aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorEugeni Dodonov <eugeni@mandriva.org>2010-02-23 01:01:49 +0000
committerEugeni Dodonov <eugeni@mandriva.org>2010-02-23 01:01:49 +0000
commitcba5c58e0ae694a5d63e7529d5226b711d612b9c (patch)
tree4ee6469069642be2f6d29255230f6fb06de70cee /src
parentb8c70aeed2952e8c24414b278b0290e191371a72 (diff)
downloadmsec-cba5c58e0ae694a5d63e7529d5226b711d612b9c.tar
msec-cba5c58e0ae694a5d63e7529d5226b711d612b9c.tar.gz
msec-cba5c58e0ae694a5d63e7529d5226b711d612b9c.tar.bz2
msec-cba5c58e0ae694a5d63e7529d5226b711d612b9c.tar.xz
msec-cba5c58e0ae694a5d63e7529d5226b711d612b9c.zip
added sudo plugin
Diffstat (limited to 'src')
-rw-r--r--src/msec/plugins/sudo.py58
1 files changed, 58 insertions, 0 deletions
diff --git a/src/msec/plugins/sudo.py b/src/msec/plugins/sudo.py
new file mode 100644
index 0000000..f90cf5b
--- /dev/null
+++ b/src/msec/plugins/sudo.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+"""Msec plugin for sudo"""
+
+# main plugin class name
+PLUGIN = "sudo"
+
+import os
+import re
+import gettext
+import sys
+
+# configuration
+import config
+
+# localization
+try:
+ gettext.install('msec')
+except IOError:
+ _ = str
+
+class sudo:
+ SUDOERS="/etc/sudoers"
+ SUDO_WHEEL_MATCH = re.compile("^\s*%wheel\s+ALL\s*=\s*\(ALL\)\s+(NOPASSWD:)?\s*ALL")
+ SUDO_WHEEL = "%wheel\tALL=(ALL)\tALL"
+ SUDO_WHEEL_NO_PASSWORD="%wheel\tALL=(ALL)\tNOPASSWD: ALL"
+ def __init__(self, log=None, configfiles=None, root=None):
+ """This plugin provides support for configuring sudo settings"""
+ # initializing plugin
+ self.log = log
+ self.configfiles = configfiles
+ self.root = root
+
+ config.SETTINGS['ALLOW_SUDO_TO_WHEEL'] = ("sudo.allow_sudo_to_wheel", ["yes", "without-password", "no"])
+
+ config.SETTINGS_SYSTEM.extend(['ALLOW_SUDO_TO_WHEEL'])
+
+ # defining additional packages that should be installed
+ config.REQUIRE_PACKAGES['ALLOW_SUDO_TO_WHEEL'] = (['yes', 'without-password'], ['sudo'])
+
+ def allow_sudo_to_wheel(self, param):
+ """Allow users in wheel group to use sudo. If this option is set to 'yes', the users in wheel group are allowed to use sudo and run commands as root by using their passwords. If this option to set to 'without-password', the users can use sudo without being asked for their password. WARNING: using sudo without any password makes your system very vulnerable, and you should only use this setting if you know what you are doing!"""
+ sudoers = self.configfiles.get_config_file(self.SUDOERS)
+ val = sudoers.get_match(self.SUDO_WHEEL_MATCH)
+
+ if param != val:
+ if param == "yes":
+ if val and val.find('NOPASSWD:') < 0:
+ return
+ self.log.info(_("Allowing users in wheel group to use sudo"))
+ sudoers.replace_line_matching(self.SUDO_WHEEL_MATCH, self.SUDO_WHEEL, at_end_if_not_found=1)
+ elif param == "without-password":
+ if val and val.find('NOPASSWD:') >= 0:
+ return
+ self.log.info(_("Allowing users in wheel group to use sudo without password"))
+ sudoers.replace_line_matching(self.SUDO_WHEEL_MATCH, self.SUDO_WHEEL_NO_PASSWORD, at_end_if_not_found=1)
+ else:
+ self.log.info(_("Not allowing users in wheel group to use sudo"))
+ sudoers.remove_line_matching(self.SUDO_WHEEL_MATCH)