[Da-tools-commits] ./debian/userdir-ldap r473: Change the hmac that protect sudopassword entries to also hash the purpose

Peter Palfrader peter at palfrader.org
Fri Nov 14 19:34:55 UTC 2008 

------------------------------------------------------------
revno: 473
committer: Peter Palfrader <peter at palfrader.org>
branch nick: userdir-ldap
timestamp: Fri 2008-11-14 20:34:55 +0100
message:
  Change the hmac that protect sudopassword entries to also hash the purpose
  ("sudo") and the owning user's uid into the mac.
added:
  misc/
  misc/ud-update-sudopasswords
modified:
  debian/changelog
  ud-generate
  ud-mailgate
  userdir_ldap.py
-------------- next part --------------
=== modified file 'debian/changelog'
--- a/debian/changelog	2008-10-26 21:32:16 +0000
+++ b/debian/changelog	2008-11-14 19:34:55 +0000
@@ -1,3 +1,11 @@
+userdir-ldap (0.3.46) unstable; urgency=low
+
+  * Change the hmac that protect sudopassword entries to also
+    hash the purpose ("sudo") and the owning user's uid into
+    the mac.
+
+ -- Peter Palfrader <weasel at debian.org>  Fri, 14 Nov 2008 20:27:38 +0100
+
 userdir-ldap (0.3.45) unstable; urgency=low
 
   * ud-generate: Declare [UNTRSUTED] flag as obsolete.

=== added directory 'misc'
=== added file 'misc/ud-update-sudopasswords'
--- a/misc/ud-update-sudopasswords	1970-01-01 00:00:00 +0000
+++ b/misc/ud-update-sudopasswords	2008-11-14 19:34:55 +0000
@@ -0,0 +1,74 @@
+#!/usr/bin/python
+
+#   Copyright (c) 2008 Peter Palfrader <peter at palfrader.org>
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, write to the Free Software
+#   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# ud-ldap 0.3.46 changed the format of the sudopasswd lines so that
+# the hmac also includes purpose ("sudo") and userid that owns the
+# entry.  This little script updates an ldap from old to new.
+
+import string, re, time, ldap, getopt, sys, os, pwd, posix, socket, base64, sha, shutil, errno, tarfile, grp
+from userdir_ldap import *;
+
+UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
+
+# Connect to the ldap server
+l = connectLDAP()
+F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
+Pass = F.readline().strip().split(" ")
+F.close();
+l.simple_bind_s("uid="+Pass[0]+","+BaseDn,Pass[1]);
+
+PasswdAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"sudoPassword=*", ["uid","sudoPassword"]);
+if PasswdAttrs == None:
+  raise "No Users";
+
+for x in PasswdAttrs:
+   if not x[1].has_key('sudoPassword'):
+      continue
+
+   uid = x[1]['uid'][0]
+   Rec = []
+   for entry in x[1]['sudoPassword']:
+      Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry)
+      if Match == None:
+         continue
+      uuid = Match.group(1)
+      status = Match.group(2)
+      hosts = Match.group(3)
+      cryptedpass = Match.group(4)
+
+      # ok old format
+      oldformat = 'confirmed:'+make_hmac(':'.join(['password-is-confirmed', uuid, hosts, cryptedpass]))
+      newformat = 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', x[1]['uid'][0], uuid, hosts, cryptedpass);
+
+      if status == oldformat:
+         print "Updating sudo password entry for %s."%(uid)
+         status = newformat
+      elif status == newformat:
+         print "not updating sudo password entry for %s, it's already up to date."%(uid)
+      else:
+         print "NOT Updating sudo password entry for %s, failed check."%(uid)
+
+      line = ' '.join([uuid, status, hosts, cryptedpass])
+      if len(Rec) == 0:
+         Rec.append((ldap.MOD_REPLACE, 'sudoPassword', line))
+      else:
+         Rec.append((ldap.MOD_ADD, 'sudoPassword', line))
+
+   Dn = "uid=" + uid + "," + BaseDn;
+   l.modify_s(Dn,Rec);
+

=== modified file 'ud-generate'
--- a/ud-generate	2008-10-23 18:25:21 +0000
+++ b/ud-generate	2008-11-14 19:34:55 +0000
@@ -230,7 +230,7 @@
             hosts = Match.group(3)
             cryptedpass = Match.group(4)
 
-            if status != 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
+            if status != 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', x[1]['uid'][0], uuid, hosts, cryptedpass):
                continue
             for_all = hosts == "*"
             for_this_host = CurrentHost in hosts.split(',')

=== modified file 'ud-mailgate'
--- a/ud-mailgate	2008-09-26 12:21:52 +0000
+++ b/ud-mailgate	2008-11-14 19:34:55 +0000
@@ -490,15 +490,15 @@
          confirmedHosts = SudoPasswd[uuid][0]
          confirmedHmac = SudoPasswd[uuid][1]
          if status.startswith('confirmed:'):
-            if status == 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
+            if status == 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', uid, ,uuid, hosts, cryptedpass):
                result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
             else:
                result = result + "Entry %s for sudo password on hosts %s is listed as confirmed, but HMAC does not verify.\n"%(uuid, hosts)
          elif confirmedHosts != hosts:
             result = result + "Entry %s hostlist mismatch (%s vs. %s).\n"%(uuid, hosts, confirmedHosts)
-         elif make_sudopasswd_hmac('confirm-new-password', uuid, hosts, cryptedpass) == confirmedHmac:
+         elif make_passwd_hmac('confirm-new-password', 'sudo', uid, uuid, hosts, cryptedpass) == confirmedHmac:
             result = result + "Entry %s for sudo password on hosts %s now confirmed.\n"%(uuid, hosts)
-            status = 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass)
+            status = 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', uid, uuid, hosts, cryptedpass)
          else:
             result = result + "Entry %s for sudo password on hosts %s HMAC verify failed.\n"%(uuid, hosts)
          del SudoPasswd[uuid]

=== modified file 'userdir_ldap.py'
--- a/userdir_ldap.py	2008-09-14 23:12:41 +0000
+++ b/userdir_ldap.py	2008-11-14 19:34:55 +0000
@@ -459,5 +459,5 @@
    File.close();
    return hmac.new(HmacKey, str, sha1_module).hexdigest()
 
-def make_sudopasswd_hmac(purpose, uuid, hosts, cryptedpass):
-   return make_hmac(':'.join([purpose, uuid, hosts, cryptedpass]))
+def make_passwd_hmac(status, purpose, uid, uuid, hosts, cryptedpass):
+   return make_hmac(':'.join([status, purpose, uid, uuid, hosts, cryptedpass]))

More information about the Da-tools-commits mailing list