Verified Commit b9c36e41 authored by Joseph Nuthalapati's avatar Joseph Nuthalapati Committed by James Valleroy

security: Allow console login access to user plinth

Fixes #1295

This change is necessary to support sudo 1.8.23+ which came with the following
major change:
- PAM account management modules and BSD auth approval modules are now run even
	when no password is required.
Signed-off-by: Joseph Nuthalapati's avatarJoseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy's avatarJames Valleroy <jvalleroy@mailbox.org>
parent 0c334b72
......@@ -21,8 +21,8 @@ Helper for security configuration
import argparse
ACCESS_CONF_FILE = '/etc/security/access.conf'
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
from plinth.modules.security import (ACCESS_CONF_FILE, ACCESS_CONF_SNIPPET,
ACCESS_CONF_SNIPPETS)
def parse_arguments():
......@@ -46,12 +46,19 @@ def subcommand_enable_restricted_access(_):
with open(ACCESS_CONF_FILE, 'r') as conffile:
lines = conffile.readlines()
for line in lines:
if ACCESS_CONF_SNIPPET == line.strip():
return
is_upgrading = False
with open(ACCESS_CONF_FILE, 'a') as conffile:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
with open(ACCESS_CONF_FILE, 'w') as conffile:
for line in lines:
if line.strip() in ACCESS_CONF_SNIPPETS:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
is_upgrading = True
else:
conffile.write(line)
if not is_upgrading:
with open(ACCESS_CONF_FILE, 'a') as conffile:
conffile.write(ACCESS_CONF_SNIPPET + '\n')
def subcommand_disable_restricted_access(_):
......@@ -61,7 +68,7 @@ def subcommand_disable_restricted_access(_):
with open(ACCESS_CONF_FILE, 'w') as conffile:
for line in lines:
if ACCESS_CONF_SNIPPET != line.strip():
if line.strip() not in ACCESS_CONF_SNIPPETS:
conffile.write(line)
......
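Review bot: The rewritten enable path reopens `ACCESS_CONF_FILE` with mode `'w'` and streams the lines back one at a time, so an interrupted or failed write leaves access.conf truncated. pam_access grants access when no rule matches, so a truncated file loses the deny rule and any administrator rules after the failure point; before this change, enabling only appended. Building the new content in memory, writing it to a temporary file in the same directory and swapping it in with `os.replace` keeps the old file intact until the new one is complete. The sketch below assumes Python 3 and that `os`, `shutil` and `tempfile` are imported at the top of the file. The `'w'` rewrite in `subcommand_disable_restricted_access` has the same exposure, and both functions begin outside their hunks.

```python
def subcommand_enable_restricted_access(_):
    # … unchanged: read ACCESS_CONF_FILE into lines …
    new_lines = []
    is_upgrading = False
    for line in lines:
        if line.strip() in ACCESS_CONF_SNIPPETS:
            new_lines.append(ACCESS_CONF_SNIPPET + '\n')
            is_upgrading = True
        else:
            new_lines.append(line)

    if not is_upgrading:
        new_lines.append(ACCESS_CONF_SNIPPET + '\n')

    # Write the complete replacement next to the original, then swap it in
    # atomically so access.conf is never observed half-written.
    conf_dir = os.path.dirname(ACCESS_CONF_FILE)
    with tempfile.NamedTemporaryFile('w', dir=conf_dir,
                                     delete=False) as tmpfile:
        tmpfile.writelines(new_lines)
        tmpfile.flush()
        os.fsync(tmpfile.fileno())

    shutil.copymode(ACCESS_CONF_FILE, tmpfile.name)
    os.replace(tmpfile.name, ACCESS_CONF_FILE)
```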
......@@ -23,7 +23,7 @@ from django.utils.translation import ugettext_lazy as _
from plinth import actions
from plinth.menu import main_menu
version = 2
version = 3
is_essential = True
......@@ -36,7 +36,9 @@ managed_services = ['fail2ban']
manual_page = 'Security'
ACCESS_CONF_FILE = '/etc/security/access.conf'
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL'
OLD_ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
ACCESS_CONF_SNIPPETS = [OLD_ACCESS_CONF_SNIPPET, ACCESS_CONF_SNIPPET]
def init():
......@@ -59,13 +61,8 @@ def setup_fail2ban():
def get_restricted_access_enabled():
"""Return whether restricted access is enabled"""
with open(ACCESS_CONF_FILE, 'r') as conffile:
lines = conffile.readlines()
for line in lines:
if ACCESS_CONF_SNIPPET in line:
return True
return False
return any(line.strip() in ACCESS_CONF_SNIPPETS
for line in conffile.readlines())
def set_restricted_access(enabled):
......
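Review bot: The new `ACCESS_CONF_SNIPPET` adds `plinth` to the exemption list while the origin field stays `ALL`, so the exemption covers every PAM service that consults access.conf, not only the console login named in the commit title, and nothing beside the constants records why that is acceptable. I would add comments above them, for example `# plinth is exempt so its passwordless sudo still passes PAM account checks (sudo 1.8.23+)` and `# OLD_ACCESS_CONF_SNIPPET is kept only to recognise and upgrade lines written by earlier versions`. Whether the wider exemption is safe presumably depends on the plinth account having no usable password or login shell, which these hunks do not show and is worth confirming. Separately, `get_restricted_access_enabled()` now reports a file that still holds the old line as enabled, so existing installs gain the new rule only if the `version = 3` bump re-runs the enable action; that setup path is outside the visible hunks.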