mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
8626910c0e
If a user has manually removed a policy, the extension should not crash in an unapply removing it. Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
110 lines
4.5 KiB
Python
110 lines
4.5 KiB
Python
# gp_sudoers_ext samba gpo policy
|
|
# Copyright (C) David Mulder <dmulder@suse.com> 2020
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import os
|
|
from samba.gpclass import gp_pol_ext
|
|
from base64 import b64encode
|
|
from tempfile import NamedTemporaryFile
|
|
from subprocess import Popen, PIPE
|
|
|
|
def find_executable(executable, path):
|
|
paths = path.split(os.pathsep)
|
|
for p in paths:
|
|
f = os.path.join(p, executable)
|
|
if os.path.isfile(f):
|
|
return f
|
|
return None
|
|
|
|
intro = '''
|
|
### autogenerated by samba
|
|
#
|
|
# This file is generated by the gp_sudoers_ext Group Policy
|
|
# Client Side Extension. To modify the contents of this file,
|
|
# modify the appropriate Group Policy objects which apply
|
|
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
|
|
#
|
|
|
|
'''
|
|
visudo = find_executable('visudo',
|
|
path='%s:%s' % (os.environ['PATH'], '/usr/sbin'))
|
|
|
|
class gp_sudoers_ext(gp_pol_ext):
|
|
def __str__(self):
|
|
return 'Unix Settings/Sudo Rights'
|
|
|
|
def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
|
|
sdir='/etc/sudoers.d'):
|
|
for guid, settings in deleted_gpo_list:
|
|
self.gp_db.set_guid(guid)
|
|
if str(self) in settings:
|
|
for attribute, sudoers in settings[str(self)].items():
|
|
if os.path.exists(sudoers):
|
|
os.unlink(sudoers)
|
|
self.gp_db.delete(str(self), attribute)
|
|
self.gp_db.commit()
|
|
|
|
for gpo in changed_gpo_list:
|
|
if gpo.file_sys_path:
|
|
section = 'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
|
|
self.gp_db.set_guid(gpo.name)
|
|
pol_file = 'MACHINE/Registry.pol'
|
|
path = os.path.join(gpo.file_sys_path, pol_file)
|
|
pol_conf = self.parse(path)
|
|
if not pol_conf:
|
|
continue
|
|
for e in pol_conf.entries:
|
|
if e.keyname == section and e.data.strip():
|
|
attribute = b64encode(e.data.encode()).decode()
|
|
old_val = self.gp_db.retrieve(str(self), attribute)
|
|
if not old_val:
|
|
contents = intro
|
|
contents += '%s\n' % e.data
|
|
with NamedTemporaryFile() as f:
|
|
with open(f.name, 'w') as w:
|
|
w.write(contents)
|
|
sudo_validation = \
|
|
Popen([visudo, '-c', '-f', f.name],
|
|
stdout=PIPE, stderr=PIPE).wait()
|
|
if sudo_validation == 0:
|
|
with NamedTemporaryFile(prefix='gp_',
|
|
delete=False,
|
|
dir=sdir) as f:
|
|
with open(f.name, 'w') as w:
|
|
w.write(contents)
|
|
self.gp_db.store(str(self),
|
|
attribute,
|
|
f.name)
|
|
else:
|
|
self.logger.warn('Sudoers apply "%s" failed'
|
|
% e.data)
|
|
self.gp_db.commit()
|
|
|
|
def rsop(self, gpo):
|
|
output = {}
|
|
pol_file = 'MACHINE/Registry.pol'
|
|
if gpo.file_sys_path:
|
|
path = os.path.join(gpo.file_sys_path, pol_file)
|
|
pol_conf = self.parse(path)
|
|
if not pol_conf:
|
|
return output
|
|
for e in pol_conf.entries:
|
|
key = e.keyname.split('\\')[-1]
|
|
if key.endswith('Sudo Rights') and e.data.strip():
|
|
if key not in output.keys():
|
|
output[key] = []
|
|
output[key].append(e.data)
|
|
return output
|