path: root/pynslcd/usermod.py
blob: c957b97a670c2296d91038ee9f73f8547eae35ac (plain)

# usermod.py - functions for modifying user information
#
# Copyright (C) 2013 Arthur de Jong
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA

import ctypes
import ctypes.util
import logging
import os
import os.path

import ldap

import cache
import cfg
import common
import constants
import pam
import passwd


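def list_shells():
    """Yield the login shells listed in /etc/shells.

    Walks the libc getusershell(3) iterator.  That iterator keeps state in
    libc (an open handle on /etc/shells), so the loop is wrapped in
    try/finally to guarantee endusershell() runs even when the consumer
    stops early -- e.g. ``shell in list_shells()`` returns at the first
    match and would otherwise leave the iterator open until the generator
    is garbage collected.

    Yields:
        Shell paths exactly as libc returns them (``str`` on Python 2,
        ``bytes`` on Python 3).
    """
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    # ctypes defaults a foreign function's restype to c_int, which would
    # truncate the returned char* on 64-bit platforms before we could wrap
    # it in c_char_p; declare the real return type instead.
    libc.getusershell.restype = ctypes.c_char_p
    libc.setusershell()
    try:
        while True:
            shell = libc.getusershell()
            # a NULL pointer (mapped to None) marks the end of the list
            if not shell:
                break
            yield shell
    finally:
        libc.endusershell()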


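class UserModRequest(pam.PAMRequest):
    """Handle NSLCD_ACTION_USERMOD requests: change a user's home directory
    and/or login shell in LDAP.

    The modification is performed over an LDAP connection bound either as
    the user (``userdn``) or, when ``asroot`` is set, as ``cfg.rootpwmoddn``.
    Validation of the requested values (absolute, existing home directory;
    listed, executable shell) is skipped only when the calling process is
    uid 0 *and* asked to act as root.
    """

    action = constants.NSLCD_ACTION_USERMOD

    def read_parameters(self, fp):
        """Read the request body from *fp*.

        Wire format: username (string), asroot (int32), password (string),
        then (int32 key, string value) pairs until a key equal to
        NSLCD_USERMOD_END.

        Returns:
            dict with ``username``, ``asroot``, ``password`` and ``mods``
            (a dict mapping NSLCD_USERMOD_* keys to the requested values).
        """
        username = fp.read_string()
        asroot = fp.read_int32()
        password = fp.read_string()
        mods = {}
        while True:
            key = fp.read_int32()
            if key == constants.NSLCD_USERMOD_END:
                break
            mods[key] = fp.read_string()
        return dict(username=username,
                    asroot=asroot,
                    password=password,
                    mods=mods)

    def write_result(self, mod, message):
        """Report to the client that modification *mod* was rejected, with
        a human-readable *message*."""
        self.fp.write_int32(mod)
        self.fp.write_string(message)

    def _bind_credentials(self, parameters, is_root):
        """Return the ``(binddn, password)`` used to authenticate the change.

        With ``asroot`` the bind DN is ``cfg.rootpwmoddn``; a uid-0 caller
        that supplied no password falls back to ``cfg.rootpwmodpw`` when it
        is configured.  Otherwise the user's own DN and password are used.
        Requires ``parameters['userdn']`` to be filled in (see validate()).
        """
        if parameters['asroot']:
            binddn = cfg.rootpwmoddn
            # check if rootpwmodpw should be used
            if not parameters['password'] and is_root and cfg.rootpwmodpw:
                password = cfg.rootpwmodpw
            else:
                password = parameters['password']
        else:
            binddn = parameters['userdn']
            password = parameters['password']
        # NOTE(review): an empty password is passed on to pam.authenticate()
        # unchanged; confirm it refuses empty credentials rather than
        # degrading to an anonymous bind.
        return binddn, password

    def _check_homedir(self, homedir, is_root, mods):
        """Validate a home directory change and append it to *mods*.

        Root may set any value.  Other callers must give an absolute path
        that is a directory on this host; a rejected value is reported with
        write_result() and not queued.
        """
        if is_root:
            mods.append((ldap.MOD_REPLACE, passwd.attmap['homeDirectory'], [homedir]))
        elif not os.path.isabs(homedir):
            self.write_result(constants.NSLCD_USERMOD_HOMEDIR,
                              'should be an absolute path')
        elif not os.path.isdir(homedir):
            self.write_result(constants.NSLCD_USERMOD_HOMEDIR,
                              'not a directory')
        else:
            mods.append((ldap.MOD_REPLACE, passwd.attmap['homeDirectory'], [homedir]))

    def _check_shell(self, shell, is_root, mods):
        """Validate a login shell change and append it to *mods*.

        Root may set any value.  Other callers must name a shell that is
        listed in this host's /etc/shells and is an executable regular
        file; a rejected value is reported with write_result() and not
        queued.
        """
        if is_root:
            mods.append((ldap.MOD_REPLACE, passwd.attmap['loginShell'], [shell]))
        elif shell not in list_shells():
            self.write_result(constants.NSLCD_USERMOD_SHELL,
                              'unlisted shell')
        elif not os.path.isfile(shell) or not os.access(shell, os.X_OK):
            self.write_result(constants.NSLCD_USERMOD_SHELL,
                              'not an executable')
        else:
            mods.append((ldap.MOD_REPLACE, passwd.attmap['loginShell'], [shell]))

    def handle_request(self, parameters):
        """Validate the requested changes, apply them in LDAP and write the
        response.

        Per-field rejections are written as (NSLCD_USERMOD_*, message)
        pairs; an authentication or authorization failure on the LDAP
        modify is written under NSLCD_USERMOD_RESULT.  Other LDAP errors
        propagate to the caller.
        """
        # fill in any missing userdn, etc.
        self.validate(parameters)
        # only a uid-0 caller acting as root bypasses value validation
        is_root = (self.calleruid == 0) and parameters['asroot']
        binddn, password = self._bind_credentials(parameters, is_root)
        mods = []
        # write response header
        self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
        # check home directory modification
        homedir = parameters['mods'].get(constants.NSLCD_USERMOD_HOMEDIR)
        if homedir:
            self._check_homedir(homedir, is_root, mods)
        # check login shell modification
        shell = parameters['mods'].get(constants.NSLCD_USERMOD_SHELL)
        if shell:
            self._check_shell(shell, is_root, mods)
        # get a connection and perform the modification
        if mods:
            try:
                conn, authz, msg = pam.authenticate(binddn, password)
                conn.modify_s(parameters['userdn'], mods)
                logging.info('changed information for %s', parameters['userdn'])
            except (ldap.INVALID_CREDENTIALS, ldap.INSUFFICIENT_ACCESS) as e:
                # python-ldap carries a dict with a 'desc' entry in args[0];
                # fall back to the plain exception text if it is not there
                try:
                    msg = e.args[0]['desc']
                except (IndexError, KeyError, TypeError):
                    msg = str(e)
                logging.debug('modification failed: %s', msg)
                self.write_result(constants.NSLCD_USERMOD_RESULT, msg)
        # write closing statement
        self.fp.write_int32(constants.NSLCD_USERMOD_END)
        self.fp.write_int32(constants.NSLCD_RESULT_END)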