def check_create_path(username, filename, strictmodes):
user_pwent = users_ssh_info(username)[1]
root_pwent = users_ssh_info("root")[1]
try:
# check the directories first
directories = filename.split("/")[1:-1]
# scan in order, from root to file name
parent_folder = ""
# this is to comply also with unit tests, and
# strange home directories
home_folder = os.path.dirname(user_pwent.pw_dir)
for directory in directories:
parent_folder += "/" + directory
if home_folder.startswith(parent_folder):
continue
if not os.path.isdir(parent_folder):
# directory does not exist, and permission so far are good:
# create the directory, and make it accessible by everyone
# but owned by root, as it might be used by many users.
with util.SeLinuxGuard(parent_folder):
os.makedirs(parent_folder, mode=0o755, exist_ok=True)
util.chownbyid(parent_folder, root_pwent.pw_uid,
root_pwent.pw_gid)
permissions = check_permissions(username, parent_folder, filename,
False, strictmodes)
if not permissions:
return False
# check the file
if not os.path.exists(filename):
# if file does not exist: we need to create it, since the
# folders at this point exist and have right permissions
util.write_file(filename, '', mode=0o600, ensure_dir_exists=True)
util.chownbyid(filename, user_pwent.pw_uid, user_pwent.pw_gid)
permissions = check_permissions(username, filename, filename, True,
strictmodes)
if not permissions:
return False
except (IOError, OSError) as e:
util.logexc(LOG, str(e))
return False
return True
def setup_user_keys(keys, username, options=None):
# Make sure the users .ssh dir is setup accordingly
(ssh_dir, pwent) = users_ssh_info(username)
if not os.path.isdir(ssh_dir):
util.ensure_dir(ssh_dir, mode=0o700)
util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
# Turn the 'update' keys given into actual entries
parser = AuthKeyLineParser()
key_entries = []
for k in keys:
key_entries.append(parser.parse(str(k), options=options))
# Extract the old and make the new
(auth_key_fn, auth_key_entries) = extract_authorized_keys(username)
with util.SeLinuxGuard(ssh_dir, recursive=True):
content = update_authorized_keys(auth_key_entries, key_entries)
util.ensure_dir(os.path.dirname(auth_key_fn), mode=0o700)
util.write_file(auth_key_fn, content, mode=0o600)
util.chownbyid(auth_key_fn, pwent.pw_uid, pwent.pw_gid)
def setup_user_keys(keys, username, options=None):
# Make sure the users .ssh dir is setup accordingly
(ssh_dir, pwent) = users_ssh_info(username)
if not os.path.isdir(ssh_dir):
util.ensure_dir(ssh_dir, mode=0o700)
util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
# Turn the 'update' keys given into actual entries
parser = AuthKeyLineParser()
key_entries = []
for k in keys:
key_entries.append(parser.parse(str(k), options=options))
# Extract the old and make the new
(auth_key_fn, auth_key_entries) = extract_authorized_keys(username)
with util.SeLinuxGuard(ssh_dir, recursive=True):
content = update_authorized_keys(auth_key_entries, key_entries)
util.ensure_dir(os.path.dirname(auth_key_fn), mode=0o700)
util.write_file(auth_key_fn, content, mode=0o600)
util.chownbyid(auth_key_fn, pwent.pw_uid, pwent.pw_gid)
def check_create_path(username, filename, strictmodes):
user_pwent = users_ssh_info(username)[1]
root_pwent = users_ssh_info("root")[1]
try:
# check the directories first
directories = filename.split("/")[1:-1]
# scan in order, from root to file name
parent_folder = ""
# this is to comply also with unit tests, and
# strange home directories
home_folder = os.path.dirname(user_pwent.pw_dir)
for directory in directories:
parent_folder += "/" + directory
# security check, disallow symlinks in the AuthorizedKeysFile path.
if os.path.islink(parent_folder):
LOG.debug("Invalid directory. Symlink exists in path: %s",
parent_folder)
return False
if os.path.isfile(parent_folder):
LOG.debug("Invalid directory. File exists in path: %s",
parent_folder)
return False
if (home_folder.startswith(parent_folder)
or parent_folder == user_pwent.pw_dir):
continue
if not os.path.exists(parent_folder):
# directory does not exist, and permission so far are good:
# create the directory, and make it accessible by everyone
# but owned by root, as it might be used by many users.
with util.SeLinuxGuard(parent_folder):
mode = 0o755
uid = root_pwent.pw_uid
gid = root_pwent.pw_gid
if parent_folder.startswith(user_pwent.pw_dir):
mode = 0o700
uid = user_pwent.pw_uid
gid = user_pwent.pw_gid
os.makedirs(parent_folder, mode=mode, exist_ok=True)
util.chownbyid(parent_folder, uid, gid)
permissions = check_permissions(username, parent_folder, filename,
False, strictmodes)
if not permissions:
return False
if os.path.islink(filename) or os.path.isdir(filename):
LOG.debug("%s is not a file!", filename)
return False
# check the file
if not os.path.exists(filename):
# if file does not exist: we need to create it, since the
# folders at this point exist and have right permissions
util.write_file(filename, '', mode=0o600, ensure_dir_exists=True)
util.chownbyid(filename, user_pwent.pw_uid, user_pwent.pw_gid)
permissions = check_permissions(username, filename, filename, True,
strictmodes)
if not permissions:
return False
except (IOError, OSError) as e:
util.logexc(LOG, str(e))
return False
return True
