YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Be more robust against re-running the migration

Browse source
This commit is contained in:
Alexandre Aubin 2021-04-17 00:58:12 +02:00
parent aae7c6e296
commit 72e4a584ed
1 changed files with 20 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
View file

@ -30,26 +30,32 @@ class MyMigration(Migration):
from yunohost.utils.ldap import _get_ldap_interface from yunohost.utils.ldap import _get_ldap_interface
ldap = _get_ldap_interface() ldap = _get_ldap_interface()
existing_perms_raw = ldap.search("ou=permission,dc=yunohost,dc=org", "(objectclass=permissionYnh)", ["cn"])
existing_perms = [perm['cn'][0] for perm in existing_perms_raw]
# Add SSH and SFTP permissions # Add SSH and SFTP permissions
ldap_map = read_yaml('/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml') ldap_map = read_yaml('/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml')
ldap.add("cn=ssh.main,ou=permission", ldap_map['depends_children']["cn=ssh.main,ou=permission"]) if "sftp.main" not in existing_perms:
ldap.add("cn=sftp.main,ou=permission", ldap_map['depends_children']["cn=sftp.main,ou=permission"]) ldap.add("cn=sftp.main,ou=permission", ldap_map['depends_children']["cn=sftp.main,ou=permission"])
# Add a bash terminal to each users if "ssh.main" not in existing_perms:
users = ldap.search('ou=users,dc=yunohost,dc=org', filter="(loginShell=*)", attrs=["dn", "uid", "loginShell"]) ldap.add("cn=ssh.main,ou=permission", ldap_map['depends_children']["cn=ssh.main,ou=permission"])
for user in users:
if user['loginShell'][0] == '/bin/false':
dn = user['dn'][0].replace(',dc=yunohost,dc=org', '')
ldap.update(dn, {'loginShell': ['/bin/bash']})
else:
user_permission_update("ssh.main", add=user["uid"][0], sync_perm=False)
permission_sync_to_user() # Add a bash terminal to each users
users = ldap.search('ou=users,dc=yunohost,dc=org', filter="(loginShell=*)", attrs=["dn", "uid", "loginShell"])
for user in users:
if user['loginShell'][0] == '/bin/false':
dn = user['dn'][0].replace(',dc=yunohost,dc=org', '')
ldap.update(dn, {'loginShell': ['/bin/bash']})
else:
user_permission_update("ssh.main", add=user["uid"][0], sync_perm=False)
# Somehow this is needed otherwise the PAM thing doesn't forget about the permission_sync_to_user()
# old loginShell value ?
subprocess.call(['nscd', '-i', 'passwd']) # Somehow this is needed otherwise the PAM thing doesn't forget about the
# old loginShell value ?
subprocess.call(['nscd', '-i', 'passwd'])
if '/etc/ssh/sshd_config' in manually_modified_files() \ if '/etc/ssh/sshd_config' in manually_modified_files() \
and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0: and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0: