From 14908ffbe8886fdd85bf143ef14200e0171c18cd Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 14 Sep 2008 21:20:14 +0200
Subject: [PATCH] Store a mac with confirmed sudo passwords, so that they cannot be modified by editing ldap directly
---
 ud-generate | 5 +++--
 ud-mailgate | 21 ++++++++-------------
 userdir_ldap.py | 10 ++++++++++
 3 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/ud-generate b/ud-generate
index 4852003..1782f09 100755
--- a/ud-generate
+++ b/ud-generate
@@ -223,14 +223,15 @@ def GenShadowSudo(l,File):
 Pass = None
 for entry in x[1]['sudoPassword']:
- Match = re.compile('^('+UUID_FORMAT+') (confirmed|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
+ Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
 if Match == None:
 continue
+ uuid = Match.group(1)
 status = Match.group(2)
 hosts = Match.group(3)
 cryptedpass = Match.group(4)
- if status != 'confirmed':
+ if status != 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
 continue
 for_all = hosts == "*"
 for_this_host = CurrentHost in hosts.split(',')
diff --git a/ud-mailgate b/ud-mailgate
index 81d3757..d72cb9e 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -95,14 +95,6 @@ DelItems = {"c": None,
 "VoIP": None,
 };
-def make_hmac(str):
- F = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r");
- key = F.readline().strip()
- F.close();
-
- return hmac.new(key, str, sha1_module).hexdigest()
-
-
 # Decode a GPS location from some common forms
 def LocDecode(Str,Dir):
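Review bot: In the new `if status != 'confirmed:'+make_sudopasswd_hmac(...)` check, an entry that carries a `confirmed:` tag which does not verify is dropped by the same silent `continue` as a plain unconfirmed one, yet that is precisely the condition the MAC was added to detect (an entry altered in LDAP) and also what a rotated key produces, so it should leave a trace: before the `continue`, `if status != 'unconfirmed':` emit a warning naming uuid and hosts through whatever error-reporting path this file already uses. Both the match and the MAC input are taken from `entry.lower()`, so the tag binds only the case-folded hosts and cryptedpass; a comment on the regex line saying that the lowercasing is intentional would help the next reader. GenShadowSudo starts and ends outside the hunk, and `make_sudopasswd_hmac` is presumably reached through an existing `from userdir_ldap import *` elsewhere in this file.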
@@ -489,7 +481,7 @@ def FinishConfirmSudopassword(l, uid, Attrs):
 newldap = []
 for entry in inldap:
- Match = re.compile('^('+UUID_FORMAT+') (confirmed|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
+ Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
 if Match == None:
 raise Error, "Could not parse existing sudopasswd entry"
 uuid = Match.group(1)
@@ -500,13 +492,16 @@ def FinishConfirmSudopassword(l, uid, Attrs):
 if SudoPasswd.has_key(uuid):
 confirmedHosts = SudoPasswd[uuid][0]
 confirmedHmac = SudoPasswd[uuid][1]
- if status == "confirmed":
- result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
+ if status.startswith('confirmed:'):
+ if status == 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
+ result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
+ else:
+ result = result + "Entry %s for sudo password on hosts %s is listed as confirmed, but HMAC does not verify.\n"%(uuid, hosts)
 elif confirmedHosts != hosts:
 result = result + "Entry %s hostlist mismatch (%s vs. %s).\n"%(uuid, hosts, confirmedHosts)
- elif make_hmac(':'.join([uuid, hosts, cryptedpass])) == confirmedHmac:
+ elif make_sudopasswd_hmac('confirm-new-password', uuid, hosts, cryptedpass) == confirmedHmac:
 result = result + "Entry %s for sudo password on hosts %s now confirmed.\n"%(uuid, hosts)
- status = 'confirmed'
+ status = 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass)
 else:
 result = result + "Entry %s for sudo password on hosts %s HMAC verify failed.\n"%(uuid, hosts)
 del SudoPasswd[uuid]
diff --git a/userdir_ldap.py b/userdir_ldap.py
index e90fffd..0eb4c13 100644
--- a/userdir_ldap.py
+++ b/userdir_ldap.py
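Review bot: In the new `status.startswith('confirmed:')` branch of the second hunk, an entry whose stored tag fails verification only gets the "HMAC does not verify" message and is otherwise left exactly as it was, so a user who sends a fresh confirmation for it (the confirmedHmac from their mail is right there) cannot repair it, and — assuming newldap is rebuilt from status outside the hunk — the unverifiable entry is written back to LDAP unchanged; if that is intended, say so in a comment, otherwise treat the failed-verify case like an unconfirmed entry and fall through to the hostlist and `confirm-new-password` checks. The tag comparisons `status == 'confirmed:'+make_sudopasswd_hmac(...)` and `make_sudopasswd_hmac('confirm-new-password', ...) == confirmedHmac` are plain string equality; a mail gateway offers no practical timing channel and this Python 2 code base (`raise Error, ...` syntax) predates a constant-time compare in the stdlib, but a one-line comment stating that trade-off would save the next reviewer the question. The enclosing loop and FinishConfirmSudopassword's body continue outside both hunks.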
@@ -27,6 +27,10 @@ except:
 ConfModule = imp.load_source("userdir_config","/etc/userdir-ldap.conf",File);
 File.close();
+File = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r");
+HmacKey = F.readline().strip()
+File.close();
+
 # Cheap hack
 BaseDn = ConfModule.basedn;
 HostBaseDn = ConfModule.hostbasedn;
@@ -450,3 +454,9 @@ def Group2GID(l, name):
 return int(GetAttr(res[0], "gidNumber"))
 return -1
+
+def make_hmac(str):
+ return hmac.new(HmacKey, str, sha1_module).hexdigest()
+
+def make_sudopasswd_hmac(purpose, uuid, hosts, cryptedpass):
+ return make_hmac(':'.join([purpose, uuid, hosts, cryptedpass]))
--
2.20.1
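Review bot: `HmacKey = F.readline().strip()` reads from `F`, but the key file was just opened as `File` on the line above, so this raises NameError at import (or, if some `F` exists earlier in the module, reads the wrong file); it should be `HmacKey = File.readline().strip()`. Reading the key at module import time also means every tool that imports userdir_ldap now fails with IOError when the `key-hmac-` file for the invoking user is absent or unreadable, and an empty key file silently yields `HmacKey == ''`, so a non-empty check right after the read that raises with a clear message would make both failures obvious instead of surfacing as a bad tag later. In the second hunk, `def make_hmac(str)` shadows the builtin `str` (style), and both new helpers deserve a docstring stating that the tag is the hex HMAC of `purpose:uuid:hosts:cryptedpass` under HmacKey using `sha1_module`, and that `purpose` is what keeps the `confirm-new-password` tag a user mails in from being reusable as the stored `password-is-confirmed` tag. The `except:` block at the top and Group2GID are cut at the hunk edges, and the hunks assume `hmac`, `sha1_module`, `pwd` and `os` are already imported in userdir_ldap.py.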