authorEugeni Dodonov <eugeni@mandriva.org>2010-04-07 19:31:41 +0000
committerEugeni Dodonov <eugeni@mandriva.org>2010-04-07 19:31:41 +0000
commit7e6b498905ced17a46f47131c15882795219ea89 (patch)
tree1e9ca227c03e2a2b4cddef6aae8f65297a448301 /src
parent1fc6a3dd659cee5ca38fca27f24d06998562d356 (diff)
downloadmsec-7e6b498905ced17a46f47131c15882795219ea89.tar
msec-7e6b498905ced17a46f47131c15882795219ea89.tar.gz
msec-7e6b498905ced17a46f47131c15882795219ea89.tar.bz2
msec-7e6b498905ced17a46f47131c15882795219ea89.tar.xz
msec-7e6b498905ced17a46f47131c15882795219ea89.zip
Add support for ACL (based on patch from Tiago Marques
<tiago.marques@caixamagica.pt>, #58640)
Diffstat (limited to 'src')
-rw-r--r--src/msec/config.py15
-rwxr-xr-xsrc/msec/libmsec.py33
-rwxr-xr-xsrc/msec/msecgui.py56
3 files changed, 81 insertions, 23 deletions
diff --git a/src/msec/config.py b/src/msec/config.py
index b5b1ace..2fe0050 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -393,7 +393,7 @@ class PermConfig(MsecConfig):
self.options_order = []
self.comments = []
self.log = log
- self.regexp = re.compile("^([^\s]*)\s*([a-z]*)\.([a-z]*)\s*([\d]?\d\d\d|current)\s*(force)?$")
+ self.regexp = re.compile("^([^\s]*)\s*([a-z]*)\.([a-z]*)\s*([\d]?\d\d\d|current)\s*(force)?\s?([^\s]*)$")
def merge(self, newconfig, overwrite=False):
"""Merges parameters from newconfig to current config"""
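Review bot: The new trailing group is separated by `\s?`, so a line with two spaces or tabs between the `force` keyword (or the permission field) and the ACL field no longer matches at all and is skipped silently by the loader rather than rejected. Because the writer in this same file emits a single tab, only hand-edited permission files are affected, but the rest of the pattern tolerates arbitrary whitespace between fields and this separator should too. Consider `"^([^\s]*)\s*([a-z]*)\.([a-z]*)\s*([\d]?\d\d\d|current)\s*(force)?\s*([^\s]*)$"`. `__init__` continues outside the hunk.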
@@ -433,12 +433,9 @@ class PermConfig(MsecConfig):
try:
res = self.regexp.findall(line)
if res:
- if len(res[0]) == 5:
- file, user, group, perm, force = res[0]
- else:
- force = None
- file, user, group, perm = res[0]
- self.options[file] = (user, group, perm, force)
+ if len(res[0]) == 6:
+ file, user, group, perm, force, acl = res[0]
+ self.options[file] = (user, group, perm, force, acl)
self.options_order.append(file)
except:
traceback.print_exc()
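Review bot: The `len(res[0]) == 6` test on the new line is always true, since the compiled pattern has exactly six groups and `findall` can only return six-tuples, and in the (unreachable) other case the entry is now dropped without any message where the old code had a 4/5-field fallback. Either remove the test or give it an explicit `else: self.log.error(...)` so a malformed line is reported rather than ignored; a five-field line without an ACL still parses, with `acl` set to the empty string. The bare `except:` around the match predates this change. The enclosing load method starts and ends outside the hunk.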
@@ -484,11 +481,11 @@ class PermConfig(MsecConfig):
if not value:
# the option was removed
continue
- user, group, perm, force = value
+ user, group, perm, force, acl = self.options[file]
if force:
force = "\tforce"
else:
force = ""
- print >>fd, "%s\t%s.%s\t%s%s" % (file, user, group, perm, force)
+ print >>fd, "%s\t%s.%s\t%s%s\t%s" % (file, user, group, perm, force, acl)
return True
# }}}
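Review bot: The new unpacking reads `self.options[file]` while the `if not value` guard just above still tests `value`; if those are the same object this is only an inconsistency, but if `value` comes from elsewhere the guard no longer protects the unpack, so one name should be used for both. Also, the format string appends `\t%s` unconditionally, so every entry without an ACL now ends in a trailing tab; `"%s\t%s.%s\t%s%s%s" % (file, user, group, perm, force, acl and "\t" + acl)` keeps the old output for such lines. The enclosing save method starts outside the hunk.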
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index bcd7e7b..f43ee4c 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
@@ -861,7 +861,7 @@ class PERMS:
self.log.info(config.MODIFICATIONS_NOT_FOUND)
for file in self.files:
- newperm, newuser, newgroup, force = self.files[file]
+ newperm, newuser, newgroup, force, newacl = self.files[file]
# are we in enforcing mode?
if enforce:
force = True
@@ -896,13 +896,35 @@ class PERMS:
else:
self.log.warn(_("Wrong permissions of %s: should be %o") % (file, newperm))
+ if newacl != None:
+ if force and really_commit:
+ self.log.warn(_("Enforcing acl on %s") % (file))
+ try:
+ # TODO: only change ACL if it differs from actual
+ # TODO: and use python code instead of os.system
+ os.system('setfacl -b %s' % (file))
+ users = newacl.split(",")
+ for acluser in users :
+ if acluser.split(":")[0] == "": # clean root from list
+ print acluser
+ continue
+ # make the acl rule stick
+ ret = os.system('setfacl -m u:%s %s' % (acluser, file))
+ if ret != 0:
+ # problem setting setfacl
+ self.log.error(_("Unable to add filesystem-specific ACL %s to %s") % (acluser, file))
+ except:
+ self.log.error(_("Error changing acl on %s: %s") % (file, sys.exc_value))
+ else:
+ self.log.warn(_("Wrong acl of %s") % (file))
+
def check_perms(self, perms, files_to_check=[]):
'''Checks permissions for all entries in perms (PermConfig).
If files_to_check is specified, only the specified files are checked.'''
for file in perms.list_options():
- user_s, group_s, perm_s, force = perms.get(file)
+ user_s, group_s, perm_s, force, acl = perms.get(file)
# permission
if perm_s == 'current':
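Review bot: Both new `os.system` calls build a shell command line from `file` and `acluser`, which come straight from the permissions config (and, through msecgui, from a free-text entry); a path or ACL entry containing shell metacharacters or whitespace is therefore interpreted by the shell, and this code runs with msec's root privileges. Pass argument lists to `subprocess.call` instead so both values reach `setfacl` verbatim (this needs `import subprocess` at the top of libmsec.py, which is outside the hunk). Note also that `setfacl -b` wipes the file's existing ACL before any `-m` is attempted, so a single failing entry leaves the file with no ACL at all, and the `print acluser` on the skipped-entry branch is a leftover debug statement writing to stdout. The `u:` prefix is hard-coded, so only user entries can ever be expressed and the skip comment `# clean root from list` does not describe the `split(":")[0] == ""` test it labels. The enclosing method starts outside the hunk.
```python
# … unchanged: `if newacl != None:` / `if force and really_commit:` / warn / try: …
# argument lists: file names and ACL specs reach setfacl verbatim,
# never through a shell
if subprocess.call(['setfacl', '-b', file]) != 0:
    self.log.error(_("Error changing acl on %s: %s") % (file, "setfacl -b failed"))
for acluser in newacl.split(","):
    if acluser.split(":")[0] == "":  # skip entries with an empty user part
        continue
    # make the acl rule stick
    ret = subprocess.call(['setfacl', '-m', 'u:%s' % acluser, file])
    if ret != 0:
        self.log.error(_("Unable to add filesystem-specific ACL %s to %s") % (acluser, file))
# … unchanged: except / else branches …
```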
@@ -962,14 +984,17 @@ class PERMS:
newperm = None
newuser = None
newgroup = None
+ newacl = None
if perm != -1 and perm != curperm:
newperm = perm
if user != -1 and user != curuser:
newuser = user
if group != -1 and group != curgroup:
newgroup = group
- if newperm != None or newuser != None or newgroup != None:
- self.files[f] = (newperm, newuser, newgroup, force)
+ if acl != "":
+ newacl = acl
+ if newperm != None or newuser != None or newgroup != None or newacl != None:
+ self.files[f] = (newperm, newuser, newgroup, force, newacl)
self.log.debug("Updating %s (matched by '%s')" % (f, file))
else:
# see if any other rule put this file into the list
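Review bot: `newacl = acl` is set whenever the rule carries a non-empty ACL, with no comparison against the ACL currently on the file, so every such file is put into `self.files` on every run and reported as "Wrong acl" (or re-applied in enforce mode) even when nothing changed; the TODO in the earlier libmsec.py hunk acknowledges this. Until a real comparison exists the behaviour should be stated where the flag is set, e.g. `# NOTE: the on-disk ACL is not read, so any rule with an ACL is always flagged (and re-applied when enforcing)`. The enclosing method starts and ends outside the hunk.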
diff --git a/src/msec/msecgui.py b/src/msec/msecgui.py
index 643bbfb..aa69dc7 100755
--- a/src/msec/msecgui.py
+++ b/src/msec/msecgui.py
@@ -109,7 +109,7 @@ class MsecGui:
# common columns
(COLUMN_LEVEL, COLUMN_LEVEL_DESCR, COLUMN_LEVEL_CURRENT) = range(3)
(COLUMN_OPTION, COLUMN_DESCR, COLUMN_VALUE, COLUMN_CUSTOM) = range(4)
- (COLUMN_PATH, COLUMN_USER, COLUMN_GROUP, COLUMN_PERM, COLUMN_FORCE) = range(5)
+ (COLUMN_PATH, COLUMN_USER, COLUMN_GROUP, COLUMN_PERM, COLUMN_FORCE, COLUMN_ACL) = range(6)
(COLUMN_EXCEPTION, COLUMN_EXCEPTION_VALUE, COLUMN_POS) = range(3)
def __init__(self, log, msec, perms, msecconfig, permconfig, exceptions, embed=None):
@@ -1084,7 +1084,8 @@ class MsecGui:
gobject.TYPE_STRING,
gobject.TYPE_STRING,
gobject.TYPE_STRING,
- gobject.TYPE_BOOLEAN)
+ gobject.TYPE_BOOLEAN,
+ gobject.TYPE_STRING)
# treeview
treeview = gtk.TreeView(lstore)
@@ -1130,10 +1131,16 @@ class MsecGui:
column.set_expand(True)
treeview.append_column(column)
+ # column for Acl
+ column = gtk.TreeViewColumn(_('Acl'), gtk.CellRendererText(), text=self.COLUMN_ACL)
+ column.set_sort_column_id(self.COLUMN_ACL)
+ column.set_expand(True)
+ treeview.append_column(column)
+
sw.add(treeview)
for file in self.permconfig.list_options():
- user_s, group_s, perm_s, force = self.permconfig.get(file)
+ user_s, group_s, perm_s, force, acl = self.permconfig.get(file)
# convert to boolean
if force:
@@ -1149,6 +1156,7 @@ class MsecGui:
self.COLUMN_GROUP, group_s,
self.COLUMN_PERM, perm_s,
self.COLUMN_FORCE, force,
+ self.COLUMN_ACL, acl,
)
vbox.pack_start(sw)
self.current_options_view[id] = (lstore, self.permconfig)
@@ -1199,7 +1207,7 @@ class MsecGui:
else:
defperms = self.perm_defaults[level]
for file in defperms.list_options():
- user_s, group_s, perm_s, force_s = defperms.get(file)
+ user_s, group_s, perm_s, force_s, acls = defperms.get(file)
# convert to boolean
if force_s:
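Review bot: The new name `acls` here, and again in the next hunk (`self.COLUMN_ACL, acls` and the `permconfig.set(...)` tuple), differs from `acl` used for the same tuple field in every other hunk of this commit. Using `acl` throughout makes the five-tuple layout easier to grep for and to keep consistent with config.py and libmsec.py. The enclosing method starts and ends outside the hunk.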
@@ -1215,9 +1223,10 @@ class MsecGui:
self.COLUMN_GROUP, group_s,
self.COLUMN_PERM, perm_s,
self.COLUMN_FORCE, force_val,
+ self.COLUMN_ACL, acls,
)
# changing back force value
- self.permconfig.set(file, (user_s, group_s, perm_s, force_s))
+ self.permconfig.set(file, (user_s, group_s, perm_s, force_s, acls))
def remove_exception(self, widget, treeview):
"""Removes an exception from list"""
@@ -1248,7 +1257,7 @@ class MsecGui:
file = model.get_value(iter, self.COLUMN_PATH)
fixed = model.get_value(iter, self.COLUMN_FORCE)
- user, group, perm, force = self.permconfig.get(file)
+ user, group, perm, force, acl = self.permconfig.get(file)
# do something with the value
fixed = not fixed
@@ -1259,7 +1268,7 @@ class MsecGui:
force = "force"
else:
force = ""
- self.permconfig.set(file, (user, group, perm, force))
+ self.permconfig.set(file, (user, group, perm, force, acl))
def add_permission_check(self, widget, model):
"""Adds a permission check"""
@@ -1345,6 +1354,7 @@ class MsecGui:
group = model.get_value(iter, self.COLUMN_GROUP)
perm = model.get_value(iter, self.COLUMN_PERM)
force = model.get_value(iter, self.COLUMN_FORCE)
+ acl = model.get_value(iter, self.COLUMN_ACL)
title = _("Changing permissions for %s") % file
else:
file = ""
@@ -1352,6 +1362,7 @@ class MsecGui:
group = ""
perm = ""
force = ""
+ acl = ""
title = _("Adding new permission check")
if not force:
@@ -1364,10 +1375,10 @@ class MsecGui:
self.window, 0,
(gtk.STOCK_OK, gtk.RESPONSE_OK,
gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL))
- label = gtk.Label(_("Changing permissions on <b>%s</b>\nPlease specify new permissions, or use 'current' to keep current permissions.\n") % (file or _("new file")))
+ label = gtk.Label(_("Changing permissions on <b>%s</b>") % (file or _("new file")))
label.set_line_wrap(True)
label.set_use_markup(True)
- dialog.vbox.pack_start(label, False, False)
+ dialog.vbox.pack_start(label, False, False, padding=5)
if not path:
# file
@@ -1378,6 +1389,11 @@ class MsecGui:
hbox.pack_start(entry_file)
dialog.vbox.pack_start(hbox, False, False)
+ label = gtk.Label(_("Please specify new file owner and permissions, or use 'current' to keep current settings."))
+ label.set_line_wrap(True)
+ label.set_use_markup(True)
+ dialog.vbox.pack_start(label, False, False, padding=5)
+
# user
hbox = gtk.HBox()
hbox.pack_start(gtk.Label(_("User: ")))
@@ -1402,6 +1418,19 @@ class MsecGui:
hbox.pack_start(entry_perm)
dialog.vbox.pack_start(hbox, False, False)
+ label = gtk.Label(_("To enforce additional ACL on file, specify them in the following format:\nuser1:acl,user2:acl\nRefer to 'man setfacl' for details."))
+ label.set_line_wrap(True)
+ label.set_use_markup(True)
+ dialog.vbox.pack_start(label, False, False, padding=5)
+
+ # acl
+ hbox = gtk.HBox()
+ hbox.pack_start(gtk.Label(_("ACL: ")))
+ entry_acl = gtk.Entry()
+ entry_acl.set_text(acl)
+ hbox.pack_start(entry_acl)
+ dialog.vbox.pack_start(hbox, False, False)
+
dialog.show_all()
response = dialog.run()
if response != gtk.RESPONSE_OK:
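Review bot: The help label added here tells the user to write entries as `user1:acl,user2:acl` and to consult `man setfacl`, but the enforcing code in the libmsec.py hunk prefixes every entry with `u:` itself, so a user following the manual and typing `u:alice:rw` or a group entry `g:admins:r` ends up with `u:u:alice:rw`, which setfacl rejects at enforcement time with no feedback in the dialog. The label should state the exact accepted form instead of deferring to the manual, e.g. `_("To enforce additional ACL on file, list user entries as username:perms separated by commas, e.g. alice:rw,bob:r")`. The enclosing method starts and ends outside the hunk.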
@@ -1415,9 +1444,14 @@ class MsecGui:
newuser = entry_user.get_text()
newgroup = entry_group.get_text()
newperm = entry_perm.get_text()
+ newacl = entry_acl.get_text()
dialog.destroy()
- self.permconfig.set(newfile, (newuser, newgroup, newperm, force))
+ # if acl is specified, the permissions will be enforced
+ if newacl != "":
+ force = "force"
+
+ self.permconfig.set(newfile, (newuser, newgroup, newperm, force, newacl))
if not path:
# adding new entry
iter = model.append()
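Review bot: `newacl` is stored exactly as typed, with no validation: the config writer places it on a whitespace-delimited line and the loader's pattern ends in `([^\s]*)$`, so an entry containing a space is written out fine but makes the whole line unparseable on the next load, silently dropping the rule. At minimum strip it and refuse text containing whitespace, `newacl = entry_acl.get_text().strip()` followed by a check such as `if any(c.isspace() for c in newacl): report and return`. Setting `force = "force"` whenever an ACL is given is a behaviour change worth a why-comment, since a file whose permissions were only being audited is now modified once an ACL is added. The enclosing method starts outside the hunk.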
@@ -1425,6 +1459,8 @@ class MsecGui:
model.set(iter, self.COLUMN_USER, newuser)
model.set(iter, self.COLUMN_GROUP, newgroup)
model.set(iter, self.COLUMN_PERM, newperm)
+ model.set(iter, self.COLUMN_FORCE, True if force == "force" else False)
+ model.set(iter, self.COLUMN_ACL, newacl)
def option_changed(self, treeview, path, col, model):
"""Processes an option change"""