pym/portage/data.py

   1 # data.py -- Calculated/Discovered Data Values
   2 # Copyright 1998-2004 Gentoo Foundation
   3 # Distributed under the terms of the GNU General Public License v2
   4 # $Id$
   5
   6 import os, sys, pwd, grp
   7 from portage.util import writemsg
   8 from portage.output import green,red
   9 from portage.output import create_color_func
  10 bad = create_color_func("BAD")
  11
  12 ostype=os.uname()[0]
  13
  14 userland = None
  15 lchown = getattr(os, "lchown", None)
  16 os.environ.setdefault("XARGS", "xargs")
  17 if ostype == "Linux" or \
  18         ostype.lower().startswith("gnu") or \
  19         ostype.lower().endswith("gnu"):
  20         userland="GNU"
  21 elif ostype == "Darwin":
  22         userland="Darwin"
  23 elif ostype.endswith("BSD") or ostype =="DragonFly":
  24         userland="BSD"
  25
  26 if not lchown:
  27                 try:
  28                         import missingos
  29                         lchown = missingos.lchown
  30                 except ImportError:
  31                         def lchown(*pos_args, **key_args):
  32                                 writemsg(red("!!!") + " It seems that os.lchown does not" + \
  33                                         " exist.  Please rebuild python.\n", noiselevel=-1)
  34                         lchown()
  35
  36 def portage_group_warning():
  37         warn_prefix = bad("*** WARNING ***  ")
  38         mylines = [
  39                 "For security reasons, only system administrators should be",
  40                 "allowed in the portage group.  Untrusted users or processes",
  41                 "can potentially exploit the portage group for attacks such as",
  42                 "local privilege escalation."
  43         ]
  44         for x in mylines:
  45                 writemsg(warn_prefix, noiselevel=-1)
  46                 writemsg(x, noiselevel=-1)
  47                 writemsg("\n", noiselevel=-1)
  48         writemsg("\n", noiselevel=-1)
  49
  50 # Portage has 3 security levels that depend on the uid and gid of the main
  51 # process and are assigned according to the following table:
  52 #
  53 # Privileges  secpass  uid    gid
  54 # normal      0        any    any
  55 # group       1        any    portage_gid
  56 # super       2        0      any
  57 #
  58 # If the "wheel" group does not exist then wheelgid falls back to 0.
  59 # If the "portage" group does not exist then portage_uid falls back to wheelgid.
  60
  61 secpass=0
  62
  63 uid=os.getuid()
  64 wheelgid=0
  65
  66 if uid==0:
  67         secpass=2
  68 try:
  69         wheelgid=grp.getgrnam("wheel")[2]
  70 except KeyError:
  71         pass
  72
  73 #Discover the uid and gid of the portage user/group
  74 try:
  75         portage_uid=pwd.getpwnam("portage")[2]
  76         portage_gid=grp.getgrnam("portage")[2]
  77         if secpass < 1 and portage_gid in os.getgroups():
  78                 secpass=1
  79 except KeyError:
  80         portage_uid=0
  81         portage_gid=0
  82         writemsg("\n")
  83         writemsg(  red("portage: 'portage' user or group missing. Please update baselayout\n"))
  84         writemsg(  red("         and merge portage user(250) and group(250) into your passwd\n"))
  85         writemsg(  red("         and group files. Non-root compilation is disabled until then.\n"))
  86         writemsg(      "         Also note that non-root/wheel users will need to be added to\n")
  87         writemsg(      "         the portage group to do portage commands.\n")
  88         writemsg("\n")
  89         writemsg(      "         For the defaults, line 1 goes into passwd, and 2 into group.\n")
  90         writemsg(green("         portage:x:250:250:portage:/var/tmp/portage:/bin/false\n"))
  91         writemsg(green("         portage::250:portage\n"))
  92         writemsg("\n")
  93         portage_group_warning()
  94
  95 userpriv_groups = [portage_gid]
  96 if secpass >= 2:
  97         # Get a list of group IDs for the portage user.  Do not use grp.getgrall()
  98         # since it is known to trigger spurious SIGPIPE problems with nss_ldap.
  99         from commands import getstatusoutput
 100         mystatus, myoutput = getstatusoutput("id -G portage")
 101         if mystatus == os.EX_OK:
 102                 for x in myoutput.split():
 103                         try:
 104                                 userpriv_groups.append(int(x))
 105                         except ValueError:
 106                                 pass
 107                         del x
 108                 userpriv_groups = list(set(userpriv_groups))
 109         del getstatusoutput, mystatus, myoutput