[Da-tools-commits] ./debian/userdir-ldap r469: ud-generate: do not export sudopassword to untrusted or nopasswd hosts, unless the password is explicitly added for this host and not just for '*'
Peter Palfrader
peter at palfrader.org
Fri Oct 3 11:25:43 UTC 2008
------------------------------------------------------------
revno: 469
committer: Peter Palfrader <peter at palfrader.org>
branch nick: userdir-ldap
timestamp: Fri 2008-10-03 13:25:43 +0200
message:
ud-generate: do not export sudopassword to untrusted or nopasswd hosts, unless the password is explicitly added for this host and not just for '*'
modified:
debian/changelog
ud-generate
-------------- next part --------------
=== modified file 'debian/changelog'
--- a/debian/changelog 2008-09-26 12:21:52 +0000
+++ b/debian/changelog 2008-10-03 11:25:43 +0000
@@ -1,9 +1,11 @@
-userdir-ldap (0.3.XX) unstable; urgency=low
+userdir-ldap (0.3.44) unstable; urgency=low
* ud-mailgate: Do not support del requests for sshDSAAuthKey - there is no
such attribute.
+ * ud-generate: do not export sudopassword to untrusted or nopasswd hosts,
+ unless the password is explicitly added for this host and not just for '*'.
- -- Peter Palfrader <weasel at debian.org> Fri, 26 Sep 2008 14:21:26 +0200
+ -- Peter Palfrader <weasel at debian.org> Fri, 03 Oct 2008 13:23:22 +0200
userdir-ldap (0.3.43) unstable; urgency=low
=== modified file 'ud-generate'
--- a/ud-generate 2008-10-03 11:20:29 +0000
+++ b/ud-generate 2008-10-03 11:25:43 +0000
@@ -203,7 +203,7 @@
Done(File,None,F);
# Generate the sudo passwd file
-def GenShadowSudo(l,File):
+def GenShadowSudo(l,File, untrusted):
F = None;
try:
OldMask = os.umask(0077);
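Review bot: The new `untrusted` argument in `def GenShadowSudo(l,File, untrusted):` is required, undocumented, and named more narrowly than it is used: the caller further down sets it for `[NOPASSWD]` hosts as well as `[UNTRUSTED]` ones. A one-line comment above the def stating that a true value suppresses '*' sudo passwords, and a name that reflects that effect, would keep a later reader from assuming it only covers untrusted hosts. Because the parameter has no default, any caller not updated in this patch will fail with a TypeError; only one call site is visible here.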
@@ -236,6 +236,9 @@
for_this_host = CurrentHost in hosts.split(',')
if not (for_all or for_this_host):
continue
+ # ignore * passwords for untrusted hosts, but copy host specific passwords
+ if for_all and untrusted:
+ continue
Pass = cryptedpass
if for_this_host: # this makes sure we take a per-host entry over the for-all entry
break
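Review bot: The added check `if for_all and untrusted:` keys on `for_all` rather than on the absence of a host match, so an entry for which both `for_all` and `for_this_host` are true would be skipped on an untrusted host even though it names the host. How `for_all` is computed is outside this hunk; if the two flags can overlap, `if untrusted and not for_this_host:` states the intent from the commit message directly. The comment above the check should also mention nopasswd hosts, since the flag is set for those too.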
@@ -1004,7 +1007,7 @@
userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
sys.stdout.flush();
grouprevmap = GenGroup(l,OutDir+"group");
- GenShadowSudo(l, OutDir+"sudo-passwd")
+ GenShadowSudo(l, OutDir+"sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
# Now we know who we're allowing on the machine, export
# the relevant ssh keys
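Review bot: The third argument to `GenShadowSudo(l, OutDir+"sudo-passwd", ...)` computes the host policy inline from two `ExtraList.has_key(...)` lookups, which buries the decision about which hosts receive '*' sudo passwords inside an argument list. Assigning the result to a named local on the line before the call, with a short comment that `[UNTRUSTED]` and `[NOPASSWD]` hosts only get host-specific sudo passwords, would make the rule easier to audit and to reuse if another generator needs the same distinction.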