Example #1
 def _testUIDGIDSwitch(
     self, startUID, startGID,
     wantUID, wantGID,
     expectedUIDSwitches, expectedGIDSwitches,
 ):
     """
     Run L{util.runAsEffectiveUser} against the mocked C{os} and compare the
     recorded C{seteuid} / C{setegid} calls with the expected ones.

     The mock starts with effective IDs C{startUID} / C{startGID}; the call
     asks for C{wantUID} / C{wantGID} and runs C{self._securedFunction} with
     all four IDs as arguments.  The recorded call lists are emptied
     afterwards so the helper can be used several times in one test.

     @param expectedUIDSwitches: expected content of
         C{self.mockos.seteuidCalls} after the call.
     @param expectedGIDSwitches: expected content of
         C{self.mockos.setegidCalls} after the call.
     """
     fakeOS = self.mockos
     fakeOS.euid, fakeOS.egid = startUID, startGID
     forwarded = (startUID, startGID, wantUID, wantGID)
     util.runAsEffectiveUser(
         wantUID, wantGID, self._securedFunction, *forwarded)
     self.assertEqual(fakeOS.seteuidCalls, expectedUIDSwitches)
     self.assertEqual(fakeOS.setegidCalls, expectedGIDSwitches)
     # Reset the recorded calls for the next scenario.
     fakeOS.seteuidCalls = []
     fakeOS.setegidCalls = []
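 def _testUIDGIDSwitch(self, startUID, startGID, wantUID, wantGID,
                       expectedUIDSwitches, expectedGIDSwitches):
     """
     Helper method checking the calls to C{os.seteuid} and C{os.setegid}
     made by L{util.runAsEffectiveUser}, when switching from startUID to
     wantUID and from startGID to wantGID.

     @param startUID: effective uid the mocked C{os} reports before the call.
     @param startGID: effective gid the mocked C{os} reports before the call.
     @param wantUID: effective uid requested from L{util.runAsEffectiveUser}.
     @param wantGID: effective gid requested from L{util.runAsEffectiveUser}.
     @param expectedUIDSwitches: expected content of
         C{self.mockos.seteuidCalls} after the call.
     @param expectedGIDSwitches: expected content of
         C{self.mockos.setegidCalls} after the call.
     """
     self.mockos.euid = startUID
     self.mockos.egid = startGID
     util.runAsEffectiveUser(
         wantUID, wantGID, self._securedFunction,
         startUID, startGID, wantUID, wantGID)
     # assertEqual, not the deprecated assertEquals alias (removed from
     # unittest in Python 3.12).
     self.assertEqual(self.mockos.seteuidCalls, expectedUIDSwitches)
     self.assertEqual(self.mockos.setegidCalls, expectedGIDSwitches)
     # Reset the recorded calls so the helper can be reused in one test.
     self.mockos.seteuidCalls = []
     self.mockos.setegidCalls = []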
Example #3
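 def checkKey(self, credentials):
     """
     Check whether the key blob in C{credentials} is listed in one of the
     account's C{authorized_keys2} / C{authorized_keys} files.

     The files are looked up in the C{.ssh} directory below the home
     directory of C{credentials.username}.  Each file is first opened with
     the process's current effective IDs; only when that fails with
     C{EACCES} is it opened again through L{runAsEffectiveUser} with the
     account's own uid and gid.

     @param credentials: object providing C{username} and C{blob}.
     @return: C{True} if the second field of some line base64-decodes to
         C{credentials.blob}, C{False} otherwise.
     @raise IOError: if a key file cannot be opened for a reason other than
         C{EACCES}.
     """
     # "~name" is the form expanduser resolves to the named account's home
     # directory.  Joining "~" and the username as separate path components
     # gives "~/name/.ssh", which resolves below the server's own home
     # directory instead of the account's.
     sshDir = os.path.join(
         os.path.expanduser("~" + credentials.username), ".ssh")
     if sshDir.startswith('~'):  # didn't expand: no such account
         return False
     ouid, ogid = pwd.getpwnam(credentials.username)[2:4]
     for name in ['authorized_keys2', 'authorized_keys']:
         filename = os.path.join(sshDir, name)
         if not os.path.exists(filename):
             continue
         # NOTE(review): this first open runs with the server's effective
         # IDs on a path inside the account's home directory; only the
         # EACCES retry below runs as the account owner.
         try:
             lines = open(filename)
         except IOError as e:
             if e.errno == errno.EACCES:
                 lines = runAsEffectiveUser(ouid, ogid, open, filename)
             else:
                 raise
         # Close the handle on every path, including the early return.
         with lines:
             for l in lines:
                 l2 = l.split()
                 if len(l2) < 2:
                     continue
                 try:
                     # decodestring is the Python 2 name; it no longer
                     # exists in Python 3.9 and later.
                     if base64.decodestring(l2[1]) == credentials.blob:
                         return True
                 except binascii.Error:
                     # Not valid base64: ignore this line.
                     continue
     # No file contained the key: report an explicit False, not None.
     return False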
 def test_takeParameters(self):
     """
     L{util.runAsEffectiveUser} calls the given function with the extra
     positional arguments it received.
     """
     def double(x):
         return 2 * x

     self.assertEqual(util.runAsEffectiveUser(0, 0, double, 3), 6)
Example #5
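 def getPrivateKeys(self):
     """
     Load the server's private host keys from C{self.dataRoot}.

     Every file whose name starts with C{ssh_host_} and ends with C{_key}
     is read with C{keys.Key.fromFile}.  A file that cannot be read because
     of C{EACCES} is read again through L{runAsEffectiveUser} with
     effective uid and gid 0.  Any other failure to load a file is logged
     and the file is skipped.

     @return: a C{dict} mapping the result of C{keys.objectType} for each
         key to the loaded key.
     @raise IOError: if a key file cannot be read for a reason other than
         C{EACCES}.
     """
     from twisted.python import log
     from twisted.python.util import runAsEffectiveUser
     from twisted.conch.ssh import keys
     import os
     import errno
     privateKeys = {}
     for filename in os.listdir(self.dataRoot):
         if filename[:9] == 'ssh_host_' and filename[-4:] == '_key':
             fullPath = os.path.join(self.dataRoot, filename)
             try:
                 key = keys.Key.fromFile(fullPath)
             except IOError as e:
                 if e.errno == errno.EACCES:
                     # Not allowed, let's switch to root.
                     # NOTE(review): the retry reads whatever this name in
                     # dataRoot refers to with euid 0, and an error raised
                     # by it is not caught by the handler below.  Assumes
                     # dataRoot is writable only by root -- confirm.
                     key = runAsEffectiveUser(0, 0, keys.Key.fromFile,
                                              fullPath)
                     keyType = keys.objectType(key.keyObject)
                     privateKeys[keyType] = key
                 else:
                     raise
             except Exception as e:
                 log.msg('bad private key file %s: %s' % (filename, e))
             else:
                 if key:  # a falsy result from fromFile is skipped
                     keyType = keys.objectType(key.keyObject)
                     privateKeys[keyType] = key
     # Hand the collected keys back; without this the method returns None.
     return privateKeys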
Example #6
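 def checkKey(self, credentials):
     """
     Retrieve files containing authorized keys and check against user
     credentials.

     Each path returned by C{self.getAuthorizedKeysFiles} is first opened
     with the process's current effective IDs; only when that fails with
     C{EACCES} is it opened again through L{runAsEffectiveUser} with the
     uid and gid taken from C{self._userdb.getpwnam}.

     @param credentials: object providing C{username} and C{blob}.
     @return: C{True} if the second field of some line base64-decodes to
         C{credentials.blob}, C{False} otherwise.
     @raise IOError: if a key file cannot be opened for a reason other than
         C{EACCES}.
     """
     ouid, ogid = self._userdb.getpwnam(credentials.username)[2:4]
     for filepath in self.getAuthorizedKeysFiles(credentials):
         if not filepath.exists():
             continue
         # NOTE(review): this first open runs with the server's effective
         # IDs; only the EACCES retry runs as the account owner.
         try:
             lines = filepath.open()
         except IOError as e:
             if e.errno == errno.EACCES:
                 lines = runAsEffectiveUser(ouid, ogid, filepath.open)
             else:
                 raise
         # Close the handle on every path, including the early return.
         with lines:
             for l in lines:
                 l2 = l.split()
                 if len(l2) < 2:
                     continue
                 try:
                     # decodestring is the Python 2 name; it no longer
                     # exists in Python 3.9 and later.
                     if base64.decodestring(l2[1]) == credentials.blob:
                         return True
                 except binascii.Error:
                     # Not valid base64: ignore this line.
                     continue
     # No file contained the key: report an explicit False, not None.
     return False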
Example #7
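 def test_takeParameters(self):
     """
     L{util.runAsEffectiveUser} passes the given parameters to the given
     function.
     """
     result = util.runAsEffectiveUser(0, 0, lambda x: 2 * x, 3)
     # assertEqual, not the deprecated assertEquals alias (removed from
     # unittest in Python 3.12).
     self.assertEqual(result, 6)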
Example #8
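 def test_takesKeyworkArguments(self):
     """
     L{util.runAsEffectiveUser} passes the keyword parameters to the given
     function.
     """
     result = util.runAsEffectiveUser(
         0, 0, lambda x, y=1, z=1: x * y * z, 2, z=3)
     # assertEqual, not the deprecated assertEquals alias (removed from
     # unittest in Python 3.12).
     self.assertEqual(result, 6)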
Example #9
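 def checkKey(self, credentials):
     """
     Check whether the key blob in C{credentials} is listed in one of the
     account's C{authorized_keys2} / C{authorized_keys} files.

     The files are looked up in the C{.ssh} directory below the home
     directory of C{credentials.username}.  Each file is first opened with
     the process's current effective IDs; only when that fails with
     C{EACCES} is it opened again through L{runAsEffectiveUser} with the
     account's own uid and gid.

     @param credentials: object providing C{username} and C{blob}.
     @return: C{True} if the second field of some line base64-decodes to
         C{credentials.blob}, C{False} otherwise.
     @raise IOError: if a key file cannot be opened for a reason other than
         C{EACCES}.
     """
     # "~name" is the form expanduser resolves to the named account's home
     # directory.  Joining "~" and the username as separate path components
     # gives "~/name/.ssh", which resolves below the server's own home
     # directory instead of the account's.
     sshDir = os.path.join(
         os.path.expanduser("~" + credentials.username), ".ssh")
     if sshDir.startswith('~'):  # didn't expand: no such account
         return False
     ouid, ogid = pwd.getpwnam(credentials.username)[2:4]
     for name in ['authorized_keys2', 'authorized_keys']:
         filename = os.path.join(sshDir, name)
         if not os.path.exists(filename):
             continue
         # NOTE(review): this first open runs with the server's effective
         # IDs on a path inside the account's home directory; only the
         # EACCES retry below runs as the account owner.
         try:
             lines = open(filename)
         except IOError as e:
             if e.errno == errno.EACCES:
                 lines = runAsEffectiveUser(ouid, ogid, open, filename)
             else:
                 raise
         # Close the handle on every path, including the early return.
         with lines:
             for l in lines:
                 l2 = l.split()
                 if len(l2) < 2:
                     continue
                 try:
                     # decodestring is the Python 2 name; it no longer
                     # exists in Python 3.9 and later.
                     if base64.decodestring(l2[1]) == credentials.blob:
                         return True
                 except binascii.Error:
                     # Not valid base64: ignore this line.
                     continue
     # No file contained the key: report an explicit False, not None.
     return False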
Example #10
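 def test_forwardResult(self):
     """
     L{util.runAsEffectiveUser} forwards the result obtained by calling the
     given function.
     """
     result = util.runAsEffectiveUser(0, 0, lambda: 1)
     # assertEqual, not the deprecated assertEquals alias (removed from
     # unittest in Python 3.12).
     self.assertEqual(result, 1)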
Example #11
 def checkKey(self, credentials):
     """
     Tell whether the key blob in C{credentials} is present in one of the
     account's authorized-keys files.

     Each existing path from C{self.getAuthorizedKeysFiles} is opened with
     the process's current effective IDs first.  If that fails with
     C{EACCES}, it is opened again through L{runAsEffectiveUser} with the
     uid and gid taken from C{self._userdb.getpwnam}; any other C{IOError}
     propagates.

     @param credentials: object providing C{username} and C{blob}.
     @return: C{True} if the second field of some line decodes to
         C{credentials.blob}, C{False} otherwise.
     """
     ownerUID, ownerGID = self._userdb.getpwnam(credentials.username)[2:4]
     for keyFile in self.getAuthorizedKeysFiles(credentials):
         if keyFile.exists():
             try:
                 handle = keyFile.open()
             except IOError as err:
                 if err.errno != errno.EACCES:
                     raise
                 # Unreadable with the current IDs: retry as the owner.
                 handle = runAsEffectiveUser(
                     ownerUID, ownerGID, keyFile.open)
             with handle:
                 for entry in handle:
                     fields = entry.split()
                     if len(fields) >= 2:
                         try:
                             if _b64decodebytes(fields[1]) == credentials.blob:
                                 return True
                         except binascii.Error:
                             # Not valid base64: ignore this line.
                             pass
     return False
 def test_forwardResult(self):
     """
     The value returned by the function given to
     L{util.runAsEffectiveUser} is returned to the caller.
     """
     def one():
         return 1

     self.assertEqual(util.runAsEffectiveUser(0, 0, one), 1)
Example #13
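 def getPrivateKeys(self):
     """
     Load the server's private host keys from C{self.dataRoot}.

     Every file whose name starts with C{ssh_host_} and ends with C{_key}
     is read with C{keys.Key.fromFile}.  A file that cannot be read because
     of C{EACCES} is read again through L{runAsEffectiveUser} with
     effective uid and gid 0.  Any other failure to load a file is logged
     and the file is skipped.

     @return: a C{dict} mapping the result of C{keys.objectType} for each
         key to the loaded key.
     @raise IOError: if a key file cannot be read for a reason other than
         C{EACCES}.
     """
     from twisted.python import log
     from twisted.python.util import runAsEffectiveUser
     from twisted.conch.ssh import keys
     import os
     import errno
     privateKeys = {}
     for filename in os.listdir(self.dataRoot):
         if filename[:9] == 'ssh_host_' and filename[-4:] == '_key':
             fullPath = os.path.join(self.dataRoot, filename)
             try:
                 key = keys.Key.fromFile(fullPath)
             except IOError as e:
                 if e.errno == errno.EACCES:
                     # Not allowed, let's switch to root.
                     # NOTE(review): the retry reads whatever this name in
                     # dataRoot refers to with euid 0, and an error raised
                     # by it is not caught by the handler below.  Assumes
                     # dataRoot is writable only by root -- confirm.
                     key = runAsEffectiveUser(
                         0, 0, keys.Key.fromFile, fullPath)
                     keyType = keys.objectType(key.keyObject)
                     privateKeys[keyType] = key
                 else:
                     raise
             except Exception as e:
                 log.msg('bad private key file %s: %s' % (filename, e))
             else:
                 if key:  # a falsy result from fromFile is skipped
                     keyType = keys.objectType(key.keyObject)
                     privateKeys[keyType] = key
     # Hand the collected keys back; without this the method returns None.
     return privateKeys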
Example #14
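 def checkKey(self, credentials):
     """
     Retrieve files containing authorized keys and check against user
     credentials.

     Each path returned by C{self.getAuthorizedKeysFiles} is first opened
     with the process's current effective IDs; only when that fails with
     C{EACCES} is it opened again through L{runAsEffectiveUser} with the
     account's uid and gid from C{pwd.getpwnam}.

     @param credentials: object providing C{username} and C{blob}.
     @return: C{True} if the second field of some line base64-decodes to
         C{credentials.blob}, C{False} otherwise.
     @raise KeyError: if C{pwd.getpwnam} has no entry for the username.
     @raise IOError: if a key file cannot be opened for a reason other than
         C{EACCES}.
     """
     ouid, ogid = pwd.getpwnam(credentials.username)[2:4]
     for filepath in self.getAuthorizedKeysFiles(credentials):
         if not filepath.exists():
             continue
         # NOTE(review): this first open runs with the server's effective
         # IDs; only the EACCES retry runs as the account owner.
         try:
             lines = filepath.open()
         except IOError as e:
             if e.errno == errno.EACCES:
                 lines = runAsEffectiveUser(ouid, ogid, filepath.open)
             else:
                 raise
         # Close the handle on every path, including the early return.
         with lines:
             for l in lines:
                 l2 = l.split()
                 if len(l2) < 2:
                     continue
                 try:
                     # decodestring is the Python 2 name; it no longer
                     # exists in Python 3.9 and later.
                     if base64.decodestring(l2[1]) == credentials.blob:
                         return True
                 except binascii.Error:
                     # Not valid base64: ignore this line.
                     continue
     # No file contained the key: report an explicit False, not None.
     return False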
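 def test_takesKeyworkArguments(self):
     """
     L{util.runAsEffectiveUser} passes the keyword parameters to the given
     function.
     """
     result = util.runAsEffectiveUser(
         0, 0, lambda x, y=1, z=1: x * y * z, 2, z=3)
     # assertEqual, not the deprecated assertEquals alias (removed from
     # unittest in Python 3.12).
     self.assertEqual(result, 6)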
Example #16
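 def getPrivateKeys(self):
     """
     Return the server private keys.

     Every file in C{self.dataRoot} whose name starts with C{ssh_host_} and
     ends with C{_key} is read with C{keys.Key.fromFile}.  A file that
     cannot be read because of C{EACCES} is read again through
     L{runAsEffectiveUser} with effective uid and gid 0.  Any other
     failure to load a file is logged and the file is skipped.

     @return: a C{dict} mapping each key's C{sshType()} to the key.
     @raise OSError: if a key file cannot be read for a reason other than
         C{EACCES}.
     """
     privateKeys = {}
     for filename in os.listdir(self.dataRoot):
         if filename[:9] == "ssh_host_" and filename[-4:] == "_key":
             fullPath = os.path.join(self.dataRoot, filename)
             try:
                 key = keys.Key.fromFile(fullPath)
             except OSError as e:
                 if e.errno == errno.EACCES:
                     # Not allowed, let's switch to root.
                     # NOTE(review): the retry reads whatever this name in
                     # dataRoot refers to with euid 0, and an error raised
                     # by it is not caught by the handler below.  Assumes
                     # dataRoot is writable only by root -- confirm.
                     key = runAsEffectiveUser(0, 0, keys.Key.fromFile,
                                              fullPath)
                     privateKeys[key.sshType()] = key
                 else:
                     raise
             except Exception as e:
                 # These are private key files; the message said "public",
                 # which misleads whoever reads the log.
                 self._log.error(
                     "bad private key file {filename}: {error}",
                     filename=filename,
                     error=e,
                 )
             else:
                 privateKeys[key.sshType()] = key
     return privateKeys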
def _shadowGetByName(username):
    """
    Fetch the shadow password database entry for C{username}.

    The lookup goes through C{spwd.getspnam}, called via
    L{runAsEffectiveUser} with effective uid and gid 0.

    @param username: the username of the user to return the shadow database
        information for.
    @type username: L{str}

    @return: the result of C{spwd.getspnam}, or L{None} when the C{spwd}
        module is not available.
    """
    if spwd is None:
        return None
    return runAsEffectiveUser(0, 0, spwd.getspnam, username)
Example #18
def _shadowGetByName(username):
    """
    Fetch the shadow password database entry for C{username}.

    The lookup goes through C{spwd.getspnam}, called via
    L{runAsEffectiveUser} with effective uid and gid 0.

    @param username: the username of the user to return the shadow database
        information for.
    @type username: L{str}

    @return: the result of C{spwd.getspnam}, or L{None} when the C{spwd}
        module is not available.
    """
    if spwd is None:
        return None
    return runAsEffectiveUser(0, 0, spwd.getspnam, username)
Example #19
def _shadowGetByName(username):
    """
    Fetch the shadow password database entry for C{username}.

    C{spwd.getspnam} is used when the C{spwd} module is available,
    otherwise C{shadow.getspnam}.  The lookup is called via
    L{runAsEffectiveUser} with effective uid and gid 0.

    @param username: the username of the user to return the shadow database
        information for.

    @return: the result of the C{getspnam} call, or C{None} when neither
        module is available.
    """
    if spwd is None:
        if shadow is None:
            return None
        lookup = shadow.getspnam
    else:
        lookup = spwd.getspnam
    return runAsEffectiveUser(0, 0, lookup, username)
Example #20
def _shadowGetByName(username):
    """
    Fetch the shadow password database entry for C{username}.

    C{spwd.getspnam} is used when the C{spwd} module is available,
    otherwise C{shadow.getspnam}.  The lookup is called via
    L{runAsEffectiveUser} with effective uid and gid 0.

    @param username: the username of the user to return the shadow database
        information for.

    @return: the result of the C{getspnam} call, or C{None} when neither
        module is available.
    """
    if spwd is None:
        if shadow is None:
            return None
        lookup = shadow.getspnam
    else:
        lookup = spwd.getspnam
    return runAsEffectiveUser(0, 0, lookup, username)
Example #21
 def getPrivateKeys(self):
     """
     Load the server's private host keys from C{self.dataRoot}.

     Files whose name starts with C{ssh_host_} and ends with C{_key} are
     read with C{keys.Key.fromFile}.  When a read fails with C{EACCES} the
     file is read again through L{runAsEffectiveUser} with effective uid
     and gid 0; any other C{IOError} propagates.  Other failures are logged
     and the file is skipped.

     @return: a C{dict} mapping each key's C{sshType()} to the key.
     """
     found = {}
     for entry in os.listdir(self.dataRoot):
         isHostKey = entry[:9] == 'ssh_host_' and entry[-4:] == '_key'
         if not isHostKey:
             continue
         keyPath = os.path.join(self.dataRoot, entry)
         try:
             key = keys.Key.fromFile(keyPath)
         except IOError as err:
             if err.errno != errno.EACCES:
                 raise
             # Not readable with the current effective IDs: retry as root.
             key = runAsEffectiveUser(0, 0, keys.Key.fromFile, keyPath)
             found[key.sshType()] = key
         except Exception as err:
             log.msg('bad private key file %s: %s' % (entry, err))
         else:
             found[key.sshType()] = key
     return found
Example #22
 def getPrivateKeys(self):
     """
     Return the server private keys.
     """
     privateKeys = {}
     for filename in os.listdir(self.dataRoot):
         if filename[:9] == 'ssh_host_' and filename[-4:]=='_key':
             fullPath = os.path.join(self.dataRoot, filename)
             try:
                 key = keys.Key.fromFile(fullPath)
             except IOError, e:
                 if e.errno == errno.EACCES:
                     # Not allowed, let's switch to root
                     key = runAsEffectiveUser(0, 0, keys.Key.fromFile, fullPath)
                     keyType = keys.objectType(key.keyObject)
                     privateKeys[keyType] = key
                 else:
                     raise
             except Exception, e:
                 log.msg('bad private key file %s: %s' % (filename, e))
             else:
                 keyType = keys.objectType(key.keyObject)
                 privateKeys[keyType] = key