',') for line in l] # remove comma at the end of each lines l = [re.sub(',",', ',,', line) for line in l] # remove a double-quote alone in between comma for c in [ '\x00', '\x01', '\x02', '\x04', '\x0b', '\x0c', '\x10', '\x14', '\x15', '\x16', '\x17', '\x18', '\x1d', '\x1e', '\x1f', '\xfe', '`', u'\u0097', u'\u0098' ]: l = [line.replace(c, '') for line in l] # remove bad characters l = [line.replace(',&,', ',,') for line in l] # remove & l = [line.replace(',NA,', ',,') for line in l] # remove NA to be more generic if len(l) > 0: l[0] = l[0].replace(' ', '') # remove spaces in header # check for product name with a , in place of the decimal point for the strike # if they're not surrounded by quotes, then we add them for i in range(len(l)): if decopt.search(l[i]): l[i] = decopt.sub('\\1_\\2', l[i]) # make a long string again and read it into a data.frame x = pandas.read_csv(io.StringIO('\n'.join(l)), error_bad_lines=False) # add empty missing_col for missing_col in [w for w in header if w not in x.columns]: x[missing_col] = pandas.Series('') # reduce x to the columns we want (in header) and concat with ref ref.append(x[header]) ref = pandas.concat(ref) # make a big data.frame ref = ref.drop_duplicates() # remove duplicate lines ref.to_csv(target_file, na_rep='NA', columns=header, header=header, index=False) os.chown(target_file, uid, gid) os.chmod(target_file, 0o640)
def change_ownership(file_path): user_info = pwd.getpwnam(session["user"]) uid = user_info.pw_uid gid = user_info.pw_gid os.chown(file_path, uid, gid) return {"success": True, "message": "Permission updated correctly"}
def chown(self, uid, gid): """Change the owner (uid) and owning group (gid) of the file""" os.chown(self, uid, gid)
def copy_liquid_capture_to_db(config_file): """ Find new files from the raw data of liquid_capture and process them into the DB """ def find_compressed_files(rawdata_dir): """ get all the raw data compressed files """ raw_files = [] for root, dirs, files in os.walk(rawdata_dir): for f in files: if f.endswith( ".csv.xz" ) and 'Reference' not in f and 'Statistics' not in f: raw_files.append(os.path.join(root, f)) monitor_raw_files(raw_files, 5) # check if upload is done return raw_files def find_db_files(dbdir): """ get all the files from the database """ db_files = [] for root, dirs, files in os.walk(dbdir): for f in files: if f.endswith(".csv.bz2"): db_files.append(os.path.join(root, f)) return db_files def create_dict_of_files(raw_files, db_files, prefix, dbdir): """ create a dictionary with key = target db file and value = list of raw data files to process """ D = {} # build dict of new files to process for f in raw_files: x = os.path.basename(f).split('.')[0] # remove extensions for p in prefix: # remove any "exchange" prefix x = x.replace(p, '') ts = x.split('-')[-1] print(x) month = str(int(x.split('-')[-2]) // 100) # get month new_file = dbdir + '/' + month + '/' + x new_file = new_file.replace('-' + ts, '.csv.bz2') if new_file not in db_files: # check in file exists in db if new_file not in D: # if not, add the raw file to the list D[new_file] = [f] # of files to process (because the same else: # instrument can have many files) D[new_file].append(f) for k in D: # sort each sub list to be sure we concat files chronologically D[k].sort() return D def create_recompress_job_list(D): """ make a list of bash command to recompress everything """ cmd = [] for k in D: s = "( xz -cd " + D[k].pop(0) + ";" # first file of the list for x in D[k]: s = s + "xz -cd " + x + "|tail -n +2;" # remove first line of other files s = s + ") | bzip2 -9c > " + k cmd.append(s) return cmd def create_missing_dirs(D, uid, gid): """ create missing directories for target files """ for d in list(set([os.path.dirname(k) for k in D])): # extract unique target dir names if not os.path.exists(d): os.makedirs(d, mode=0o750) # create dir with mode 750 os.chown(d, uid, gid) # change owner and group # main program of this function with open(config_file) as cfg_file: cfg = json.load(cfg_file) # get json config file rawdata_dir = cfg['liquid_capture']['src_dir'] dbdir = cfg['liquid_capture']['dbdir'] prefix = cfg['liquid_capture']['prefix'] owner = cfg['liquid_capture']['owner'] group = cfg['liquid_capture']['group'] uid = pwd.getpwnam(owner).pw_uid gid = grp.getgrnam(group).gr_gid raw_files = find_compressed_files( rawdata_dir) # find all files in raw data db_files = find_db_files(dbdir) # find all files in DB D = create_dict_of_files( raw_files, db_files, prefix, dbdir) # make a diff and find new files to process job = create_recompress_job_list( D) # make a shell script of recompression jobs create_missing_dirs(D, uid, gid) # add missing dir for a new month print("Running ", len(job), " jobs") results = Parallel(n_jobs=-1)(delayed(os.system)(f) for f in job) # run // jobs for k in D: # finally change owners of each new file os.chown(k, uid, gid) os.chmod(k, 0o640) # and also set correct permissions
def build_config(self): """Build the config as a Plugins object and return back. """ config = monasca_setup.agent_config.Plugins() if self.dependencies_installed(): nova_cfg = ConfigParser.SafeConfigParser() log.info("\tUsing nova configuration file {0}".format(self.nova_conf)) nova_cfg.read(self.nova_conf) # Which configuration options are needed for the plugin YAML? # Use a dict so that they can be renamed later if necessary cfg_needed = {'admin_user': '******', 'admin_password': '******', 'admin_tenant_name': 'admin_tenant_name'} cfg_section = 'keystone_authtoken' # Handle Devstack's slightly different nova.conf names if (nova_cfg.has_option(cfg_section, 'username') and nova_cfg.has_option(cfg_section, 'password') and nova_cfg.has_option(cfg_section, 'project_name')): cfg_needed = {'admin_user': '******', 'admin_password': '******', 'admin_tenant_name': 'project_name'} # Start with plugin-specific configuration parameters init_config = {'cache_dir': cache_dir, 'nova_refresh': nova_refresh, 'vm_probation': vm_probation, 'metadata': metadata, 'customer_metadata': customer_metadata, 'max_ping_concurrency': default_max_ping_concurrency, 'disk_collection_period': default_disk_collection_period, 'vnic_collection_period': default_vnic_collection_period} # Set default parameters for included checks init_config['vm_cpu_check_enable'] = self.literal_eval('True') init_config['vm_disks_check_enable'] = self.literal_eval('True') init_config['vm_network_check_enable'] = self.literal_eval('True') init_config['vm_ping_check_enable'] = self.literal_eval('True') init_config['vm_extended_disks_check_enable'] = self.literal_eval('False') for option in cfg_needed: init_config[option] = nova_cfg.get(cfg_section, cfg_needed[option]) # Create an identity URI (again, slightly different for Devstack) if nova_cfg.has_option(cfg_section, 'auth_url'): init_config['identity_uri'] = "{0}/v2.0".format(nova_cfg.get(cfg_section, 'auth_url')) else: init_config['identity_uri'] = "{0}/v2.0".format(nova_cfg.get(cfg_section, 'identity_uri')) # Verify requirements to enable ping checks init_config['ping_check'] = self.literal_eval('False') if self.agent_user is None: log.warn("\tUnable to determine agent user. Skipping ping checks.") else: try: from neutronclient.v2_0 import client # Copy system 'ip' command to local directory copy(ip_cmd, sys.path[0]) # Restrict permissions on the local 'ip' command os.chown("{0}/ip".format(sys.path[0]), pwd.getpwnam(self.agent_user).pw_uid, 0) os.chmod("{0}/ip".format(sys.path[0]), 0o700) # Set capabilities on 'ip' which will allow # self.agent_user to exec commands in namespaces setcap_cmd = ['/sbin/setcap', 'cap_sys_admin+ep', "{0}/ip".format(sys.path[0])] subprocess.Popen(setcap_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) # Verify that the capabilities were set setcap_cmd.extend(['-v', '-q']) subprocess.check_call(setcap_cmd) # Look for the best ping command for ping_cmd in ping_options: if os.path.isfile(ping_cmd[0]): init_config['ping_check'] = "{0}/ip netns exec NAMESPACE {1}".format(sys.path[0], ' '.join(ping_cmd)) log.info("\tEnabling ping checks using {0}".format(ping_cmd[0])) break if init_config['ping_check'] is False: log.warn("\tUnable to find suitable ping command, disabling ping checks.") except ImportError: log.warn("\tneutronclient module missing, required for ping checks.") pass except IOError: log.warn("\tUnable to copy {0}, ping checks disabled.".format(ip_cmd)) pass except (subprocess.CalledProcessError, OSError): log.warn("\tUnable to set up ping checks, setcap failed ({0})".format(' '.join(setcap_cmd))) pass # Handle monasca-setup detection arguments, which take precedence if self.args: for arg in self.args: if arg in INT_ARGS: value = self.args[arg] try: init_config[arg] = int(value) except ValueError: log.warn("\tInvalid integer value '{0}' for parameter {1}, ignoring value" .format(value, arg)) else: init_config[arg] = self.literal_eval(self.args[arg]) config['libvirt'] = {'init_config': init_config, 'instances': []} return config
def install(): """ Ensure that this VM distro and version are supported. Install the Azure Monitor Linux Agent package, using retries. Note: install operation times out from WAAgent at 15 minutes, so do not wait longer. """ find_package_manager("Install") exit_if_vm_not_supported('Install') public_settings, protected_settings = get_settings() # if public_settings is None: # raise ParameterMissingException('Public configuration must be ' \ # 'provided') #public_settings.get('workspaceId') #protected_settings.get('workspaceKey') package_directory = os.path.join(os.getcwd(), PackagesDirectory) bundle_path = os.path.join(package_directory, BundleFileName) os.chmod(bundle_path, 100) print(PackageManager, " and ", BundleFileName) OneAgentInstallCommand = "{0} -i {1}".format(PackageManager, bundle_path) hutil_log_info('Running command "{0}"'.format(OneAgentInstallCommand)) # Retry, since install can fail due to concurrent package operations exit_code, output = run_command_with_retries_output( OneAgentInstallCommand, retries=15, retry_check=retry_if_dpkg_locked, final_check=final_check_if_dpkg_locked) default_configs = { "MCS_ENDPOINT": "amcs.control.monitor.azure.com", "AZURE_ENDPOINT": "https://management.azure.com/", "ADD_REGION_TO_MCS_ENDPOINT": "true", "ENABLE_MCS": "false", "MONITORING_USE_GENEVA_CONFIG_SERVICE": "false", #"OMS_TLD" : "int2.microsoftatlanta-int.com", #"customResourceId" : "/subscriptions/42e7aed6-f510-46a2-8597-a5fe2e15478b/resourcegroups/amcs-test/providers/Microsoft.OperationalInsights/workspaces/amcs-pretend-linuxVM", } # decide the mode if protected_settings is None or len(protected_settings) is 0: default_configs["ENABLE_MCS"] = "true" else: # look for LA protected settings for var in protected_settings.keys(): if "_key" in var or "_id" in var: default_configs[var] = protected_settings.get(var) # check if required GCS params are available MONITORING_GCS_CERT_CERTFILE = None if protected_settings.has_key("certificate"): MONITORING_GCS_CERT_CERTFILE = base64.standard_b64decode( protected_settings.get("certificate")) MONITORING_GCS_CERT_KEYFILE = None if protected_settings.has_key("certificateKey"): MONITORING_GCS_CERT_KEYFILE = base64.standard_b64decode( protected_settings.get("certificateKey")) MONITORING_GCS_ENVIRONMENT = "" if protected_settings.has_key("monitoringGCSEnvironment"): MONITORING_GCS_ENVIRONMENT = protected_settings.get( "monitoringGCSEnvironment") MONITORING_GCS_NAMESPACE = "" if protected_settings.has_key("namespace"): MONITORING_GCS_NAMESPACE = protected_settings.get("namespace") MONITORING_GCS_ACCOUNT = "" if protected_settings.has_key("monitoringGCSAccount"): MONITORING_GCS_ACCOUNT = protected_settings.get( "monitoringGCSAccount") MONITORING_GCS_REGION = "" if protected_settings.has_key("monitoringGCSRegion"): MONITORING_GCS_REGION = protected_settings.get( "monitoringGCSRegion") MONITORING_CONFIG_VERSION = "" if protected_settings.has_key("configVersion"): MONITORING_CONFIG_VERSION = protected_settings.get("configVersion") if MONITORING_GCS_CERT_CERTFILE is None or MONITORING_GCS_CERT_KEYFILE is None or MONITORING_GCS_ENVIRONMENT is "" or MONITORING_GCS_NAMESPACE is "" or MONITORING_GCS_ACCOUNT is "" or MONITORING_GCS_REGION is "" or MONITORING_CONFIG_VERSION is "": waagent_log_error('Not all required GCS parameters are provided') raise ParameterMissingException else: # set the values for GCS default_configs["MONITORING_USE_GENEVA_CONFIG_SERVICE"] = "true" default_configs[ "MONITORING_GCS_ENVIRONMENT"] = MONITORING_GCS_ENVIRONMENT default_configs[ "MONITORING_GCS_NAMESPACE"] = MONITORING_GCS_NAMESPACE default_configs["MONITORING_GCS_ACCOUNT"] = MONITORING_GCS_ACCOUNT default_configs["MONITORING_GCS_REGION"] = MONITORING_GCS_REGION default_configs[ "MONITORING_CONFIG_VERSION"] = MONITORING_CONFIG_VERSION default_configs[ "MONITORING_GCS_CERT_CERTFILE"] = "/etc/mdsd.d/gcscert.pem" default_configs[ "MONITORING_GCS_CERT_KEYFILE"] = "/etc/mdsd.d/gcskey.pem" # write the certificate and key to disk uid = pwd.getpwnam("syslog").pw_uid gid = grp.getgrnam("syslog").gr_gid fh = open("/etc/mdsd.d/gcscert.pem", "wb") fh.write(MONITORING_GCS_CERT_CERTFILE) fh.close() os.chown("/etc/mdsd.d/gcscert.pem", uid, gid) os.system('chmod {1} {0}'.format("/etc/mdsd.d/gcscert.pem", 400)) fh = open("/etc/mdsd.d/gcskey.pem", "wb") fh.write(MONITORING_GCS_CERT_KEYFILE) fh.close() os.chown("/etc/mdsd.d/gcskey.pem", uid, gid) os.system('chmod {1} {0}'.format("/etc/mdsd.d/gcskey.pem", 400)) config_file = "/etc/default/mdsd" config_updated = False try: if os.path.isfile(config_file): data = [] new_data = "" vars_set = set() with open(config_file, "r") as f: data = f.readlines() for line in data: for var in default_configs.keys(): if var in line: line = "export " + var + "=" + default_configs[ var] + "\n" vars_set.add(var) break new_data += line for var in default_configs.keys(): if var not in vars_set: new_data += "export " + var + "=" + default_configs[ var] + "\n" with open("/etc/default/mdsd_temp", "w") as f: f.write(new_data) config_updated = True if len(new_data) > 0 else False if not config_updated or not os.path.isfile( "/etc/default/mdsd_temp"): log_and_exit( "install", MissingorInvalidParameterErrorCode, "Error while updating MCS Environment Variables in /etc/default/mdsd" ) os.remove(config_file) os.rename("/etc/default/mdsd_temp", config_file) uid = pwd.getpwnam("syslog").pw_uid gid = grp.getgrnam("syslog").gr_gid os.chown(config_file, uid, gid) os.system('chmod {1} {0}'.format(config_file, 400)) else: log_and_exit("install", MissingorInvalidParameterErrorCode, "Could not find the file - /etc/default/mdsd") except: log_and_exit( "install", MissingorInvalidParameterErrorCode, "Failed to add MCS Environment Variables in /etc/default/mdsd") return exit_code, output
async def http_server(self): logger = logging.getLogger("Daemon.http_server") logger.info("Starting http server") def response_object(data=None, error=False): obj = {"data": data, "error": error} return web.json_response(obj) # Routes async def ping(request): return response_object() async def shutdown(request): logger = logging.getLogger("Daemon.http_server") logger.info("GET /shutdown, shutting down daemon") raise GracefulExit() async def get_setting(request): key = request.match_info.get("key", None) try: return response_object(self.global_settings.get(key)) except: return response_object(error="invalid key") async def set_setting(request): logger = logging.getLogger("Daemon.http_server.set_settings") key = request.match_info.get("key", None) val = await request.json() # Only change the setting if it's actually changing old_val = self.global_settings.get(key) if old_val == val: logger.debug( f"skipping {key}={val}, because it's already set", ) else: logger.debug(f"setting {key}={val}") self.global_settings.set(key, val) self.global_settings.save() if key == "use_server": if val: self.flock_log.log(FlockLogTypes.SERVER_ENABLED) else: self.flock_log.log(FlockLogTypes.SERVER_DISABLED) # Submit flock logs right away await self.submit_logs_flock() return response_object() async def exec_twig(request): twig_id = request.match_info.get("twig_id", None) try: twig = self.global_settings.get_twig(twig_id) data = self.osquery.exec(twig["query"]) return response_object(data) except: return response_object(error="invalid twig_id") async def enable_undecided_twigs(request): logger = logging.getLogger( "Daemon.http_server.enable_undecided_twigs") # If the user choose to automatically opt-in to new twigs, this enables them all enabled_twig_ids = [] twig_ids = self.global_settings.get_undecided_twig_ids() for twig_id in twig_ids: if not self.global_settings.is_twig_enabled(twig_id): self.global_settings.enable_twig(twig_id) enabled_twig_ids.append(twig_id) if enabled_twig_ids: logger.debug(f"enabled twigs: {enabled_twig_ids}") self.global_settings.save() self.osquery.refresh_osqueryd() self.flock_log.log(FlockLogTypes.TWIGS_ENABLED, enabled_twig_ids) return response_object() async def get_decided_twig_ids(request): return response_object(self.global_settings.get_decided_twig_ids()) async def get_undecided_twig_ids(request): return response_object( self.global_settings.get_undecided_twig_ids()) async def get_enabled_twig_ids(request): return response_object(self.global_settings.get_enabled_twig_ids()) async def get_twig_enabled_statuses(request): return response_object( self.global_settings.get_twig_enabled_statuses()) async def update_twig_status(request): logger = logging.getLogger("Daemon.update_twig_status") twig_status = await request.json() # Validate twig_status if type(twig_status) != dict: return response_object(error="twig_status must be a dict") for twig_id in twig_status: if twig_id not in self.global_settings.settings["twigs"]: return response_object( error="twig_status contains invalid twig_ids") if type(twig_status[twig_id]) != bool: return response_object( error="twig_status is in an invalid format") enabled_twig_ids = [] disabled_twig_ids = [] for twig_id in twig_status: if twig_status[ twig_id] and not self.global_settings.is_twig_enabled( twig_id): self.global_settings.enable_twig(twig_id) enabled_twig_ids.append(twig_id) if not twig_status[twig_id] and ( self.global_settings.is_twig_enabled(twig_id) or self.global_settings.is_twig_undecided(twig_id)): self.global_settings.disable_twig(twig_id) disabled_twig_ids.append(twig_id) if enabled_twig_ids or disabled_twig_ids: self.global_settings.save() self.osquery.refresh_osqueryd() if enabled_twig_ids: logger.info(f"enabled twigs: {enabled_twig_ids}") self.flock_log.log(FlockLogTypes.TWIGS_ENABLED, enabled_twig_ids) if disabled_twig_ids: logger.info(f"disabled twigs: {disabled_twig_ids}") self.flock_log.log(FlockLogTypes.TWIGS_DISABLED, disabled_twig_ids) return response_object() async def exec_health(request): health_item_name = request.match_info.get("health_item_name", None) query = None for health_item in health_items[Platform.current()]: if health_item["name"] == health_item_name: query = health_item["query"] break if query: try: data = self.osquery.exec(query) return response_object(data) except: return response_object( error="error executing health item query") else: return response_object(error="invalid health_item_name") async def register_server(request): data = await request.json() try: name = data["name"] server_url = data["server_url"] except: return response_object(error="Invalid request to daemon") # Validate server URL o = urlparse(server_url) if ((o.scheme != "http" and o.scheme != "https") or (o.path != "" and o.path != "/") or o.params != "" or o.query != "" or o.fragment != ""): return response_object(error="Invalid server URL") # Save the server URL in settings self.global_settings.set("gateway_url", server_url) self.global_settings.save() # Try to register try: self.api_client.register(name) self.api_client.ping() return response_object() except PermissionDenied: return response_object(error="Permission denied") except BadStatusCode as e: return response_object(error=f"Bad status code: {e}") except ResponseIsNotJson: return response_object(error="Server response is not JSON") except RespondedWithError as e: return response_object(error=f"Server error: {e}") except InvalidResponse: return response_object( error="Server returned an invalid response") except ConnectionError: return response_object(error="Error connecting to server") # Anything else was an unknown failure return response_object(error="Unknown error") app = web.Application() app.router.add_get("/ping", ping) app.router.add_post("/shutdown", shutdown) app.router.add_get("/setting/{key}", get_setting) app.router.add_post("/setting/{key}", set_setting) app.router.add_get("/exec_twig/{twig_id}", exec_twig) app.router.add_post("/enable_undecided_twigs", enable_undecided_twigs) app.router.add_get("/decided_twig_ids", get_decided_twig_ids) app.router.add_get("/undecided_twig_ids", get_undecided_twig_ids) app.router.add_get("/enabled_twig_ids", get_enabled_twig_ids) app.router.add_get("/twig_enabled_statuses", get_twig_enabled_statuses) app.router.add_post("/update_twig_status", update_twig_status) app.router.add_get("/exec_health/{health_item_name}", exec_health) app.router.add_post("/register_server", register_server) loop = asyncio.get_event_loop() await loop.create_unix_server(app.make_handler(), self.unix_socket_path) # Change permissions of unix socket os.chmod(self.unix_socket_path, 0o660) os.chown(self.unix_socket_path, 0, self.gid) logger.info("Started http server")
try: os.chdir('/satori_test') DIRS = [ ('secure', 0, 0, 0o700), ('aux', 0, 0, 0o755), ('src', 0, 0, 0o755), ('build', 0, 0, 0o755), ('bin', 0, 0, 0o755), ('tool', 0, 0, 0o755), ] for d, u, g, r in DIRS: os.makedirs(d, exist_ok=True) os.chown(d, u, g) os.chmod(d, r) submit = communicate('submit') test = communicate('test') filename = submit['content'] if len(filename.split('.')) < 2: communicate('result', {'status': 'EXT'}) sys.exit(0) filebase = '.'.join(filename.split('.')[:-1]) fileext = filename.split('.')[-1].lower() time_limit = parse_time(test['time']) memory_limit = parse_memory(test['memory']) has_stack = 'stack' in test if has_stack:
print(os.path.realpath('to.txt')) os.remove('from.txt') os.remove('to.txt') # chmod() fp = open('file.txt', 'wt') fp.close() os.chmod('file.txt', 0o400) os.remove('file.txt') # chown(), getuid(), getgid() fp = open('file.txt', 'wt') fp.close() uid = os.getuid() gid = os.getgid() os.chown('file.txt', uid, gid) os.remove('file.txt') # getpid(), getcwd() print(os.getpid()) print(os.getcwd()) # abspath() print(os.path.abspath('.')) # mkdir(), rmdir() os.mkdir('test_dir') print(os.path.exists('test_dir')) os.rmdir('test_dir') print(os.path.exists('test_dir'))
def chown(self, path, uid, gid): full_path = self._full_path(path) return os.chown(full_path, uid, gid)
def main(): debug = os.environ.get('DEBUG', '') in ['1', 'true', 'on', 'ON'] args = parse_args() logging.basicConfig( format='%(asctime)s - bootstrapping - %(levelname)s - %(message)s', level=('DEBUG' if debug else (args.get('loglevel') or 'INFO').upper())) provider = get_provider() placeholders = get_placeholders(provider) logging.info('Looks like your running %s', provider) if (provider == PROVIDER_LOCAL and not USE_KUBERNETES and 'ETCD_HOST' not in placeholders and 'ETCD_HOSTS' not in placeholders and 'ETCD_URL' not in placeholders and 'ETCD_PROXY' not in placeholders and 'ETCD_DISCOVERY_DOMAIN' not in placeholders): write_etcd_configuration(placeholders) config = yaml.load(pystache_render(TEMPLATE, placeholders)) config.update(get_dcs_config(config, placeholders)) user_config = yaml.load( os.environ.get('SPILO_CONFIGURATION', os.environ.get('PATRONI_CONFIGURATION', ''))) or {} if not isinstance(user_config, dict): config_var_name = 'SPILO_CONFIGURATION' if 'SPILO_CONFIGURATION' in os.environ else 'PATRONI_CONFIGURATION' raise ValueError('{0} should contain a dict, yet it is a {1}'.format( config_var_name, type(user_config))) user_config_copy = deepcopy(user_config) config = deep_update(user_config_copy, config) # try to build bin_dir from PGVERSION environment variable if postgresql.bin_dir wasn't set in SPILO_CONFIGURATION if 'bin_dir' not in config['postgresql']: bin_dir = os.path.join('/usr/lib/postgresql', os.environ.get('PGVERSION', ''), 'bin') postgres = os.path.join(bin_dir, 'postgres') if os.path.isfile(postgres) and os.access( postgres, os.X_OK): # check that there is postgres binary inside config['postgresql']['bin_dir'] = bin_dir version = float(get_binary_version(config['postgresql'].get('bin_dir'))) if 'shared_preload_libraries' not in user_config.get('postgresql', {}).get( 'parameters', {}): libraries = [ ',' + n for n, v in extensions.items() if version >= v[0] and version <= v[1] and v[2] ] config['postgresql']['parameters'][ 'shared_preload_libraries'] += ''.join(libraries) if 'extwlist.extensions' not in user_config.get('postgresql', {}).get('parameters', {}): extwlist = [ ',' + n for n, v in extensions.items() if version >= v[0] and version <= v[1] and v[3] ] config['postgresql']['parameters']['extwlist.extensions'] += ''.join( extwlist) # Ensure replication is available if 'pg_hba' in config['bootstrap'] and not any( ['replication' in i for i in config['bootstrap']['pg_hba']]): rep_hba = 'hostssl replication {} all md5'.\ format(config['postgresql']['authentication']['replication']['username']) config['bootstrap']['pg_hba'].insert(0, rep_hba) patroni_configfile = os.path.join(placeholders['PGHOME'], 'postgres.yml') for section in args['sections']: logging.info('Configuring %s', section) if section == 'patroni': write_file(yaml.dump(config, default_flow_style=False, width=120), patroni_configfile, args['force']) link_runit_service(placeholders, 'patroni') pg_socket_dir = '/run/postgresql' if not os.path.exists(pg_socket_dir): os.makedirs(pg_socket_dir) st = os.stat(placeholders['PGHOME']) os.chown(pg_socket_dir, st.st_uid, st.st_gid) os.chmod(pg_socket_dir, 0o2775) # It is a recurring and very annoying problem with crashes (host/pod/container) # while the backup is taken in the exclusive mode which leaves the backup_label # in the PGDATA. Having the backup_label file in the PGDATA makes postgres think # that we are restoring from the backup and it puts this information into the # pg_control. Effectively it makes it impossible to start postgres in recovery # with such PGDATA because the recovery never-ever-ever-ever finishes. # # As a workaround we will remove the backup_label file from PGDATA if we know # for sure that the Postgres was already running with exactly this PGDATA. # As proof that the postgres was running we will use the presence of postmaster.pid # in the PGDATA, because it is 100% known that neither pg_basebackup nor # wal-e/wal-g are backing up/restoring this file. # # We are not doing such trick in the Patroni (removing backup_label) because # we have absolutely no idea what software people use for backup/recovery. # In case of some home-grown solution they might end up in copying postmaster.pid... pgdata = config['postgresql']['data_dir'] postmaster_pid = os.path.join(pgdata, 'postmaster.pid') backup_label = os.path.join(pgdata, 'backup_label') if os.path.isfile(postmaster_pid) and os.path.isfile(backup_label): os.unlink(backup_label) elif section == 'pgqd': link_runit_service(placeholders, 'pgqd') elif section == 'log': if bool(placeholders.get('LOG_S3_BUCKET')): write_log_environment(placeholders) elif section == 'wal-e': if placeholders['USE_WALE']: write_wale_environment(placeholders, '', args['force']) elif section == 'certificate': write_certificates(placeholders, args['force']) elif section == 'crontab': write_crontab(placeholders, args['force']) elif section == 'pam-oauth2': write_pam_oauth2_configuration(placeholders, args['force']) elif section == 'pgbouncer': write_pgbouncer_configuration(placeholders, args['force']) elif section == 'bootstrap': if placeholders['CLONE_WITH_WALE']: update_and_write_wale_configuration(placeholders, 'CLONE_', args['force']) if placeholders['CLONE_WITH_BASEBACKUP']: write_clone_pgpass(placeholders, args['force']) elif section == 'standby-cluster': if placeholders['STANDBY_WITH_WALE']: update_and_write_wale_configuration(placeholders, 'STANDBY_', args['force']) else: raise Exception('Unknown section: {}'.format(section)) # We will abuse non zero exit code as an indicator for the launch.sh that it should not even try to create a backup sys.exit(int(not placeholders['USE_WALE']))
def spawn(self, deployer): try: PKISPAWN_STARTUP_TIMEOUT_SECONDS = \ int(os.environ['PKISPAWN_STARTUP_TIMEOUT_SECONDS']) except (KeyError, ValueError): PKISPAWN_STARTUP_TIMEOUT_SECONDS = 60 if PKISPAWN_STARTUP_TIMEOUT_SECONDS <= 0: PKISPAWN_STARTUP_TIMEOUT_SECONDS = 60 if config.str2bool(deployer.mdict['pki_skip_configuration']): config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # Place "slightly" less restrictive permissions on # the top-level client directory ONLY deployer.directory.create( deployer.mdict['pki_client_subsystem_dir'], uid=0, gid=0, perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a client password file # which ONLY contains the 'password' for the purposes of # allowing 'certutil' to generate the security databases deployer.password.create_password_conf( deployer.mdict['pki_client_password_conf'], deployer.mdict['pki_client_database_password'], pin_sans_token=True) deployer.file.modify( deployer.mdict['pki_client_password_conf'], uid=0, gid=0) # Similarly, create a simple password file containing the # PKCS #12 password used when exporting the "Admin Certificate" # into a PKCS #12 file deployer.password.create_client_pkcs12_password_conf( deployer.mdict['pki_client_pkcs12_password_conf']) deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf']) deployer.directory.create( deployer.mdict['pki_client_database_dir'], uid=0, gid=0) deployer.certutil.create_security_databases( deployer.mdict['pki_client_database_dir'], password_file=deployer.mdict['pki_client_password_conf']) instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) instance.load() subsystem = instance.get_subsystem( deployer.mdict['pki_subsystem'].lower()) ocsp_uri = deployer.mdict.get('pki_default_ocsp_uri') if ocsp_uri: subsystem.config['ca.defaultOcspUri'] = ocsp_uri subsystem.save() # set ephemeral requests if needed if subsystem.name == 'kra': if config.str2bool(deployer.mdict['pki_kra_ephemeral_requests']): config.pki_log.info( "setting ephemeral requests to true", extra=config.PKI_INDENTATION_LEVEL_1) subsystem.config['kra.ephemeralRequests'] = 'true' subsystem.save() token = deployer.mdict['pki_token_name'] nssdb = instance.open_nssdb() existing = deployer.configuration_file.existing external = deployer.configuration_file.external standalone = deployer.configuration_file.standalone step_one = deployer.configuration_file.external_step_one step_two = deployer.configuration_file.external_step_two clone = deployer.configuration_file.clone try: if (external or standalone) and step_one: self.generate_system_cert_requests(deployer, nssdb, subsystem) # This is needed by IPA to detect step 1 completion. # See is_step_one_done() in ipaserver/install/cainstance.py. subsystem.config['preop.ca.type'] = 'otherca' subsystem.save() # End of step 1. return if existing or (external or standalone) and step_two: self.import_system_cert_requests(deployer, subsystem) self.import_system_certs(deployer, nssdb, subsystem) self.configure_system_certs(deployer, subsystem) self.update_system_certs(deployer, nssdb, subsystem) subsystem.save() self.validate_system_certs(deployer, nssdb, subsystem) else: # self-signed CA # To be implemented in ticket #1692. # Generate CA cert request. # Self sign CA cert. # Import self-signed CA cert into NSS database. pass finally: nssdb.close() create_temp_sslserver_cert = self.create_temp_sslserver_cert(deployer, instance) # Start/Restart this Tomcat PKI Process # Optionally prepare to enable a java debugger # (e. g. - 'eclipse'): if config.str2bool(deployer.mdict['pki_enable_java_debugger']): config.prepare_for_an_external_java_debugger( deployer.mdict['pki_target_tomcat_conf_instance_id']) tomcat_instance_subsystems = \ len(deployer.instance.tomcat_instance_subsystems()) if tomcat_instance_subsystems == 1: deployer.systemd.start() elif tomcat_instance_subsystems > 1: deployer.systemd.restart() # Configure status request timeout. This is used for each # status request in wait_for_startup value = deployer.mdict['pki_status_request_timeout'] if len(value) == 0: status_request_timeout = None else: status_request_timeout = int(value) if status_request_timeout <= 0: raise ValueError("timeout must be greater than zero") # wait for startup status = deployer.instance.wait_for_startup( PKISPAWN_STARTUP_TIMEOUT_SECONDS, request_timeout=status_request_timeout, ) if status is None: config.pki_log.error( "server failed to restart", extra=config.PKI_INDENTATION_LEVEL_2) raise Exception("server failed to restart") # Optionally wait for debugger to attach (e. g. - 'eclipse'): if config.str2bool(deployer.mdict['pki_enable_java_debugger']): config.wait_to_attach_an_external_java_debugger() # Construct PKI Subsystem Configuration Data nssdb = instance.open_nssdb(token) try: data = deployer.config_client.construct_pki_configuration_data(nssdb) finally: nssdb.close() # Configure the subsystem request = json.dumps(data, cls=pki.encoder.CustomTypeEncoder) connection = pki.client.PKIConnection( protocol='https', hostname=deployer.mdict['pki_hostname'], port=deployer.mdict['pki_https_port'], subsystem=deployer.mdict['pki_subsystem_type'], trust_env=False) client = pki.system.SystemConfigClient(connection) config.pki_log.info( 'Configuring %s subsystem', subsystem.type, extra=config.PKI_INDENTATION_LEVEL_0) response = client.configure(request) config.pki_log.info( "Setting up security domain", extra=config.PKI_INDENTATION_LEVEL_0) client.setupSecurityDomain(request) config.pki_log.info( "Setting up database user", extra=config.PKI_INDENTATION_LEVEL_0) client.setupDatabaseUser(request) config.pki_log.info( "Finalizing %s configuration", subsystem.type, extra=config.PKI_INDENTATION_LEVEL_0) client.finalizeConfiguration(request) config.pki_log.info( '%s configuration complete', subsystem.type, extra=config.PKI_INDENTATION_LEVEL_0) # Create an empty file that designates the fact that although # this server instance has been configured, it has NOT yet # been restarted! restart_server = os.path.join(instance.conf_dir, 'restart_server_after_configuration') config.pki_log.debug( 'creating %s', restart_server, extra=config.PKI_INDENTATION_LEVEL_2) open(restart_server, 'a').close() os.chown(restart_server, instance.uid, instance.gid) os.chmod(restart_server, 0o660) try: certs = response['systemCerts'] except KeyError: # no system certs created config.pki_log.debug( "No new system certificates generated.", extra=config.PKI_INDENTATION_LEVEL_2) certs = [] if not isinstance(certs, list): certs = [certs] sslserver = subsystem.get_subsystem_cert('sslserver') for cdata in certs: if cdata['tag'] == 'sslserver': sslserver['data'] = cdata['cert'] sslserver['request'] = cdata['request'] if standalone and not step_two: # Stand-alone PKI (Step 1) if cdata['tag'].lower() == "audit_signing": # Save Stand-alone PKI 'Audit Signing Certificate' CSR # (Step 1) deployer.config_client.save_system_csr( cdata['request'], log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_2, deployer.mdict['pki_audit_signing_csr_path'], subsystem.name) elif cdata['tag'].lower() == "signing": # Save Stand-alone PKI OCSP 'OCSP Signing Certificate' # CSR (Step 1) deployer.config_client.save_system_csr( cdata['request'], log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING_1, deployer.mdict['pki_signing_csr_path']) elif cdata['tag'].lower() == "sslserver": # Save Stand-alone PKI 'SSL Server Certificate' CSR # (Step 1) deployer.config_client.save_system_csr( cdata['request'], log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_2, deployer.mdict['pki_sslserver_csr_path'], subsystem.name) elif cdata['tag'].lower() == "storage": # Save Stand-alone PKI KRA 'Storage Certificate' CSR # (Step 1) deployer.config_client.save_system_csr( cdata['request'], log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE_1, deployer.mdict['pki_storage_csr_path']) elif cdata['tag'].lower() == "subsystem": # Save Stand-alone PKI 'Subsystem Certificate' CSR # (Step 1) deployer.config_client.save_system_csr( cdata['request'], log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_2, deployer.mdict['pki_subsystem_csr_path'], subsystem.name) elif cdata['tag'].lower() == "transport": # Save Stand-alone PKI KRA 'Transport Certificate' CSR # (Step 1) deployer.config_client.save_system_csr( cdata['request'], log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT_1, deployer.mdict['pki_transport_csr_path']) else: config.pki_log.debug( '%s cert: %s', cdata['tag'], cdata['cert'], extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug( '%s request: %s', cdata['tag'], cdata['request'], extra=config.PKI_INDENTATION_LEVEL_0) # Cloned PKI subsystems do not return an Admin Certificate if not clone: if external or standalone: if not step_two: # NOTE: Do nothing for Stand-alone PKI (Step 1) # as this has already been addressed # in 'set_admin_parameters()' pass else: admin_cert = response['adminCert']['cert'] deployer.config_client.process_admin_cert(admin_cert) elif not config.str2bool(deployer.mdict['pki_import_admin_cert']): admin_cert = response['adminCert']['cert'] deployer.config_client.process_admin_cert(admin_cert) # If temp SSL server cert was created and there's a new perm cert, # replace it with the perm cert. if create_temp_sslserver_cert and sslserver and sslserver['data']: deployer.systemd.stop() # Remove temp SSL server cert. self.remove_temp_sslserver_cert(instance, sslserver) # Import perm SSL server cert unless it's already imported # earlier in external/standalone installation. if not (standalone or external and subsystem.name in ['kra', 'ocsp']): nickname = sslserver['nickname'] token = sslserver['token'] instance.set_sslserver_cert_nickname(nickname, token) self.import_perm_sslserver_cert(instance, sslserver) deployer.systemd.start() elif config.str2bool(deployer.mdict['pki_restart_configured_instance']): # Optionally, programmatically 'restart' the configured PKI instance deployer.systemd.restart() # wait for startup status = None if deployer.fips.is_fips_enabled(): # must use 'http' protocol when FIPS mode is enabled status = deployer.instance.wait_for_startup( PKISPAWN_STARTUP_TIMEOUT_SECONDS, request_timeout=status_request_timeout, secure_connection=False, ) else: status = deployer.instance.wait_for_startup( PKISPAWN_STARTUP_TIMEOUT_SECONDS, request_timeout=status_request_timeout, secure_connection=True, ) if not status: config.pki_log.error( "server failed to restart", extra=config.PKI_INDENTATION_LEVEL_1) raise RuntimeError("server failed to restart")