def _update_superuser(username, directory='/root', shell='/sbin/nologin', crypt=None, uid=None, gid=None): if crypt is None: crypt = '' if uid is None: uid = 0 users = PasswdFile() users.load() groups = GroupFile() groups.load() if username not in groups: group = GroupEntry() group.group(username) group.crypt("*") if gid is None: gid = users.new_uid() while gid in groups: gid = users.new_uid(gid) group.gid(gid) group.user_list((username, )) groups[username] = group groups.save() gid = groups[username].gid() if username in users: user = users[username] else: user = PasswdEntry() user.crypt(crypt) user.gid(gid) user.uid(uid) user.user(username) user.shell(shell) user.directory(directory) if crypt: user.crypt(crypt) users[username] = user users.save() user = users[username] if user.gid() != gid: user.gid(gid) users[user.user()] = user users.save() return
def _update_superuser(username, directory="/root", shell="/sbin/nologin", crypt=None, uid=None, gid=None): if crypt is None: crypt = "" if uid is None: uid = 0 users = PasswdFile() users.load() groups = GroupFile() groups.load() if username not in groups: group = GroupEntry() group.group(username) group.crypt("*") if gid is None: gid = users.new_uid() while gid in groups: gid = users.new_uid(gid) group.gid(gid) group.user_list((username,)) groups[username] = group groups.save() gid = groups[username].gid() if username in users: user = users[username] else: user = PasswdEntry() user.crypt(crypt) user.gid(gid) user.uid(uid) user.user(username) user.shell(shell) user.directory(directory) if crypt: user.crypt(crypt) users[username] = user users.save() user = users[username] if user.gid() != gid: user.gid(gid) users[user.user()] = user users.save() return
def __synchronize_system(self, usernode, currentname=None, validate=True): system_users = PasswdFile() system_shadow = ShadowFile() system_groups = GroupFile() userchange = False shadowchange = False groupchange = False group_is_private = False system_users.load() system_shadow.load() system_groups.load() flag = 0 #flag will be used to check if system admin is #being demoted. bug CSCth82465 #if system admin is being demoted, #it's entry will be removed and added again if usernode and usernode.name in system_users: userentry = system_users[usernode.name] #user is a system administrator, but not mpxadmin, #and it's current role is not mpxadmin #i.e. a system administrator other than mpxadmin is being demoted if userentry.user_type() == 'mpxadmin' \ and usernode.name != 'mpxadmin' \ and self.role_manager.administrator.name not in usernode.roles: flag = 1 if usernode is None or flag: # If no usernode is provided, the user with name 'currentname' is # being removed. if flag: currentname = usernode.name if currentname is None: raise ValueError('Name must be provided when removing user.') userentry = system_users[currentname] # Loop through all groups to which user belongs, removing user. groups = userentry.groups(system_groups) for groupentry in groups: users = groupentry.user_list() # User is not in user list of private group, so only # groups in to which user *also* belongs are modified. if currentname in users: users.remove(currentname) groupentry.user_list(users) groupchange = True message = 'removed user "%s" from group "%s".' self.output_message(message % (currentname, groupentry.group())) # If a private group was associated with the user--a group # whose name is the same as the user name and whose member # list contains no entries--find and remove it to keep clean. if currentname in system_groups: groupentry = system_groups[currentname] if len(groupentry.user_list()) == 0: # Private group for user entry, remove it. del (system_groups[currentname]) groupchange = True self.output_message('removed private group "%s".' % currentname) # Finally, delete user itself. del (system_users[userentry.user()]) userchange = True # delete user details from /etc/shadow del (system_shadow[userentry.user()]) shadowchange = True self.output_message('removed user "%s" from system.' % currentname) #delete user from the cache as_node('/services/User Manager').remove_user(currentname) if usernode: username = usernode.name # Name may be being changed. Node reference always has correct # name, where 'currentname' is the previous name if the name # is in fact being changed. Rename child operations take # advantage of this. if currentname is None: currentname = username if currentname in system_users: # User already exists, must be being updated. fd = open("/etc/group", "r") userentry = system_users[currentname] userid = userentry.uid() groupid = userentry.gid() flag = 1 for line in fd.readlines(): if re.search(str(groupid), line, re.IGNORECASE) != None: flag = 0 break if flag: cmd = "addgroup -g " cmd += str(groupid) cmd += " " cmd += currentname os.system(cmd) flag = 0 groupentry = system_groups[groupid] shadowentry = system_shadow[currentname] else: # User is completely new and user and private group # must be created. userid = system_users.new_uid() while userid in system_groups: userid = system_users.new_uid(userid) else: groupid = userid userentry = PasswdEntry() groupentry = GroupEntry() shadowentry = ShadowEntry() message = 'creating user "%s" and group "%s".' self.output_message(message % (username, username)) # A private group has the same name as the associated # user account. group_is_private = False if groupentry.group() == userentry.user(): group_is_private = True # If username has changed: change entry and flag. if userentry.user() != username: groups = [] if userentry.user() is not None: # New users cause exception when doing # group lookup before name is set. groups = userentry.groups(system_groups) currentname = userentry.user() userentry.user(username, validate) userchange = True shadowentry.user(username, validate) shadowchange = True message = 'changed user name from "%s" to "%s".' self.output_message(message % (currentname, username)) # Modify groups to which user belongs to reflect updated name. for group in groups: users = group.user_list() if currentname in users and username not in users: users[users.index(currentname)] = username group.user_list(users) groupchange = True message = 'changed user "%s" in group "%s" to "%s".' self.output_message( message % (currentname, group.group(), username)) # If group is only for this user and group name isn't username, # change and flag. if group_is_private and groupentry.group() != username: currentgroup = groupentry.group() groupentry.group(username) groupchange = True message = 'changed group name from "%s" to "%s".' self.output_message(message % (currentgroup, username)) # Change user-entry's password if doesn't match user node's. password = usernode.password if len(password ) and not shadowentry.password_matches_crypt(password): shadowentry.user(username, validate) shadowentry.passwd(password, validate) userentry.passwd('x', False) shadowentry.lstchg() shadowchange = True userchange = True self.output_message('changed password for user "%s".' % username) # Set user-entry UID to calulated UID (used for new entries). if not userentry.uid() == userid: currentuid = userentry.uid() userentry.uid(userid) userchange = True message = 'changed UID for user "%s" from %s to %s.' self.output_message(message % (username, currentuid, userid)) # Set user-entry GID to calculated GID (used for new entries). if userentry.gid() != groupid: currentgid = userentry.gid() userentry.gid(groupid) userchange = True message = 'changed GID for user "%s" from %s to %s.' self.output_message(message % (username, currentgid, groupid)) if not userentry.gecos(): currentgecos = userentry.gecos() userentry.gecos('ROLE=user') userchange = True message = 'changed gecos for user "%s" from %s to %s.' self.output_message(message % (username, currentgecos, 'ROLE=user')) # Set group-entry GID to calculated GID (should match whether private or not). if groupentry.gid() != groupid: currentgid = groupentry.gid() groupentry.gid(groupid) groupchange = True message = 'changed GID for group "%s" from %s to %s.' self.output_message(message % (groupentry.group(), currentgid, groupid)) if userchange: # Passwd file changed, set user into user dicationary # in case user was newly created, and save back file. system_users[userentry.user()] = userentry system_users.save() userchange = False as_node('/services/User Manager').remove_user(usernode.name) if shadowchange: # /etc/shadow file changed, set user into user dicationary # in case user was newly created, and save back file. system_shadow[shadowentry.user()] = shadowentry system_shadow.save() shadowchange = False if groupchange: # Group file changed, set user into groups dicationary # in case group was newly created, and save back file. system_groups[groupentry.group()] = groupentry system_groups.save() groupchange = False roles = usernode.roles[:] if self.role_manager.administrator.name in roles: if userentry.user_type() != 'mpxadmin': userchange = True shadowchange = True groupchange = True userentry.user_type('mpxadmin', system_users, system_groups) self.output_message( 'made user "%s" into "mpxadmin" type.' % username) if username in system_groups: group = system_groups[username] if userentry.gid() != group.gid(): users = group.user_list() if len(users) == 0: del (system_groups[username]) groupchange = True message = 'removed group "%s". ' % username message += 'Group no longer referenced.' else: message = 'not removing group "%s". ' % username message += 'Still has users %s.' % (users, ) self.output_message(message) elif userentry.user_type() == 'mpxadmin': message = 'System Administrator cannot be demoted. ' message += 'User "%s" must be removed in order to demote.' raise TypeError(message % username) if userchange: system_users.save() userchange = False username = usernode.name if usernode else currentname as_node('/services/User Manager').remove_user(username) if shadowchange: system_shadow.save() shadowchange = False if groupchange: system_groups.save() userchange = False return (userchange or groupchange or shadowchange)
def _update_mpxadmin_user(self): # # Ensure the mpxadmin group exists. # passwd = PasswdFile() passwd.load() group = GroupFile() group.load() self.options.normal_message("Checking for mpxadmin group.") if "mpxadmin" not in group: self.options.normal_message("No mpxadmin group, adding.") mpxadmin = GroupEntry() mpxadmin.group("mpxadmin") mpxadmin.crypt("*") mpxadmin.gid(int(MPX_GID)) mpxadmin.user_list((mpxadmin.group(), )) group[mpxadmin.group()] = mpxadmin group.save() self.options.normal_message("Added mpxadmin group(%d) in %s.", mpxadmin.gid(), group._file) else: self.options.normal_message("mpxadmin group already exists.") if int(MPX_GID): # Installing as regular user, presumably in penvironment.d, add # the required "root" group. self.options.normal_message("Checking for root group.") if "root" not in group: self.options.normal_message("No root group, adding.") root = GroupEntry() root.group("root") root.crypt("*") root.gid(int(MPX_GID)) root.user_list((root.group(), )) group[root.group()] = root group.save() self.options.normal_message("Added root group(%d) in %s.", root.gid(), group._file) else: self.options.normal_message("root group already exists.") # # Ensure the mpxadmin user exists. # self.options.normal_message("Checking for mpxadmin user.") #if "mpxadmin" not in passwd: # if there is no mpxadmin type user, create a default if len(filter(lambda pw: pw.user_type() == 'mpxadmin', passwd)) == 0: self.options.normal_message( "No mpxadmin user, checking for mpxadmin group.") gid = group["mpxadmin"].gid() # @fixme This is not pretty, but it will work for now. # A new UID would be uid = passwd.new_uid(gid-1) uid = int(MPX_UID) # Hijacking root for superuser privelidges... mpxadmin = PasswdEntry() mpxadmin.user("mpxadmin") mpxadmin.directory(passwd.default_home(mpxadmin.user())) mpxadmin.crypt(_crypted_password("mpxadmin", "mpxadmin")) mpxadmin.uid(uid) mpxadmin.gid(gid) # @fixme Formalize the Mediator concept of meta-data associated # with users. Also consider moving the meta-data out of # /etc/passwd and into a PDO... # META-DATA: # AKA: Allows us to track renames of key users (pppuser, # mpxadmin, webdev, ...) # CSIK: Configuration Service Initial Key (used to calculate # "classic" Configuration Service Security Keys. mpxadmin.gecos("AKA=mpxadmin,CSIK=%s,ROLE=administrator" % (_csiked_password("mpxadmin"), )) mpxadmin.shell("/bin/bash") passwd[mpxadmin.user()] = mpxadmin passwd.save() self.options.normal_message("Added mpxadmin user(%d.%d) in %s.", mpxadmin.uid(), mpxadmin.gid(), passwd._file) # Create and update the mpxadmin user. self._force_target_directory(mpxadmin.directory()) self.cwd.pushd(mpxadmin.directory()) passwd = PasswdFile() passwd.load() group = GroupFile() group.load() os.system("chmod -R ug+Xrw .", **self._fatal_keywords()) chown(".", "mpxadmin", "mpxadmin", recurse=1, ignore_errors=1) self.cwd.popd() else: self.options.normal_message("mpxadmin user already exists.") # # Ensure mpxadmin is a member of the root group. # group = GroupFile() group.load() root = group["root"] user_list = root.user_list() if "mpxadmin" not in user_list: self.options.normal_message( "Adding mpxadmin user to the root group.") user_list.append("mpxadmin") root.user_list(user_list) group["root"] = root group.save() return
def _update_webdev_user(self): passwd = PasswdFile() passwd.load() group = GroupFile() group.load() if "webdev" not in passwd: if "webdev" not in group: next_id = passwd.new_uid() while next_id in group: next_id = passwd.new_uid(next_id) webdev = GroupEntry() webdev.group("webdev") webdev.crypt("*") webdev.gid(next_id) webdev.user_list((webdev.group(),)) group[webdev.group()] = webdev group.save() gid = group["webdev"].gid() uid = passwd.new_uid(gid-1) while uid in passwd: uid = passwd.new_uid(uid) webdev = PasswdEntry() webdev.user(user="******", validate=False) webdev.crypt(_crypted_password("webdev", "webdev")) webdev.uid(uid) webdev.gid(gid) webdev.gecos("AKA=webdev") webdev.directory(properties.WWW_ROOT) webdev.shell(os.path.join(properties.ETC_DIR,"ftponly")) passwd[webdev.user()] = webdev passwd.save() return
def _update_mpxadmin_user(self): # # Ensure the mpxadmin group exists. # passwd = PasswdFile() passwd.load() group = GroupFile() group.load() self.options.normal_message("Checking for mpxadmin group.") if "mpxadmin" not in group: self.options.normal_message("No mpxadmin group, adding.") mpxadmin = GroupEntry() mpxadmin.group("mpxadmin") mpxadmin.crypt("*") mpxadmin.gid(int(MPX_GID)) mpxadmin.user_list((mpxadmin.group(),)) group[mpxadmin.group()] = mpxadmin group.save() self.options.normal_message("Added mpxadmin group(%d) in %s.", mpxadmin.gid(), group._file) else: self.options.normal_message("mpxadmin group already exists.") if int(MPX_GID): # Installing as regular user, presumably in penvironment.d, add # the required "root" group. self.options.normal_message("Checking for root group.") if "root" not in group: self.options.normal_message("No root group, adding.") root = GroupEntry() root.group("root") root.crypt("*") root.gid(int(MPX_GID)) root.user_list((root.group(),)) group[root.group()] = root group.save() self.options.normal_message("Added root group(%d) in %s.", root.gid(), group._file) else: self.options.normal_message("root group already exists.") # # Ensure the mpxadmin user exists. # self.options.normal_message("Checking for mpxadmin user.") # if "mpxadmin" not in passwd: # if there is no mpxadmin type user, create a default if len(filter(lambda pw: pw.user_type() == "mpxadmin", passwd)) == 0: self.options.normal_message("No mpxadmin user, checking for mpxadmin group.") gid = group["mpxadmin"].gid() # @fixme This is not pretty, but it will work for now. # A new UID would be uid = passwd.new_uid(gid-1) uid = int(MPX_UID) # Hijacking root for superuser privelidges... mpxadmin = PasswdEntry() mpxadmin.user("mpxadmin") mpxadmin.directory(passwd.default_home(mpxadmin.user())) mpxadmin.crypt(_crypted_password("mpxadmin", "mpxadmin")) mpxadmin.uid(uid) mpxadmin.gid(gid) # @fixme Formalize the Mediator concept of meta-data associated # with users. Also consider moving the meta-data out of # /etc/passwd and into a PDO... # META-DATA: # AKA: Allows us to track renames of key users (pppuser, # mpxadmin, webdev, ...) # CSIK: Configuration Service Initial Key (used to calculate # "classic" Configuration Service Security Keys. mpxadmin.gecos("AKA=mpxadmin,CSIK=%s,ROLE=administrator" % (_csiked_password("mpxadmin"),)) mpxadmin.shell("/bin/bash") passwd[mpxadmin.user()] = mpxadmin passwd.save() self.options.normal_message( "Added mpxadmin user(%d.%d) in %s.", mpxadmin.uid(), mpxadmin.gid(), passwd._file ) # Create and update the mpxadmin user. self._force_target_directory(mpxadmin.directory()) self.cwd.pushd(mpxadmin.directory()) passwd = PasswdFile() passwd.load() group = GroupFile() group.load() os.system("chmod -R ug+Xrw .", **self._fatal_keywords()) chown(".", "mpxadmin", "mpxadmin", recurse=1, ignore_errors=1) self.cwd.popd() else: self.options.normal_message("mpxadmin user already exists.") # # Ensure mpxadmin is a member of the root group. # group = GroupFile() group.load() root = group["root"] user_list = root.user_list() if "mpxadmin" not in user_list: self.options.normal_message("Adding mpxadmin user to the root group.") user_list.append("mpxadmin") root.user_list(user_list) group["root"] = root group.save() return