nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-04-29 10:10:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: Migrate access config to new file

Browse Source 
Fixes #1504

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This commit is contained in:
James Valleroy 2019-03-01 20:39:15 -05:00 committed by Sunil Mohan Adapa
parent f524219387
commit 7ee48da299
No known key found for this signature in database
GPG Key ID: 43EA1CFF0AA7C5F2
3 changed files with 34 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
actions/security
View File

@ -20,9 +20,10 @@ Helper for security configuration
""" """
import argparse import argparse
import os
from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_SNIPPET, from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_FILE_OLD,
ACCESS_CONF_SNIPPETS) ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPETS)
def parse_arguments(): def parse_arguments():
@ -43,34 +44,30 @@ def parse_arguments():
def subcommand_enable_restricted_access(_): def subcommand_enable_restricted_access(_):
"""Restrict console login to users in admin or sudo group.""" """Restrict console login to users in admin or sudo group."""
with open(ACCESS_CONF_FILE, 'r') as conffile: try:
lines = conffile.readlines() os.mkdir(os.path.dirname(ACCESS_CONF_FILE))
except FileExistsError:
is_upgrading = False pass
with open(ACCESS_CONF_FILE, 'w') as conffile: with open(ACCESS_CONF_FILE, 'w') as conffile:
for line in lines: conffile.write(ACCESS_CONF_SNIPPET + '\n')
if line.strip() in ACCESS_CONF_SNIPPETS:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
is_upgrading = True
else:
conffile.write(line)
if not is_upgrading:
with open(ACCESS_CONF_FILE, 'a') as conffile:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
def subcommand_disable_restricted_access(_): def subcommand_disable_restricted_access(_):
"""Don't restrict console login to users in admin or sudo group.""" """Don't restrict console login to users in admin or sudo group."""
with open(ACCESS_CONF_FILE, 'r') as conffile: with open(ACCESS_CONF_FILE_OLD, 'r') as conffile:
lines = conffile.readlines() lines = conffile.readlines()
with open(ACCESS_CONF_FILE, 'w') as conffile: with open(ACCESS_CONF_FILE_OLD, 'w') as conffile:
for line in lines: for line in lines:
if line.strip() not in ACCESS_CONF_SNIPPETS: if line.strip() not in ACCESS_CONF_SNIPPETS:
conffile.write(line) conffile.write(line)
try:
os.remove(ACCESS_CONF_FILE)
except OSError:
pass
def main(): def main():
"""Parse arguments and perform all duties""" """Parse arguments and perform all duties"""

24
plinth/modules/security/__init__.py
View File

@ -25,7 +25,7 @@ from plinth.menu import main_menu
from .manifest import backup from .manifest import backup
version = 5 version = 6
is_essential = True is_essential = True
@ -37,7 +37,8 @@ managed_services = ['fail2ban']
manual_page = 'Security' manual_page = 'Security'
ACCESS_CONF_FILE = '/etc/security/access.conf' ACCESS_CONF_FILE = '/etc/security/access.d/50freedombox.conf'
ACCESS_CONF_FILE_OLD = '/etc/security/access.conf'
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL' ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL'
OLD_ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL' OLD_ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
ACCESS_CONF_SNIPPETS = [OLD_ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPET] ACCESS_CONF_SNIPPETS = [OLD_ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPET]
@ -54,7 +55,10 @@ def setup(helper, old_version=None):
helper.install(managed_packages) helper.install(managed_packages)
setup_fail2ban() setup_fail2ban()
if get_restricted_access_enabled(): # Migrate to new config file.
enabled = get_restricted_access_enabled()
set_restricted_access(False)
if enabled:
set_restricted_access(True) set_restricted_access(True)
@ -66,9 +70,17 @@ def setup_fail2ban():
def get_restricted_access_enabled(): def get_restricted_access_enabled():
"""Return whether restricted access is enabled""" """Return whether restricted access is enabled"""
with open(ACCESS_CONF_FILE, 'r') as conffile: with open(ACCESS_CONF_FILE_OLD, 'r') as conffile:
return any(line.strip() in ACCESS_CONF_SNIPPETS if any(line.strip() in ACCESS_CONF_SNIPPETS
for line in conffile.readlines()) for line in conffile.readlines()):
return True
try:
with open(ACCESS_CONF_FILE, 'r') as conffile:
return any(line.strip() in ACCESS_CONF_SNIPPETS
for line in conffile.readlines())
except FileNotFoundError:
return False
def set_restricted_access(enabled): def set_restricted_access(enabled):

2
plinth/modules/security/manifest.py
View File

@ -22,6 +22,6 @@ from plinth.modules.backups.api import validate as validate_backup
backup = validate_backup({ backup = validate_backup({
'config': { 'config': {
'files': ['/etc/security/access.conf'] 'files': ['/etc/security/access.d/50freedombox.conf']
} }
}) })