Ejemplo n.º 1
0
def check_user(user):
    '''
    Check user and assign process uid/gid.
    '''
    if salt.utils.is_windows():
        return True
    if user == salt.utils.get_user():
        return True
    import pwd  # after confirming not running Windows
    try:
        pwuser = pwd.getpwnam(user)
        try:
            if hasattr(os, 'initgroups'):
                os.initgroups(user, pwuser.pw_gid)
            else:
                os.setgroups(salt.utils.get_gid_list(user, include_default=False))
            os.setgid(pwuser.pw_gid)
            os.setuid(pwuser.pw_uid)

        except OSError:
            msg = 'Salt configured to run as user "{0}" but unable to switch.'
            msg = msg.format(user)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))
            return False
    except KeyError:
        msg = 'User not found: "{0}"'.format(user)
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write("CRITICAL: {0}\n".format(msg))
        return False
    return True
Ejemplo n.º 2
0
def check_user(user):
    '''
    Check user and assign process uid/gid.
    '''
    if 'os' in os.environ:
        if os.environ['os'].startswith('Windows'):
            return True
    if user == getpass.getuser():
        return True
    import pwd  # after confirming not running Windows
    try:
        pwuser = pwd.getpwnam(user)
        try:
            os.setgid(pwuser.pw_gid)
            os.setuid(pwuser.pw_uid)
        except OSError:
            msg = 'Salt configured to run as user "{0}" but unable to switch.'
            msg = msg.format(user)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))
            return False
    except KeyError:
        msg = 'User not found: "{0}"'.format(user)
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write("CRITICAL: {0}\n".format(msg))
        return False
    return True
Ejemplo n.º 3
0
def check_user(user):
    '''
    Check user and assign process uid/gid.
    '''
    if salt.utils.is_windows():
        return True
    if user == getpass.getuser():
        return True
    import pwd  # after confirming not running Windows
    try:
        pwuser = pwd.getpwnam(user)
        try:
            if hasattr(os, 'initgroups'):
                os.initgroups(user, pwuser.pw_gid)
            else:
                os.setgroups(salt.utils.get_gid_list(user, include_default=False))
            os.setgid(pwuser.pw_gid)
            os.setuid(pwuser.pw_uid)

        except OSError:
            msg = 'Salt configured to run as user "{0}" but unable to switch.'
            msg = msg.format(user)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))
            return False
    except KeyError:
        msg = 'User not found: "{0}"'.format(user)
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write("CRITICAL: {0}\n".format(msg))
        return False
    return True
Ejemplo n.º 4
0
def check_user(user):
    '''
    Check user and assign process uid/gid.
    '''
    if 'os' in os.environ:
        if os.environ['os'].startswith('Windows'):
            return True
    if user == getpass.getuser():
        return True
    import pwd  # after confirming not running Windows
    try:
        p = pwd.getpwnam(user)
        try:
            os.setgid(p.pw_gid)
            os.setuid(p.pw_uid)
        except OSError:
            msg = 'Salt configured to run as user "{0}" but unable to switch.'
            msg = msg.format(user)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))
            return False
    except KeyError:
        msg = 'User not found: "{0}"'.format(user)
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write("CRITICAL: {0}\n".format(msg))
        return False
    return True
Ejemplo n.º 5
0
def zmq_version():
    """
    ZeroMQ python bindings >= 2.1.9 are required
    """
    try:
        import zmq
    except Exception:  # pylint: disable=broad-except
        # Return True for local mode
        return True
    ver = zmq.__version__
    # The last matched group can be None if the version
    # is something like 3.1 and that will work properly
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", ver)

    # Fallthrough and hope for the best
    if not match:
        msg = "Using untested zmq python bindings version: '{}'".format(ver)
        if is_console_configured():
            log.warning(msg)
        else:
            sys.stderr.write("WARNING {}\n".format(msg))
        return True

    major, minor, point = match.groups()

    if major.isdigit():
        major = int(major)
    if minor.isdigit():
        minor = int(minor)

    # point very well could be None
    if point and point.isdigit():
        point = int(point)

    if major == 2 and minor == 1:
        # zmq 2.1dev could be built against a newer libzmq
        if "dev" in ver and not point:
            msg = "Using dev zmq module, please report unexpected results"
            if is_console_configured():
                log.warning(msg)
            else:
                sys.stderr.write("WARNING: {}\n".format(msg))
            return True
        elif point and point >= 9:
            return True
    elif major > 2 or (major == 2 and minor > 1):
        return True

    # If all else fails, gracefully croak and warn the user
    log.critical("ZeroMQ python bindings >= 2.1.9 are required")
    if "salt-master" in sys.argv[0]:
        msg = ("The Salt Master is unstable using a ZeroMQ version "
               "lower than 2.1.11 and requires this fix: http://lists.zeromq."
               "org/pipermail/zeromq-dev/2011-June/012094.html")
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write("CRITICAL {}\n".format(msg))
    return False
Ejemplo n.º 6
0
def zmq_version():
    '''
    ZeroMQ python bindings >= 2.1.9 are required
    '''
    try:
        import zmq
    except Exception:
        # Return True for local mode
        return True
    ver = zmq.__version__
    # The last matched group can be None if the version
    # is something like 3.1 and that will work properly
    match = re.match(r'^(\d+)\.(\d+)(?:\.(\d+))?', ver)

    # Fallthrough and hope for the best
    if not match:
        msg = "Using untested zmq python bindings version: '{0}'".format(ver)
        if is_console_configured():
            log.warn(msg)
        else:
            sys.stderr.write("WARNING {0}\n".format(msg))
        return True

    major, minor, point = match.groups()

    if major.isdigit():
        major = int(major)
    if minor.isdigit():
        minor = int(minor)

    # point very well could be None
    if point and point.isdigit():
        point = int(point)

    if major == 2 and minor == 1:
        # zmq 2.1dev could be built against a newer libzmq
        if "dev" in ver and not point:
            msg = 'Using dev zmq module, please report unexpected results'
            if is_console_configured():
                log.warn(msg)
            else:
                sys.stderr.write("WARNING: {0}\n".format(msg))
            return True
        elif point and point >= 9:
            return True
    elif major > 2 or (major == 2 and minor > 1):
        return True

    # If all else fails, gracefully croak and warn the user
    log.critical('ZeroMQ python bindings >= 2.1.9 are required')
    if 'salt-master' in sys.argv[0]:
        msg = ('The Salt Master is unstable using a ZeroMQ version '
               'lower than 2.1.11 and requires this fix: http://lists.zeromq.'
               'org/pipermail/zeromq-dev/2011-June/012094.html')
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write('CRITICAL {0}\n'.format(msg))
    return False
Ejemplo n.º 7
0
def check_user(user):
    """
    Check user and assign process uid/gid.
    """
    if salt.utils.platform.is_windows():
        return True
    if user == salt.utils.user.get_user():
        return True
    import pwd  # after confirming not running Windows

    try:
        pwuser = pwd.getpwnam(user)
        try:
            if hasattr(os, "initgroups"):
                os.initgroups(user, pwuser.pw_gid)  # pylint: disable=minimum-python-version
            else:
                os.setgroups(
                    salt.utils.user.get_gid_list(user, include_default=False))
            os.setgid(pwuser.pw_gid)
            os.setuid(pwuser.pw_uid)

            # We could just reset the whole environment but let's just override
            # the variables we can get from pwuser
            if "HOME" in os.environ:
                os.environ["HOME"] = pwuser.pw_dir

            if "SHELL" in os.environ:
                os.environ["SHELL"] = pwuser.pw_shell

            for envvar in ("USER", "LOGNAME"):
                if envvar in os.environ:
                    os.environ[envvar] = pwuser.pw_name

        except OSError:
            msg = 'Salt configured to run as user "{0}" but unable to switch.'
            msg = msg.format(user)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))
            return False
    except KeyError:
        msg = 'User not found: "{0}"'.format(user)
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write("CRITICAL: {0}\n".format(msg))
        return False
    return True
Ejemplo n.º 8
0
def verify_socket(interface, pub_port, ret_port):
    '''
    Attempt to bind to the sockets to verify that they are available
    '''
    pubsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    retsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        pubsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        pubsock.bind((interface, int(pub_port)))
        pubsock.close()
        retsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        retsock.bind((interface, int(ret_port)))
        retsock.close()
        result = True
    except Exception:
        msg = ("Unable to bind socket, this might not be a problem."
               " Is there another salt-master running?")
        if is_console_configured():
            log.warn(msg)
        else:
            sys.stderr.write("WARNING: {0}\n".format(msg))
        result = False
    finally:
        pubsock.close()
        retsock.close()

    return result
Ejemplo n.º 9
0
def verify_socket(interface, pub_port, ret_port):
    '''
    Attempt to bind to the sockets to verify that they are available
    '''

    addr_family = lookup_family(interface)
    pubsock = socket.socket(addr_family, socket.SOCK_STREAM)
    retsock = socket.socket(addr_family, socket.SOCK_STREAM)
    try:
        pubsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        pubsock.bind((interface, int(pub_port)))
        pubsock.close()
        retsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        retsock.bind((interface, int(ret_port)))
        retsock.close()
        result = True
    except Exception as exc:
        if exc.args:
            msg = ('Unable to bind socket, error: {0}'.format(str(exc)))
        else:
            msg = ('Unable to bind socket, this might not be a problem.'
                   ' Is there another salt-master running?')
        if is_console_configured():
            log.warn(msg)
        else:
            sys.stderr.write('WARNING: {0}\n'.format(msg))
        result = False
    finally:
        pubsock.close()
        retsock.close()

    return result
Ejemplo n.º 10
0
            def process(opt):
                default = self.defaults.get(opt.dest)
                if getattr(self.options, opt.dest, default) is False:
                    return

                # XXX: CLEAN THIS CODE WHEN 0.10.8 is about to come out
                if version.__version_info__ >= (0, 10, 7):
                    self.error(
                        'The option {0} is deprecated. You must now use '
                        '\'--out {1}\' instead.'.format(
                            opt.get_opt_string(),
                            opt.dest.split('_', 1)[0]
                        )
                    )

                if opt.dest != 'out':
                    msg = (
                        'The option {0} is deprecated. Please consider using '
                        '\'--out {1}\' instead.'.format(
                            opt.get_opt_string(),
                            opt.dest.split('_', 1)[0]
                        )
                    )
                    if log.is_console_configured():
                        logging.getLogger(__name__).warning(msg)
                    else:
                        sys.stdout.write('WARNING: {0}\n'.format(msg))

                self.selected_output_option = opt.dest
Ejemplo n.º 11
0
def verify_socket(interface, pub_port, ret_port):
    '''
    Attempt to bind to the sockets to verify that they are available
    '''

    addr_family = lookup_family(interface)
    pubsock = socket.socket(addr_family, socket.SOCK_STREAM)
    retsock = socket.socket(addr_family, socket.SOCK_STREAM)
    try:
        pubsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        pubsock.bind((interface, int(pub_port)))
        pubsock.close()
        retsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        retsock.bind((interface, int(ret_port)))
        retsock.close()
        result = True
    except Exception as exc:
        if exc.args:
            msg = ('Unable to bind socket, error: {0}'.format(str(exc)))
        else:
            msg = ('Unable to bind socket, this might not be a problem.'
                   ' Is there another salt-master running?')
        if is_console_configured():
            log.warn(msg)
        else:
            sys.stderr.write('WARNING: {0}\n'.format(msg))
        result = False
    finally:
        pubsock.close()
        retsock.close()

    return result
Ejemplo n.º 12
0
def verify_socket(interface, pub_port, ret_port):
    '''
    Attempt to bind to the sockets to verify that they are available
    '''
    pubsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    retsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        pubsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        pubsock.bind((interface, int(pub_port)))
        pubsock.close()
        retsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        retsock.bind((interface, int(ret_port)))
        retsock.close()
        result = True
    except Exception:
        msg = ("Unable to bind socket, this might not be a problem."
               " Is there another salt-master running?")
        if is_console_configured():
            log.warn(msg)
        else:
            sys.stderr.write("WARNING: {0}\n".format(msg))
        result = False
    finally:
        pubsock.close()
        retsock.close()

    return result
Ejemplo n.º 13
0
def verify_socket(interface, pub_port, ret_port):
    '''
    Attempt to bind to the sockets to verify that they are available
    '''

    addr_family = lookup_family(interface)
    for port in pub_port, ret_port:
        sock = socket.socket(addr_family, socket.SOCK_STREAM)
        try:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((interface, int(port)))
        except Exception as exc:
            msg = 'Unable to bind socket {0}:{1}'.format(interface, port)
            if exc.args:
                msg = '{0}, error: {1}'.format(msg, str(exc))
            else:
                msg = '{0}, this might not be a problem.'.format(msg)
            msg += '; Is there another salt-master running?'
            if is_console_configured():
                log.warning(msg)
            else:
                sys.stderr.write('WARNING: {0}\n'.format(msg))
            return False
        finally:
            sock.close()

    return True
Ejemplo n.º 14
0
def verify_socket(interface, pub_port, ret_port):
    """
    Attempt to bind to the sockets to verify that they are available
    """

    addr_family = lookup_family(interface)
    for port in pub_port, ret_port:
        sock = socket.socket(addr_family, socket.SOCK_STREAM)
        try:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((interface, int(port)))
        except Exception as exc:  # pylint: disable=broad-except
            msg = "Unable to bind socket {}:{}".format(interface, port)
            if exc.args:
                msg = "{}, error: {}".format(msg, str(exc))
            else:
                msg = "{}, this might not be a problem.".format(msg)
            msg += "; Is there another salt-master running?"
            if is_console_configured():
                log.warning(msg)
            else:
                sys.stderr.write("WARNING: {}\n".format(msg))
            return False
        finally:
            sock.close()

    return True
Ejemplo n.º 15
0
def check_user(user):
    '''
    Check user and assign process uid/gid.
    '''
    if salt.utils.is_windows():
        return True
    if user == salt.utils.get_user():
        return True
    import pwd  # after confirming not running Windows
    try:
        pwuser = pwd.getpwnam(user)
        try:
            if hasattr(os, 'initgroups'):
                os.initgroups(user, pwuser.pw_gid)  # pylint: disable=minimum-python-version
            else:
                os.setgroups(salt.utils.get_gid_list(user, include_default=False))
            os.setgid(pwuser.pw_gid)
            os.setuid(pwuser.pw_uid)

            # We could just reset the whole environment but let's just override
            # the variables we can get from pwuser
            if 'HOME' in os.environ:
                os.environ['HOME'] = pwuser.pw_dir

            if 'SHELL' in os.environ:
                os.environ['SHELL'] = pwuser.pw_shell

            for envvar in ('USER', 'LOGNAME'):
                if envvar in os.environ:
                    os.environ[envvar] = pwuser.pw_name

        except OSError:
            msg = 'Salt configured to run as user "{0}" but unable to switch.'
            msg = msg.format(user)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))
            return False
    except KeyError:
        msg = 'User not found: "{0}"'.format(user)
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write("CRITICAL: {0}\n".format(msg))
        return False
    return True
Ejemplo n.º 16
0
def check_user(user):
    """
    Check user and assign process uid/gid.
    """
    if "os" in os.environ:
        if os.environ["os"].startswith("Windows"):
            return True
    if user == getpass.getuser():
        return True
    import pwd  # after confirming not running Windows
    import grp

    try:
        pwuser = pwd.getpwnam(user)
        try:
            if hasattr(os, "initgroups"):
                os.initgroups(user, pwuser.pw_gid)
            else:
                os.setgroups([e.gr_gid for e in grp.getgrall() if user in e.gr_mem] + [pwuser.pw_gid])
            os.setgid(pwuser.pw_gid)
            os.setuid(pwuser.pw_uid)

        except OSError:
            msg = 'Salt configured to run as user "{0}" but unable to switch.'
            msg = msg.format(user)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))
            return False
    except KeyError:
        msg = 'User not found: "{0}"'.format(user)
        if is_console_configured():
            log.critical(msg)
        else:
            sys.stderr.write("CRITICAL: {0}\n".format(msg))
        return False
    return True
Ejemplo n.º 17
0
def __get_version_info_from_git(version, version_info):
    '''
    If we can get a version from Git use that instead, otherwise we carry on
    '''
    try:
        process = subprocess.Popen('which git',
                                   stdout=subprocess.PIPE,
                                   shell=True)
        git, _ = process.communicate()
        if process.poll() != 0:
            return version, version_info
        git = git[:-1]

        process = subprocess.Popen([git, 'describe'],
                                   stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE,
                                   close_fds=True,
                                   cwd=os.path.abspath(
                                       os.path.dirname(__file__)))
        out, _ = process.communicate()
        if not out.strip():
            return version, version_info

        parsed_version = '{0}'.format(out.strip().lstrip('v'))
        parsed_version_info = tuple(
            [int(i) for i in parsed_version.split('-', 1)[0].split('.')])
        if parsed_version_info != version_info:
            msg = ('In order to get the proper salt version with the '
                   'git hash you need to update salt\'s local git '
                   'tags. Something like: \'git fetch --tags\' or '
                   '\'git fetch --tags upstream\' if you followed '
                   'salt\'s contribute documentation. The version '
                   'string WILL NOT include the git hash.')
            from salt import log
            if log.is_console_configured():
                import logging
                logging.getLogger(__name__).warning(msg)
            else:
                sys.stderr.write('WARNING: {0}\n'.format(msg))
            return version, version_info
        return parsed_version, parsed_version_info
    except OSError, err:
        if not hasattr(err, 'child_traceback'):
            # This is not an exception thrown within the Popen created child.
            # Let's raise it so it can be catch by the developers
            raise
Ejemplo n.º 18
0
def _get_pwnam(user):
    """
    Get the user from passwords database
    """
    if salt.utils.platform.is_windows():
        return True
    import pwd  # after confirming not running Windows

    try:
        return pwd.getpwnam(user)
    except KeyError:
        msg = "Failed to prepare the Salt environment for user {}. The user is not available.".format(
            user)
        if is_console_configured():
            log.critical(msg)
        else:
            print(msg, file=sys.stderr, flush=True)
        sys.exit(salt.defaults.exitcodes.EX_NOUSER)
Ejemplo n.º 19
0
            def process(opt):
                default = self.defaults.get(opt.dest)
                if getattr(self.options, opt.dest, default) is False:
                    return

                if opt.dest not in ('out', 'output_indent', 'no_color'):
                    msg = (
                        'The option {0} is deprecated. Please consider using '
                        '\'--out {1}\' instead.'.format(
                            opt.get_opt_string(),
                            opt.dest.split('_', 1)[0]))
                    if version.__version_info__ >= (0, 12):
                        # XXX: CLEAN THIS CODE WHEN 0.13 is about to come out
                        self.error(msg)
                    elif log.is_console_configured():
                        logging.getLogger(__name__).warning(msg)
                    else:
                        sys.stdout.write('WARNING: {0}\n'.format(msg))

                self.selected_output_option = opt.dest
Ejemplo n.º 20
0
def __get_version_info_from_git():
    '''
    If we can get a version from Git use that instead, otherwise we carry on
    '''
    try:
        from salt.utils import which

        git = which('git')
        if git:
            process = subprocess.Popen(
                [git, 'describe'],
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                close_fds=True,
                cwd=os.path.abspath(os.path.dirname(__file__))
            )
            out, _ = process.communicate()
            if out:
                parsed_version = '{0}'.format(out.strip().lstrip('v'))
                parsed_version_info = tuple([
                    int(i) for i in parsed_version.split('-', 1)[0].split('.')
                ])
                if parsed_version_info != __version_info__:
                    msg = ('In order to get the proper salt version with the '
                           'git hash you need to update salt\'s local git '
                           'tags. Something like: \'git fetch --tags\' or '
                           '\'git fetch --tags upstream\' if you followed '
                           'salt\'s contribute documentation. The version '
                           'string WILL NOT include the git hash.')
                    from salt import log
                    if log.is_console_configured():
                        import logging
                        logging.getLogger(__name__).warning(msg)
                    else:
                        sys.stderr.write('WARNING: {0}\n'.format(msg))
                else:
                    __version__ = parsed_version
                    __version_info__ = parsed_version_info
    except Exception:
        pass
Ejemplo n.º 21
0
def win_verify_env(dirs, permissive=False, pki_dir='', skip_extra=False):
    '''
    Verify that the named directories are in place and that the environment
    can shake the salt
    '''
    import salt.utils.win_functions
    import salt.utils.win_dacl

    # Get the root path directory where salt is installed
    path = dirs[0]
    while os.path.basename(path) not in ['salt', 'salt-tests-tmpdir']:
        path, base = os.path.split(path)

    # Create the root path directory if missing
    if not os.path.isdir(path):
        os.makedirs(path)

    # Set permissions to the root path directory
    current_user = salt.utils.win_functions.get_current_user()
    if salt.utils.win_functions.is_admin(current_user):
        try:
            # Make the Administrators group owner
            # Use the SID to be locale agnostic
            salt.utils.win_dacl.set_owner(path, 'S-1-5-32-544')

        except CommandExecutionError:
            msg = 'Unable to securely set the owner of "{0}".'.format(path)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))

        if not permissive:
            try:
                # Get a clean dacl by not passing an obj_name
                dacl = salt.utils.win_dacl.Dacl()

                # Add aces to the dacl, use the GUID (locale non-specific)
                # Administrators Group
                dacl.add_ace('S-1-5-32-544', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # System
                dacl.add_ace('S-1-5-18', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # Owner
                dacl.add_ace('S-1-3-4', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # Users Group
                dacl.add_ace('S-1-5-32-545', 'grant', 'read_execute',
                             'this_folder_subfolders_files')

                # Save the dacl to the object
                dacl.save(path, True)

            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of ' \
                      '"{0}".'.format(path)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {0}\n".format(msg))

    # Create the directories
    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                os.makedirs(dir_)
            except OSError as err:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, err))
                sys.exit(err.errno)

        # The PKI dir gets its own permissions
        if dir_ == pki_dir:
            try:
                # Make Administrators group the owner
                salt.utils.win_dacl.set_owner(path, 'S-1-5-32-544')

                # Give Admins, System and Owner permissions
                # Get a clean dacl by not passing an obj_name
                dacl = salt.utils.win_dacl.Dacl()

                # Add aces to the dacl, use the GUID (locale non-specific)
                # Administrators Group
                dacl.add_ace('S-1-5-32-544', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # System
                dacl.add_ace('S-1-5-18', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # Owner
                dacl.add_ace('S-1-3-4', 'grant', 'full_control',
                             'this_folder_subfolders_files')

                # Save the dacl to the object
                dacl.save(dir_, True)

            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of "{0}".'
                msg = msg.format(dir_)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {0}\n".format(msg))

    if skip_extra is False:
        # Run the extra verification checks
        zmq_version()
Ejemplo n.º 22
0
def win_verify_env(path, dirs, permissive=False, pki_dir="", skip_extra=False):
    """
    Verify that the named directories are in place and that the environment
    can shake the salt
    """
    import salt.utils.win_functions
    import salt.utils.win_dacl
    import salt.utils.path

    # Make sure the file_roots is not set to something unsafe since permissions
    # on that directory are reset

    # `salt.utils.path.safe_path` will consider anything inside `C:\Windows` to
    # be unsafe. In some instances the test suite uses
    # `C:\Windows\Temp\salt-tests-tmpdir\rootdir` as the file_roots. So, we need
    # to consider anything in `C:\Windows\Temp` to be safe
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    allow_path = "\\".join([system_root, "TEMP"])
    if not salt.utils.path.safe_path(path=path, allow_path=allow_path):
        raise CommandExecutionError(
            "`file_roots` set to a possibly unsafe location: {}".format(path))

    # Create the root path directory if missing
    if not os.path.isdir(path):
        os.makedirs(path)

    # Set permissions to the root path directory
    current_user = salt.utils.win_functions.get_current_user()
    if salt.utils.win_functions.is_admin(current_user):
        try:
            # Make the Administrators group owner
            # Use the SID to be locale agnostic
            salt.utils.win_dacl.set_owner(path, "S-1-5-32-544")

        except CommandExecutionError:
            msg = 'Unable to securely set the owner of "{}".'.format(path)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {}\n".format(msg))

        if not permissive:
            try:
                # Get a clean dacl by not passing an obj_name
                dacl = salt.utils.win_dacl.dacl()

                # Add aces to the dacl, use the GUID (locale non-specific)
                # Administrators Group
                dacl.add_ace(
                    "S-1-5-32-544",
                    "grant",
                    "full_control",
                    "this_folder_subfolders_files",
                )
                # System
                dacl.add_ace("S-1-5-18", "grant", "full_control",
                             "this_folder_subfolders_files")
                # Owner
                dacl.add_ace("S-1-3-4", "grant", "full_control",
                             "this_folder_subfolders_files")

                # Save the dacl to the object
                dacl.save(path, True)

            except CommandExecutionError:
                msg = "Unable to securely set the permissions of " '"{}".'.format(
                    path)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {}\n".format(msg))

    # Create the directories
    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                os.makedirs(dir_)
            except OSError as err:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, err))
                sys.exit(err.errno)

        # The PKI dir gets its own permissions
        if dir_ == pki_dir:
            try:
                # Make Administrators group the owner
                salt.utils.win_dacl.set_owner(path, "S-1-5-32-544")

                # Give Admins, System and Owner permissions
                # Get a clean dacl by not passing an obj_name
                dacl = salt.utils.win_dacl.dacl()

                # Add aces to the dacl, use the GUID (locale non-specific)
                # Administrators Group
                dacl.add_ace(
                    "S-1-5-32-544",
                    "grant",
                    "full_control",
                    "this_folder_subfolders_files",
                )
                # System
                dacl.add_ace("S-1-5-18", "grant", "full_control",
                             "this_folder_subfolders_files")
                # Owner
                dacl.add_ace("S-1-3-4", "grant", "full_control",
                             "this_folder_subfolders_files")

                # Save the dacl to the object
                dacl.save(dir_, True)

            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of "{0}".'
                msg = msg.format(dir_)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {}\n".format(msg))

    if skip_extra is False:
        # Run the extra verification checks
        zmq_version()
Ejemplo n.º 23
0
def win_verify_env(
        path,
        dirs,
        permissive=False,
        pki_dir='',
        skip_extra=False,
        sensitive_dirs=None):
    '''
    Verify that the named directories are in place and that the environment
    can shake the salt
    '''
    if pki_dir:
        salt.utils.versions.warn_until(
            'Neon',
            'Use of \'pki_dir\' was detected: \'pki_dir\' has been deprecated '
            'in favor of \'sensitive_dirs\'. Support for \'pki_dir\' will be '
            'removed in Salt Neon.'
        )
        sensitive_dirs = sensitive_dirs or []
        sensitive_dirs.append(list(pki_dir))

    import salt.utils.win_functions
    import salt.utils.win_dacl
    import salt.utils.path

    # Make sure the file_roots is not set to something unsafe since permissions
    # on that directory are reset
    if not salt.utils.path.safe_path(path=path):
        raise CommandExecutionError(
            '`file_roots` set to a possibly unsafe location: {0}'.format(path)
        )

    # Create the root path directory if missing
    if not os.path.isdir(path):
        os.makedirs(path)

    # Set permissions to the root path directory
    current_user = salt.utils.win_functions.get_current_user()
    if salt.utils.win_functions.is_admin(current_user):
        try:
            # Make the Administrators group owner
            # Use the SID to be locale agnostic
            salt.utils.win_dacl.set_owner(path, 'S-1-5-32-544')

        except CommandExecutionError:
            msg = 'Unable to securely set the owner of "{0}".'.format(path)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))

        if not permissive:
            try:
                # Get a clean dacl by not passing an obj_name
                dacl = salt.utils.win_dacl.dacl()

                # Add aces to the dacl, use the GUID (locale non-specific)
                # Administrators Group
                dacl.add_ace('S-1-5-32-544', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # System
                dacl.add_ace('S-1-5-18', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # Owner
                dacl.add_ace('S-1-3-4', 'grant', 'full_control',
                             'this_folder_subfolders_files')

                # Save the dacl to the object
                dacl.save(path, True)

            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of ' \
                      '"{0}".'.format(path)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {0}\n".format(msg))

    # Create the directories
    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                os.makedirs(dir_)
            except OSError as err:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, err))
                sys.exit(err.errno)

        # The senitive_dirs (i.e. pki_dir, key_dir) gets its own permissions
        sensitive_dirs = sensitive_dirs or []
        if dir_ in sensitive_dirs:
            try:
                # Make Administrators group the owner
                salt.utils.win_dacl.set_owner(path, 'S-1-5-32-544')

                # Give Admins, System and Owner permissions
                # Get a clean dacl by not passing an obj_name
                dacl = salt.utils.win_dacl.dacl()

                # Add aces to the dacl, use the GUID (locale non-specific)
                # Administrators Group
                dacl.add_ace('S-1-5-32-544', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # System
                dacl.add_ace('S-1-5-18', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # Owner
                dacl.add_ace('S-1-3-4', 'grant', 'full_control',
                             'this_folder_subfolders_files')

                # Save the dacl to the object
                dacl.save(dir_, True)

            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of "{0}".'
                msg = msg.format(dir_)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {0}\n".format(msg))

    if skip_extra is False:
        # Run the extra verification checks
        zmq_version()
Ejemplo n.º 24
0
def verify_env(dirs,
               user,
               permissive=False,
               pki_dir="",
               skip_extra=False,
               root_dir=ROOT_DIR):
    """
    Verify that the named directories are in place and that the environment
    can shake the salt
    """
    if salt.utils.platform.is_windows():
        return win_verify_env(root_dir,
                              dirs,
                              permissive=permissive,
                              skip_extra=skip_extra)

    # after confirming not running Windows
    pwnam = _get_pwnam(user)
    uid = pwnam[2]
    gid = pwnam[3]
    groups = salt.utils.user.get_gid_list(user, include_default=False)

    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                with salt.utils.files.set_umask(0o022):
                    os.makedirs(dir_)
                # If starting the process as root, chown the new dirs
                if os.getuid() == 0:
                    os.chown(dir_, uid, gid)
            except OSError as err:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, err))
                sys.exit(err.errno)

        mode = os.stat(dir_)
        # If starting the process as root, chown the new dirs
        if os.getuid() == 0:
            fmode = os.stat(dir_)
            if fmode.st_uid != uid or fmode.st_gid != gid:
                if permissive and fmode.st_gid in groups:
                    # Allow the directory to be owned by any group root
                    # belongs to if we say it's ok to be permissive
                    pass
                else:
                    # chown the file for the new user
                    os.chown(dir_, uid, gid)
            for subdir in [a for a in os.listdir(dir_) if "jobs" not in a]:
                fsubdir = os.path.join(dir_, subdir)
                if "{}jobs".format(os.path.sep) in fsubdir:
                    continue
                for root, dirs, files in salt.utils.path.os_walk(fsubdir):
                    for name in files:
                        if name.startswith("."):
                            continue
                        path = os.path.join(root, name)
                        try:
                            fmode = os.stat(path)
                        except OSError:
                            pass
                        if fmode.st_uid != uid or fmode.st_gid != gid:
                            if permissive and fmode.st_gid in groups:
                                pass
                            else:
                                # chown the file for the new user
                                os.chown(path, uid, gid)
                    for name in dirs:
                        path = os.path.join(root, name)
                        fmode = os.stat(path)
                        if fmode.st_uid != uid or fmode.st_gid != gid:
                            if permissive and fmode.st_gid in groups:
                                pass
                            else:
                                # chown the file for the new user
                                os.chown(path, uid, gid)
        # Allow the pki dir to be 700 or 750, but nothing else.
        # This prevents other users from writing out keys, while
        # allowing the use-case of 3rd-party software (like django)
        # to read in what it needs to integrate.
        #
        # If the permissions aren't correct, default to the more secure 700.
        # If acls are enabled, the pki_dir needs to remain readable, this
        # is still secure because the private keys are still only readable
        # by the user running the master
        if dir_ == pki_dir:
            smode = stat.S_IMODE(mode.st_mode)
            if smode != 448 and smode != 488:
                if os.access(dir_, os.W_OK):
                    os.chmod(dir_, 448)
                else:
                    msg = 'Unable to securely set the permissions of "{0}".'
                    msg = msg.format(dir_)
                    if is_console_configured():
                        log.critical(msg)
                    else:
                        sys.stderr.write("CRITICAL: {}\n".format(msg))

    if skip_extra is False:
        # Run the extra verification checks
        zmq_version()
Ejemplo n.º 25
0
                             close_fds=True,
                             cwd=os.path.abspath(os.path.dirname(__file__)))
        out, err = p.communicate()
        if out:
            parsed_version = '{0}'.format(out.strip().lstrip('v'))
            parsed_version_info = tuple(
                [int(i) for i in parsed_version.split('-', 1)[0].split('.')])
            if parsed_version_info != __version_info__:
                msg = ('In order to get the proper salt version with the git '
                       'hash you need to update salt\'s local git tags. '
                       'Something like: \'git fetch --tags\' or '
                       '\'git fetch --tags upstream\' if you followed '
                       'salt\'s contribute documentation. The version string '
                       'WILL NOT include the git hash.')
                from salt import log
                if log.is_console_configured():
                    import logging
                    logging.getLogger(__name__).warning(msg)
                else:
                    sys.stderr.write('WARNING: {0}\n'.format(msg))
            else:
                __version__ = parsed_version
                __version_info__ = parsed_version_info
except Exception:
    pass


def versions_report():
    libs = (
        ("Jinja2", "jinja2", "__version__"),
        ("M2Crypto", "M2Crypto", "version"),
Ejemplo n.º 26
0
        )
        out, err = p.communicate()
        if out:
            parsed_version = '{0}'.format(out.strip().lstrip('v'))
            parsed_version_info = tuple(
                [int(i) for i in parsed_version.split('-', 1)[0].split('.')]
            )
            if parsed_version_info != __version_info__:
                msg = ('In order to get the proper salt version with the git '
                       'hash you need to update salt\'s local git tags. '
                       'Something like: \'git fetch --tags\' or '
                       '\'git fetch --tags upstream\' if you followed '
                       'salt\'s contribute documentation. The version string '
                       'WILL NOT include the git hash.')
                from salt import log
                if log.is_console_configured():
                    import logging
                    logging.getLogger(__name__).warning(msg)
                else:
                    sys.stderr.write('WARNING: {0}\n'.format(msg))
            else:
                __version__ = parsed_version
                __version_info__ = parsed_version_info

except Exception:
    pass


def versions_report():
    libs = (
        ("Jinja2", "jinja2", "__version__"),
Ejemplo n.º 27
0
def verify_env(dirs,
               user,
               permissive=False,
               pki_dir='',
               skip_extra=False,
               sensitive_dirs=None):
    '''
    Verify that the named directories are in place and that the environment
    can shake the salt
    '''
    if pki_dir:
        salt.utils.versions.warn_until(
            'Neon',
            'Use of \'pki_dir\' was detected: \'pki_dir\' has been deprecated '
            'in favor of \'sensitive_dirs\'. Support for \'pki_dir\' will be '
            'removed in Salt Neon.')
        sensitive_dirs = sensitive_dirs or []
        sensitive_dirs.append(list(pki_dir))

    if salt.utils.platform.is_windows():
        return win_verify_env(dirs,
                              permissive=permissive,
                              skip_extra=skip_extra,
                              sensitive_dirs=sensitive_dirs)
    import pwd  # after confirming not running Windows
    try:
        pwnam = pwd.getpwnam(user)
        uid = pwnam[2]
        gid = pwnam[3]
        groups = salt.utils.user.get_gid_list(user, include_default=False)

    except KeyError:
        err = ('Failed to prepare the Salt environment for user '
               '{0}. The user is not available.\n').format(user)
        sys.stderr.write(err)
        sys.exit(salt.defaults.exitcodes.EX_NOUSER)
    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                cumask = os.umask(18)  # 077
                os.makedirs(dir_)
                # If starting the process as root, chown the new dirs
                if os.getuid() == 0:
                    os.chown(dir_, uid, gid)
                os.umask(cumask)
            except OSError as err:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, err))
                sys.exit(err.errno)

        mode = os.stat(dir_)
        # If starting the process as root, chown the new dirs
        if os.getuid() == 0:
            fmode = os.stat(dir_)
            if fmode.st_uid != uid or fmode.st_gid != gid:
                if permissive and fmode.st_gid in groups:
                    # Allow the directory to be owned by any group root
                    # belongs to if we say it's ok to be permissive
                    pass
                else:
                    # chown the file for the new user
                    os.chown(dir_, uid, gid)
            for subdir in [a for a in os.listdir(dir_) if 'jobs' not in a]:
                fsubdir = os.path.join(dir_, subdir)
                if '{0}jobs'.format(os.path.sep) in fsubdir:
                    continue
                for root, dirs, files in os.walk(fsubdir):
                    for name in files:
                        if name.startswith('.'):
                            continue
                        path = os.path.join(root, name)
                        try:
                            fmode = os.stat(path)
                        except (IOError, OSError):
                            pass
                        if fmode.st_uid != uid or fmode.st_gid != gid:
                            if permissive and fmode.st_gid in groups:
                                pass
                            else:
                                # chown the file for the new user
                                os.chown(path, uid, gid)
                    for name in dirs:
                        path = os.path.join(root, name)
                        fmode = os.stat(path)
                        if fmode.st_uid != uid or fmode.st_gid != gid:
                            if permissive and fmode.st_gid in groups:
                                pass
                            else:
                                # chown the file for the new user
                                os.chown(path, uid, gid)
        # Allow the pki dir to be 700 or 750, but nothing else.
        # This prevents other users from writing out keys, while
        # allowing the use-case of 3rd-party software (like django)
        # to read in what it needs to integrate.
        #
        # If the permissions aren't correct, default to the more secure 700.
        # If acls are enabled, the sensitive_dirs (i.e. pki_dir, key_dir) needs to
        # remain readable, this is still secure because the private keys are still
        # only readable by the user running the master
        sensitive_dirs = sensitive_dirs or []
        if dir_ in sensitive_dirs:
            smode = stat.S_IMODE(mode.st_mode)
            if smode != 448 and smode != 488:
                if os.access(dir_, os.W_OK):
                    os.chmod(dir_, 448)
                else:
                    msg = 'Unable to securely set the permissions of "{0}".'
                    msg = msg.format(dir_)
                    if is_console_configured():
                        log.critical(msg)
                    else:
                        sys.stderr.write("CRITICAL: {0}\n".format(msg))

    if skip_extra is False:
        # Run the extra verification checks
        zmq_version()
Ejemplo n.º 28
0
def verify_env(dirs, user, permissive=False, pki_dir=''):
    '''
    Verify that the named directories are in place and that the environment
    can shake the salt
    '''
    if 'os' in os.environ:
        if os.environ['os'].startswith('Windows'):
            return True
    import pwd  # after confirming not running Windows
    import grp
    try:
        pwnam = pwd.getpwnam(user)
        uid = pwnam[2]
        gid = pwnam[3]
        groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]

    except KeyError:
        err = ('Failed to prepare the Salt environment for user '
               '{0}. The user is not available.\n').format(user)
        sys.stderr.write(err)
        sys.exit(2)
    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                cumask = os.umask(18)  # 077
                os.makedirs(dir_)
                # If starting the process as root, chown the new dirs
                if os.getuid() == 0:
                    os.chown(dir_, uid, gid)
                os.umask(cumask)
            except OSError as err:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, err))
                sys.exit(err.errno)

        mode = os.stat(dir_)
        # If starting the process as root, chown the new dirs
        if os.getuid() == 0:
            fmode = os.stat(dir_)
            if not fmode.st_uid == uid or not fmode.st_gid == gid:
                if permissive and fmode.st_gid in groups:
                    # Allow the directory to be owned by any group root
                    # belongs to if we say it's ok to be permissive
                    pass
                else:
                    # chown the file for the new user
                    os.chown(dir_, uid, gid)
            for root, dirs, files in os.walk(dir_):
                if 'jobs' in root:
                    continue
                for name in files:
                    if name.startswith('.'):
                        continue
                    path = os.path.join(root, name)
                    try:
                        fmode = os.stat(path)
                    except (IOError, OSError):
                        pass
                    if not fmode.st_uid == uid or not fmode.st_gid == gid:
                        if permissive and fmode.st_gid in groups:
                            pass
                        else:
                            # chown the file for the new user
                            os.chown(path, uid, gid)
                for name in dirs:
                    path = os.path.join(root, name)
                    fmode = os.stat(path)
                    if not fmode.st_uid == uid or not fmode.st_gid == gid:
                        if permissive and fmode.st_gid in groups:
                            pass
                        else:
                            # chown the file for the new user
                            os.chown(path, uid, gid)
        # Allow the pki dir to be 700 or 750, but nothing else.
        # This prevents other users from writing out keys, while
        # allowing the use-case of 3rd-party software (like django)
        # to read in what it needs to integrate.
        #
        # If the permissions aren't correct, default to the more secure 700.
        # If acls are enabled, the pki_dir needs to remain readable, this
        # is still secure because the private keys are still only readbale
        # by the user running the master
        if dir_ == pki_dir:
            smode = stat.S_IMODE(mode.st_mode)
            if not smode == 448 and not smode == 488:
                if os.access(dir_, os.W_OK):
                    os.chmod(dir_, 448)
                else:
                    msg = 'Unable to securely set the permissions of "{0}".'
                    msg = msg.format(dir_)
                    if is_console_configured():
                        log.critical(msg)
                    else:
                        sys.stderr.write("CRITICAL: {0}\n".format(msg))
    # Run the extra verification checks
    zmq_version()
Ejemplo n.º 29
0
def win_verify_env(dirs, user, permissive=False, pki_dir='', skip_extra=False):
    '''
    Verify that the named directories are in place and that the environment
    can shake the salt
    '''
    import salt.utils.win_functions

    # Get the root path directory where salt is installed
    path = dirs[0]
    while os.path.basename(path) not in ['salt', 'salt-tests-tmpdir']:
        path, base = os.path.split(path)

    # Create the root path directory if missing
    if not os.path.isdir(path):
        os.makedirs(path)

    # Set permissions to the root path directory
    current_user = salt.utils.win_functions.get_current_user()
    if salt.utils.win_functions.is_admin(current_user):
        try:
            salt.utils.win_functions.set_path_owner(path)
        except CommandExecutionError:
            msg = 'Unable to securely set the owner of "{0}".'
            msg = msg.format(path)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))

        if not permissive:
            try:
                salt.utils.win_functions.set_path_permissions(path)
            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of "{0}".'
                msg = msg.format(path)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {0}\n".format(msg))

    # Create the directories
    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                os.makedirs(dir_)
            except OSError as err:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, err))
                sys.exit(err.errno)

        if dir_ == pki_dir:
            try:
                salt.utils.win_functions.set_path_owner(dir_)
                salt.utils.win_functions.set_path_permissions(dir_)
            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of "{0}".'
                msg = msg.format(dir_)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {0}\n".format(msg))

    if skip_extra is False:
        # Run the extra verification checks
        zmq_version()
Ejemplo n.º 30
0
def win_verify_env(dirs, permissive=False, pki_dir='', skip_extra=False):
    '''
    Verify that the named directories are in place and that the environment
    can shake the salt
    '''
    import salt.utils.win_functions
    import salt.utils.win_dacl

    # Get the root path directory where salt is installed
    path = dirs[0]
    while os.path.basename(path) not in ['salt', 'salt-tests-tmpdir']:
        path, base = os.path.split(path)

    # Create the root path directory if missing
    if not os.path.isdir(path):
        os.makedirs(path)

    # Set permissions to the root path directory
    current_user = salt.utils.win_functions.get_current_user()
    if salt.utils.win_functions.is_admin(current_user):
        try:
            # Make the Administrators group owner
            # Use the SID to be locale agnostic
            salt.utils.win_dacl.set_owner(path, 'S-1-5-32-544')

        except CommandExecutionError:
            msg = 'Unable to securely set the owner of "{0}".'.format(path)
            if is_console_configured():
                log.critical(msg)
            else:
                sys.stderr.write("CRITICAL: {0}\n".format(msg))

        if not permissive:
            try:
                # Get a clean dacl by not passing an obj_name
                dacl = salt.utils.win_dacl.dacl()

                # Add aces to the dacl, use the GUID (locale non-specific)
                # Administrators Group
                dacl.add_ace('S-1-5-32-544', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # System
                dacl.add_ace('S-1-5-18', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # Owner
                dacl.add_ace('S-1-3-4', 'grant', 'full_control',
                             'this_folder_subfolders_files')

                # Save the dacl to the object
                dacl.save(path, True)

            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of ' \
                      '"{0}".'.format(path)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {0}\n".format(msg))

    # Create the directories
    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                os.makedirs(dir_)
            except OSError as err:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, err))
                sys.exit(err.errno)

        # The PKI dir gets its own permissions
        if dir_ == pki_dir:
            try:
                # Make Administrators group the owner
                salt.utils.win_dacl.set_owner(path, 'S-1-5-32-544')

                # Give Admins, System and Owner permissions
                # Get a clean dacl by not passing an obj_name
                dacl = salt.utils.win_dacl.dacl()

                # Add aces to the dacl, use the GUID (locale non-specific)
                # Administrators Group
                dacl.add_ace('S-1-5-32-544', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # System
                dacl.add_ace('S-1-5-18', 'grant', 'full_control',
                             'this_folder_subfolders_files')
                # Owner
                dacl.add_ace('S-1-3-4', 'grant', 'full_control',
                             'this_folder_subfolders_files')

                # Save the dacl to the object
                dacl.save(dir_, True)

            except CommandExecutionError:
                msg = 'Unable to securely set the permissions of "{0}".'
                msg = msg.format(dir_)
                if is_console_configured():
                    log.critical(msg)
                else:
                    sys.stderr.write("CRITICAL: {0}\n".format(msg))

    if skip_extra is False:
        # Run the extra verification checks
        zmq_version()
Ejemplo n.º 31
0
def verify_env(dirs, user, permissive=False, pki_dir=''):
    '''
    Verify that the named directories are in place and that the environment
    can shake the salt
    '''
    if 'os' in os.environ:
        if os.environ['os'].startswith('Windows'):
            return True
    import pwd  # after confirming not running Windows
    import grp
    try:
        pwnam = pwd.getpwnam(user)
        uid = pwnam[2]
        gid = pwnam[3]
        groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]

    except KeyError:
        err = ('Failed to prepare the Salt environment for user '
               '{0}. The user is not available.\n').format(user)
        sys.stderr.write(err)
        sys.exit(2)
    for dir_ in dirs:
        if not dir_:
            continue
        if not os.path.isdir(dir_):
            try:
                cumask = os.umask(18)  # 077
                os.makedirs(dir_)
                # If starting the process as root, chown the new dirs
                if os.getuid() == 0:
                    os.chown(dir_, uid, gid)
                os.umask(cumask)
            except OSError as e:
                msg = 'Failed to create directory path "{0}" - {1}\n'
                sys.stderr.write(msg.format(dir_, e))
                sys.exit(e.errno)

        mode = os.stat(dir_)
        # If starting the process as root, chown the new dirs
        if os.getuid() == 0:
            fmode = os.stat(dir_)
            if not fmode.st_uid == uid or not fmode.st_gid == gid:
                if permissive and fmode.st_gid in groups:
                    # Allow the directory to be owned by any group root
                    # belongs to if we say it's ok to be permissive
                    pass
                else:
                    # chown the file for the new user
                    os.chown(dir_, uid, gid)
            for root, dirs, files in os.walk(dir_):
                if 'jobs' in root:
                    continue
                for name in files:
                    if name.startswith('.'):
                        continue
                    path = os.path.join(root, name)
                    try:
                        fmode = os.stat(path)
                    except (IOError, OSError):
                        pass
                    if not fmode.st_uid == uid or not fmode.st_gid == gid:
                        if permissive and fmode.st_gid in groups:
                            pass
                        else:
                            # chown the file for the new user
                            os.chown(path, uid, gid)
                for name in dirs:
                    path = os.path.join(root, name)
                    fmode = os.stat(path)
                    if not fmode.st_uid == uid or not fmode.st_gid == gid:
                        if permissive and fmode.st_gid in groups:
                            pass
                        else:
                            # chown the file for the new user
                            os.chown(path, uid, gid)
        # Allow the pki dir to be 700 or 750, but nothing else.
        # This prevents other users from writing out keys, while
        # allowing the use-case of 3rd-party software (like django)
        # to read in what it needs to integrate.
        #
        # If the permissions aren't correct, default to the more secure 700.
        # If acls are enabled, the pki_dir needs to remain readable, this
        # is still secure because the private keys are still only readbale
        # by the user running the master
        if dir_ == pki_dir:
            smode = stat.S_IMODE(mode.st_mode)
            if not smode == 448 and not smode == 488:
                if os.access(dir_, os.W_OK):
                    os.chmod(dir_, 448)
                else:
                    msg = 'Unable to securely set the permissions of "{0}".'
                    msg = msg.format(dir_)
                    if is_console_configured():
                        log.critical(msg)
                    else:
                        sys.stderr.write("CRITICAL: {0}\n".format(msg))
    # Run the extra verification checks
    zmq_version()