def _update_superuser(username,
directory='/root',
shell='/sbin/nologin',
crypt=None,
uid=None,
gid=None):
if crypt is None:
crypt = ''
if uid is None:
uid = 0
users = PasswdFile()
users.load()
groups = GroupFile()
groups.load()
if username not in groups:
group = GroupEntry()
group.group(username)
group.crypt("*")
if gid is None:
gid = users.new_uid()
while gid in groups:
gid = users.new_uid(gid)
group.gid(gid)
group.user_list((username, ))
groups[username] = group
groups.save()
gid = groups[username].gid()
if username in users:
user = users[username]
else:
user = PasswdEntry()
user.crypt(crypt)
user.gid(gid)
user.uid(uid)
user.user(username)
user.shell(shell)
user.directory(directory)
if crypt:
user.crypt(crypt)
users[username] = user
users.save()
user = users[username]
if user.gid() != gid:
user.gid(gid)
users[user.user()] = user
users.save()
return
def _update_superuser(username, directory="/root", shell="/sbin/nologin", crypt=None, uid=None, gid=None):
if crypt is None:
crypt = ""
if uid is None:
uid = 0
users = PasswdFile()
users.load()
groups = GroupFile()
groups.load()
if username not in groups:
group = GroupEntry()
group.group(username)
group.crypt("*")
if gid is None:
gid = users.new_uid()
while gid in groups:
gid = users.new_uid(gid)
group.gid(gid)
group.user_list((username,))
groups[username] = group
groups.save()
gid = groups[username].gid()
if username in users:
user = users[username]
else:
user = PasswdEntry()
user.crypt(crypt)
user.gid(gid)
user.uid(uid)
user.user(username)
user.shell(shell)
user.directory(directory)
if crypt:
user.crypt(crypt)
users[username] = user
users.save()
user = users[username]
if user.gid() != gid:
user.gid(gid)
users[user.user()] = user
users.save()
return
def __synchronize_system(self, usernode, currentname=None, validate=True):
system_users = PasswdFile()
system_shadow = ShadowFile()
system_groups = GroupFile()
userchange = False
shadowchange = False
groupchange = False
group_is_private = False
system_users.load()
system_shadow.load()
system_groups.load()
flag = 0
#flag will be used to check if system admin is
#being demoted. bug CSCth82465
#if system admin is being demoted,
#it's entry will be removed and added again
if usernode and usernode.name in system_users:
userentry = system_users[usernode.name]
#user is a system administrator, but not mpxadmin,
#and it's current role is not mpxadmin
#i.e. a system administrator other than mpxadmin is being demoted
if userentry.user_type() == 'mpxadmin' \
and usernode.name != 'mpxadmin' \
and self.role_manager.administrator.name not in usernode.roles:
flag = 1
if usernode is None or flag:
# If no usernode is provided, the user with name 'currentname' is
# being removed.
if flag:
currentname = usernode.name
if currentname is None:
raise ValueError('Name must be provided when removing user.')
userentry = system_users[currentname]
# Loop through all groups to which user belongs, removing user.
groups = userentry.groups(system_groups)
for groupentry in groups:
users = groupentry.user_list()
# User is not in user list of private group, so only
# groups in to which user *also* belongs are modified.
if currentname in users:
users.remove(currentname)
groupentry.user_list(users)
groupchange = True
message = 'removed user "%s" from group "%s".'
self.output_message(message %
(currentname, groupentry.group()))
# If a private group was associated with the user--a group
# whose name is the same as the user name and whose member
# list contains no entries--find and remove it to keep clean.
if currentname in system_groups:
groupentry = system_groups[currentname]
if len(groupentry.user_list()) == 0:
# Private group for user entry, remove it.
del (system_groups[currentname])
groupchange = True
self.output_message('removed private group "%s".' %
currentname)
# Finally, delete user itself.
del (system_users[userentry.user()])
userchange = True
# delete user details from /etc/shadow
del (system_shadow[userentry.user()])
shadowchange = True
self.output_message('removed user "%s" from system.' % currentname)
#delete user from the cache
as_node('/services/User Manager').remove_user(currentname)
if usernode:
username = usernode.name
# Name may be being changed. Node reference always has correct
# name, where 'currentname' is the previous name if the name
# is in fact being changed. Rename child operations take
# advantage of this.
if currentname is None:
currentname = username
if currentname in system_users:
# User already exists, must be being updated.
fd = open("/etc/group", "r")
userentry = system_users[currentname]
userid = userentry.uid()
groupid = userentry.gid()
flag = 1
for line in fd.readlines():
if re.search(str(groupid), line, re.IGNORECASE) != None:
flag = 0
break
if flag:
cmd = "addgroup -g "
cmd += str(groupid)
cmd += " "
cmd += currentname
os.system(cmd)
flag = 0
groupentry = system_groups[groupid]
shadowentry = system_shadow[currentname]
else:
# User is completely new and user and private group
# must be created.
userid = system_users.new_uid()
while userid in system_groups:
userid = system_users.new_uid(userid)
else:
groupid = userid
userentry = PasswdEntry()
groupentry = GroupEntry()
shadowentry = ShadowEntry()
message = 'creating user "%s" and group "%s".'
self.output_message(message % (username, username))
# A private group has the same name as the associated
# user account.
group_is_private = False
if groupentry.group() == userentry.user():
group_is_private = True
# If username has changed: change entry and flag.
if userentry.user() != username:
groups = []
if userentry.user() is not None:
# New users cause exception when doing
# group lookup before name is set.
groups = userentry.groups(system_groups)
currentname = userentry.user()
userentry.user(username, validate)
userchange = True
shadowentry.user(username, validate)
shadowchange = True
message = 'changed user name from "%s" to "%s".'
self.output_message(message % (currentname, username))
# Modify groups to which user belongs to reflect updated name.
for group in groups:
users = group.user_list()
if currentname in users and username not in users:
users[users.index(currentname)] = username
group.user_list(users)
groupchange = True
message = 'changed user "%s" in group "%s" to "%s".'
self.output_message(
message % (currentname, group.group(), username))
# If group is only for this user and group name isn't username,
# change and flag.
if group_is_private and groupentry.group() != username:
currentgroup = groupentry.group()
groupentry.group(username)
groupchange = True
message = 'changed group name from "%s" to "%s".'
self.output_message(message % (currentgroup, username))
# Change user-entry's password if doesn't match user node's.
password = usernode.password
if len(password
) and not shadowentry.password_matches_crypt(password):
shadowentry.user(username, validate)
shadowentry.passwd(password, validate)
userentry.passwd('x', False)
shadowentry.lstchg()
shadowchange = True
userchange = True
self.output_message('changed password for user "%s".' %
username)
# Set user-entry UID to calulated UID (used for new entries).
if not userentry.uid() == userid:
currentuid = userentry.uid()
userentry.uid(userid)
userchange = True
message = 'changed UID for user "%s" from %s to %s.'
self.output_message(message % (username, currentuid, userid))
# Set user-entry GID to calculated GID (used for new entries).
if userentry.gid() != groupid:
currentgid = userentry.gid()
userentry.gid(groupid)
userchange = True
message = 'changed GID for user "%s" from %s to %s.'
self.output_message(message % (username, currentgid, groupid))
if not userentry.gecos():
currentgecos = userentry.gecos()
userentry.gecos('ROLE=user')
userchange = True
message = 'changed gecos for user "%s" from %s to %s.'
self.output_message(message %
(username, currentgecos, 'ROLE=user'))
# Set group-entry GID to calculated GID (should match whether private or not).
if groupentry.gid() != groupid:
currentgid = groupentry.gid()
groupentry.gid(groupid)
groupchange = True
message = 'changed GID for group "%s" from %s to %s.'
self.output_message(message %
(groupentry.group(), currentgid, groupid))
if userchange:
# Passwd file changed, set user into user dicationary
# in case user was newly created, and save back file.
system_users[userentry.user()] = userentry
system_users.save()
userchange = False
as_node('/services/User Manager').remove_user(usernode.name)
if shadowchange:
# /etc/shadow file changed, set user into user dicationary
# in case user was newly created, and save back file.
system_shadow[shadowentry.user()] = shadowentry
system_shadow.save()
shadowchange = False
if groupchange:
# Group file changed, set user into groups dicationary
# in case group was newly created, and save back file.
system_groups[groupentry.group()] = groupentry
system_groups.save()
groupchange = False
roles = usernode.roles[:]
if self.role_manager.administrator.name in roles:
if userentry.user_type() != 'mpxadmin':
userchange = True
shadowchange = True
groupchange = True
userentry.user_type('mpxadmin', system_users,
system_groups)
self.output_message(
'made user "%s" into "mpxadmin" type.' % username)
if username in system_groups:
group = system_groups[username]
if userentry.gid() != group.gid():
users = group.user_list()
if len(users) == 0:
del (system_groups[username])
groupchange = True
message = 'removed group "%s". ' % username
message += 'Group no longer referenced.'
else:
message = 'not removing group "%s". ' % username
message += 'Still has users %s.' % (users, )
self.output_message(message)
elif userentry.user_type() == 'mpxadmin':
message = 'System Administrator cannot be demoted. '
message += 'User "%s" must be removed in order to demote.'
raise TypeError(message % username)
if userchange:
system_users.save()
userchange = False
username = usernode.name if usernode else currentname
as_node('/services/User Manager').remove_user(username)
if shadowchange:
system_shadow.save()
shadowchange = False
if groupchange:
system_groups.save()
userchange = False
return (userchange or groupchange or shadowchange)
def _update_mpxadmin_user(self):
#
# Ensure the mpxadmin group exists.
#
passwd = PasswdFile()
passwd.load()
group = GroupFile()
group.load()
self.options.normal_message("Checking for mpxadmin group.")
if "mpxadmin" not in group:
self.options.normal_message("No mpxadmin group, adding.")
mpxadmin = GroupEntry()
mpxadmin.group("mpxadmin")
mpxadmin.crypt("*")
mpxadmin.gid(int(MPX_GID))
mpxadmin.user_list((mpxadmin.group(), ))
group[mpxadmin.group()] = mpxadmin
group.save()
self.options.normal_message("Added mpxadmin group(%d) in %s.",
mpxadmin.gid(), group._file)
else:
self.options.normal_message("mpxadmin group already exists.")
if int(MPX_GID):
# Installing as regular user, presumably in penvironment.d, add
# the required "root" group.
self.options.normal_message("Checking for root group.")
if "root" not in group:
self.options.normal_message("No root group, adding.")
root = GroupEntry()
root.group("root")
root.crypt("*")
root.gid(int(MPX_GID))
root.user_list((root.group(), ))
group[root.group()] = root
group.save()
self.options.normal_message("Added root group(%d) in %s.",
root.gid(), group._file)
else:
self.options.normal_message("root group already exists.")
#
# Ensure the mpxadmin user exists.
#
self.options.normal_message("Checking for mpxadmin user.")
#if "mpxadmin" not in passwd:
# if there is no mpxadmin type user, create a default
if len(filter(lambda pw: pw.user_type() == 'mpxadmin', passwd)) == 0:
self.options.normal_message(
"No mpxadmin user, checking for mpxadmin group.")
gid = group["mpxadmin"].gid()
# @fixme This is not pretty, but it will work for now.
# A new UID would be uid = passwd.new_uid(gid-1)
uid = int(MPX_UID) # Hijacking root for superuser privelidges...
mpxadmin = PasswdEntry()
mpxadmin.user("mpxadmin")
mpxadmin.directory(passwd.default_home(mpxadmin.user()))
mpxadmin.crypt(_crypted_password("mpxadmin", "mpxadmin"))
mpxadmin.uid(uid)
mpxadmin.gid(gid)
# @fixme Formalize the Mediator concept of meta-data associated
# with users. Also consider moving the meta-data out of
# /etc/passwd and into a PDO...
# META-DATA:
# AKA: Allows us to track renames of key users (pppuser,
# mpxadmin, webdev, ...)
# CSIK: Configuration Service Initial Key (used to calculate
# "classic" Configuration Service Security Keys.
mpxadmin.gecos("AKA=mpxadmin,CSIK=%s,ROLE=administrator" %
(_csiked_password("mpxadmin"), ))
mpxadmin.shell("/bin/bash")
passwd[mpxadmin.user()] = mpxadmin
passwd.save()
self.options.normal_message("Added mpxadmin user(%d.%d) in %s.",
mpxadmin.uid(), mpxadmin.gid(),
passwd._file)
# Create and update the mpxadmin user.
self._force_target_directory(mpxadmin.directory())
self.cwd.pushd(mpxadmin.directory())
passwd = PasswdFile()
passwd.load()
group = GroupFile()
group.load()
os.system("chmod -R ug+Xrw .", **self._fatal_keywords())
chown(".", "mpxadmin", "mpxadmin", recurse=1, ignore_errors=1)
self.cwd.popd()
else:
self.options.normal_message("mpxadmin user already exists.")
#
# Ensure mpxadmin is a member of the root group.
#
group = GroupFile()
group.load()
root = group["root"]
user_list = root.user_list()
if "mpxadmin" not in user_list:
self.options.normal_message(
"Adding mpxadmin user to the root group.")
user_list.append("mpxadmin")
root.user_list(user_list)
group["root"] = root
group.save()
return
def _update_webdev_user(self):
passwd = PasswdFile()
passwd.load()
group = GroupFile()
group.load()
if "webdev" not in passwd:
if "webdev" not in group:
next_id = passwd.new_uid()
while next_id in group:
next_id = passwd.new_uid(next_id)
webdev = GroupEntry()
webdev.group("webdev")
webdev.crypt("*")
webdev.gid(next_id)
webdev.user_list((webdev.group(),))
group[webdev.group()] = webdev
group.save()
gid = group["webdev"].gid()
uid = passwd.new_uid(gid-1)
while uid in passwd:
uid = passwd.new_uid(uid)
webdev = PasswdEntry()
webdev.user(user="******", validate=False)
webdev.crypt(_crypted_password("webdev", "webdev"))
webdev.uid(uid)
webdev.gid(gid)
webdev.gecos("AKA=webdev")
webdev.directory(properties.WWW_ROOT)
webdev.shell(os.path.join(properties.ETC_DIR,"ftponly"))
passwd[webdev.user()] = webdev
passwd.save()
return
def _update_mpxadmin_user(self):
#
# Ensure the mpxadmin group exists.
#
passwd = PasswdFile()
passwd.load()
group = GroupFile()
group.load()
self.options.normal_message("Checking for mpxadmin group.")
if "mpxadmin" not in group:
self.options.normal_message("No mpxadmin group, adding.")
mpxadmin = GroupEntry()
mpxadmin.group("mpxadmin")
mpxadmin.crypt("*")
mpxadmin.gid(int(MPX_GID))
mpxadmin.user_list((mpxadmin.group(),))
group[mpxadmin.group()] = mpxadmin
group.save()
self.options.normal_message("Added mpxadmin group(%d) in %s.", mpxadmin.gid(), group._file)
else:
self.options.normal_message("mpxadmin group already exists.")
if int(MPX_GID):
# Installing as regular user, presumably in penvironment.d, add
# the required "root" group.
self.options.normal_message("Checking for root group.")
if "root" not in group:
self.options.normal_message("No root group, adding.")
root = GroupEntry()
root.group("root")
root.crypt("*")
root.gid(int(MPX_GID))
root.user_list((root.group(),))
group[root.group()] = root
group.save()
self.options.normal_message("Added root group(%d) in %s.", root.gid(), group._file)
else:
self.options.normal_message("root group already exists.")
#
# Ensure the mpxadmin user exists.
#
self.options.normal_message("Checking for mpxadmin user.")
# if "mpxadmin" not in passwd:
# if there is no mpxadmin type user, create a default
if len(filter(lambda pw: pw.user_type() == "mpxadmin", passwd)) == 0:
self.options.normal_message("No mpxadmin user, checking for mpxadmin group.")
gid = group["mpxadmin"].gid()
# @fixme This is not pretty, but it will work for now.
# A new UID would be uid = passwd.new_uid(gid-1)
uid = int(MPX_UID) # Hijacking root for superuser privelidges...
mpxadmin = PasswdEntry()
mpxadmin.user("mpxadmin")
mpxadmin.directory(passwd.default_home(mpxadmin.user()))
mpxadmin.crypt(_crypted_password("mpxadmin", "mpxadmin"))
mpxadmin.uid(uid)
mpxadmin.gid(gid)
# @fixme Formalize the Mediator concept of meta-data associated
# with users. Also consider moving the meta-data out of
# /etc/passwd and into a PDO...
# META-DATA:
# AKA: Allows us to track renames of key users (pppuser,
# mpxadmin, webdev, ...)
# CSIK: Configuration Service Initial Key (used to calculate
# "classic" Configuration Service Security Keys.
mpxadmin.gecos("AKA=mpxadmin,CSIK=%s,ROLE=administrator" % (_csiked_password("mpxadmin"),))
mpxadmin.shell("/bin/bash")
passwd[mpxadmin.user()] = mpxadmin
passwd.save()
self.options.normal_message(
"Added mpxadmin user(%d.%d) in %s.", mpxadmin.uid(), mpxadmin.gid(), passwd._file
)
# Create and update the mpxadmin user.
self._force_target_directory(mpxadmin.directory())
self.cwd.pushd(mpxadmin.directory())
passwd = PasswdFile()
passwd.load()
group = GroupFile()
group.load()
os.system("chmod -R ug+Xrw .", **self._fatal_keywords())
chown(".", "mpxadmin", "mpxadmin", recurse=1, ignore_errors=1)
self.cwd.popd()
else:
self.options.normal_message("mpxadmin user already exists.")
#
# Ensure mpxadmin is a member of the root group.
#
group = GroupFile()
group.load()
root = group["root"]
user_list = root.user_list()
if "mpxadmin" not in user_list:
self.options.normal_message("Adding mpxadmin user to the root group.")
user_list.append("mpxadmin")
root.user_list(user_list)
group["root"] = root
group.save()
return
