global CurrentHost
PasswdAttrs = None
+DebianUsers = None
DisabledUsers = []
-RetiredUsers = []
GroupIDMap = {}
SubGroupMap = {}
Allowed = None
UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
EmailCheck = re.compile("^([^ <>@]+@[^ ,<>@]+)?$")
-BSMTPCheck = re.compile(".*mx 0 (gluck)\.debian\.org\..*",re.DOTALL)
-PurposeHostField = re.compile(r"\[\[([\*\-]?[a-z0-9.\-]*)(?:\|.*)?\]\]")
+BSMTPCheck = re.compile(".*mx 0 (gluck|master)\.debian\.org\..*",re.DOTALL)
+PurposeHostField = re.compile(r".*\[\[([\*\-]?[a-z0-9.\-]*)(?:\|.*)?\]\]")
DNSZone = ".debian.net"
Keyrings = ConfModule.sync_keyrings.split(":")
# We'll give them a few extra days over what we said
age = 6 * 31 * 24 * 60 * 60
try:
- if (time.time() - time.mktime(time.strptime(line[1], "%Y-%m-%d"))) > age:
- return True
+ return (time.time() - time.mktime(time.strptime(line[1], "%Y-%m-%d"))) > age
except IndexError:
return False
+ except ValueError:
+ return False
return False
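Review bot: The new `except ValueError` branch makes a malformed date in line[1] indistinguishable from "not retired", so an entry with a broken retirement date is silently kept active instead of being noticed and fixed; at minimum report it, e.g. `except ValueError: print "Unparseable retirement date:", line[1]` followed by `return False`, in the same style as the existing `print "Group", group, ...` diagnostic. Since both handlers return the same value they can also be merged into `except (IndexError, ValueError): return False`, which would let the trailing `return False` go — after the change every path inside the try returns, so that last line is unreachable. IsRetired's signature is above this hunk.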
+def IsGidDebian(x):
+ try:
+ return int(GetAttr(x, "gidNumber", 0)) == 800
+ except ValueError:
+ return False
+
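Review bot: IsGidDebian is not called anywhere in this commit — its only reference is the commented-out `#DebianUsers = filter(lambda x: IsGidDebian(x), PasswdAttrs)` in the main flow — so the helper is dead code as committed, and its handler only covers ValueError: if GetAttr can return None for a missing attribute (the diff does not show GetAttr's contract, nor whether its third argument is a default), `int(None)` raises TypeError and would propagate. Either catch `(ValueError, TypeError)` or add a comment stating the assumption, `# GetAttr returns the default when gidNumber is absent -- confirm`, so the next reader does not have to guess.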
# See if this user is in the group list
def IsInGroup(DnRecord):
- if Allowed == None:
- return 1
+ if Allowed is None:
+ return True
# See if the primary group is in the list
if Allowed.has_key(GetAttr(DnRecord, "gidNumber")) != 0:
- return 1
+ return True
# Check the host based ACL
if DnRecord[1].has_key("allowedHost") != 0:
- for I in DnRecord[1]["allowedHost"]:
- if CurrentHost == I:
- return 1
+ if CurrentHost in DnRecord[1]["allowedHost"]:
+ return True
# See if there are supplementary groups
if DnRecord[1].has_key("supplementaryGid") == 0:
- return 0
+ return False
supgroups=[]
addGroups(supgroups, DnRecord[1]["supplementaryGid"], GetAttr(DnRecord, "uid"))
for g in supgroups:
if Allowed.has_key(g):
- return 1
- return 0
+ return True
+ return False
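Review bot: The returns were converted to True/False but the membership tests in the same function still read `Allowed.has_key(GetAttr(DnRecord, "gidNumber")) != 0`, `DnRecord[1].has_key("allowedHost") != 0` and `DnRecord[1].has_key("supplementaryGid") == 0`, which mixes the two styles in one block. `if GetAttr(DnRecord, "gidNumber") in Allowed:`, `if "allowedHost" in DnRecord[1]:` and `if "supplementaryGid" not in DnRecord[1]:` are equivalent on the dicts used here and match the `CurrentHost in DnRecord[1]["allowedHost"]` test the commit introduces.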
def Die(File, F, Fdb):
if F != None:
os.rename(File + ".tdb.tmp", File + ".tdb")
# Generate the password list
-def GenPasswd(l, File, HomePrefix, PwdMarker):
+def GenPasswd(File, HomePrefix, PwdMarker):
F = None
try:
F = open(File + ".tdb.tmp", "w")
I = 0
for x in PasswdAttrs:
- if x[1].has_key("uidNumber") == 0 or IsInGroup(x) == 0:
+ if x[1].has_key("uidNumber") == 0 or not IsInGroup(x):
continue
# Do not let people try to buffer overflow some busted passwd parser.
return userlist
# Generate the shadow list
-def GenShadow(l, File):
+def GenShadow(File):
F = None
try:
OldMask = os.umask(0077)
I = 0
for x in PasswdAttrs:
- if x[1].has_key("uidNumber") == 0 or IsInGroup(x) == 0:
+ if x[1].has_key("uidNumber") == 0 or not IsInGroup(x):
continue
Pass = GetAttr(x, "userPassword")
Done(File, None, F)
# Generate the sudo passwd file
-def GenShadowSudo(l, File, untrusted):
+def GenShadowSudo(File, untrusted):
F = None
try:
OldMask = os.umask(0077)
for x in PasswdAttrs:
Pass = '*'
- if x[1].has_key("uidNumber") == 0 or IsInGroup(x) == 0:
+ if x[1].has_key("uidNumber") == 0 or not IsInGroup(x):
continue
if x[1].has_key('sudoPassword'):
continue
Pass = cryptedpass
if for_this_host: # this makes sure we take a per-host entry over the for-all entry
- break
+ break
if len(Pass) > 50:
Pass = '*'
Done(File, F, None)
# Generate the shadow list
-def GenSSHShadow(l):
+def GenSSHShadow():
# Fetch all the users
- singlefile = None
userfiles = []
global PasswdAttrs
for x in PasswdAttrs:
- if x in DisabledUsers:
- continue
-
if x[1].has_key("uidNumber") == 0 or \
x[1].has_key("sshRSAAuthKey") == 0:
continue
# Oops, something unspeakable happened.
except IOError:
- Die(File, F, None)
- Die(masterFileName, masterFile, None)
- raise
+ Die(File, F, None)
+ Die(masterFileName, masterFile, None)
+ raise
return userfiles
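Review bot: Dropping the `if x in DisabledUsers: continue` guard makes GenSSHShadow correct only if the caller has already removed disabled accounts from PasswdAttrs; the main flow does so (`PasswdAttrs = filter(lambda x: not x in DisabledUsers, PasswdAttrs)` now precedes `SSHFiles = GenSSHShadow()`), but nothing in the function records that ordering, and a future reorder would silently export keys for locked accounts. Add `# PasswdAttrs must already exclude DisabledUsers -- the main flow filters before calling us` above the loop. The `global PasswdAttrs` line is also unnecessary for a read-only use and can go. The middle of the function is outside this hunk.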
# let's see if we handled this group already
if group in existingGroups:
- continue
+ continue
if not GroupIDMap.has_key(group):
print "Group", group, "does not exist but", uid, "is in it"
addGroups(existingGroups, SubGroupMap[group], uid)
# Generate the group list
-def GenGroup(l, File):
+def GenGroup(File):
grouprevmap = {}
F = None
try:
# Sort them into a list of groups having a set of users
for x in PasswdAttrs:
uid = GetAttr(x, "uid")
- if x[1].has_key("uidNumber") == 0 or IsInGroup(x) == 0:
+ if x[1].has_key("uidNumber") == 0 or not IsInGroup(x):
continue
if x[1].has_key("supplementaryGid") == 0:
continue
Line = "%s:x:%u:" % (x, GroupIDMap[x])
Comma = ''
for I in GroupMap[x]:
- Line = Line + ("%s%s" % (Comma, I))
- Comma = ','
+ Line = Line + ("%s%s" % (Comma, I))
+ Comma = ','
Line = Sanitize(Line) + "\n"
F.write("0%u %s" % (J, Line))
F.write(".%s %s" % (x, Line))
return grouprevmap
def CheckForward():
- global PasswdAttrs
- for x in PasswdAttrs:
+ global DebianUsers
+ for x in DebianUsers:
if x[1].has_key("emailForward") == 0:
continue
- if IsInGroup(x) == 0:
+ if not IsInGroup(x):
x[1].pop("emailForward")
continue
x[1].pop("emailForward")
# Generate the email forwarding list
-def GenForward(l, File):
+def GenForward(File):
F = None
try:
OldMask = os.umask(0022)
os.umask(OldMask)
# Fetch all the users
- global PasswdAttrs
+ global DebianUsers
# Write out the email address for each user
- for x in PasswdAttrs:
+ for x in DebianUsers:
if x[1].has_key("emailForward") == 0:
continue
raise
Done(File, F, None)
-def GenAllForward(l, File):
+def GenAllForward(File):
Fdb = None
try:
OldMask = os.umask(0022)
os.umask(OldMask)
# Fetch all the users
- global PasswdAttrs
+ global DebianUsers
# Write out the email address for each user
- for x in PasswdAttrs:
+ for x in DebianUsers:
if x[1].has_key("emailForward") == 0:
continue
- # Do not allow people to try to buffer overflow busted parsers
Forward = GetAttr(x, "emailForward")
User = GetAttr(x, "uid")
raise "cdbmake gave an error"
# Generate the anon XEarth marker file
-def GenMarkers(l, File):
+def GenMarkers(File):
F = None
try:
F = open(File + ".tmp", "w")
# Fetch all the users
- global PasswdAttrs
+ global DebianUsers
# Write out the position for each user
- for x in PasswdAttrs:
+ for x in DebianUsers:
if x[1].has_key("latitude") == 0 or x[1].has_key("longitude") == 0:
continue
try:
Done(File, F, None)
# Generate the debian-private subscription list
-def GenPrivate(l, File):
+def GenPrivate(File):
F = None
try:
F = open(File + ".tmp", "w")
# Fetch all the users
- global PasswdAttrs
+ global DebianUsers
# Write out the position for each user
- for x in PasswdAttrs:
+ for x in DebianUsers:
if x[1].has_key("privateSub") == 0:
continue
if x[1].has_key("keyFingerPrint") == 0:
continue
- # Must be in the Debian group (yuk, hard coded for now)
- if GetAttr(x, "gidNumber") != "800":
- continue
-
try:
Line = "%s"%(GetAttr(x, "privateSub"))
Line = Sanitize(Line) + "\n"
Done(File, F, None)
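Review bot: Removing the `if GetAttr(x, "gidNumber") != "800": continue` check here is not compensated by the switch to DebianUsers, because the main flow binds `DebianUsers = PasswdAttrs` with the IsGidDebian filter left commented out; as committed, accounts outside gid 800 that carry privateSub and keyFingerPrint will be written to the debian-private subscription list. The same removal appears in GenMailDisable, GenMailBool and GenMailList, so those outputs (mail-disable, mail-greylist, mail-callout, mail-rbl, mail-rhsbl, mail-whitelist) are affected the same way. Either enable `DebianUsers = filter(IsGidDebian, PasswdAttrs)` in the main flow, or keep the per-function check until that filter is live. The start of GenPrivate's loop is inside this hunk; its tail continues past it.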
# Generate a list of locked accounts
-def GenDisabledAccounts(l, File):
+def GenDisabledAccounts(File):
F = None
try:
F = open(File + ".tmp", "w")
if Pass.find("*LK*") != -1 or Pass.startswith("!"):
# Format is <login>:<reason>
Line = "%s:%s" % (GetAttr(x, "uid"), "Account is locked")
+ DisabledUsers.append(x)
if Line != "":
F.write(Sanitize(Line) + "\n")
- DisabledUsers.append(x)
# Oops, something unspeakable happened.
except:
Done(File, F, None)
# Generate the list of local addresses that refuse all mail
-def GenMailDisable(l, File):
+def GenMailDisable(File):
F = None
try:
F = open(File + ".tmp", "w")
# Fetch all the users
- global PasswdAttrs
+ global DebianUsers
- for x in PasswdAttrs:
+ for x in DebianUsers:
Reason = None
if x[1].has_key("mailDisableMessage"):
else:
continue
- # Must be in the Debian group (yuk, hard coded for now)
- if GetAttr(x, "gidNumber") != "800":
- continue
-
try:
Line = "%s: %s"%(GetAttr(x, "uid"), Reason)
Line = Sanitize(Line) + "\n"
Done(File, F, None)
# Generate a list of uids that should have boolean affects applied
-def GenMailBool(l, File, Key):
+def GenMailBool(File, Key):
F = None
try:
F = open(File + ".tmp", "w")
# Fetch all the users
- global PasswdAttrs
+ global DebianUsers
- for x in PasswdAttrs:
+ for x in DebianUsers:
Reason = None
if x[1].has_key(Key) == 0:
continue
- # Must be in the Debian group (yuk, hard coded for now)
- if GetAttr(x, "gidNumber") != "800":
- continue
-
if GetAttr(x, Key) != "TRUE":
continue
Done(File, F, None)
# Generate a list of hosts for RBL or whitelist purposes.
-def GenMailList(l, File, Key):
+def GenMailList(File, Key):
F = None
try:
F = open(File + ".tmp", "w")
# Fetch all the users
- global PasswdAttrs
+ global DebianUsers
- for x in PasswdAttrs:
+ for x in DebianUsers:
Reason = None
if x[1].has_key(Key) == 0:
continue
- # Must be in the Debian group (yuk, hard coded for now)
- if GetAttr(x, "gidNumber") != "800":
- continue
-
try:
found = 0
Line = None
for z in x[1][Key]:
if Key == "mailWhitelist":
- if re.match('^[-\w.]+(/[\d]+)?$', z) == None:
- continue
+ if re.match('^[-\w.]+(/[\d]+)?$', z) == None:
+ continue
else:
- if re.match('^[-\w.]+$', z) == None:
- continue
+ if re.match('^[-\w.]+$', z) == None:
+ continue
if found == 0:
- found = 1
- Line = GetAttr(x, "uid")
+ found = 1
+ Line = GetAttr(x, "uid")
else:
Line += " "
Line += ": " + z
if Key == "mailRHSBL":
- Line += "/$sender_address_domain"
+ Line += "/$sender_address_domain"
if Line != None:
- Line = Sanitize(Line) + "\n"
- F.write(Line)
+ Line = Sanitize(Line) + "\n"
+ F.write(Line)
except:
pass
return False
# Generate the DNS Zone file
-def GenDNS(l, File, HomePrefix):
+def GenDNS(File, HomePrefix):
F = None
try:
F = open(File + ".tmp", "w")
Host = Split[0] + DNSZone
if BSMTPCheck.match(Line) != None:
- F.write("; Has BSMTP\n")
+ F.write("; Has BSMTP\n")
# Write some identification information
if Split[2].lower() == "a":
Done(File, F, None)
# Generate the DNS SSHFP records
-def GenSSHFP(l, File, HomePrefix):
+def GenSSHFP(File, HomePrefix):
F = None
try:
F = open(File + ".tmp", "w")
Done(File, F, None)
# Generate the BSMTP file
-def GenBSMTP(l, File, HomePrefix):
+def GenBSMTP(File, HomePrefix):
F = None
try:
F = open(File + ".tmp", "w")
# Fetch all the users
- global PasswdAttrs
+ global DebianUsers
# Write out the zone file entry for each user
- for x in PasswdAttrs:
+ for x in DebianUsers:
if x[1].has_key("dnsZoneEntry") == 0:
continue
return HostToIPCache[Host]
# Generate the ssh known hosts file
-def GenSSHKnown(l, File, mode=None):
+def GenSSHKnown(File, mode=None):
F = None
try:
OldMask = os.umask(0022)
os.umask(OldMask)
global HostAttrs
- if HostAttrs == None:
+ if HostAttrs is None:
raise UDEmptyList, "No Hosts"
for x in HostAttrs:
hostnames = l.search_s(HostBaseDn, ldap.SCOPE_ONELEVEL, "hostname=*",
["hostname"])
- if hostnames == None:
+ if hostnames is None:
raise UDEmptyList, "No Hosts"
seen = set()
seen.add(addr)
# Oops, something unspeakable happened.
except:
- Die(File, F, None)
- raise
+ Die(File, F, None)
+ raise
Done(File, F, None)
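Review bot: GenSSHKnown still calls `l.search_s(HostBaseDn, ...)` after `l` was removed from its signature, so the name now resolves to the module-level `l = connectLDAP()` from the main flow; that works, but only because the global happens to share the old parameter's name, and it is the one generator in this set with a hidden dependency on the connection (GenHosts, by contrast, keeps `l` as a parameter). Make the dependency visible with `# uses the module-level LDAP connection l opened in the main flow` next to the search, or keep `l` as a parameter as GenHosts does. GenSSHKnown's body is partly outside this hunk.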
-def GenKeyrings(l, OutDir):
+def GenKeyrings(OutDir):
for k in Keyrings:
shutil.copy(k, OutDir)
-
# Connect to the ldap server
l = connectLDAP()
F = open(PassDir + "/pass-" + pwd.getpwuid(os.getuid())[0], "r")
# Generate global things
GlobalDir = GenerateDir + "/"
-GenMailDisable(l, GlobalDir + "mail-disable")
-
-for x in PasswdAttrs:
- if IsRetired(x):
- RetiredUsers.append(x)
+GenDisabledAccounts(GlobalDir + "disabled-accounts")
-PasswdAttrs = filter(lambda x: not x in RetiredUsers, PasswdAttrs)
+PasswdAttrs = filter(lambda x: not IsRetired(x), PasswdAttrs)
+#DebianUsers = filter(lambda x: IsGidDebian(x), PasswdAttrs)
+DebianUsers = PasswdAttrs
CheckForward()
-SSHFiles = GenSSHShadow(l)
-GenAllForward(l, GlobalDir + "mail-forward.cdb")
-GenMarkers(l, GlobalDir + "markers")
-GenPrivate(l, GlobalDir + "debian-private")
-GenDisabledAccounts(l, GlobalDir + "disabled-accounts")
-GenSSHKnown(l, GlobalDir + "ssh_known_hosts")
+GenMailDisable(GlobalDir + "mail-disable")
+GenAllForward(GlobalDir + "mail-forward.cdb")
+GenPrivate(GlobalDir + "debian-private")
#GenSSHKnown(l,GlobalDir+"authorized_keys", 'authorized_keys')
-GenHosts(l, GlobalDir + "debianhosts")
-GenMailBool(l, GlobalDir + "mail-greylist", "mailGreylisting")
-GenMailBool(l, GlobalDir + "mail-callout", "mailCallout")
-GenMailList(l, GlobalDir + "mail-rbl", "mailRBL")
-GenMailList(l, GlobalDir + "mail-rhsbl", "mailRHSBL")
-GenMailList(l, GlobalDir + "mail-whitelist", "mailWhitelist")
-GenKeyrings(l, GlobalDir)
+GenMailBool(GlobalDir + "mail-greylist", "mailGreylisting")
+GenMailBool(GlobalDir + "mail-callout", "mailCallout")
+GenMailList(GlobalDir + "mail-rbl", "mailRBL")
+GenMailList(GlobalDir + "mail-rhsbl", "mailRHSBL")
+GenMailList(GlobalDir + "mail-whitelist", "mailWhitelist")
+GenKeyrings(GlobalDir)
# Compatibility.
-GenForward(l, GlobalDir + "forward-alias")
+GenForward(GlobalDir + "forward-alias")
PasswdAttrs = filter(lambda x: not x in DisabledUsers, PasswdAttrs)
+SSHFiles = GenSSHShadow()
+GenMarkers(GlobalDir + "markers")
+GenSSHKnown(GlobalDir + "ssh_known_hosts")
+GenHosts(l, GlobalDir + "debianhosts")
+
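Review bot: `DebianUsers = PasswdAttrs` binds the list before `PasswdAttrs = filter(lambda x: not x in DisabledUsers, PasswdAttrs)` rebinds PasswdAttrs, so DebianUsers keeps the disabled accounts; GenBSMTP, which now iterates DebianUsers inside the per-host loop, will therefore emit entries for locked accounts that its old PasswdAttrs loop excluded. Rebind after the filter, `DebianUsers = PasswdAttrs` on the line following the DisabledUsers filter, or give GenBSMTP the same guard the other per-host generators get through PasswdAttrs. Separately, GenDisabledAccounts now runs before the IsRetired filter, so retired accounts that are also locked are appended to DisabledUsers and listed in disabled-accounts where they previously were not — if that is intended it deserves a one-line comment at the call.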
while(1):
Line = F.readline()
if Line == "":
Allowed = GroupList
if Allowed == {}:
- Allowed = None
+ Allowed = None
CurrentHost = Split[0]
DoLink(GlobalDir, OutDir, "debianhosts")
sys.stdout.flush()
if ExtraList.has_key("[NOPASSWD]"):
- userlist = GenPasswd(l, OutDir + "passwd", Split[1], "*")
+ userlist = GenPasswd(OutDir + "passwd", Split[1], "*")
else:
- userlist = GenPasswd(l, OutDir + "passwd", Split[1], "x")
+ userlist = GenPasswd(OutDir + "passwd", Split[1], "x")
sys.stdout.flush()
- grouprevmap = GenGroup(l, OutDir + "group")
- GenShadowSudo(l, OutDir + "sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
+ grouprevmap = GenGroup(OutDir + "group")
+ GenShadowSudo(OutDir + "sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
# Now we know who we're allowing on the machine, export
# the relevant ssh keys
print "[UNTRUSTED] tag is obsolete and may be removed in the future."
continue
if not ExtraList.has_key("[NOPASSWD]"):
- GenShadow(l, OutDir + "shadow")
+ GenShadow(OutDir + "shadow")
# Link in global things
if not ExtraList.has_key("[NOMARKERS]"):
DoLink(GlobalDir, OutDir, "forward-alias")
if ExtraList.has_key("[DNS]"):
- GenDNS(l, OutDir + "dns-zone", Split[1])
- GenSSHFP(l, OutDir + "dns-sshfp", Split[1])
+ GenDNS(OutDir + "dns-zone", Split[1])
+ GenSSHFP(OutDir + "dns-sshfp", Split[1])
if ExtraList.has_key("[BSMTP]"):
- GenBSMTP(l, OutDir + "bsmtp", Split[1])
+ GenBSMTP(OutDir + "bsmtp", Split[1])
if ExtraList.has_key("[PRIVATE]"):
DoLink(GlobalDir, OutDir, "debian-private")