authorFrédéric Buclin <LpSolit@netscape.net>2017-03-11 17:16:08 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2017-03-13 16:51:07 +0100
commit53b16d4a8286033edd1a9532a88a5bb2ef35b8ae (patch)
tree9d695732411ad1b209da9a418643bb4c1b8e6e4f
parent31585b2a413e0d4e385bcc1209609f708377ad06 (diff)
Correctly set permissions on the home directory when creating a new user (mga#618)
-rw-r--r--NEWS3
-rw-r--r--USER/USER.xs5
-rwxr-xr-xuserdrake105
3 files changed, 81 insertions, 32 deletions
diff --git a/NEWS b/NEWS
index 3f990bd..537816a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,6 @@
+- Correctly set permissions on the home directory
+ when creating a new user (mga#618)
+
Version 2.14 - 24 February 2017
- Do not encrypt the empty password (mga#19318)
diff --git a/USER/USER.xs b/USER/USER.xs
index 086580b..ff9fc41 100644
--- a/USER/USER.xs
+++ b/USER/USER.xs
@@ -67,11 +67,12 @@ Admin_DESTROY(self)
if (self) lu_end(self);
int
-Admin_UserAdd(self, ent, is_system, dont_create_home)
+Admin_UserAdd(self, ent, is_system, dont_create_home, homePermissions)
USER::ADMIN *self
USER::ENT *ent
int is_system
int dont_create_home
+ short homePermissions
CODE:
USER__ERR *error = NULL;
long uidNumber, gidNumber;
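Review bot: Adding `homePermissions` as a required positional parameter changes the XSUB's arity, and xsubpp-generated glue croaks with a usage error when the argument count does not match, so any remaining three-argument `UserAdd` call dies at runtime rather than falling back to the old 0700 behaviour. The diff updates the call in userdrake, but if other callers of this module exist they either need the same change or the parameter should carry the previous default in the XS signature, `short homePermissions = 0700`. It would also be prudent to keep only permission bits before handing the value to lu_homedir_populate in the second hunk, `homePermissions & 0777`, so a caller cannot set setuid/setgid/sticky bits on a freshly created home. The body of Admin_UserAdd continues outside this hunk.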
@@ -114,7 +115,7 @@ Admin_UserAdd(self, ent, is_system, dont_create_home)
homeDirectory = g_value_get_string(value);
if (lu_homedir_populate(self, skeleton, homeDirectory,
- uidNumber, gidNumber, 0700,
+ uidNumber, gidNumber, homePermissions,
&error) == 0) {
warn(_("Error creating `%s': %s"), homeDirectory, error ? error->string : "unknown error");
RETVAL = 2;
diff --git a/userdrake b/userdrake
index 08c36b3..2274013 100755
--- a/userdrake
+++ b/userdrake
@@ -44,7 +44,6 @@ use log;
$ugtk3::wm_icon = "userdrake";
my $conffile = '/etc/sysconfig/userdrake';
-my $secfile = '/etc/security/msec/security.conf';
my $pixdir = '/usr/share/userdrake/pixmaps/';
my @pix = ($pixdir . 'selected.png', $pixdir . 'unselected.png');
@@ -76,7 +75,6 @@ my $error = 0;
my $GetValue = -65533;
my $stringsearch = '';
my %prefs = getVarsFromSh($conffile);
-my %sec = getVarsFromSh($secfile);
my $sysfilter = text2bool($prefs{FILTER});
sub HelpSystem() { run_program::raw({ detach => 1 }, 'drakhelp', '--id', 'userdrake') }
@@ -255,50 +253,90 @@ undef $window_splash;
$us->{wnd}->main;
ugtk3->exit(0);
-#=============================================================
+=head1 NAME
-=head2 weakPasswordForSecurityLevel
+userdrake - Mageia Users Management Tool
-=head3 INPUT
+=head1 SYNOPSIS
- $passwd: password to check
+ userdrake
+ drakuser (alias to userdrake)
-=head3 OUTPUT
+=head1 DESCRIPTION
- 1: if the password is too weak for security level
+This script manages user accounts for your Mageia installation.
+It requires the root password.
-=head3 DESCRIPTION
+=head1 FUNCTIONS
- Check the security level set if /etc/security/msec/security.conf
- exists and the level is not 'standard' and if the password
- is not at least 6 characters return true
+=over
- NOTE this function has been ported from ManaTools::Shared::Users
+=item C<get_params($file, @parameters)>
-=cut
+This function parses and returns data from a text file in the format:
-#=============================================================
-sub weakPasswordForSecurityLevel {
- my ($password) = shift;
+ # Parameters and values are separated by whitespaces.
+ PARAMETER1 VALUE1
+ PARAMETER2 VALUE2
+ ...
- if (-e $secfile) {
- my $level = $sec{BASE_LEVEL};
- if ($level eq 'none' or $level eq 'standard') {
- return 0;
- }
- elsif (length($password) < 6) {
- return 1;
- }
- }
+or
- return 0;
-}
+ # Parameters and values are separated by the '=' symbol.
+ PARAMETER1=VALUE1
+ PARAMETER2=VALUE2
+ ...
+
+It is somehow similar to L<MDK::Common::System::getVarsFromSh> except that
+get_params() is also able to parse files where whitespaces are used as separator.
+Maybe one day both functions will be merged.
+
+ Params: $file - The name of the text file to parse.
+ @parameters - The list of parameters for which you want their value.
+
+ Returns: A hashref in the form { PARAMETER1 => VALUE1, PARAMETER2 => VALUE2, ... }.
+
+=item C<weakPasswordForSecurityLevel($passwd)>
+
+Make sure that the password is at least 6 characters long if the security level
+specified in /etc/security/msec/security.conf is higher than 'standard'.
+
+This function is based on ManaTools::Shared::Users
+
+ Params: $passwd - The password to check.
+ Returns: TRUE if the password is too weak for the current security level.
+ FALSE otherwise.
+
+=back
+=cut
sub is_xguest_installed() {
-e '/etc/security/namespace.d/xguest.conf';
}
+sub get_params {
+ my ($file, @parameters) = @_;
+ if (open(my $fh, '<', $file)) {
+ my @lines = <$fh>;
+ close $fh;
+ my $param_list = join('|', @parameters);
+ my %params = map { /^($param_list)\b(?:=|\s+)(.+)$/; $1 => $2 } grep {/^(?:$param_list)\b/} @lines;
+ return \%params;
+ }
+ return {};
+}
+
+sub weakPasswordForSecurityLevel {
+ my $password = shift;
+ my $level = get_params('/etc/security/msec/security.conf', qw(BASE_LEVEL))->{BASE_LEVEL};
+
+ if (!$level || $level eq 'none' || $level eq 'standard' || length($password) >= 6) {
+ return 0;
+ }
+ return 1;
+}
+
sub GrayDelEdit() {
foreach ($tbedit, $tbdel, $buttorcheck{edit}, $buttorcheck{delete}) {
defined $_ and $_->set_sensitive(0);
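Review bot: In `get_params` the `map` block uses `$1`/`$2` without checking that the match succeeded, so a line that passes the `grep` prefix test but fails the full regex (e.g. `UMASK` with no value, or `BASE_LEVEL=` with an empty value) reuses the captures from the previous successful match and can attribute one parameter's value to another; `my %params = map { /^($param_list)\b(?:=|\s+)(.+)$/ ? ($1 => $2) : () } @lines;` avoids both the stale captures and the separate `grep`. The `@parameters` are also interpolated into the pattern unescaped, so building `$param_list` from `map { quotemeta } @parameters` would keep a caller-supplied name with regex metacharacters from altering the match, and `(.+)$` keeps any trailing whitespace or inline comment as part of the value, which matters when the caller feeds it to `oct` as AddUser does in the later hunk. In the new POD, `=back` is immediately followed by `=cut` with no blank line between them and none before `sub is_xguest_installed`, which podchecker will flag even though perl itself compiles it.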
@@ -454,7 +492,10 @@ sub GetFaceIcon {
sub AddUser() {
my $w = NewWindow(N("Create New User"));
- my $dontcreatehomedir = 0; my $is_system = 0;
+ my $dontcreatehomedir = 0;
+ # Be restrictive by default, and use umask if known.
+ my $homedir_perms = 0700;
+ my $is_system = 0;
my %u;
gtkpack_($w->get_child,
0, BuildUui(),
@@ -497,6 +538,10 @@ sub AddUser() {
$dontcreatehomedir = 0;
$u{homedir} = $us->{o}{homedir}->get_text;
$userEnt and $userEnt->HomeDir($u{homedir});
+ # Correctly set permissions on the home directory.
+ if (my $umask = get_params('/etc/login.defs', qw(UMASK))->{UMASK}) {
+ $homedir_perms = 0777 &~ oct($umask);
+ }
} else {
$dontcreatehomedir = 1;
}
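Review bot: `oct($umask)` is applied to an unvalidated string read from /etc/login.defs, and since `oct` returns 0 for a value it cannot parse, a malformed or commented `UMASK` entry turns `0777 &~ 0` into 0777 and creates a world-accessible home directory, the opposite of the "restrictive by default" intent stated in the previous hunk. Guard the value before using it, for example `$homedir_perms = 0777 & ~oct($umask) if $umask =~ /\A[0-7]{3,4}\z/;` in place of the current assignment, so that anything unexpected keeps the 0700 default. Writing the operator as `& ~` rather than `&~` also makes it clear that this is a bitwise AND with a complement and not a single operator. The enclosing AddUser function starts and ends outside this hunk.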
@@ -540,7 +585,7 @@ sub AddUser() {
$userEnt->Gid($u{gid});
$userEnt->ShadowMin(-1); $userEnt->ShadowMax(99999);
$userEnt->ShadowWarn(-1); $userEnt->ShadowInact(-1);
- $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir);
+ $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir, $homedir_perms);
$ctx->UserSetPass($userEnt, $u{passwd});
defined $us->{o}{iconval} and
any::addKdmIcon($u{username}, $us->{o}{iconval});