Compiled Python module (bytecode dump); readable strings recovered below.

Source path: /usr/lib/python3.9/site-packages/setroubleshoot/access_control.py

Module docstring:
Access control for setroubleshoot. For now this is only used for determining which users are allowed to connect to the server: see UserServerAccess for more information.

Names imported: struct, syslog, socket (as Socket), get_config (from setroubleshoot.config), syslog_trace (from setroubleshoot.util), os, re
Exported name (__all__): ServerAccess
Machine-name patterns in the SO_PEERCRED fallback (used when the socket module raises AttributeError for SO_PEERCRED): ^i\d86, ^x86_64, ^(ppc|powerpc), ^(alpha|mips), ^sparc, ^parisc

class ServerAccess:
Determine if a user should be given access to the server based on the configuration file.

Privileges named: client, fix_cmd (each with a wildcard setting)
Methods: __init__, init_privilege, valid_privilege, unrestricted_privilege, user_allowed, uid_allowed, get_credentials
Configuration lookup in init_privilege: section "access", key "%s_users", value split on ","
Log message in valid_privilege: unknown access privilege (%s)
Wildcard user value in unrestricted_privilege: *

user_allowed:
Determine if the given user name is allowed access. Returns True if access should be given, False if not.

uid_allowed:
Determine if the given uid is allowed access. No error is returned if the uid is invalid (False is returned). Returns True if access should be given, False if not.

get_credentials:
Obtain the effective user and group IDs of the process on the other end of a socket. SO_PEERCRED is used so the information returned is generally trustworthy (though root processes can impersonate any uid/gid).

ucred struct format in get_credentials: III
Log message in get_credentials: get_credentials(): %s