15
15
# along with this program; if not, write to the Free Software
16
16
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
22
# Allows creation of users. This sets up the following:
23
# * User's jail and home directory within the jail.
24
# * Subversion repository (TODO)
25
# * Check out Subversion workspace into jail (TODO)
26
# * Database details for user
29
# TODO: Sanitize login name and other fields.
30
# Users must not be called "temp" or "template".
32
# TODO: When creating a new home directory, chown it to its owner
34
# TODO: In chown_to_webserver:
35
# Do not call os.system("chown www-data") - use Python lib
36
# and use the web server uid given in conf. (Several places).
18
"""User and group filesystem management helpers."""
48
import ivle.pulldown_subj
50
from ivle.database import ProjectGroup
31
from ivle.database import ProjectGroup, User
52
33
def chown_to_webserver(filename):
54
Chowns a file so the web server user owns it.
55
(This is useful in setting up Subversion conf files).
34
"""chown a directory and its contents to the web server.
36
Recursively chowns a file or directory so the web server user owns it.
59
os.system("chown -R www-data:www-data %s" % filename)
39
subprocess.call(['chown', '-R', 'www-data:www-data', filename])
63
41
def make_svn_repo(path, throw_on_error=True):
64
"""Create a Subversion repository at the given path.
42
"""Create a Subversion repository at the given path."""
67
res = os.system("svnadmin create '%s'" % path)
44
res = subprocess.call(['svnadmin', 'create', path])
68
45
if res != 0 and throw_on_error:
69
46
raise Exception("Cannot create repository: %s" % path)
70
47
except Exception, exc:
75
52
chown_to_webserver(path)
77
def rebuild_svn_config(store):
54
def rebuild_svn_config(store, config):
78
55
"""Build the complete SVN configuration file.
57
@param config: An ivle.config.Config object.
80
users = store.find(ivle.database.User)
84
if role not in groups:
86
groups[role].append(u.login)
87
f = open(ivle.conf.svn_conf + ".new", "w")
88
f.write("# IVLE SVN Repositories Configuration\n")
89
f.write("# Auto-generated on %s\n" % time.asctime())
92
for (g,ls) in groups.iteritems():
93
f.write("%s = %s\n" % (g, ",".join(ls)))
96
f.write("[%s:/]\n" % u.login)
97
f.write("%s = rw\n" % u.login)
98
#f.write("@tutor = r\n")
99
#f.write("@lecturer = rw\n")
100
#f.write("@admin = rw\n")
59
users = store.find(User)
60
conf_name = config['paths']['svn']['conf']
61
temp_name = conf_name + ".new"
62
f = open(temp_name, "w")
64
# IVLE SVN repository authorisation configuration
66
""" % {'time': time.asctime()})
72
""" % {'login': u.login})
103
os.rename(ivle.conf.svn_conf + ".new", ivle.conf.svn_conf)
104
chown_to_webserver(ivle.conf.svn_conf)
75
os.rename(temp_name, conf_name)
76
chown_to_webserver(conf_name)
106
def rebuild_svn_group_config(store):
78
def rebuild_svn_group_config(store, config):
107
79
"""Build the complete SVN configuration file for groups
81
@param config: An ivle.config.Config object.
109
f = open(ivle.conf.svn_group_conf + ".new", "w")
110
f.write("# IVLE SVN Group Repositories Configuration\n")
111
f.write("# Auto-generated on %s\n" % time.asctime())
83
conf_name = config['paths']['svn']['group_conf']
84
temp_name = conf_name + ".new"
85
f = open(temp_name, "w")
88
# IVLE SVN group repository authorisation configuration
91
""" % {'time': time.asctime()})
113
93
for group in store.find(ProjectGroup):
114
94
offering = group.project_set.offering
115
95
reponame = "_".join([offering.subject.short_name,
116
96
offering.semester.year,
117
97
offering.semester.semester,
119
f.write("[%s:/]\n"%reponame)
100
f.write("[%s:/]\n" % reponame)
120
101
for user in group.members:
121
102
f.write("%s = rw\n" % user.login)
124
os.rename(ivle.conf.svn_group_conf + ".new", ivle.conf.svn_group_conf)
125
chown_to_webserver(ivle.conf.svn_group_conf)
127
def make_svn_auth(store, login, throw_on_error=True):
128
"""Setup svn authentication for the given user.
129
Uses the given DB store object. Does not commit to the db.
106
os.rename(temp_name, conf_name)
107
chown_to_webserver(conf_name)
109
def make_svn_auth(store, login, config, throw_on_error=True):
110
"""Create a Subversion password for a user.
112
Generates a new random Subversion password, and assigns it to the user.
113
The password is added to Apache's Subversion authentication file.
131
passwd = md5.new(uuid.uuid4().bytes).digest().encode('hex')
132
if os.path.exists(ivle.conf.svn_auth_ivle):
115
# filename is, eg, /var/lib/ivle/svn/ivle.auth
116
filename = config['paths']['svn']['auth_ivle']
117
passwd = hashlib.md5(uuid.uuid4().bytes).hexdigest()
118
if os.path.exists(filename):
137
user = ivle.database.User.get_by_login(store, login)
123
user = User.get_by_login(store, login)
138
124
user.svn_pass = unicode(passwd)
140
res = os.system("htpasswd -%smb %s %s %s" % (create,
141
ivle.conf.svn_auth_ivle,
126
res = subprocess.call(['htpasswd', '-%smb' % create,
127
filename, login, passwd])
143
128
if res != 0 and throw_on_error:
144
129
raise Exception("Unable to create ivle-auth for %s" % login)
146
131
# Make sure the file is owned by the web server
147
132
if create == "c":
148
chown_to_webserver(ivle.conf.svn_auth_ivle)
133
chown_to_webserver(filename)
152
def generate_manifest(basedir, targetdir, parent=''):
153
""" From a basedir and a targetdir work out which files are missing or out
154
of date and need to be added/updated and which files are redundant and need
157
parent: This is used for the recursive call to track the relative paths
158
that we have decended.
161
cmp = filecmp.dircmp(basedir, targetdir)
163
# Add all new files and files that have changed
164
to_add = [os.path.join(parent,x) for x in (cmp.left_only + cmp.diff_files)]
166
# Remove files that are redundant
167
to_remove = [os.path.join(parent,x) for x in cmp.right_only]
170
for d in cmp.common_dirs:
171
newbasedir = os.path.join(basedir, d)
172
newtargetdir = os.path.join(targetdir, d)
173
newparent = os.path.join(parent, d)
174
(sadd,sremove) = generate_manifest(newbasedir, newtargetdir, newparent)
178
return (to_add, to_remove)
181
def make_jail(user, force=True):
182
"""Creates a new user's jail space, in the jail directory as configured in
185
This only creates things within /home - everything else is expected to be
186
part of another UnionFS branch.
137
def make_jail(user, config, force=True):
138
"""Create or update a user's jail.
140
Only the user-specific parts of the jail are created here - everything
141
else is expected to be part of another aufs branch.
188
143
Returns the path to the user's home directory.
190
145
Chowns the user's directory within the jail to the given UID.
192
force: If false, exception if jail already exists for this user.
193
If true (default), overwrites it, but preserves home directory.
147
@param force: If False, raise an exception if the user already has a jail.
148
If True (default), rebuild the jail preserving /home.
195
150
# MUST run as root or some of this may fail
196
151
if os.getuid() != 0:
197
152
raise Exception("Must run make_jail as root")
199
154
# tempdir is for putting backup homes in
200
tempdir = os.path.join(ivle.conf.jail_base, '__temp__')
155
jail_src_base = config['paths']['jails']['src']
156
tempdir = os.path.join(jail_src_base, '__temp__')
201
157
if not os.path.exists(tempdir):
202
158
os.makedirs(tempdir)
203
159
elif not os.path.isdir(tempdir):
204
160
os.unlink(tempdir)
205
161
os.mkdir(tempdir)
206
userdir = os.path.join(ivle.conf.jail_src_base, user.login)
162
userdir = os.path.join(jail_src_base, user.login)
207
163
homedir = os.path.join(userdir, 'home')
208
164
userhomedir = os.path.join(homedir, user.login) # Return value
217
173
warnings.simplefilter('ignore')
218
174
homebackup = os.tempnam(tempdir)
219
175
warnings.resetwarnings()
220
# Note: shutil.move does not behave like "mv" - it does not put a file
221
# into a directory if it already exists, just fails. Therefore it is
222
# not susceptible to tmpnam symlink attack.
176
# Back up the /home directory, delete the entire jail, recreate the
177
# jail directory tree, then copy the /home back
178
# NOTE that shutil.move changed in Python 2.6, it now moves a
179
# directory INTO the target (like `mv`), which it didn't use to do.
180
# This code works regardless.
223
181
shutil.move(homedir, homebackup)
224
182
shutil.rmtree(userdir)
226
184
shutil.move(homebackup, homedir)
227
185
# Change the ownership of all the files to the right unixid
228
186
logging.debug("chown %s's home directory files to uid %d"
229
187
%(user.login, user.unixid))
230
os.chown(userhomedir, user.unixid, user.unixid)
231
for root, dirs, files in os.walk(userhomedir):
232
for fsobj in dirs + files:
233
os.chown(os.path.join(root, fsobj), user.unixid, user.unixid)
188
os.spawnvp(os.P_WAIT, 'chown', ['chown', '-R', '%d:%d' % (user.unixid,
189
user.unixid), userhomedir])
235
191
# No user jail exists
236
192
# Set up the user's home directory
240
196
# Chmod to rwxr-xr-x (755)
241
197
os.chmod(userhomedir, 0755)
243
make_conf_py(user.login, userdir, user.svn_pass)
244
make_etc_passwd(user.login, userdir, ivle.conf.jail_system, user.unixid)
199
make_ivle_conf(user.login, userdir, user.svn_pass, config)
200
make_etc_passwd(user.login, userdir, config['paths']['jails']['template'],
246
203
return userhomedir
248
def make_conf_py(username, user_jail_dir, svn_pass):
205
def make_ivle_conf(username, user_jail_dir, svn_pass, sys_config):
206
"""Generate an ivle.conf for a user's jail.
250
208
Creates (overwriting any existing file, and creating directories) a
251
file ${python_site_packages}/ivle/conf/conf.py in a given user's jail.
253
user_jail_dir: User's jail dir, ie. ivle.conf.jail_base + username
254
svn_pass: User's SVN password.
209
file /etc/ivle/ivle.conf in a given user's jail.
211
@param username: Username.
212
@param user_jail_dir: User's jail dir, ie. ['jails']['src'] + username
213
@param svn_pass: User's SVN password.
214
@param sys_config: An ivle.config.Config object (the system-wide config).
256
conf_path = os.path.join(user_jail_dir,
257
ivle.conf.python_site_packages[1:], "ivle/conf/conf.py")
216
conf_path = os.path.join(user_jail_dir, "etc/ivle/ivle.conf")
258
217
os.makedirs(os.path.dirname(conf_path))
260
219
# In the "in-jail" version of conf, we don't need MOST of the details
261
220
# (it would be a security risk to have them here).
262
# So we just write root_dir, and jail_base is "/".
263
# (jail_base being "/" means "jail-relative" paths are relative to "/"
264
# when inside the jail.)
266
# XXX: jail_base is wrong and shouldn't be here. Unfortunately, jail code
267
# uses ivle.studpath.url_to_{local,jailpaths}, both of which use
268
# jail_base. Note that they don't use the bits of the return value
269
# that depend on jail_base, so it can be any string.
270
conf_file = open(conf_path, "w")
271
conf_file.write("""# IVLE jail configuration
273
# In URL space, where in the site is IVLE located. (All URLs will be prefixed
275
# eg. "/" or "/ivle".
276
root_dir = %(root_dir)r
278
# This value is not relevant inside the jail, but must remain for now. See
279
# the XXX in ivle.makeuser.make_conf_py.
282
# The hostname for serving publicly accessible pages
283
public_host = %(public_host)r
285
# The URL under which the Subversion repositories are located.
286
svn_addr = %(svn_addr)r
288
# The login name for the owner of the jail
291
# The subversion-only password for the owner of the jail
292
svn_pass = %(svn_pass)r
293
""" % {'root_dir': ivle.conf.root_dir,
294
'public_host': ivle.conf.public_host,
295
'svn_addr': ivle.conf.svn_addr,
296
'username': username,
297
'svn_pass': svn_pass,
221
# So we just write root_dir.
222
conf_obj = ivle.config.Config(blank=True)
223
conf_obj.filename = conf_path
224
conf_obj['urls']['root'] = sys_config['urls']['root']
225
conf_obj['urls']['public_host'] = sys_config['urls']['public_host']
226
conf_obj['urls']['svn_addr'] = sys_config['urls']['svn_addr']
227
conf_obj['user_info']['login'] = username
228
conf_obj['user_info']['svn_pass'] = svn_pass
301
231
# Make this file world-readable
302
232
# (chmod 644 conf_path)
added
removed
ivle/makeuser.py
