예제 #1
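    def open(self, argv, command_info):
        """Ask the invoking user why the command is run and record the answer.

        Two prompts are issued through ``sudo.conv``: a visible "Reason" and
        a masked "Secret reason". Both replies and the command line are
        appended to the file named by ``self._log_file_path()``.

        Returns ``sudo.RC.REJECT`` when ``sudo.ConversationInterrupted`` is
        raised; otherwise the method falls through and returns ``None``.
        Errors from opening or writing the log file are not caught here.
        """
        import os  # local import; the file's import block is not visible here

        try:
            conv_timeout = 120  # in seconds
            sudo.log_info("Please provide your reason "
                          "for executing {}".format(argv))

            # Two questions are asked. The second reply is masked on screen,
            # so a user who is being coerced into running the command can
            # leave a message that an onlooker cannot read.
            # ConvMessage arguments can be given in strict positional order
            # (timeout being optional) or as named arguments.
            message1 = sudo.ConvMessage(sudo.CONV.PROMPT_ECHO_ON, "Reason: ",
                                        conv_timeout)
            message2 = sudo.ConvMessage(msg="Secret reason: ",
                                        timeout=conv_timeout,
                                        msg_type=sudo.CONV.PROMPT_MASK)
            reply1, reply2 = sudo.conv(message1,
                                       message2,
                                       on_suspend=self.on_conversation_suspend,
                                       on_resume=self.on_conversation_resume)

            # The masked reply is stored in clear text, so a newly created
            # log gets owner-only permissions instead of whatever the process
            # umask allows. A file that already exists keeps its mode.
            # NOTE(review): _log_file_path() is defined outside this excerpt;
            # confirm it resolves to a directory unprivileged users cannot
            # write to.
            log_fd = os.open(self._log_file_path(),
                             os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
            with os.fdopen(log_fd, "a") as file:
                # NOTE(review): argv and both replies are written unescaped;
                # an embedded newline would start a new line in this log.
                print("Executed", ' '.join(argv), file=file)
                print("Reason:", reply1, file=file)
                print("Hidden reason:", reply2, file=file)

        except sudo.ConversationInterrupted:
            sudo.log_error("You did not answer in time")
            return sudo.RC.REJECT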
예제 #2
 def close(self, exit_status: int, error: int) -> None:
     """Report how the command ended.

     ``error == 0`` is logged as a normal return together with
     ``exit_status``. Any other value is logged as a failed execve along
     with its symbolic errno name ("???" when the number is not known).
     """
     if error != 0:
         symbolic = errno.errorcode.get(error, "???")
         failure = ("Failed to execute command, execve syscall returned "
                    "{} ({})".format(error, symbolic))
         sudo.log_error(failure)
         return

     sudo.log_info(
         "The command returned with exit_status {}".format(exit_status))
예제 #3
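    def list(self, argv: Tuple[str, ...], is_verbose: int, user: str):
        """Log whether a command is allowed and/or the full allow-list.

        Args:
            argv: Command line being asked about; only ``argv[0]`` is
                checked. May be empty.
            is_verbose: When truthy, the allow-list is logged even if a
                command was given.
            user: Target user; when non-empty it is mentioned in the output.

        Nothing is returned; the result is only written via
        ``sudo.log_info``.
        """
        cmd = argv[0] if argv else None
        as_user_text = "as user '{}'".format(user) if user else ""

        if cmd:
            allowed_text = "" if self._is_command_allowed(cmd) else "NOT "
            # The suffix used to be glued straight onto the closing quote
            # ("'ls'as user 'root'"); separate it with a space when present.
            as_user_suffix = " " + as_user_text if as_user_text else ""
            sudo.log_info("You are {}allowed to execute command '{}'{}"
                          .format(allowed_text, cmd, as_user_suffix))

        # Without a command, or in verbose mode, show the whole allow-list.
        if not cmd or is_verbose:
            sudo.log_info("Only the following commands are allowed:",
                          ", ".join(self._allowed_commands), as_user_text)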
예제 #4
    def check(self, command_info: tuple, run_argv: tuple,
              run_env: tuple) -> int:
        """Reject the request on weekends and outside hours 8 through 17.

        The decision uses ``datetime.now()``, i.e. the local clock of the
        machine evaluating the plugin. Hours 8..17 inclusive pass, so any
        time up to 17:59 is accepted. When both conditions apply, the
        business-hours message is the one reported.

        Raises:
            sudo.PluginReject: with the message that was logged.

        NOTE(review): the signature is annotated ``-> int`` but the allowed
        path returns ``None``; confirm the caller treats that as approval.
        """
        current = datetime.now()
        on_weekend = current.weekday() >= 5
        within_hours = 8 <= current.hour <= 17

        if not within_hours:
            reason = "That is not allowed outside the business hours!"
        elif on_weekend:
            reason = "That is not allowed on the weekend!"
        else:
            return

        sudo.log_info(reason)
        raise sudo.PluginReject(reason)
예제 #5
 def __init__(self, plugin_options, **kwargs):
     """Replace ``sys.path`` with the single entry from the "Path" option.

     The previous and the new ``sys.path`` are both logged. After this
     runs, the list holds only the value taken from the plugin options.

     NOTE(review): if the "Path" option is missing, ``.get`` yields
     ``None`` and ``sys.path`` becomes ``[None]``; confirm that is intended.
     NOTE(review): this entry decides where later imports are looked up, so
     the directory should not be writable by unprivileged users; confirm.
     """
     sudo.log_info("PATH before: {} (should be empty)".format(sys.path))
     options = sudo.options_as_dict(plugin_options)
     configured_entry = options.get("Path")
     sys.path = [configured_entry]
     sudo.log_info("PATH set: {}".format(sys.path))
예제 #6
 def on_conversation_resume(self, signum):
     """Example resume hook: log the signal reported on conversation resume.

     This only demonstrates the hook. The 'on_resume' argument can be left
     out entirely when nothing needs to happen on resume.
     """
     signal_label = self._signal_name(signum)
     sudo.log_info("conversation resume: signal was", signal_label)
예제 #7
 def on_conversation_suspend(self, signum):
     """Example suspend hook: log the signal reported on conversation suspend.

     This only demonstrates the hook. The 'on_suspend' argument can be left
     out entirely when nothing needs to happen on suspend.
     """
     signal_label = self._signal_name(signum)
     sudo.log_info("conversation suspend: signal", signal_label)
예제 #8
 def _log(self, string):
     """Emit ``string`` through ``sudo.log_info`` after the instance prefix.

     The example logs to sudo's output only; a file could be used instead.
     """
     prefix = self._log_line_prefix
     sudo.log_info(prefix, string)
예제 #9
 def show_version(self, is_verbose: bool) -> int:
     """Log the plugin name, adding the version suffix only when verbose.

     NOTE(review): annotated ``-> int`` but nothing is returned explicitly.
     """
     banner = "Python Example Audit Plugin"
     if is_verbose:
         banner += " (version=1.0)"
     sudo.log_info(banner)
예제 #10
 def __init__(self, plugin_options, **kwargs):
     """Build the "(APPROVAL <Id>)" log label and log the instance state.

     The label comes from the "Id" plugin option (empty string when it is
     absent). The base-class initialiser runs before the label is stored.
     """
     options = sudo.options_as_dict(plugin_options)
     plugin_id = options.get("Id", "")
     super().__init__(plugin_options=plugin_options, **kwargs)
     self._id = "(APPROVAL {})".format(plugin_id)
     sudo.log_info("{} Constructed:".format(self._id))
     # Every instance attribute is serialised into the log here.
     # NOTE(review): most attributes are set by the base class outside this
     # excerpt; confirm none of them are sensitive or non-JSON-serialisable.
     instance_state = json.dumps(self.__dict__, indent=4)
     sudo.log_info(instance_state)
예제 #11
 def show_version(self, *args):
     """Log that show_version was called, with the arguments it received."""
     template = "{} Show version was called with arguments: {}"
     sudo.log_info(template.format(self._id, args))
예제 #12
 def check(self, *args):
     """Log that check was called, with the arguments it received.

     No decision is made here: nothing is raised and nothing is returned
     explicitly, so every call ends with ``None``.
     NOTE(review): confirm how the caller interprets a ``None`` result.
     """
     template = "{} Check was called with arguments: {}"
     sudo.log_info(template.format(self._id, args))
예제 #13
 def __del__(self):
     """Log a destruction message tagged with the instance label.

     NOTE(review): ``self._id`` is assigned outside this method; if the
     object is finalised before it was set, this lookup fails. Confirm.
     """
     label = self._id
     sudo.log_info("{} Destructed successfully".format(label))
예제 #14
 def show_version(self, is_verbose: int):
     """Log the policy plugin version; in verbose mode also ``sys.version``."""
     plugin_line = "Python Policy Plugin version: {}".format(VERSION)
     sudo.log_info(plugin_line)
     if not is_verbose:
         return
     sudo.log_info("Python interpreter version:", sys.version)
예제 #15
 def _open_log_file(self, log_path):
     """Announce the log location and open it for appending.

     The open handle is kept on ``self._log_file``; it is not closed here.
     NOTE(review): the file is created with the process umask. If the log
     can hold sensitive session data, confirm its mode and that
     ``log_path`` is not in a directory unprivileged users can write to.
     """
     sudo.log_info("Example sudo python plugin will log to", log_path)
     handle = open(log_path, "a")
     self._log_file = handle
예제 #16
 def show_version(self, is_verbose: int) -> int:
     """Log the IO plugin version; in verbose mode also ``sys.version``.

     NOTE(review): annotated ``-> int`` but nothing is returned explicitly.
     """
     plugin_line = "Python Example IO Plugin version: {}".format(VERSION)
     sudo.log_info(plugin_line)
     if not is_verbose:
         return
     sudo.log_info("Python interpreter version:", sys.version)