sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-24 04:23:53 +03:00
Code Activity

gp: Modify Sudoers CSEs to use new files applier

Browse Source 
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
David Mulder
2022-11-28 13:37:52 -07:00
committed by Jeremy Allison
parent 81dbcae9df
commit 2953329ba0
3 changed files with 69 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
python/samba/gp/gp_centrify_sudoers_ext.py
View File

@@ -15,11 +15,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from samba.gp.gpclass import gp_pol_ext
from base64 import b64encode
from tempfile import NamedTemporaryFile
from subprocess import Popen, PIPE
from samba.gp.gp_sudoers_ext import visudo, intro
from samba.gp.gpclass import gp_pol_ext, gp_file_applier
from samba.gp.gp_sudoers_ext import sudo_applier_func
from samba.gp.util.logging import log
def ext_enabled(entries):
@@ -29,57 +26,41 @@ def ext_enabled(entries):
return e.data == 1
return False
class gp_centrify_sudoers_ext(gp_pol_ext):
class gp_centrify_sudoers_ext(gp_pol_ext, gp_file_applier):
def __str__(self):
return 'Centrify/Sudo Rights'
def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
sdir='/etc/sudoers.d'):
for guid, settings in deleted_gpo_list:
self.gp_db.set_guid(guid)
if str(self) in settings:
for attribute, sudoers in settings[str(self)].items():
if os.path.exists(sudoers):
os.unlink(sudoers)
self.gp_db.delete(str(self), attribute)
self.gp_db.commit()
self.unapply(guid, attribute, sudoers)
for gpo in changed_gpo_list:
if gpo.file_sys_path:
section = 'Software\\Policies\\Centrify\\UnixSettings\\SuDo'
self.gp_db.set_guid(gpo.name)
pol_file = 'MACHINE/Registry.pol'
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
if not pol_conf or not ext_enabled(pol_conf.entries):
continue
sudo_entries = []
for e in pol_conf.entries:
if e.keyname == section and e.data.strip():
if '**delvals.' in e.valuename:
continue
attribute = b64encode(e.data.encode()).decode()
old_val = self.gp_db.retrieve(str(self), attribute)
if not old_val:
contents = intro
contents += '%s\n' % e.data
with NamedTemporaryFile() as f:
with open(f.name, 'w') as w:
w.write(contents)
sudo_validation = \
Popen([visudo, '-c', '-f', f.name],
stdout=PIPE, stderr=PIPE).wait()
if sudo_validation == 0:
with NamedTemporaryFile(prefix='gp_',
delete=False,
dir=sdir) as f:
with open(f.name, 'w') as w:
w.write(contents)
self.gp_db.store(str(self),
attribute,
f.name)
else:
log.error('Sudoers apply failed', e.data)
self.gp_db.commit()
sudo_entries.append(e.data)
# Each GPO applies only one set of sudoers, in a
# set of files, so the attribute does not need uniqueness.
attribute = self.generate_attribute(gpo.name, *sudo_entries)
# The value hash is generated from the sudo_entries, ensuring
# any changes to this GPO will cause the files to be rewritten.
value_hash = self.generate_value_hash(*sudo_entries)
self.apply(gpo.name, attribute, value_hash, sudo_applier_func,
sdir, sudo_entries)
# Cleanup any old entries that are no longer part of the policy
self.clean(gpo.name, keep=[attribute])
def rsop(self, gpo):
output = {}