security: Allow console login access to user plinth

Fixes #1295 This change is necessary to support sudo 1.8.23+ which came with the following major change: - PAM account management modules and BSD auth approval modules are now run even when no password is required. Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-18 09:10:49 +00:00 · 2018-05-07 16:20:33 +05:30 · 2018-05-07 16:20:33 +05:30 · b9c36e41e2
commit b9c36e41e2
parent 0c334b7231
2 changed files with 21 additions and 17 deletions
--- a/actions/security
+++ b/actions/security
@ -21,8 +21,8 @@ Helper for security configuration

 import argparse

-ACCESS_CONF_FILE = '/etc/security/access.conf'
-ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
+from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_SNIPPET,
+                                     ACCESS_CONF_SNIPPETS)


 def parse_arguments():
@ -46,12 +46,19 @@ def subcommand_enable_restricted_access(_):
    with open(ACCESS_CONF_FILE, 'r') as conffile:
        lines = conffile.readlines()

-    for line in lines:
-        if ACCESS_CONF_SNIPPET == line.strip():
-            return
+    is_upgrading = False

-    with open(ACCESS_CONF_FILE, 'a') as conffile:
-        conffile.write(ACCESS_CONF_SNIPPET + '\n')
+    with open(ACCESS_CONF_FILE, 'w') as conffile:
+        for line in lines:
+            if line.strip() in ACCESS_CONF_SNIPPETS:
+                conffile.write(ACCESS_CONF_SNIPPET + '\n')
+                is_upgrading = True
+            else:
+                conffile.write(line)
+
+    if not is_upgrading:
+        with open(ACCESS_CONF_FILE, 'a') as conffile:
+            conffile.write(ACCESS_CONF_SNIPPET + '\n')


 def subcommand_disable_restricted_access(_):
@ -61,7 +68,7 @@ def subcommand_disable_restricted_access(_):

    with open(ACCESS_CONF_FILE, 'w') as conffile:
        for line in lines:
-            if ACCESS_CONF_SNIPPET != line.strip():
+            if line.strip() not in ACCESS_CONF_SNIPPETS:
                conffile.write(line)


--- a/plinth/modules/security/init.py
+++ b/plinth/modules/security/init.py
@ -23,7 +23,7 @@ from django.utils.translation import ugettext_lazy as _
 from plinth import actions
 from plinth.menu import main_menu

-version = 2
+version = 3

 is_essential = True

@ -36,7 +36,9 @@ managed_services = ['fail2ban']
 manual_page = 'Security'

 ACCESS_CONF_FILE = '/etc/security/access.conf'
-ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
+ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL'
+OLD_ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
+ACCESS_CONF_SNIPPETS = [OLD_ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPET]


 def init():
@ -59,13 +61,8 @@ def setup_fail2ban():
 def get_restricted_access_enabled():
    """Return whether restricted access is enabled"""
    with open(ACCESS_CONF_FILE, 'r') as conffile:
-        lines = conffile.readlines()
-
-    for line in lines:
-        if ACCESS_CONF_SNIPPET in line:
-            return True
-
-    return False
+        return any(line.strip() in ACCESS_CONF_SNIPPETS
+                   for line in conffile.readlines())


 def set_restricted_access(enabled):