[Da-tools-commits] ./debian/userdir-ldap r469: ud-generate: do not export sudopassword to untrusted or nopasswd hosts, unless the password is explicitly added for this host and not just for '*'

Peter Palfrader peter at palfrader.org
Fri Oct 3 11:25:43 UTC 2008


------------------------------------------------------------
revno: 469
committer: Peter Palfrader <peter at palfrader.org>
branch nick: userdir-ldap
timestamp: Fri 2008-10-03 13:25:43 +0200
message:
  ud-generate: do not export sudopassword to untrusted or nopasswd hosts, unless the password is explicitly added for this host and not just for '*'
modified:
  debian/changelog
  ud-generate
-------------- next part --------------
=== modified file 'debian/changelog'
--- a/debian/changelog	2008-09-26 12:21:52 +0000
+++ b/debian/changelog	2008-10-03 11:25:43 +0000
@@ -1,9 +1,11 @@
-userdir-ldap (0.3.XX) unstable; urgency=low
+userdir-ldap (0.3.44) unstable; urgency=low
 
   * ud-mailgate: Do not support del requests for sshDSAAuthKey - there is no
     such attribute.
+  * ud-generate: do not export sudopassword to untrusted or nopasswd hosts,
+    unless the password is explicitly added for this host and not just for '*'.
 
- -- Peter Palfrader <weasel at debian.org>  Fri, 26 Sep 2008 14:21:26 +0200
+ -- Peter Palfrader <weasel at debian.org>  Fri, 03 Oct 2008 13:23:22 +0200
 
 userdir-ldap (0.3.43) unstable; urgency=low
 

=== modified file 'ud-generate'
--- a/ud-generate	2008-10-03 11:20:29 +0000
+++ b/ud-generate	2008-10-03 11:25:43 +0000
@@ -203,7 +203,7 @@
   Done(File,None,F);
 
 # Generate the sudo passwd file
-def GenShadowSudo(l,File):
+def GenShadowSudo(l,File, untrusted):
   F = None;
   try:
    OldMask = os.umask(0077);
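Review bot: the new `untrusted` parameter in the `def GenShadowSudo(l,File, untrusted):` line is undocumented; the only description of the function is the comment `# Generate the sudo passwd file` above it, which still reads as if every host gets the same output. Extend that comment (or add a docstring) to state that when `untrusted` is true, entries whose host list is only `*` are dropped and only entries naming this host are exported. The spacing `l,File, untrusted` is also inconsistent within the argument list.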
@@ -236,6 +236,9 @@
             for_this_host = CurrentHost in hosts.split(',')
             if not (for_all or for_this_host):
                continue
+            # ignore * passwords for untrusted hosts, but copy host specific passwords
+            if for_all and untrusted:
+               continue
             Pass = cryptedpass
             if for_this_host: # this makes sure we take a per-host entry over the for-all entry
               break
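Review bot: the new `if for_all and untrusted: continue` check can discard an entry that does name this host, because `for_all` and `for_this_host` are independent flags (the preceding `if not (for_all or for_this_host)` treats them as such, and `for_this_host = CurrentHost in hosts.split(',')` allows a host list containing several entries). If a host list can be both for-all and for-this-host at once (e.g. `*` together with `CurrentHost`), the skip runs before the `if for_this_host: break` and the explicitly added password is lost on the untrusted host, which is the opposite of the intent stated in the commit message. Suggest `if untrusted and for_all and not for_this_host: continue` so that only pure `*` entries are filtered.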
@@ -1004,7 +1007,7 @@
       userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
    sys.stdout.flush();
    grouprevmap = GenGroup(l,OutDir+"group");
-   GenShadowSudo(l, OutDir+"sudo-passwd")
+   GenShadowSudo(l, OutDir+"sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
 
    # Now we know who we're allowing on the machine, export
    # the relevant ssh keys
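Review bot: the call `GenShadowSudo(l, OutDir+"sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))` passes a condition that is true for two different host flags, `[UNTRUSTED]` and `[NOPASSWD]`, into a parameter named `untrusted`; a reader of the function sees only the first reason. Assign the expression to a local with a name that covers both cases (for example `no_sudo_wildcard_passwords`) before the call, and name the parameter accordingly, so the NOPASSWD rationale (a host where sudo asks for no password has no use for the exported hashes) is visible at the definition and not only at this call site.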
