ud-generate: do not export sudopassword to untrusted or nopasswd hosts, unless the...

[mirror/userdir-ldap.git] / ud-generate

diff --git a/ud-generate b/ud-generate
index 06435a4..deaf8c0 100755 (executable)
--- a/ud-generate
+++ b/ud-generate
@@ -203,7 +203,7 @@ def GenShadow(l,File):
   Done(File,None,F);
 
 # Generate the sudo passwd file
-def GenShadowSudo(l,File):
+def GenShadowSudo(l,File, untrusted):
   F = None;
   try:
    OldMask = os.umask(0077);
@@ -236,6 +236,9 @@ def GenShadowSudo(l,File):
             for_this_host = CurrentHost in hosts.split(',')
             if not (for_all or for_this_host):
                continue
+            # ignore * passwords for untrusted hosts, but copy host specific passwords
+            if for_all and untrusted:
+               continue
             Pass = cryptedpass
             if for_this_host: # this makes sure we take a per-host entry over the for-all entry
               break
@@ -1004,7 +1007,7 @@ while(1):
       userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
    sys.stdout.flush();
    grouprevmap = GenGroup(l,OutDir+"group");
-   GenShadowSudo(l, OutDir+"sudo-passwd")
+   GenShadowSudo(l, OutDir+"sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
 
    # Now we know who we're allowing on the machine, export
    # the relevant ssh keys