- if MultipleSSHFiles:
- OldMask = os.umask(0077);
- tf = tarfile.open(name=os.path.join(GlobalDir, 'ssh-keys-%s.tar.gz' % CurrentHost), mode='w:gz')
- os.umask(OldMask);
- for f in userlist.keys():
- if f not in SSHFiles:
- continue
- # If we're not exporting their primary group, don't export
- # the key and warn
- grname = None
- if userlist[f] in grouprevmap.keys():
- grname = grouprevmap[userlist[f]]
- else:
- try:
- if int(userlist[f]) <= 100:
- # In these cases, look it up in the normal way so we
- # deal with cases where, for instance, users are in group
- # users as their primary group.
- grname = grp.getgrgid(userlist[f])[0]
- except Exception, e:
- pass
-
- if grname is None:
- print "User %s is supposed to have their key exported to host %s but their primary group (gid: %d) isn't in LDAP" % (f, CurrentHost, userlist[f])
- continue
-
- to = tf.gettarinfo(os.path.join(GlobalDir, 'userkeys', f), f)
- # These will only be used where the username doesn't
- # exist on the target system for some reason; hence,
- # in those cases, the safest thing is for the file to
- # be owned by root but group nobody. This deals with
- # the bloody obscure case where the group fails to exist
- # whilst the user does (in which case we want to avoid
- # ending up with a file which is owned user:root to avoid
- # a fairly obvious attack vector)
- to.uid = 0
- to.gid = 65534
- # Using the username / groupname fields avoids any need
- # to give a shit^W^W^Wcare about the UIDoffset stuff.
- to.uname = f
- to.gname = grname
- to.mode = 0400
- tf.addfile(to, file(os.path.join(GlobalDir, 'userkeys', f)))
-
- tf.close()
- os.rename(os.path.join(GlobalDir, 'ssh-keys-%s.tar.gz' % CurrentHost),
- os.path.join(OutDir, 'ssh-keys.tar.gz'))