def _testUIDGIDSwitch(
    self,
    startUID,
    startGID,
    wantUID,
    wantGID,
    expectedUIDSwitches,
    expectedGIDSwitches,
):
    """
    Run L{util.runAsEffectiveUser} once against the fake C{os} and verify the
    C{os.seteuid} / C{os.setegid} calls it made.

    The fake starts out as (startUID, startGID) and is asked to run
    C{self._securedFunction} as (wantUID, wantGID). Afterwards the recorded
    seteuid and setegid call lists must equal expectedUIDSwitches and
    expectedGIDSwitches. The recorders are cleared at the end so a single test
    can call this helper several times.
    """
    fakeOS = self.mockos
    fakeOS.euid, fakeOS.egid = startUID, startGID
    # The start/want values are forwarded to _securedFunction as well,
    # presumably so it can check the identity it actually ran under.
    securedArgs = (startUID, startGID, wantUID, wantGID)
    util.runAsEffectiveUser(wantUID, wantGID, self._securedFunction, *securedArgs)
    self.assertEqual(fakeOS.seteuidCalls, expectedUIDSwitches)
    self.assertEqual(fakeOS.setegidCalls, expectedGIDSwitches)
    # Reset the recorders for the next invocation.
    fakeOS.seteuidCalls, fakeOS.setegidCalls = [], []
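def _testUIDGIDSwitch(self, startUID, startGID, wantUID, wantGID,
                      expectedUIDSwitches, expectedGIDSwitches):
    """
    Run L{util.runAsEffectiveUser} once against the fake C{os} and verify the
    C{os.seteuid} / C{os.setegid} calls it made.

    The fake starts out as (startUID, startGID) and is asked to run
    C{self._securedFunction} as (wantUID, wantGID). Afterwards the recorded
    seteuid and setegid call lists must equal expectedUIDSwitches and
    expectedGIDSwitches. The recorders are cleared at the end so a single test
    can call this helper several times.
    """
    fakeOS = self.mockos
    fakeOS.euid = startUID
    fakeOS.egid = startGID
    # The start/want values are forwarded to _securedFunction as well,
    # presumably so it can check the identity it actually ran under.
    util.runAsEffectiveUser(wantUID, wantGID, self._securedFunction,
                            startUID, startGID, wantUID, wantGID)
    # assertEqual rather than the deprecated assertEquals alias.
    self.assertEqual(fakeOS.seteuidCalls, expectedUIDSwitches)
    self.assertEqual(fakeOS.setegidCalls, expectedGIDSwitches)
    # Reset the recorders for the next invocation.
    fakeOS.seteuidCalls = []
    fakeOS.setegidCalls = []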
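def checkKey(self, credentials):
    """
    Check whether the public key blob in C{credentials} appears in the user's
    C{~<username>/.ssh/authorized_keys2} or C{authorized_keys}.

    Each file is opened as our own effective identity first; if that fails
    with C{EACCES} it is re-opened while temporarily running as the user's own
    uid/gid via L{runAsEffectiveUser}. Only the second whitespace-separated
    field of each line is base64-decoded and compared with C{credentials.blob},
    so a line whose key is preceded by options will not match. Lines with
    fewer than two fields, or whose field does not decode, are skipped.

    @return: C{True} if a matching key is found, C{False} otherwise (including
        when the user's home directory cannot be expanded).
    """
    sshDir = os.path.expanduser(os.path.join("~", credentials.username, ".ssh"))
    if sshDir.startswith('~'):
        # expanduser left the path untouched: the user's home is unknown.
        return False
    ouid, ogid = pwd.getpwnam(credentials.username)[2:4]
    for name in ['authorized_keys2', 'authorized_keys']:
        filename = os.path.join(sshDir, name)
        if not os.path.exists(filename):
            continue
        try:
            lines = open(filename)
        except IOError as e:
            if e.errno != errno.EACCES:
                raise
            # Unreadable as ourselves: open it as the file's owner instead.
            lines = runAsEffectiveUser(ouid, ogid, open, filename)
        # Close the handle explicitly (it may have been opened under a
        # different effective identity) rather than relying on collection.
        with lines:
            for line in lines:
                fields = line.split()
                if len(fields) < 2:
                    continue
                try:
                    if base64.decodestring(fields[1]) == credentials.blob:
                        return True
                except binascii.Error:
                    continue
    return False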
def test_takeParameters(self):
    """
    L{util.runAsEffectiveUser} passes the positional arguments that follow
    the callable on to that callable.
    """
    def double(value):
        return 2 * value

    self.assertEqual(util.runAsEffectiveUser(0, 0, double, 3), 6)
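def getPrivateKeys(self):
    """
    Load the server host private keys found in C{self.dataRoot}.

    Every file named C{ssh_host_*_key} is parsed with C{keys.Key.fromFile}.
    A file that is unreadable (C{EACCES}) as the current effective user is
    re-read while temporarily running as root via L{runAsEffectiveUser}; an
    error raised during that privileged re-read is not caught here and
    propagates to the caller. Any other failure to load a file is logged with
    the file name and the file is skipped.

    @return: a C{dict} mapping key type (C{keys.objectType}) to the loaded
        C{keys.Key}.
    """
    from twisted.python import log
    from twisted.python.util import runAsEffectiveUser
    from twisted.conch.ssh import keys
    import os, errno

    privateKeys = {}
    for filename in os.listdir(self.dataRoot):
        if not (filename.startswith('ssh_host_') and filename.endswith('_key')):
            continue
        fullPath = os.path.join(self.dataRoot, filename)
        try:
            key = keys.Key.fromFile(fullPath)
        except IOError as e:
            if e.errno != errno.EACCES:
                raise
            # Not allowed as ourselves: read the key file as root.
            key = runAsEffectiveUser(0, 0, keys.Key.fromFile, fullPath)
            privateKeys[keys.objectType(key.keyObject)] = key
            continue
        except Exception as e:
            # Best-effort: one corrupt or unsupported key file must not stop
            # the remaining host keys from loading.
            log.msg('bad private key file %s: %s' % (filename, e))
            continue
        if key:
            # Truthiness guard kept from the original; fromFile is assumed to
            # return a Key or None here -- confirm.
            privateKeys[keys.objectType(key.keyObject)] = key
    return privateKeys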
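def checkKey(self, credentials):
    """
    Check whether the public key blob in C{credentials} appears in one of the
    user's authorized-keys files.

    Each existing path from C{getAuthorizedKeysFiles} is opened as our own
    effective identity; if that fails with C{EACCES} it is re-opened while
    temporarily running as the user's own uid/gid via L{runAsEffectiveUser}.
    Only the second whitespace-separated field of each line is base64-decoded
    and compared with C{credentials.blob}, so a line whose key is preceded by
    options will not match. Lines with fewer than two fields, or whose field
    does not decode, are skipped.

    @return: C{True} if a matching key is found, C{False} otherwise.
    """
    ouid, ogid = self._userdb.getpwnam(credentials.username)[2:4]
    for filepath in self.getAuthorizedKeysFiles(credentials):
        if not filepath.exists():
            continue
        try:
            lines = filepath.open()
        except IOError as e:
            if e.errno != errno.EACCES:
                raise
            # Unreadable as ourselves: open it as the file's owner instead.
            lines = runAsEffectiveUser(ouid, ogid, filepath.open)
        # Close the handle explicitly (it may have been opened under a
        # different effective identity) rather than relying on collection.
        with lines:
            for line in lines:
                fields = line.split()
                if len(fields) < 2:
                    continue
                try:
                    if base64.decodestring(fields[1]) == credentials.blob:
                        return True
                except binascii.Error:
                    continue
    return False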
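def test_takeParameters(self):
    """
    L{util.runAsEffectiveUser} passes the positional arguments that follow
    the callable on to that callable.
    """
    result = util.runAsEffectiveUser(0, 0, lambda x: 2 * x, 3)
    # assertEqual rather than the deprecated assertEquals alias.
    self.assertEqual(result, 6)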
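def test_takesKeyworkArguments(self):
    """
    L{util.runAsEffectiveUser} passes keyword arguments on to the given
    function. (The method name keeps its historical spelling so that test
    discovery and any references to it are unaffected.)
    """
    result = util.runAsEffectiveUser(0, 0, lambda x, y=1, z=1: x * y * z, 2, z=3)
    # assertEqual rather than the deprecated assertEquals alias.
    self.assertEqual(result, 6)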
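def test_forwardResult(self):
    """
    L{util.runAsEffectiveUser} returns whatever the given function returned.
    """
    result = util.runAsEffectiveUser(0, 0, lambda: 1)
    # assertEqual rather than the deprecated assertEquals alias.
    self.assertEqual(result, 1)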
def checkKey(self, credentials):
    """
    Look for the public key presented in C{credentials} in that user's
    authorized-keys files.

    Each existing path from C{getAuthorizedKeysFiles} is opened; when opening
    fails with C{EACCES} it is retried while running as the user's own uid/gid
    via L{runAsEffectiveUser}. Only the second whitespace-separated field of a
    line is base64-decoded and compared with C{credentials.blob}; shorter
    lines and fields that do not decode are ignored.

    @return: C{True} on the first matching key, otherwise C{False}.
    """
    ouid, ogid = self._userdb.getpwnam(credentials.username)[2:4]
    for keyFile in self.getAuthorizedKeysFiles(credentials):
        if not keyFile.exists():
            continue
        try:
            handle = keyFile.open()
        except IOError as err:
            if err.errno != errno.EACCES:
                raise
            # Unreadable as ourselves: open it as the file's owner instead.
            handle = runAsEffectiveUser(ouid, ogid, keyFile.open)
        with handle:
            for line in handle:
                fields = line.split()
                if len(fields) < 2:
                    continue
                try:
                    candidate = _b64decodebytes(fields[1])
                except binascii.Error:
                    continue
                if candidate == credentials.blob:
                    return True
    return False
def test_forwardResult(self):
    """
    The value returned by the wrapped callable is handed back unchanged by
    L{util.runAsEffectiveUser}.
    """
    def constant():
        return 1

    self.assertEqual(util.runAsEffectiveUser(0, 0, constant), 1)
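def getPrivateKeys(self):
    """
    Load the server host private keys found in C{self.dataRoot}.

    Every file named C{ssh_host_*_key} is parsed with C{keys.Key.fromFile}.
    A file that is unreadable (C{EACCES}) as the current effective user is
    re-read while temporarily running as root via L{runAsEffectiveUser}; an
    error raised during that privileged re-read is not caught here and
    propagates to the caller. Any other failure to load a file is logged with
    the file name and the file is skipped.

    @return: a C{dict} mapping key type (C{keys.objectType}) to the loaded
        C{keys.Key}.
    """
    from twisted.python import log
    from twisted.python.util import runAsEffectiveUser
    from twisted.conch.ssh import keys
    import os, errno

    privateKeys = {}
    for filename in os.listdir(self.dataRoot):
        if filename[:9] != 'ssh_host_' or filename[-4:] != '_key':
            continue
        fullPath = os.path.join(self.dataRoot, filename)
        try:
            key = keys.Key.fromFile(fullPath)
        except IOError as e:
            if e.errno != errno.EACCES:
                raise
            # Not allowed as ourselves: read the key file as root.
            key = runAsEffectiveUser(0, 0, keys.Key.fromFile, fullPath)
            privateKeys[keys.objectType(key.keyObject)] = key
            continue
        except Exception as e:
            # Best-effort: one corrupt or unsupported key file must not stop
            # the remaining host keys from loading.
            log.msg('bad private key file %s: %s' % (filename, e))
            continue
        if key:
            # Truthiness guard kept from the original; fromFile is assumed to
            # return a Key or None here -- confirm.
            privateKeys[keys.objectType(key.keyObject)] = key
    return privateKeys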
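def checkKey(self, credentials):
    """
    Check whether the public key blob in C{credentials} appears in one of the
    user's authorized-keys files.

    Each existing path from C{getAuthorizedKeysFiles} is opened as our own
    effective identity; if that fails with C{EACCES} it is re-opened while
    temporarily running as the user's own uid/gid via L{runAsEffectiveUser}.
    Only the second whitespace-separated field of each line is base64-decoded
    and compared with C{credentials.blob}, so a line whose key is preceded by
    options will not match. Lines with fewer than two fields, or whose field
    does not decode, are skipped.

    @return: C{True} if a matching key is found, C{False} otherwise.
    """
    ouid, ogid = pwd.getpwnam(credentials.username)[2:4]
    for filepath in self.getAuthorizedKeysFiles(credentials):
        if not filepath.exists():
            continue
        try:
            lines = filepath.open()
        except IOError as e:
            if e.errno != errno.EACCES:
                raise
            # Unreadable as ourselves: open it as the file's owner instead.
            lines = runAsEffectiveUser(ouid, ogid, filepath.open)
        # Close the handle explicitly (it may have been opened under a
        # different effective identity) rather than relying on collection.
        with lines:
            for line in lines:
                fields = line.split()
                if len(fields) < 2:
                    continue
                try:
                    if base64.decodestring(fields[1]) == credentials.blob:
                        return True
                except binascii.Error:
                    continue
    return False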
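def getPrivateKeys(self):
    """
    Return the server host private keys found in C{self.dataRoot}.

    Every file named C{ssh_host_*_key} is parsed with C{keys.Key.fromFile}
    and stored under its C{sshType()}. A file that is unreadable (C{EACCES})
    as the current effective user is re-read while temporarily running as
    root via L{runAsEffectiveUser}; an error raised during that privileged
    re-read is not caught here and propagates. Any other failure to load a
    file is logged together with the file name and the file is skipped.

    @return: a C{dict} mapping SSH key type to the loaded C{keys.Key}.
    """
    privateKeys = {}
    for filename in os.listdir(self.dataRoot):
        if not (filename.startswith("ssh_host_") and filename.endswith("_key")):
            continue
        fullPath = os.path.join(self.dataRoot, filename)
        try:
            key = keys.Key.fromFile(fullPath)
        except OSError as e:
            if e.errno != errno.EACCES:
                raise
            # Not allowed as ourselves: read the key file as root.
            key = runAsEffectiveUser(0, 0, keys.Key.fromFile, fullPath)
        except Exception as e:
            # Best-effort: one corrupt key file must not prevent the others
            # from loading. The original message said "public key file
            # (unknown)" and never used the filename it was given; these are
            # private key files, and the name is what an operator needs.
            self._log.error(
                "bad private key file {filename}: {error}",
                filename=filename,
                error=e,
            )
            continue
        privateKeys[key.sshType()] = key
    return privateKeys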
def _shadowGetByName(username):
    """
    Fetch the /etc/shadow entry for C{username} through C{spwd.getspnam}.

    The lookup runs while temporarily acting as root via
    L{runAsEffectiveUser}, since the shadow database is normally readable by
    root only. Returns L{None} when the C{spwd} module is unavailable.

    @param username: the username whose shadow entry is wanted.
    @type username: L{str}
    """
    if spwd is None:
        return None
    return runAsEffectiveUser(0, 0, spwd.getspnam, username)
def _shadowGetByName(username):
    """
    Fetch the /etc/shadow entry for C{username}, using the C{spwd} module if
    present and otherwise the C{shadow} module.

    The lookup runs while temporarily acting as root via
    L{runAsEffectiveUser}, since the shadow database is normally readable by
    root only. Returns None when neither module is available.

    @param username: the username whose shadow entry is wanted.
    """
    # spwd is preferred; shadow is only consulted when spwd is missing.
    for module in (spwd, shadow):
        if module is not None:
            return runAsEffectiveUser(0, 0, module.getspnam, username)
    return None
def getPrivateKeys(self):
    """
    Return the server host private keys found in C{self.dataRoot}.

    Every file named C{ssh_host_*_key} is parsed with C{keys.Key.fromFile}
    and stored under its C{sshType()}. A file that is unreadable (C{EACCES})
    as the current effective user is re-read while temporarily running as
    root via L{runAsEffectiveUser}; an error raised during that privileged
    re-read is not caught here and propagates. Any other failure to load a
    file is logged with the file name and the file is skipped.

    @return: a C{dict} mapping SSH key type to the loaded C{keys.Key}.
    """
    privateKeys = {}
    for filename in os.listdir(self.dataRoot):
        if filename[:9] != 'ssh_host_' or filename[-4:] != '_key':
            continue
        fullPath = os.path.join(self.dataRoot, filename)
        try:
            key = keys.Key.fromFile(fullPath)
        except IOError as e:
            if e.errno != errno.EACCES:
                raise
            # Not allowed as ourselves: read the key file as root.
            key = runAsEffectiveUser(0, 0, keys.Key.fromFile, fullPath)
        except Exception as e:
            # Best-effort: one corrupt key file must not prevent the others
            # from loading.
            log.msg('bad private key file %s: %s' % (filename, e))
            continue
        privateKeys[key.sshType()] = key
    return privateKeys
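def getPrivateKeys(self):
    """
    Return the server host private keys found in C{self.dataRoot}.

    Every file named C{ssh_host_*_key} is parsed with C{keys.Key.fromFile}
    and stored under its type (C{keys.objectType}). A file that is unreadable
    (C{EACCES}) as the current effective user is re-read while temporarily
    running as root via L{runAsEffectiveUser}; an error raised during that
    privileged re-read is not caught here and propagates. Any other failure
    to load a file is logged with the file name and the file is skipped.

    @return: a C{dict} mapping key type to the loaded C{keys.Key}.
    """
    privateKeys = {}
    for filename in os.listdir(self.dataRoot):
        if not (filename.startswith('ssh_host_') and filename.endswith('_key')):
            continue
        fullPath = os.path.join(self.dataRoot, filename)
        try:
            key = keys.Key.fromFile(fullPath)
        except IOError as e:
            if e.errno != errno.EACCES:
                raise
            # Not allowed as ourselves: read the key file as root.
            key = runAsEffectiveUser(0, 0, keys.Key.fromFile, fullPath)
        except Exception as e:
            # Best-effort: one corrupt key file must not prevent the others
            # from loading.
            log.msg('bad private key file %s: %s' % (filename, e))
            continue
        privateKeys[keys.objectType(key.keyObject)] = key
    # The collected mapping is the whole point of the call; return it.
    return privateKeys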