diff options
author | Frédéric Buclin <LpSolit@netscape.net> | 2017-03-11 17:16:08 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2017-03-13 16:51:07 +0100 |
commit | 53b16d4a8286033edd1a9532a88a5bb2ef35b8ae (patch) | |
tree | 9d695732411ad1b209da9a418643bb4c1b8e6e4f | |
parent | 31585b2a413e0d4e385bcc1209609f708377ad06 (diff) | |
download | userdrake-53b16d4a8286033edd1a9532a88a5bb2ef35b8ae.tar userdrake-53b16d4a8286033edd1a9532a88a5bb2ef35b8ae.tar.gz userdrake-53b16d4a8286033edd1a9532a88a5bb2ef35b8ae.tar.bz2 userdrake-53b16d4a8286033edd1a9532a88a5bb2ef35b8ae.tar.xz userdrake-53b16d4a8286033edd1a9532a88a5bb2ef35b8ae.zip |
Correctly set permissions on the home directory when creating a new user (mga#618)
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | USER/USER.xs | 5 | ||||
-rwxr-xr-x | userdrake | 105 |
3 files changed, 81 insertions, 32 deletions
@@ -1,3 +1,6 @@ +- Correctly set permissions on the home directory + when creating a new user (mga#618) + Version 2.14 - 24 February 2017 - Do not encrypt the empty password (mga#19318) diff --git a/USER/USER.xs b/USER/USER.xs index 086580b..ff9fc41 100644 --- a/USER/USER.xs +++ b/USER/USER.xs @@ -67,11 +67,12 @@ Admin_DESTROY(self) if (self) lu_end(self); int -Admin_UserAdd(self, ent, is_system, dont_create_home) +Admin_UserAdd(self, ent, is_system, dont_create_home, homePermissions) USER::ADMIN *self USER::ENT *ent int is_system int dont_create_home + short homePermissions CODE: USER__ERR *error = NULL; long uidNumber, gidNumber; @@ -114,7 +115,7 @@ Admin_UserAdd(self, ent, is_system, dont_create_home) homeDirectory = g_value_get_string(value); if (lu_homedir_populate(self, skeleton, homeDirectory, - uidNumber, gidNumber, 0700, + uidNumber, gidNumber, homePermissions, &error) == 0) { warn(_("Error creating `%s': %s"), homeDirectory, error ? error->string : "unknown error"); RETVAL = 2; @@ -44,7 +44,6 @@ use log; $ugtk3::wm_icon = "userdrake"; my $conffile = '/etc/sysconfig/userdrake'; -my $secfile = '/etc/security/msec/security.conf'; my $pixdir = '/usr/share/userdrake/pixmaps/'; my @pix = ($pixdir . 'selected.png', $pixdir . 'unselected.png'); @@ -76,7 +75,6 @@ my $error = 0; my $GetValue = -65533; my $stringsearch = ''; my %prefs = getVarsFromSh($conffile); -my %sec = getVarsFromSh($secfile); my $sysfilter = text2bool($prefs{FILTER}); sub HelpSystem() { run_program::raw({ detach => 1 }, 'drakhelp', '--id', 'userdrake') } @@ -255,50 +253,90 @@ undef $window_splash; $us->{wnd}->main; ugtk3->exit(0); -#============================================================= +=head1 NAME -=head2 weakPasswordForSecurityLevel +userdrake - Mageia Users Management Tool -=head3 INPUT +=head1 SYNOPSIS - $passwd: password to check + userdrake + drakuser (alias to userdrake) -=head3 OUTPUT +=head1 DESCRIPTION - 1: if the password is too weak for security level +This script manages user accounts for your Mageia installation. +It requires the root password. -=head3 DESCRIPTION +=head1 FUNCTIONS - Check the security level set if /etc/security/msec/security.conf - exists and the level is not 'standard' and if the password - is not at least 6 characters return true +=over - NOTE this function has been ported from ManaTools::Shared::Users +=item C<get_params($file, @parameters)> -=cut +This function parses and returns data from a text file in the format: -#============================================================= -sub weakPasswordForSecurityLevel { - my ($password) = shift; + # Parameters and values are separated by whitespaces. + PARAMETER1 VALUE1 + PARAMETER2 VALUE2 + ... - if (-e $secfile) { - my $level = $sec{BASE_LEVEL}; - if ($level eq 'none' or $level eq 'standard') { - return 0; - } - elsif (length($password) < 6) { - return 1; - } - } +or - return 0; -} + # Parameters and values are separated by the '=' symbol. + PARAMETER1=VALUE1 + PARAMETER2=VALUE2 + ... + +It is somehow similar to L<MDK::Common::System::getVarsFromSh> except that +get_params() is also able to parse files where whitespaces are used as separator. +Maybe one day both functions will be merged. + + Params: $file - The name of the text file to parse. + @parameters - The list of parameters for which you want their value. + + Returns: A hashref in the form { PARAMETER1 => VALUE1, PARAMETER2 => VALUE2, ... }. + +=item C<weakPasswordForSecurityLevel($passwd)> + +Make sure that the password is at least 6 characters long if the security level +specified in /etc/security/msec/security.conf is higher than 'standard'. + +This function is based on ManaTools::Shared::Users + + Params: $passwd - The password to check. + Returns: TRUE if the password is too weak for the current security level. + FALSE otherwise. + +=back +=cut sub is_xguest_installed() { -e '/etc/security/namespace.d/xguest.conf'; } +sub get_params { + my ($file, @parameters) = @_; + if (open(my $fh, '<', $file)) { + my @lines = <$fh>; + close $fh; + my $param_list = join('|', @parameters); + my %params = map { /^($param_list)\b(?:=|\s+)(.+)$/; $1 => $2 } grep {/^(?:$param_list)\b/} @lines; + return \%params; + } + return {}; +} + +sub weakPasswordForSecurityLevel { + my $password = shift; + my $level = get_params('/etc/security/msec/security.conf', qw(BASE_LEVEL))->{BASE_LEVEL}; + + if (!$level || $level eq 'none' || $level eq 'standard' || length($password) >= 6) { + return 0; + } + return 1; +} + sub GrayDelEdit() { foreach ($tbedit, $tbdel, $buttorcheck{edit}, $buttorcheck{delete}) { defined $_ and $_->set_sensitive(0); @@ -454,7 +492,10 @@ sub GetFaceIcon { sub AddUser() { my $w = NewWindow(N("Create New User")); - my $dontcreatehomedir = 0; my $is_system = 0; + my $dontcreatehomedir = 0; + # Be restrictive by default, and use umask if known. + my $homedir_perms = 0700; + my $is_system = 0; my %u; gtkpack_($w->get_child, 0, BuildUui(), @@ -497,6 +538,10 @@ sub AddUser() { $dontcreatehomedir = 0; $u{homedir} = $us->{o}{homedir}->get_text; $userEnt and $userEnt->HomeDir($u{homedir}); + # Correctly set permissions on the home directory. + if (my $umask = get_params('/etc/login.defs', qw(UMASK))->{UMASK}) { + $homedir_perms = 0777 &~ oct($umask); + } } else { $dontcreatehomedir = 1; } @@ -540,7 +585,7 @@ sub AddUser() { $userEnt->Gid($u{gid}); $userEnt->ShadowMin(-1); $userEnt->ShadowMax(99999); $userEnt->ShadowWarn(-1); $userEnt->ShadowInact(-1); - $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir); + $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir, $homedir_perms); $ctx->UserSetPass($userEnt, $u{passwd}); defined $us->{o}{iconval} and any::addKdmIcon($u{username}, $us->{o}{iconval}); |