src/msec/plugins/sudo.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

#!/usr/bin/python3
"""Msec plugin for sudo"""

# main plugin class name
PLUGIN = "sudo"

import os
import re
import gettext
import sys

# configuration
import config

# localization
try:
    gettext.install('msec')
except IOError:
    _ = str

class sudo:
    SUDOERS="/etc/sudoers"
    SUDO_WHEEL_MATCH = re.compile(r"^\s*%wheel\s+ALL\s*=\s*\(ALL\)\s+(NOPASSWD:)?\s*ALL")
    SUDO_WHEEL = "%wheel\tALL=(ALL)\tALL"
    SUDO_WHEEL_NO_PASSWORD="%wheel\tALL=(ALL)\tNOPASSWD: ALL"
    def __init__(self, log=None, configfiles=None, root=None):
        """This plugin provides support for configuring sudo settings"""
        # initializing plugin
        self.log = log
        self.configfiles = configfiles
        self.root = root

        config.SETTINGS['ALLOW_SUDO_TO_WHEEL'] = ("sudo.allow_sudo_to_wheel", ["yes", "without-password", "no"])

        config.SETTINGS_SYSTEM.extend(['ALLOW_SUDO_TO_WHEEL'])

        # defining additional packages that should be installed
        config.REQUIRE_PACKAGES['ALLOW_SUDO_TO_WHEEL'] = (['yes', 'without-password'], ['sudo'])

    def allow_sudo_to_wheel(self, param):
        """Allow users in wheel group to use sudo. If this option is set to 'yes', the users in wheel group are allowed to use sudo and run commands as root by using their passwords. If this option to set to 'without-password', the users can use sudo without being asked for their password. WARNING: using sudo without any password makes your system very vulnerable, and you should only use this setting if you know what you are doing!"""
        sudoers = self.configfiles.get_config_file(self.SUDOERS)
        val = sudoers.get_match(self.SUDO_WHEEL_MATCH)

        if param != val:
            if param == "yes":
                if val and val.find('NOPASSWD:') < 0:
                        return
                self.log.info(_("Allowing users in wheel group to use sudo"))
                sudoers.replace_line_matching(self.SUDO_WHEEL_MATCH, self.SUDO_WHEEL, at_end_if_not_found=1)
            elif param == "without-password":
                if val and val.find('NOPASSWD:') >= 0:
                    return
                self.log.info(_("Allowing users in wheel group to use sudo without password"))
                sudoers.replace_line_matching(self.SUDO_WHEEL_MATCH, self.SUDO_WHEEL_NO_PASSWORD, at_end_if_not_found=1)
            else:
                self.log.info(_("Not allowing users in wheel group to use sudo"))
                sudoers.remove_line_matching(self.SUDO_WHEEL_MATCH)