From 7ee48da299065b1f2daa332d217017baa6c610a4 Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Fri, 1 Mar 2019 20:39:15 -0500
Subject: [PATCH] security: Migrate access config to new file

Fixes #1504

Signed-off-by: James Valleroy
Reviewed-by: Sunil Mohan Adapa
---
 actions/security | 33 +++++++++++++----------------
 plinth/modules/security/__init__.py | 24 +++++++++++++++------
 plinth/modules/security/manifest.py | 2 +-
 3 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/actions/security b/actions/security
index c67edf9ea..cc4efdb2b 100755
--- a/actions/security
+++ b/actions/security
@@ -20,9 +20,10 @@ Helper for security configuration
 """
 
 import argparse
+import os
 
-from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_SNIPPET,
-                                     ACCESS_CONF_SNIPPETS)
+from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_FILE_OLD,
+                                     ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPETS)
 
 
 def parse_arguments():
@@ -43,34 +44,30 @@ def parse_arguments():
 def subcommand_enable_restricted_access(_):
     """Restrict console login to users in admin or sudo group."""
-    with open(ACCESS_CONF_FILE, 'r') as conffile:
-        lines = conffile.readlines()
-
-    is_upgrading = False
+    try:
+        os.mkdir(os.path.dirname(ACCESS_CONF_FILE))
+    except FileExistsError:
+        pass
 
     with open(ACCESS_CONF_FILE, 'w') as conffile:
-        for line in lines:
-            if line.strip() in ACCESS_CONF_SNIPPETS:
-                conffile.write(ACCESS_CONF_SNIPPET + '\n')
-                is_upgrading = True
-            else:
-                conffile.write(line)
-
-    if not is_upgrading:
-        with open(ACCESS_CONF_FILE, 'a') as conffile:
-            conffile.write(ACCESS_CONF_SNIPPET + '\n')
+        conffile.write(ACCESS_CONF_SNIPPET + '\n')
 
 
 def subcommand_disable_restricted_access(_):
     """Don't restrict console login to users in admin or sudo group."""
-    with open(ACCESS_CONF_FILE, 'r') as conffile:
+    with open(ACCESS_CONF_FILE_OLD, 'r') as conffile:
         lines = conffile.readlines()
 
-    with open(ACCESS_CONF_FILE, 'w') as conffile:
+    with open(ACCESS_CONF_FILE_OLD, 'w') as conffile:
         for line in lines:
             if line.strip() not in ACCESS_CONF_SNIPPETS:
                 conffile.write(line)
 
+    try:
+        os.remove(ACCESS_CONF_FILE)
+    except OSError:
+        pass
+
 
 def main():
     """Parse arguments and perform all duties"""
 
diff --git a/plinth/modules/security/__init__.py b/plinth/modules/security/__init__.py
index fe1094081..4eea8e386 100644
--- a/plinth/modules/security/__init__.py
+++ b/plinth/modules/security/__init__.py
@@ -25,7 +25,7 @@ from plinth.menu import main_menu
 
 from .manifest import backup
 
-version = 5
+version = 6
 
 is_essential = True
 
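Review bot: `except OSError: pass` at the end of subcommand_disable_restricted_access swallows every failure of os.remove(ACCESS_CONF_FILE), not only the file being absent; on a PermissionError or IsADirectoryError the action would still exit successfully while /etc/security/access.d/50freedombox.conf, and with it the console-login restriction, stays in place even though the caller believes it was disabled. Only the missing-file case is expected there, so narrow it to `except FileNotFoundError: pass` and let any other error surface as an action failure. In subcommand_enable_restricted_access the new file is opened with mode 'w' and written in place, so an interrupted write presumably leaves an empty rule file that enforces nothing; if that matters for this action, writing to a temporary file in the same directory and switching it in with os.replace() would make the change atomic.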
@@ -37,7 +37,8 @@ managed_services = ['fail2ban']
 
 manual_page = 'Security'
 
-ACCESS_CONF_FILE = '/etc/security/access.conf'
+ACCESS_CONF_FILE = '/etc/security/access.d/50freedombox.conf'
+ACCESS_CONF_FILE_OLD = '/etc/security/access.conf'
 ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL'
 OLD_ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
 ACCESS_CONF_SNIPPETS = [OLD_ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPET]
@@ -54,7 +55,10 @@ def setup(helper, old_version=None):
     helper.install(managed_packages)
     setup_fail2ban()
 
-    if get_restricted_access_enabled():
+    # Migrate to new config file.
+    enabled = get_restricted_access_enabled()
+    set_restricted_access(False)
+    if enabled:
         set_restricted_access(True)
 
 
@@ -66,9 +70,17 @@ def setup_fail2ban():
 
 def get_restricted_access_enabled():
     """Return whether restricted access is enabled"""
-    with open(ACCESS_CONF_FILE, 'r') as conffile:
-        return any(line.strip() in ACCESS_CONF_SNIPPETS
-                   for line in conffile.readlines())
+    with open(ACCESS_CONF_FILE_OLD, 'r') as conffile:
+        if any(line.strip() in ACCESS_CONF_SNIPPETS
+               for line in conffile.readlines()):
+            return True
+
+    try:
+        with open(ACCESS_CONF_FILE, 'r') as conffile:
+            return any(line.strip() in ACCESS_CONF_SNIPPETS
+                       for line in conffile.readlines())
+    except FileNotFoundError:
+        return False
 
 
 def set_restricted_access(enabled):
diff --git a/plinth/modules/security/manifest.py b/plinth/modules/security/manifest.py
index ba414444b..606e75da4 100644
--- a/plinth/modules/security/manifest.py
+++ b/plinth/modules/security/manifest.py
@@ -22,6 +22,6 @@ from plinth.modules.backups.api import validate as validate_backup
 
 backup = validate_backup({
     'config': {
-        'files': ['/etc/security/access.conf']
+        'files': ['/etc/security/access.d/50freedombox.conf']
     }
 })
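Review bot: The migration block in setup() is not gated on old_version, so as far as this hunk shows it runs on every setup() call, including a fresh install and every later upgrade: each run executes set_restricted_access(False), which rewrites /etc/security/access.conf and deletes the new rule file, and only then re-enables the rule when it was present, leaving the console-login restriction lifted for the interval between the two actions. Limiting it to the upgrade that needs it, `if old_version and old_version < 6:`, avoids the repeated rewrite and the unnecessary window on later runs; the comment `# Migrate to new config file.` could also say that the disable step is what strips the snippet from the old access.conf, since that is not obvious from the two calls. In get_restricted_access_enabled, both `for line in conffile.readlines()` generators can iterate the file object directly (`for line in conffile`), which reads line by line instead of materializing the whole file first.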