<string id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1">Hourly</string>\r
<string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6">Monthly</string>\r
<string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674">Weekly</string>\r
+ <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3">Sudo Rights</string>\r
<string id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help">This policy setting allows you to execute commands, either local or on remote storage, daily.</string>\r
<string id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help">This policy setting allows you to execute commands, either local or on remote storage, hourly.</string>\r
<string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help">This policy setting allows you to execute commands, either local or on remote storage, monthly.</string>\r
<string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help">This policy setting allows you to execute commands, either local or on remote storage, weekly.</string>\r
+ <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help">This policy configures the sudoers file with the lines specified.</string>\r
</stringTable>\r
<presentationTable>\r
<presentation id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">\r
<presentation id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674">\r
<listBox refId="LST_1E7198A6_7850_4CAB_B656_BC18752564FC">Script and arguments</listBox>\r
</presentation>\r
+ <presentation id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3">\r
+ <listBox refId="LST_4F4BA073_4F7B_4B64_A61D_8E75257A4B9F">Sudoers commands</listBox>\r
+ </presentation>\r
</presentationTable>\r
</resources>\r
</policyDefinitionResources>\r
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
from samba.gpclass import gp_pol_ext
+from base64 import b64encode
+from tempfile import NamedTemporaryFile
+from subprocess import Popen, PIPE
+from distutils.spawn import find_executable
+
+intro = '''
+### autogenerated by samba
+#
+# This file is generated by the gp_sudoers_ext Group Policy
+# Client Side Extension. To modify the contents of this file,
+# modify the appropriate Group Policy objects which apply
+# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
+#
+
+'''
+visudo = find_executable('visudo',
+ path='%s:%s' % (os.environ['PATH'], '/usr/sbin'))
class gp_sudoers_ext(gp_pol_ext):
+ def __str__(self):
+ return 'Unix Settings/Sudo Rights'
+
def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
sdir='/etc/sudoers.d'):
- pass
+ for gpo in deleted_gpo_list:
+ self.gp_db.set_guid(gpo[0])
+ if str(self) in gpo[1]:
+ for attribute, sudoers in gpo[1][str(self)].items():
+ os.unlink(sudoers)
+ self.gp_db.delete(str(self), attribute)
+ self.gp_db.commit()
+
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ section = 'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
+ self.gp_db.set_guid(gpo.name)
+ pol_file = 'MACHINE/Registry.pol'
+ path = os.path.join(gpo.file_sys_path, pol_file)
+ pol_conf = self.parse(path)
+ if not pol_conf:
+ continue
+ for e in pol_conf.entries:
+ if e.keyname == section and e.data.strip():
+ attribute = b64encode(e.data.encode()).decode()
+ old_val = self.gp_db.retrieve(str(self), attribute)
+ if not old_val:
+ contents = intro
+ contents += '%s\n' % e.data
+ with NamedTemporaryFile() as f:
+ with open(f.name, 'w') as w:
+ w.write(contents)
+ sudo_validation = \
+ Popen([visudo, '-c', '-f', f.name],
+ stdout=PIPE, stderr=PIPE).wait()
+ if sudo_validation == 0:
+ with NamedTemporaryFile(prefix='gp_',
+ delete=False,
+ dir=sdir) as f:
+ with open(f.name, 'w') as w:
+ w.write(contents)
+ self.gp_db.store(str(self),
+ attribute,
+ f.name)
+ else:
+ self.logger.warn('Sudoers apply "%s" failed'
+ % e.data)
+ self.gp_db.commit()
from samba.gp_sec_ext import gp_sec_ext
from samba.gp_ext_loader import get_gp_client_side_extensions
from samba.gp_scripts_ext import gp_scripts_ext
+from samba.gp_sudoers_ext import gp_sudoers_ext
import logging
if __name__ == "__main__":
if opts.target == 'Computer':
gp_extensions.append(gp_sec_ext(logger, lp, creds, store))
gp_extensions.append(gp_scripts_ext(logger, lp, creds, store))
+ gp_extensions.append(gp_sudoers_ext(logger, lp, creds, store))
for ext in machine_exts:
gp_extensions.append(ext(logger, lp, creds, store))
elif opts.target == 'User':