mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-28 08:03:36 +00:00
995365f3df
- Install mod_auth_pubtkt and generate public/private key-pair. - Redirect user to login page if no cookie is presented. - Add check for authenticated user for login page. - Temporarily switched to DSA because of a bug in mod_auth_pubtkt which causes it to accept only DSA and not RSA. Also had to use SHA1 instead of SHA256. - Enabled SSO for Syncthing, Repro and TT-RSS. - Using tokens to authorize by user groups. - Generate keys during first boot.
80 lines
2.4 KiB
Python
Executable File
80 lines
2.4 KiB
Python
Executable File
#!/usr/bin/python3
|
|
# -*- mode: python -*-
|
|
#
|
|
# This file is part of Plinth.
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
"""
|
|
Helper for security configuration
|
|
"""
|
|
|
|
import argparse
|
|
|
|
ACCESS_CONF_FILE = '/etc/security/access.conf'
|
|
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
|
|
|
|
|
|
def parse_arguments():
|
|
"""Return parsed command line arguments as dictionary"""
|
|
parser = argparse.ArgumentParser()
|
|
subparsers = parser.add_subparsers(dest='subcommand', help='Sub command')
|
|
|
|
subparsers.add_parser(
|
|
'enable-restricted-access',
|
|
help='Restrict console login to users in admin or sudo group')
|
|
subparsers.add_parser(
|
|
'disable-restricted-access',
|
|
help='Don\'t restrict console login to users in admin or sudo group')
|
|
|
|
subparsers.required = True
|
|
return parser.parse_args()
|
|
|
|
|
|
def subcommand_enable_restricted_access(_):
|
|
"""Restrict console login to users in admin or sudo group."""
|
|
with open(ACCESS_CONF_FILE, 'r') as conffile:
|
|
lines = conffile.readlines()
|
|
|
|
for line in lines:
|
|
if ACCESS_CONF_SNIPPET == line.strip():
|
|
return
|
|
|
|
with open(ACCESS_CONF_FILE, 'a') as conffile:
|
|
conffile.write(ACCESS_CONF_SNIPPET + '\n')
|
|
|
|
|
|
def subcommand_disable_restricted_access(_):
|
|
"""Don't restrict console login to users in admin or sudo group."""
|
|
with open(ACCESS_CONF_FILE, 'r') as conffile:
|
|
lines = conffile.readlines()
|
|
|
|
with open(ACCESS_CONF_FILE, 'w') as conffile:
|
|
for line in lines:
|
|
if ACCESS_CONF_SNIPPET != line.strip():
|
|
conffile.write(line)
|
|
|
|
|
|
def main():
|
|
"""Parse arguments and perform all duties"""
|
|
arguments = parse_arguments()
|
|
|
|
subcommand = arguments.subcommand.replace('-', '_')
|
|
subcommand_method = globals()['subcommand_' + subcommand]
|
|
subcommand_method(arguments)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|