search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/auth_log: adjust expected authDescription for test_smb_bad_user
[Samba.git] / python / samba / gp_sudoers_ext.py
bloba693fc960a2f8177d9af051574158505f9956b41
1 # gp_sudoers_ext samba gpo policy
2 # Copyright (C) David Mulder <dmulder@suse.com> 2020
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 3 of the License, or
7 # (at your option) any later version.
8 #
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
13 #
14 # You should have received a copy of the GNU General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16
17 import os
18 from samba.gpclass import gp_pol_ext
19 from base64 import b64encode
20 from tempfile import NamedTemporaryFile
21 from subprocess import Popen, PIPE
22
23 def find_executable(executable, path):
24 paths = path.split(os.pathsep)
25 for p in paths:
26 f = os.path.join(p, executable)
27 if os.path.isfile(f):
28 return f
29 return None
30
31 intro = '''
32 ### autogenerated by samba
33 #
34 # This file is generated by the gp_sudoers_ext Group Policy
35 # Client Side Extension. To modify the contents of this file,
36 # modify the appropriate Group Policy objects which apply
37 # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
38 #
39
40 '''
41 visudo = find_executable('visudo',
42 path='%s:%s' % (os.environ['PATH'], '/usr/sbin'))
43
44 class gp_sudoers_ext(gp_pol_ext):
45 def __str__(self):
46 return 'Unix Settings/Sudo Rights'
47
48 def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
49 sdir='/etc/sudoers.d'):
50 for guid, settings in deleted_gpo_list:
51 self.gp_db.set_guid(guid)
52 if str(self) in settings:
53 for attribute, sudoers in settings[str(self)].items():
54 if os.path.exists(sudoers):
55 os.unlink(sudoers)
56 self.gp_db.delete(str(self), attribute)
57 self.gp_db.commit()
58
59 for gpo in changed_gpo_list:
60 if gpo.file_sys_path:
61 section = 'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
62 self.gp_db.set_guid(gpo.name)
63 pol_file = 'MACHINE/Registry.pol'
64 path = os.path.join(gpo.file_sys_path, pol_file)
65 pol_conf = self.parse(path)
66 if not pol_conf:
67 continue
68 for e in pol_conf.entries:
69 if e.keyname == section and e.data.strip():
70 attribute = b64encode(e.data.encode()).decode()
71 old_val = self.gp_db.retrieve(str(self), attribute)
72 if not old_val:
73 contents = intro
74 contents += '%s\n' % e.data
75 with NamedTemporaryFile() as f:
76 with open(f.name, 'w') as w:
77 w.write(contents)
78 sudo_validation = \
79 Popen([visudo, '-c', '-f', f.name],
80 stdout=PIPE, stderr=PIPE).wait()
81 if sudo_validation == 0:
82 with NamedTemporaryFile(prefix='gp_',
83 delete=False,
84 dir=sdir) as f:
85 with open(f.name, 'w') as w:
86 w.write(contents)
87 self.gp_db.store(str(self),
88 attribute,
89 f.name)
90 else:
91 self.logger.warn('Sudoers apply "%s" failed'
92 % e.data)
93 self.gp_db.commit()
94
95 def rsop(self, gpo):
96 output = {}
97 pol_file = 'MACHINE/Registry.pol'
98 if gpo.file_sys_path:
99 path = os.path.join(gpo.file_sys_path, pol_file)
100 pol_conf = self.parse(path)
101 if not pol_conf:
102 return output
103 for e in pol_conf.entries:
104 key = e.keyname.split('\\')[-1]
105 if key.endswith('Sudo Rights') and e.data.strip():
106 if key not in output.keys():
107 output[key] = []
108 output[key].append(e.data)
109 return output
Samba GIT mirror