mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
72fb4e60c8
New classes for user and group names provide a convenient way to access the uid and primary gid of a user / gid of a group. The classes also provide chown() and chgrp() methods to simplify common operations. The wrappers are subclasses of builtin str type and behave like ordinary strings with additional features. The pwd and grp structs are retrieved once and then cached. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
174 lines
4.7 KiB
Python
174 lines
4.7 KiB
Python
#
|
|
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
'''
|
|
This base platform module exports platform dependant constants.
|
|
'''
|
|
import grp
|
|
import os
|
|
import pwd
|
|
import sys
|
|
|
|
|
|
class _Entity(str):
|
|
__slots__ = ("_entity", )
|
|
|
|
def __init__(self, name):
|
|
super().__init__()
|
|
self._entity = None
|
|
|
|
def __str__(self):
|
|
return super().__str__()
|
|
|
|
def __repr__(self):
|
|
return f'<{self.__class__.__name__} "{self!s}">'
|
|
|
|
|
|
class User(_Entity):
|
|
__slots__ = ()
|
|
|
|
@property
|
|
def entity(self):
|
|
"""User information struct
|
|
|
|
:return: pwd.struct_passwd instance
|
|
"""
|
|
entity = self._entity
|
|
if entity is None:
|
|
try:
|
|
self._entity = entity = pwd.getpwnam(self)
|
|
except KeyError:
|
|
raise ValueError(f"user '{self!s}' not found") from None
|
|
return entity
|
|
|
|
@property
|
|
def uid(self):
|
|
"""Numeric user id (int)
|
|
"""
|
|
return self.entity.pw_uid
|
|
|
|
@property
|
|
def pgid(self):
|
|
"""Primary group id (int)"""
|
|
return self.entity.pw_gid
|
|
|
|
def chown(self, path, gid=None, **kwargs):
|
|
"""chown() file by path or file descriptor
|
|
|
|
gid defaults to user's primary gid. Use -1 to keep gid.
|
|
"""
|
|
if gid is None:
|
|
gid = self.pgid
|
|
elif isinstance(gid, Group):
|
|
gid = gid.gid
|
|
os.chown(path, self.uid, gid, **kwargs)
|
|
|
|
|
|
class Group(_Entity):
|
|
__slots__ = ()
|
|
|
|
@property
|
|
def entity(self):
|
|
"""Group information
|
|
|
|
:return: grp.struct_group instance
|
|
"""
|
|
entity = self._entity
|
|
if entity is None:
|
|
try:
|
|
self._entity = entity = grp.getgrnam(self)
|
|
except KeyError:
|
|
raise ValueError(f"group '{self!s}' not found") from None
|
|
return entity
|
|
|
|
@property
|
|
def gid(self):
|
|
"""Numeric group id (int)
|
|
"""
|
|
return self.entity.gr_gid
|
|
|
|
def chgrp(self, path, **kwargs):
|
|
"""change group owner file by path or file descriptor
|
|
"""
|
|
os.chown(path, -1, self.gid, **kwargs)
|
|
|
|
|
|
class BaseConstantsNamespace:
|
|
IS_64BITS = sys.maxsize > 2 ** 32
|
|
DEFAULT_ADMIN_SHELL = '/bin/bash'
|
|
DEFAULT_SHELL = '/bin/sh'
|
|
IPAAPI_USER = User("ipaapi")
|
|
IPAAPI_GROUP = Group("ipaapi")
|
|
DS_USER = User("dirsrv")
|
|
DS_GROUP = Group("dirsrv")
|
|
HTTPD_USER = User("apache")
|
|
HTTPD_GROUP = Group("apache")
|
|
GSSPROXY_USER = User("root")
|
|
IPA_ADTRUST_PACKAGE_NAME = "freeipa-server-trust-ad"
|
|
IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
|
|
KDCPROXY_USER = User("kdcproxy")
|
|
NAMED_USER = User("named")
|
|
NAMED_GROUP = Group("named")
|
|
NAMED_DATA_DIR = "data/"
|
|
NAMED_OPTIONS_VAR = "OPTIONS"
|
|
NAMED_OPENSSL_ENGINE = None
|
|
NAMED_ZONE_COMMENT = ""
|
|
PKI_USER = User("pkiuser")
|
|
PKI_GROUP = Group("pkiuser")
|
|
# ntpd init variable used for daemon options
|
|
NTPD_OPTS_VAR = "OPTIONS"
|
|
# quote used for daemon options
|
|
NTPD_OPTS_QUOTE = "\""
|
|
ODS_USER = User("ods")
|
|
ODS_GROUP = Group("ods")
|
|
# nfsd init variable used to enable kerberized NFS
|
|
SECURE_NFS_VAR = "SECURE_NFS"
|
|
SELINUX_BOOLEAN_ADTRUST = {
|
|
'samba_portmapper': 'on',
|
|
}
|
|
SELINUX_BOOLEAN_HTTPD = {
|
|
'httpd_can_network_connect': 'on',
|
|
'httpd_manage_ipa': 'on',
|
|
'httpd_run_ipa': 'on',
|
|
'httpd_dbus_sssd': 'on',
|
|
}
|
|
# Unlike above, there are multiple use cases for SMB sharing
|
|
# SELINUX_BOOLEAN_SMBSERVICE is a dictionary of dictionaries
|
|
# to define set of booleans for each use case
|
|
SELINUX_BOOLEAN_SMBSERVICE = {
|
|
'share_home_dirs': {
|
|
'samba_enable_home_dirs': 'on',
|
|
},
|
|
'reshare_nfs_with_samba': {
|
|
'samba_share_nfs': 'on',
|
|
},
|
|
}
|
|
SELINUX_MCS_MAX = 1023
|
|
SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$"
|
|
SELINUX_MLS_MAX = 15
|
|
SELINUX_MLS_REGEX = r"^s(\d+)(-s(\d+))?$"
|
|
SELINUX_USER_REGEX = r"^[a-zA-Z][a-zA-Z_\.]*$"
|
|
SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
|
|
SELINUX_USERMAP_ORDER = (
|
|
"guest_u:s0"
|
|
"$xguest_u:s0"
|
|
"$user_u:s0"
|
|
"$staff_u:s0-s0:c0.c1023"
|
|
"$sysadm_u:s0-s0:c0.c1023"
|
|
"$unconfined_u:s0-s0:c0.c1023"
|
|
)
|
|
SSSD_USER = User("sssd")
|
|
# WSGI module override, only used on Fedora
|
|
MOD_WSGI_PYTHON2 = None
|
|
MOD_WSGI_PYTHON3 = None
|
|
# WSGIDaemonProcess process count. On 64bit platforms, each process
|
|
# consumes about 110 MB RSS, from which are about 35 MB shared.
|
|
WSGI_PROCESSES = 4 if IS_64BITS else 2
|
|
# high ciphers without RC4, MD5, TripleDES, pre-shared key, secure
|
|
# remote password, and DSA cert authentication.
|
|
TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"
|
|
|
|
|
|
constants = BaseConstantsNamespace()
|