Mageia Bugzilla – Attachment 9068 Details for
Bug 618
Installer and userdrake give different permissions to home directories
[patch]
correctly set permissions on the home directory, v2
userdrake_fix_home_perms.diff (text/plain), 7.36 KB, created by
Frédéric "LpSolit" Buclin
on 2017-03-11 17:20:15 CET
Description:
correctly set permissions on the home directory, v2
Filename:
MIME Type:
Creator:
Frédéric "LpSolit" Buclin
Created:
2017-03-11 17:20:15 CET
Size:
7.36 KB
patch
obsolete
>From e4f187a0ca17f167c18ef38f43348a29d50f0bf2 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= <LpSolit@netscape.net>
>Date: Sat, 11 Mar 2017 17:16:08 +0100
>Subject: [PATCH] Correctly set permissions on the home directory when creating
> a new user (mga#618)
>
>---
> NEWS | 3 ++
> USER/USER.xs | 5 +--
> userdrake | 105 ++++++++++++++++++++++++++++++++++++++++++-----------------
> 3 files changed, 81 insertions(+), 32 deletions(-)
>
>diff --git a/NEWS b/NEWS
>index 3f990bd..537816a 100644
>--- a/NEWS
>+++ b/NEWS
>@@ -1,3 +1,6 @@
>+- Correctly set permissions on the home directory
>+ when creating a new user (mga#618)
>+
> Version 2.14 - 24 February 2017
>
> - Do not encrypt the empty password (mga#19318)
>diff --git a/USER/USER.xs b/USER/USER.xs
>index 086580b..ff9fc41 100644
>--- a/USER/USER.xs
>+++ b/USER/USER.xs
>@@ -67,11 +67,12 @@ Admin_DESTROY(self)
> if (self) lu_end(self);
>
> int
>-Admin_UserAdd(self, ent, is_system, dont_create_home)
>+Admin_UserAdd(self, ent, is_system, dont_create_home, homePermissions)
> USER::ADMIN *self
> USER::ENT *ent
> int is_system
> int dont_create_home
>+ short homePermissions
> CODE:
> USER__ERR *error = NULL;
> long uidNumber, gidNumber;
>@@ -114,7 +115,7 @@ Admin_UserAdd(self, ent, is_system, dont_create_home)
> homeDirectory = g_value_get_string(value);
>
> if (lu_homedir_populate(self, skeleton, homeDirectory,
>- uidNumber, gidNumber, 0700,
>+ uidNumber, gidNumber, homePermissions,
> &error) == 0) {
> warn(_("Error creating `%s': %s"), homeDirectory, error ? error->string : "unknown error");
> RETVAL = 2;
>diff --git a/userdrake b/userdrake
>index 08c36b3..2274013 100755
>--- a/userdrake
>+++ b/userdrake
>@@ -44,7 +44,6 @@ use log;
> $ugtk3::wm_icon = "userdrake";
>
> my $conffile = '/etc/sysconfig/userdrake';
>-my $secfile = '/etc/security/msec/security.conf';
> my $pixdir = '/usr/share/userdrake/pixmaps/';
> my @pix = ($pixdir . 'selected.png', $pixdir . 'unselected.png');
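Review bot: The new `short homePermissions` argument of `Admin_UserAdd` is handed to `lu_homedir_populate` in the `@@ -114` hunk without any range check, so whatever integer the Perl caller supplies (including setuid/setgid/sticky bits or a negative value) becomes the mode of a freshly created home directory. Declaring it as `int homePermissions` and masking it at the call site, `uidNumber, gidNumber, homePermissions & 0777,`, keeps the XS layer from trusting the script for a value that ends up on disk. I cannot see libuser's declaration from this page; if that parameter is `mode_t`, `int` is the closer match than `short`. The body of `Admin_UserAdd` continues outside both hunks.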
>
>@@ -76,7 +75,6 @@ my $error = 0;
> my $GetValue = -65533;
> my $stringsearch = '';
> my %prefs = getVarsFromSh($conffile);
>-my %sec = getVarsFromSh($secfile);
> my $sysfilter = text2bool($prefs{FILTER});
>
> sub HelpSystem() { run_program::raw({ detach => 1 }, 'drakhelp', '--id', 'userdrake') }
>@@ -255,50 +253,90 @@ undef $window_splash;
> $us->{wnd}->main;
> ugtk3->exit(0);
>
>-#=============================================================
>+=head1 NAME
>
>-=head2 weakPasswordForSecurityLevel
>+userdrake - Mageia Users Management Tool
>
>-=head3 INPUT
>+=head1 SYNOPSIS
>
>- $passwd: password to check
>+ userdrake
>+ drakuser (alias to userdrake)
>
>-=head3 OUTPUT
>+=head1 DESCRIPTION
>
>- 1: if the password is too weak for security level
>+This script manages user accounts for your Mageia installation.
>+It requires the root password.
>
>-=head3 DESCRIPTION
>+=head1 FUNCTIONS
>
>- Check the security level set if /etc/security/msec/security.conf
>- exists and the level is not 'standard' and if the password
>- is not at least 6 characters return true
>+=over
>
>- NOTE this function has been ported from ManaTools::Shared::Users
>+=item C<get_params($file, @parameters)>
>
>-=cut
>+This function parses and returns data from a text file in the format:
>
>-#=============================================================
>-sub weakPasswordForSecurityLevel {
>- my ($password) = shift;
>+ # Parameters and values are separated by whitespaces.
>+ PARAMETER1 VALUE1
>+ PARAMETER2 VALUE2
>+ ...
>
>- if (-e $secfile) {
>- my $level = $sec{BASE_LEVEL};
>- if ($level eq 'none' or $level eq 'standard') {
>- return 0;
>- }
>- elsif (length($password) < 6) {
>- return 1;
>- }
>- }
>+or
>
>- return 0;
>-}
>+ # Parameters and values are separated by the '=' symbol.
>+ PARAMETER1=VALUE1
>+ PARAMETER2=VALUE2
>+ ...
>+
>+It is somehow similar to L<MDK::Common::System::getVarsFromSh> except that
>+get_params() is also able to parse files where whitespaces are used as separator.
>+Maybe one day both functions will be merged.
>+
>+ Params: $file - The name of the text file to parse.
>+ @parameters - The list of parameters for which you want their value.
>+
>+ Returns: A hashref in the form { PARAMETER1 => VALUE1, PARAMETER2 => VALUE2, ... }.
>+
>+=item C<weakPasswordForSecurityLevel($passwd)>
>+
>+Make sure that the password is at least 6 characters long if the security level
>+specified in /etc/security/msec/security.conf is higher than 'standard'.
>+
>+This function is based on ManaTools::Shared::Users
>+
>+ Params: $passwd - The password to check.
>
>+ Returns: TRUE if the password is too weak for the current security level.
>+ FALSE otherwise.
>+
>+=back
>+=cut
>
> sub is_xguest_installed() {
> -e '/etc/security/namespace.d/xguest.conf';
> }
>
>+sub get_params {
>+ my ($file, @parameters) = @_;
>+ if (open(my $fh, '<', $file)) {
>+ my @lines = <$fh>;
>+ close $fh;
>+ my $param_list = join('|', @parameters);
>+ my %params = map { /^($param_list)\b(?:=|\s+)(.+)$/; $1 => $2 } grep {/^(?:$param_list)\b/} @lines;
>+ return \%params;
>+ }
>+ return {};
>+}
>+
>+sub weakPasswordForSecurityLevel {
>+ my $password = shift;
>+ my $level = get_params('/etc/security/msec/security.conf', qw(BASE_LEVEL))->{BASE_LEVEL};
>+
>+ if (!$level || $level eq 'none' || $level eq 'standard' || length($password) >= 6) {
>+ return 0;
>+ }
>+ return 1;
>+}
>+
> sub GrayDelEdit() {
> foreach ($tbedit, $tbdel, $buttorcheck{edit}, $buttorcheck{delete}) {
> defined $_ and $_->set_sensitive(0);
>@@ -454,7 +492,10 @@ sub GetFaceIcon {
>
> sub AddUser() {
> my $w = NewWindow(N("Create New User"));
>- my $dontcreatehomedir = 0; my $is_system = 0;
>+ my $dontcreatehomedir = 0;
>+ # Be restrictive by default, and use umask if known.
>+ my $homedir_perms = 0700;
>+ my $is_system = 0;
> my %u;
> gtkpack_($w->get_child,
> 0, BuildUui(),
>@@ -497,6 +538,10 @@ sub AddUser() {
> $dontcreatehomedir = 0;
> $u{homedir} = $us->{o}{homedir}->get_text;
> $userEnt and $userEnt->HomeDir($u{homedir});
>+ # Correctly set permissions on the home directory.
>+ if (my $umask = get_params('/etc/login.defs', qw(UMASK))->{UMASK}) {
>+ $homedir_perms = 0777 &~ oct($umask);
>+ }
> } else {
> $dontcreatehomedir = 1;
> }
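Review bot: In the new `get_params`, the `map` block ignores whether its regex matched, so a line that passes the `grep` but not the capturing pattern (a bare `UMASK` or `UMASK=` line with no value) reuses the stale `$1`/`$2` from the previous iteration, and `(.+)$` keeps trailing whitespace or an inline comment inside the value that the `@@ -497` hunk later feeds to `oct()`. Building the alternation with `quotemeta` and returning an empty list on a failed match keeps the parser honest: `my $param_list = join('|', map { quotemeta } @parameters);` and `my %params = map { /^($param_list)\b(?:=|\s+)(\S.*?)\s*$/ ? ($1 => $2) : () } @lines;`, which also makes the separate `grep` unnecessary. The parameter names are internal constants today, so the `quotemeta` part is style rather than a live injection risk.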
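Review bot: The `if (my $umask = ...)` guard in the `@@ -497` hunk treats a literal `UMASK 0` in /etc/login.defs as absent and falls back to 0700, while `UMASK 000` passes the truth test and yields 0777, so the same configured umask gives two different home directory modes depending on how it is spelled. Testing for definedness and for an octal-looking value avoids that and stops `oct()` from quietly truncating a malformed entry at its first non-octal character: `my $umask = get_params('/etc/login.defs', qw(UMASK))->{UMASK};`, `if (defined $umask && $umask =~ /\A[0-7]{1,4}\z/) {`, `$homedir_perms = 0777 &~ oct($umask);`. The enclosing `AddUser` starts and ends outside the hunk.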
>@@ -540,7 +585,7 @@ sub AddUser() {
> $userEnt->Gid($u{gid});
> $userEnt->ShadowMin(-1); $userEnt->ShadowMax(99999);
> $userEnt->ShadowWarn(-1); $userEnt->ShadowInact(-1);
>- $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir);
>+ $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir, $homedir_perms);
> $ctx->UserSetPass($userEnt, $u{passwd});
> defined $us->{o}{iconval} and
> any::addKdmIcon($u{username}, $us->{o}{iconval});
>--
>2.10.2
>
From e4f187a0ca17f167c18ef38f43348a29d50f0bf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= <LpSolit@netscape.net> Date: Sat, 11 Mar 2017 17:16:08 +0100 Subject: [PATCH] Correctly set permissions on the home directory when creating a new user (mga#618) --- NEWS | 3 ++ USER/USER.xs | 5 +-- userdrake | 105 ++++++++++++++++++++++++++++++++++++++++++----------------- 3 files changed, 81 insertions(+), 32 deletions(-) diff --git a/NEWS b/NEWS index 3f990bd..537816a 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,6 @@ +- Correctly set permissions on the home directory + when creating a new user (mga#618) + Version 2.14 - 24 February 2017 - Do not encrypt the empty password (mga#19318) diff --git a/USER/USER.xs b/USER/USER.xs index 086580b..ff9fc41 100644 --- a/USER/USER.xs +++ b/USER/USER.xs @@ -67,11 +67,12 @@ Admin_DESTROY(self) if (self) lu_end(self); int -Admin_UserAdd(self, ent, is_system, dont_create_home) +Admin_UserAdd(self, ent, is_system, dont_create_home, homePermissions) USER::ADMIN *self USER::ENT *ent int is_system int dont_create_home + short homePermissions CODE: USER__ERR *error = NULL; long uidNumber, gidNumber; @@ -114,7 +115,7 @@ Admin_UserAdd(self, ent, is_system, dont_create_home) homeDirectory = g_value_get_string(value); if (lu_homedir_populate(self, skeleton, homeDirectory, - uidNumber, gidNumber, 0700, + uidNumber, gidNumber, homePermissions, &error) == 0) { warn(_("Error creating `%s': %s"), homeDirectory, error ? error->string : "unknown error"); RETVAL = 2; diff --git a/userdrake b/userdrake index 08c36b3..2274013 100755 --- a/userdrake +++ b/userdrake @@ -44,7 +44,6 @@ use log; $ugtk3::wm_icon = "userdrake"; my $conffile = '/etc/sysconfig/userdrake'; -my $secfile = '/etc/security/msec/security.conf'; my $pixdir = '/usr/share/userdrake/pixmaps/'; my @pix = ($pixdir . 'selected.png', $pixdir . 'unselected.png'); 
@@ -76,7 +75,6 @@ my $error = 0; my $GetValue = -65533; my $stringsearch = ''; my %prefs = getVarsFromSh($conffile); -my %sec = getVarsFromSh($secfile); my $sysfilter = text2bool($prefs{FILTER}); sub HelpSystem() { run_program::raw({ detach => 1 }, 'drakhelp', '--id', 'userdrake') } 
@@ -255,50 +253,90 @@ undef $window_splash; $us->{wnd}->main; ugtk3->exit(0); -#============================================================= +=head1 NAME -=head2 weakPasswordForSecurityLevel +userdrake - Mageia Users Management Tool -=head3 INPUT +=head1 SYNOPSIS - $passwd: password to check + userdrake + drakuser (alias to userdrake) -=head3 OUTPUT +=head1 DESCRIPTION - 1: if the password is too weak for security level +This script manages user accounts for your Mageia installation. +It requires the root password. -=head3 DESCRIPTION +=head1 FUNCTIONS - Check the security level set if /etc/security/msec/security.conf - exists and the level is not 'standard' and if the password - is not at least 6 characters return true +=over - NOTE this function has been ported from ManaTools::Shared::Users +=item C<get_params($file, @parameters)> -=cut +This function parses and returns data from a text file in the format: -#============================================================= -sub weakPasswordForSecurityLevel { - my ($password) = shift; + # Parameters and values are separated by whitespaces. + PARAMETER1 VALUE1 + PARAMETER2 VALUE2 + ... - if (-e $secfile) { - my $level = $sec{BASE_LEVEL}; - if ($level eq 'none' or $level eq 'standard') { - return 0; - } - elsif (length($password) < 6) { - return 1; - } - } +or - return 0; -} + # Parameters and values are separated by the '=' symbol. + PARAMETER1=VALUE1 + PARAMETER2=VALUE2 + ... + +It is somehow similar to L<MDK::Common::System::getVarsFromSh> except that +get_params() is also able to parse files where whitespaces are used as separator. +Maybe one day both functions will be merged. + + Params: $file - The name of the text file to parse. + @parameters - The list of parameters for which you want their value. + + Returns: A hashref in the form { PARAMETER1 => VALUE1, PARAMETER2 => VALUE2, ... }. 
+ +=item C<weakPasswordForSecurityLevel($passwd)> + +Make sure that the password is at least 6 characters long if the security level +specified in /etc/security/msec/security.conf is higher than 'standard'. + +This function is based on ManaTools::Shared::Users + + Params: $passwd - The password to check. + Returns: TRUE if the password is too weak for the current security level. + FALSE otherwise. + +=back +=cut sub is_xguest_installed() { -e '/etc/security/namespace.d/xguest.conf'; } +sub get_params { + my ($file, @parameters) = @_; + if (open(my $fh, '<', $file)) { + my @lines = <$fh>; + close $fh; + my $param_list = join('|', @parameters); + my %params = map { /^($param_list)\b(?:=|\s+)(.+)$/; $1 => $2 } grep {/^(?:$param_list)\b/} @lines; + return \%params; + } + return {}; +} + +sub weakPasswordForSecurityLevel { + my $password = shift; + my $level = get_params('/etc/security/msec/security.conf', qw(BASE_LEVEL))->{BASE_LEVEL}; + + if (!$level || $level eq 'none' || $level eq 'standard' || length($password) >= 6) { + return 0; + } + return 1; +} + sub GrayDelEdit() { foreach ($tbedit, $tbdel, $buttorcheck{edit}, $buttorcheck{delete}) { defined $_ and $_->set_sensitive(0); @@ -454,7 +492,10 @@ sub GetFaceIcon { sub AddUser() { my $w = NewWindow(N("Create New User")); - my $dontcreatehomedir = 0; my $is_system = 0; + my $dontcreatehomedir = 0; + # Be restrictive by default, and use umask if known. + my $homedir_perms = 0700; + my $is_system = 0; my %u; gtkpack_($w->get_child, 0, BuildUui(), @@ -497,6 +538,10 @@ sub AddUser() { $dontcreatehomedir = 0; $u{homedir} = $us->{o}{homedir}->get_text; $userEnt and $userEnt->HomeDir($u{homedir}); + # Correctly set permissions on the home directory. + if (my $umask = get_params('/etc/login.defs', qw(UMASK))->{UMASK}) { + $homedir_perms = 0777 &~ oct($umask); + } } else { $dontcreatehomedir = 1; } 
@@ -540,7 +585,7 @@ sub AddUser() { $userEnt->Gid($u{gid}); $userEnt->ShadowMin(-1); $userEnt->ShadowMax(99999); $userEnt->ShadowWarn(-1); $userEnt->ShadowInact(-1); - $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir); + $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir, $homedir_perms); $ctx->UserSetPass($userEnt, $u{passwd}); defined $us->{o}{iconval} and any::addKdmIcon($u{username}, $us->{o}{iconval}); -- 2.10.2