ud-generate: do not export sudopassword to untrusted or nopasswd hosts, unless the...

diff --git a/debian/changelog b/debian/changelog
index 1ce12b9..7d48a72 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,11 @@
-userdir-ldap (0.3.XX) unstable; urgency=low
+userdir-ldap (0.3.44) unstable; urgency=low
 
   * ud-mailgate: Do not support del requests for sshDSAAuthKey - there is no
     such attribute.
+  * ud-generate: do not export sudopassword to untrusted or nopasswd hosts,
+    unless the password is explicitly added for this host and not just for '*'.
 
- -- Peter Palfrader <weasel@debian.org>  Fri, 26 Sep 2008 14:21:26 +0200
+ -- Peter Palfrader <weasel@debian.org>  Fri, 03 Oct 2008 13:23:22 +0200
 
 userdir-ldap (0.3.43) unstable; urgency=low
 

diff --git a/ud-generate b/ud-generate
index 06435a4..deaf8c0 100755 (executable)
--- a/ud-generate
+++ b/ud-generate
@@ -203,7 +203,7 @@ def GenShadow(l,File):
   Done(File,None,F);
 
 # Generate the sudo passwd file
-def GenShadowSudo(l,File):
+def GenShadowSudo(l,File, untrusted):
   F = None;
   try:
    OldMask = os.umask(0077);
@@ -236,6 +236,9 @@ def GenShadowSudo(l,File):
             for_this_host = CurrentHost in hosts.split(',')
             if not (for_all or for_this_host):
                continue
+            # ignore * passwords for untrusted hosts, but copy host specific passwords
+            if for_all and untrusted:
+               continue
             Pass = cryptedpass
             if for_this_host: # this makes sure we take a per-host entry over the for-all entry
               break
@@ -1004,7 +1007,7 @@ while(1):
       userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
    sys.stdout.flush();
    grouprevmap = GenGroup(l,OutDir+"group");
-   GenShadowSudo(l, OutDir+"sudo-passwd")
+   GenShadowSudo(l, OutDir+"sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
 
    # Now we know who we're allowing on the machine, export
    # the relevant ssh keys