nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-20 10:34:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: Allow console login access to user plinth

Browse Source 
Fixes #1295

This change is necessary to support sudo 1.8.23+ which came with the following
major change:
- PAM account management modules and BSD auth approval modules are now run even
	when no password is required.

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit is contained in:
Joseph Nuthalapati 2018-05-07 16:20:33 +05:30 committed by James Valleroy
parent 0c334b7231
commit b9c36e41e2
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
2 changed files with 21 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
actions/security
View File

@ -21,8 +21,8 @@ Helper for security configuration
import argparse import argparse
ACCESS_CONF_FILE = '/etc/security/access.conf' from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_SNIPPET,
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL' ACCESS_CONF_SNIPPETS)
def parse_arguments(): def parse_arguments():
@ -46,12 +46,19 @@ def subcommand_enable_restricted_access(_):
with open(ACCESS_CONF_FILE, 'r') as conffile: with open(ACCESS_CONF_FILE, 'r') as conffile:
lines = conffile.readlines() lines = conffile.readlines()
for line in lines: is_upgrading = False
if ACCESS_CONF_SNIPPET == line.strip():
return
with open(ACCESS_CONF_FILE, 'a') as conffile: with open(ACCESS_CONF_FILE, 'w') as conffile:
conffile.write(ACCESS_CONF_SNIPPET + '\n') for line in lines:
if line.strip() in ACCESS_CONF_SNIPPETS:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
is_upgrading = True
else:
conffile.write(line)
if not is_upgrading:
with open(ACCESS_CONF_FILE, 'a') as conffile:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
def subcommand_disable_restricted_access(_): def subcommand_disable_restricted_access(_):
@ -61,7 +68,7 @@ def subcommand_disable_restricted_access(_):
with open(ACCESS_CONF_FILE, 'w') as conffile: with open(ACCESS_CONF_FILE, 'w') as conffile:
for line in lines: for line in lines:
if ACCESS_CONF_SNIPPET != line.strip(): if line.strip() not in ACCESS_CONF_SNIPPETS:
conffile.write(line) conffile.write(line)

15
plinth/modules/security/__init__.py
View File

@ -23,7 +23,7 @@ from django.utils.translation import ugettext_lazy as _
from plinth import actions from plinth import actions
from plinth.menu import main_menu from plinth.menu import main_menu
version = 2 version = 3
is_essential = True is_essential = True
@ -36,7 +36,9 @@ managed_services = ['fail2ban']
manual_page = 'Security' manual_page = 'Security'
ACCESS_CONF_FILE = '/etc/security/access.conf' ACCESS_CONF_FILE = '/etc/security/access.conf'
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL' ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL'
OLD_ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
ACCESS_CONF_SNIPPETS = [OLD_ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPET]
def init(): def init():
@ -59,13 +61,8 @@ def setup_fail2ban():
def get_restricted_access_enabled(): def get_restricted_access_enabled():
"""Return whether restricted access is enabled""" """Return whether restricted access is enabled"""
with open(ACCESS_CONF_FILE, 'r') as conffile: with open(ACCESS_CONF_FILE, 'r') as conffile:
lines = conffile.readlines() return any(line.strip() in ACCESS_CONF_SNIPPETS
for line in conffile.readlines())
for line in lines:
if ACCESS_CONF_SNIPPET in line:
return True
return False
def set_restricted_access(enabled): def set_restricted_access(enabled):