nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-02-04 08:13:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: Migrate access config to new file

Browse Source 
Fixes #1504

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This commit is contained in:
James Valleroy 2019-03-01 20:39:15 -05:00 committed by Sunil Mohan Adapa
parent f524219387
commit 7ee48da299
No known key found for this signature in database
GPG Key ID: 43EA1CFF0AA7C5F2
3 changed files with 34 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
actions/security
View File

@ -20,9 +20,10 @@ Helper for security configuration
"""
import argparse
import os
from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_SNIPPET,
ACCESS_CONF_SNIPPETS)
from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_FILE_OLD,
ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPETS)
def parse_arguments():
@ -43,34 +44,30 @@ def parse_arguments():
def subcommand_enable_restricted_access(_):
"""Restrict console login to users in admin or sudo group."""
with open(ACCESS_CONF_FILE, 'r') as conffile:
lines = conffile.readlines()
is_upgrading = False
try:
os.mkdir(os.path.dirname(ACCESS_CONF_FILE))
except FileExistsError:
pass
with open(ACCESS_CONF_FILE, 'w') as conffile:
for line in lines:
if line.strip() in ACCESS_CONF_SNIPPETS:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
is_upgrading = True
else:
conffile.write(line)
if not is_upgrading:
with open(ACCESS_CONF_FILE, 'a') as conffile:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
conffile.write(ACCESS_CONF_SNIPPET + '\n')
def subcommand_disable_restricted_access(_):
"""Don't restrict console login to users in admin or sudo group."""
with open(ACCESS_CONF_FILE, 'r') as conffile:
with open(ACCESS_CONF_FILE_OLD, 'r') as conffile:
lines = conffile.readlines()
with open(ACCESS_CONF_FILE, 'w') as conffile:
with open(ACCESS_CONF_FILE_OLD, 'w') as conffile:
for line in lines:
if line.strip() not in ACCESS_CONF_SNIPPETS:
conffile.write(line)
try:
os.remove(ACCESS_CONF_FILE)
except OSError:
pass
def main():
"""Parse arguments and perform all duties"""

24
plinth/modules/security/__init__.py
View File

@ -25,7 +25,7 @@ from plinth.menu import main_menu
from .manifest import backup
version = 5
version = 6
is_essential = True
@ -37,7 +37,8 @@ managed_services = ['fail2ban']
manual_page = 'Security'
ACCESS_CONF_FILE = '/etc/security/access.conf'
ACCESS_CONF_FILE = '/etc/security/access.d/50freedombox.conf'
ACCESS_CONF_FILE_OLD = '/etc/security/access.conf'
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL'
OLD_ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
ACCESS_CONF_SNIPPETS = [OLD_ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPET]
@ -54,7 +55,10 @@ def setup(helper, old_version=None):
helper.install(managed_packages)
setup_fail2ban()
if get_restricted_access_enabled():
# Migrate to new config file.
enabled = get_restricted_access_enabled()
set_restricted_access(False)
if enabled:
set_restricted_access(True)
@ -66,9 +70,17 @@ def setup_fail2ban():
def get_restricted_access_enabled():
"""Return whether restricted access is enabled"""
with open(ACCESS_CONF_FILE, 'r') as conffile:
return any(line.strip() in ACCESS_CONF_SNIPPETS
for line in conffile.readlines())
with open(ACCESS_CONF_FILE_OLD, 'r') as conffile:
if any(line.strip() in ACCESS_CONF_SNIPPETS
for line in conffile.readlines()):
return True
try:
with open(ACCESS_CONF_FILE, 'r') as conffile:
return any(line.strip() in ACCESS_CONF_SNIPPETS
for line in conffile.readlines())
except FileNotFoundError:
return False
def set_restricted_access(enabled):

2
plinth/modules/security/manifest.py
View File

@ -22,6 +22,6 @@ from plinth.modules.backups.api import validate as validate_backup
backup = validate_backup({
'config': {
'files': ['/etc/security/access.conf']
'files': ['/etc/security/access.d/50freedombox.conf']
}
})