Changeset 1087

Timestamp:

07/16/03 23:53:08 (21 years ago)

Author:

jalet

Message:

Really big modifications wrt new configuration file's location and content.

Location:

pykota/trunk

Files:

• conf/pykota.conf.sample (modified) (3 diffs)
• conf/pykotadmin.conf.sample (added)
• initscripts/postgresql/pykota-postgresql.sql (modified) (3 diffs)
• initscripts/postgresql/upgrade-to-1.14.sql (modified) (2 diffs)
• NEWS (modified) (1 diff)
• pykota/config.py (modified) (2 diffs)
• pykota/storage.py (modified) (2 diffs)
• pykota/storages/pgstorage.py (modified) (2 diffs)
• pykota/tool.py (modified) (2 diffs)
• pykota/version.py (modified) (1 diff)
• SECURITY (modified) (1 diff)
• setup.py (modified) (3 diffs)

pykota/trunk/conf/pykota.conf.sample

@@ -1 +1 @@
 # PyKota sample configuration file
 #
-# Copy this file in cups' configuration directory
-# usually /etc/cups under the name pykota.conf
+# Copy this file into the /etc/pykota/ directory
+# under the name /etc/pykota/pykota.conf
 #
 # PyKota - Print Quotas for CUPS and LPRng
@@ -40 +40 @@
 storagename: pykota
 
-# Quota Storage administrator's and normal user's names and passwords
-storageadmin: pykotaadmin
-# storageadminpw: Comment out if unused, or set to Quota Storage admin password
+# 
+# Quota Storage normal user's name and password
+# These two fields contain a username and optional password 
+# which may give readonly access to your print quota database.
+# 
+# PLEASE ENSURE THAT THIS USER CAN'T WRITE TO YOUR PRINT QUOTA
+# DATABASE, OTHERWISE ANY USER WHO COULD READ THIS CONFIGURATION
+# FILE COULD CHANGE HIS PRINT QUOTA.
+#
+storageuser: pykotauser
+# storageuserpw: Comment out if unused, or set to Quota Storage user password
 
 # NB : storageuser and storageuserpw are not used anymore
@@ -50 +58 @@
 #storageserver: ldap://ldap.librelogiciel.com:389
 #storagename: dc=librelogiciel,dc=com
-#storageadmin: cn=admin,dc=librelogiciel,dc=com
-#storageadminpw: abc.123
+#storageuser: cn=notadmin,dc=librelogiciel,dc=com
+#storageuserpw: abc.123
 #
 # Here we define some helpers to know where 

pykota/trunk/initscripts/postgresql/pykota-postgresql.sql

@@ -20 +20 @@
 --
 -- $Log$
+-- Revision 1.4  2003/07/16 21:53:07  jalet
+-- Really big modifications wrt new configuration file's location and content.
+--
 -- Revision 1.3  2003/07/09 20:17:07  jalet
 -- Email field added to PostgreSQL schema
@@ -51 +54 @@
 -- 
 CREATE USER pykotaadmin;
+CREATE USER pykotauser;
 
 -- 
@@ -127 +131 @@
 --
 REVOKE ALL ON users, groups, printers, userpquota, grouppquota, groupsmembers, jobhistory FROM public;                        
+REVOKE ALL ON users_id_seq, groups_id_seq, printers_id_seq, userpquota_id_seq, grouppquota_id_seq, jobhistory_id_seq FROM public;
+
 GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES ON users, groups, printers, userpquota, grouppquota, groupsmembers, jobhistory TO pykotaadmin;
 GRANT SELECT, UPDATE ON users_id_seq, groups_id_seq, printers_id_seq, userpquota_id_seq, grouppquota_id_seq, jobhistory_id_seq TO pykotaadmin;
+GRANT SELECT ON users, groups, printers, userpquota, grouppquota, groupsmembers, jobhistory TO pykotauser;
 

pykota/trunk/initscripts/postgresql/upgrade-to-1.14.sql

@@ -20 +20 @@
 --
 -- $Log$
+-- Revision 1.2  2003/07/16 21:53:07  jalet
+-- Really big modifications wrt new configuration file's location and content.
+--
 -- Revision 1.1  2003/07/09 20:17:07  jalet
 -- Email field added to PostgreSQL schema
@@ -40 +43 @@
 --
 ALTER TABLE users ADD COLUMN email TEXT;
+CREATE USER pykotauser;
+REVOKE ALL ON users, groups, printers, userpquota, grouppquota, groupsmembers, jobhistory FROM pykotauser;
+REVOKE ALL ON users_id_seq, groups_id_seq, printers_id_seq, userpquota_id_seq, grouppquota_id_seq, jobhistory_id_seq FROM pykotauser;
+GRANT SELECT ON users, groups, printers, userpquota, grouppquota, groupsmembers, jobhistory TO pykotauser;

pykota/trunk/NEWS

@@ -22 +22 @@
 PyKota NEWS :
 
+    - 1.14alpha6 :
+    
+        - Configuration file split and moved to /etc/pykota/pykota.conf
+          and /etc/pykota/pykotadmin.conf to prevent simple users to
+          have Read/Write access to the Quota Database.
+          Don't forget to :
+          
+                $ chmod 640 /etc/pykota/pykotadmin.conf
+                
+        - storageuser and storageuserpw configuration fields reintroduced
+          for the same reason.
+          
+        - Code cleaning for future implementation of email addresses 
+          support in the PostgreSQL and LDAP backends.
+          
     - 1.14alpha5 :
         

pykota/trunk/pykota/config.py

@@ -21 +21 @@
 #
 # $Log$
+# Revision 1.33  2003/07/16 21:53:07  jalet
+# Really big modifications wrt new configuration file's location and content.
+#
 # Revision 1.32  2003/07/08 19:43:51  jalet
 # Configurable warning messages.
@@ -200 +203 @@
         backendinfo = {}
         for option in [ "storagebackend", "storageserver", \
-                        "storagename", "storageadmin", \
+                        "storagename", "storageuser", \
                       ] :
             backendinfo[option] = self.getGlobalOption(option)
-        backendinfo["storageadminpw"] = self.getGlobalOption("storageadminpw", ignore=1)
+        backendinfo["storageuserpw"] = self.getGlobalOption("storageuserpw", ignore=1)  # password is optional
+        backendinfo["storageadmin"] = None
+        backendinfo["storageadminpw"] = None
+        adminconf = ConfigParser.ConfigParser()
+        adminconf.read(["/etc/pykota/pykotadmin.conf"])
+        if adminconf.sections() : # were we able to read the file ?
+            try :
+                backendinfo["storageadmin"] = adminconf.get("global", "storageadmin", raw=1)
+            except (ConfigParser.NoSectionError, ConfigParser.NoOptionError) :    
+                raise PyKotaConfigError, _("Option %s not found in section global of %s") % ("storageadmin", "/etc/pykota/pykotadmin.conf")
+            try :
+                backendinfo["storageadminpw"] = adminconf.get("global", "storageadminpw", raw=1)
+            except (ConfigParser.NoSectionError, ConfigParser.NoOptionError) :    
+                pass # Password is optional
         return backendinfo
         

pykota/trunk/pykota/storage.py

@@ -21 +21 @@
 #
 # $Log$
+# Revision 1.19  2003/07/16 21:53:07  jalet
+# Really big modifications wrt new configuration file's location and content.
+#
 # Revision 1.18  2003/07/07 08:33:18  jalet
 # Bug fix due to a typo in LDAP code
@@ -314 +317 @@
         host = backendinfo["storageserver"]
         database = backendinfo["storagename"]
-        admin = backendinfo["storageadmin"]
-        adminpw = backendinfo["storageadminpw"]
+        admin = backendinfo["storageadmin"] or backendinfo["storageuser"]
+        adminpw = backendinfo["storageadminpw"] or backendinfo["storageuserpw"]
         return getattr(storagebackend, "Storage")(pykotatool, host, database, admin, adminpw)
 

pykota/trunk/pykota/storages/pgstorage.py

@@ -21 +21 @@
 #
 # $Log$
+# Revision 1.10  2003/07/16 21:53:08  jalet
+# Really big modifications wrt new configuration file's location and content.
+#
 # Revision 1.9  2003/07/14 17:20:15  jalet
 # Bug in postgresql storage when modifying the prices for a printer
@@ -333 +336 @@
     def addUser(self, user) :        
         """Adds a user to the quota storage, returns its id."""
-        self.doModify("INSERT INTO users (username, limitby, balance, lifetimepaid) VALUES (%s, %s, %s, %s)" % (self.doQuote(user.Name), self.doQuote(user.LimitBy), self.doQuote(user.AccountBalance), self.doQuote(user.LifeTimePaid)))
+        self.doModify("INSERT INTO users (username, limitby, balance, lifetimepaid, email) VALUES (%s, %s, %s, %s, %s)" % (self.doQuote(user.Name), self.doQuote(user.LimitBy), self.doQuote(user.AccountBalance), self.doQuote(user.LifeTimePaid), self.doQuote(user.Email)))
         return self.getUser(user.Name)
         

pykota/trunk/pykota/tool.py

@@ -21 +21 @@
 #
 # $Log$
+# Revision 1.47  2003/07/16 21:53:08  jalet
+# Really big modifications wrt new configuration file's location and content.
+#
 # Revision 1.46  2003/07/09 20:17:07  jalet
 # Email field added to PostgreSQL schema
@@ -223 +226 @@
         # pykota specific stuff
         self.documentation = doc
-        self.config = config.PyKotaConfig("/etc")
+        self.config = config.PyKotaConfig("/etc/pykota")
         self.logger = logger.openLogger(self)
         self.storage = storage.openConnection(self)

pykota/trunk/pykota/version.py

@@ -21 +21 @@
 #
 
-__version__ = "1.14alpha5_unofficial"
+__version__ = "1.14alpha6_unofficial"
 
 __doc__ = """PyKota : a complete Printing Quota Solution for CUPS and LPRng."""

pykota/trunk/SECURITY

@@ -63 +63 @@
     PyKota and/or your printing system completely inoperative.
     
-  - Ensure that no regular user can read PyKota's configuration file,
-    but that both the print quota administrator and the user the
-    printing system is run as can read it. Depending on your system's
-    configuration, this may give something like :
+  - Ensure that no regular user can read PyKota administrator's 
+    configuration file, but that both the print quota administrator and 
+    the user the printing system is run as can read it. Depending on 
+    your system's configuration, this may give something like : 
     
-      $ chown lp.lpadmin /etc/pykota.conf
-      $ chmod 640 /etc/pykota.conf
+      $ chown lp.lpadmin /etc/pykota/pykotadmin.conf
+      $ chmod 640 /etc/pykota/pykotadmin.conf
     
     If the print quota administrator is root then he will always be
     able to read PyKota's configuration file.
     
-    Letting any user read PyKota's configuration file may expose
-    passwords or database information which would allow direct
-    connections to it if the user can write and execute his own
-    scripts or download and execute his own version of PyKota.
+    Letting any user read PyKota administrator's configuration file may 
+    expose passwords or database information which would allow direct 
+    connections to it if the user can write and execute his own scripts 
+    or download and execute his own version of PyKota. 
   
+    If you want to let users generate their own print quota reports, 
+    then ensure that /etc/pykota/pykota.conf is readable by
+    everyone, but writeable only by the root user :
+    
+      $ chown root.root /etc/pykota/pykota.conf
+      $ chmod 644 /etc/pykota/pykota.conf
+      
     NB : If you use the printquota.cgi CGI script, ensure that
          the user this script is run as (e.g. nobody or www-data)
-         can read PyKota's configuration file too, for example
-         by putting www-data in the lpadmin group.
-         WARNING : putting www-data in the lpadmin group so that
-         the CGI script can read the /etc/pykota.conf file is
-         dangerous. If any user can create CGI scripts launchable
-         as www-data then he could steal a copy of the /etc/pykota.conf 
-         file and learn database and database users' name and passwords.
-         The best solution is probably to create a pykota system
-         account and run the CGI script as this user using Apache's SuEXEC
-         facility. Refer to Apache's documentation for details.
+         can read PyKota's configuration file /etc/pykota/pykota.conf
+         BUT can't read PyKota administrator's configuration file
+         /etc/pykota/pykotadmin.conf
+         Refer to Apache's documentation for details.
   
   - Secure your database connection :

pykota/trunk/setup.py

@@ -23 +23 @@
 #
 # $Log$
+# Revision 1.19  2003/07/16 21:53:07  jalet
+# Really big modifications wrt new configuration file's location and content.
+#
 # Revision 1.18  2003/07/03 09:44:00  jalet
 # Now includes the pykotme utility
@@ -90 +93 @@
 import os
 import shutil
-import ConfigParser
 try :
     from distutils.core import setup
@@ -149 +151 @@
         sys.exit(-1)
         
-    # checks if a configuration file is present in the old location
-    if os.path.isfile("/etc/cups/pykota.conf") :
-        if not os.path.isfile("/etc/pykota.conf") :
-            sys.stdout.write("From version 1.02 on, PyKota expects to find its configuration\nfile in /etc instead of /etc/cups.\n")
+    # checks if a configuration file is present in the new location
+    if not os.path.isfile("/etc/pykota/pykota.conf") :
+        if not os.path.isdir("/etc/pykota") :
+            try :
+                os.mkdir("/etc/pykota")
+            except OSError, msg :    
+                sys.stderr.write("An error occured while creating the /etc/pykota directory.\n%s\n" % msg)
+                sys.exit(-1)
+                
+        if os.path.isfile("/etc/pykota.conf") :
+            # upgrade from pre-1.14 to 1.14 and above
+            sys.stdout.write("From version 1.14 on, PyKota expects to find its configuration\nfile in /etc/pykota/ instead of /etc/\n")
             sys.stdout.write("It seems that you've got a configuration file in the old location,\nso it will not be used anymore,\nand there's no configuration file in the new location.\n")
-            answer = raw_input("Do you want to move /etc/cups/pykota.conf to /etc/pykota.conf (y/N) ? ")
+            answer = raw_input("Do you want to move /etc/pykota.conf to /etc/pykota/pykota.conf (y/N) ? ")
             if answer[0:1].upper() == 'Y' :
                 try :
-                    os.rename("/etc/cups/pykota.conf", "/etc/pykota.conf")
+                    os.rename("/etc/pykota.conf", "/etc/pykota/pykota.conf")
                 except OSError :    
-                    sys.stderr.write("ERROR : An error occured while moving /etc/cups/pykota.conf to /etc/pykota.conf\nAborted !\n")
+                    sys.stderr.write("ERROR : An error occured while moving /etc/pykota.conf to /etc/pykota/pykota.conf\nAborted !\n")
                     sys.exit(-1)
+                else :    
+                    sys.stdout.write("Configuration file /etc/pykota.conf moved to /etc/pykota/pykota.conf.\n")
             else :
-                sys.stderr.write("WARNING : Configuration file /etc/cups/pykota.conf won't be used ! Move it to /etc instead.\n")
-                sys.stderr.write("PyKota installation will continue anyway, but the software won't run until you put a proper configuration file in /etc\n")
-        else :        
-            sys.stderr.write("WARNING : Configuration file /etc/cups/pykota.conf will not be used !\nThe file /etc/pykota.conf will be used instead.\n")
-    elif not os.path.isfile("/etc/pykota.conf") :        
-        # no configuration file, first installation it seems.
-        if os.path.isfile("conf/pykota.conf.sample") :
-            answer = raw_input("Do you want to install conf/pykota.conf.sample as /etc/pykota.conf (y/N) ? ")
-            if answer[0:1].upper() == 'Y' :
-                try :
-                    shutil.copy("conf/pykota.conf.sample", "/etc/pykota.conf")        
-                except IOError :    
-                    sys.stderr.write("WARNING : Problem while installing /etc/pykota.conf, please do it manually.\n")
-                else :    
-                    sys.stdout.write("Configuration file /etc/pykota.conf installed.\nDon't forget to adapt /etc/pykota.conf to your needs.\n")
+                sys.stderr.write("WARNING : Configuration file /etc/pykota.conf won't be used ! Move it to /etc/pykota/ instead.\n")
+                sys.stderr.write("PyKota installation will continue anyway,\nbut the software won't run until you put a proper configuration file in /etc/pykota/\n")
+            dummy = raw_input("Please press ENTER when you have read the message above. ")
+        else :
+            # first installation
+            if os.path.isfile("conf/pykota.conf.sample") :
+                answer = raw_input("Do you want to install\n\tconf/pykota.conf.sample as /etc/pykota/pykota.conf (y/N) ? ")
+                if answer[0:1].upper() == 'Y' :
+                    try :
+                        shutil.copy("conf/pykota.conf.sample", "/etc/pykota/pykota.conf")        
+                        shutil.copy("conf/pykotadmin.conf.sample", "/etc/pykota/pykotadmin.conf")        
+                    except IOError, msg :    
+                        sys.stderr.write("WARNING : Problem while installing sample configuration files in /etc/pykota/, please do it manually.\n%s\n" % msg)
+                    else :    
+                        sys.stdout.write("Configuration file /etc/pykota/pykota.conf and /etc/pykota/pykotadmin.conf installed.\nDon't forget to adapt these files to your needs.\n")
+                else :        
+                    sys.stderr.write("WARNING : PyKota won't run without a configuration file !\n")
             else :        
-                sys.stderr.write("WARNING : PyKota won't run without a configuration file !\n")
-    else :            
-        # Configuration file already exists. Check if this is an old version or not
-        # if the 'method: lazy' line is present, then the configuration file
-        # has to be updated.
-        oldconf = ConfigParser.ConfigParser()
-        oldconf.read(["/etc/pykota.conf"])
-        try :
-            if oldconf.get("global", "method", raw=1).lower().strip() == "lazy" :
-                sys.stdout.write("You have got an OLD PyKota configuration file !\n")
-                sys.stdout.write("The 'method' statement IS NOT SUPPORTED ANYMORE\nand was replaced with the 'accounter' statement.\n") 
-                sys.stdout.write("You have to manually set an 'accounter' statement,\neither globally or for each printer.\n")
-                sys.stdout.write("Please read the sample configuration file conf/pykota.conf.sample\n")
-                sys.stdout.write("to learn how to MANUALLY apply the modifications needed,\nafter the installation is done.\n")
-                sys.stdout.write("If you don't do this, then PyKota will stop working !\n")
-                answer = raw_input("Please, press ENTER when you'll have read the above paragraph.")
-        except ConfigParser.NoOptionError :
-            # New configuration file, OK
-            pass
+                # Problem ?
+                sys.stderr.write("WARNING : PyKota's sample configuration file cannot be found.\nWhat you have downloaded seems to be incomplete,\nor you are not in the pykota directory.\nPlease double check, and restart the installation procedure.\n")
+            dummy = raw_input("Please press ENTER when you have read the message above. ")
+    else :    
+        # already at 1.14 or above, nothing to be done.
+        pass
+        
+    # Second stage, we will fail if onfiguration is incorrect for security reasons
+    from pykota.config import PyKotaConfig,PyKotaConfigError
+    try :
+        conf = PyKotaConfig("/etc/pykota/")
+    except PyKotaConfigError, msg :    
+        sys.stedrr.write("%s\nINSTALLATION ABORTED !\nPlease restart installation.\n" % msg)
+        sys.exit(-1)
+    else :
+        hasadmin = conf.getGlobalOption("storageadmin", ignore=1)
+        hasadminpw = conf.getGlobalOption("storageadminpw", ignore=1)
+        hasuser = conf.getGlobalOption("storageuser", ignore=1)
+        if hasadmin or hasadminpw : 
+            sys.stderr.write("From version 1.14 on, PyKota expects that /etc/pykota/pykota.conf doesn't contain the Quota Storage Administrator's name and optional password.\n")
+            sys.stderr.write("Please put these in a [global] section in /etc/pykota/pykotadmin.conf\n")
+            sys.stderr.write("Then replace these values with 'storageuser' and 'storageuserpw' in /etc/pykota/pykota.conf\n")
+            sys.stderr.write("These two fields were re-introduced to allow any user to read to his own quota, without allowing them to modify it.\n")
+            sys.stderr.write("You can look at the conf/pykota.conf.sample and conf/pykotadmin.conf.sample files for examples.\n")
+            sys.stderr.write("YOU HAVE TO DO THESE MODIFICATIONS MANUALLY, AND RESTART THE INSTALLATION.\n")
+            sys.stderr.write("INSTALLATION ABORTED FOR SECURITY REASONS.\n")
+            sys.exit(-1)
+        if not hasuser :
+            sys.stderr.write("From version 1.14 on, PyKota expects that /etc/pykota/pykota.conf contains the Quota Storage Normal User's name and optional password.\n")
+            sys.stderr.write("Please put these in a [global] section in /etc/pykota/pykota.conf\n")
+            sys.stderr.write("These fields are respectively named 'storageuser' and 'storageuserpw'.\n")
+            sys.stderr.write("These two fields were re-introduced to allow any user to read to his own quota, without allowing them to modify it.\n")
+            sys.stderr.write("You can look at the conf/pykota.conf.sample and conf/pykotadmin.conf.sample files for examples.\n")
+            sys.stderr.write("YOU HAVE TO DO THESE MODIFICATIONS MANUALLY, AND RESTART THE INSTALLATION.\n")
+            sys.stderr.write("INSTALLATION ABORTED FOR SECURITY REASONS.\n")
+            sys.exit(-1)
+            
+        sb = conf.getStorageBackend()
+        if (sb.get("storageadmin") is None) or (sb.get("storageuser") is None) :
+            sys.stderr.write("From version 1.14 on, PyKota expects that /etc/pykota/pykota.conf contains the Quota Storage Normal User's name and optional password which gives READONLY access to the Print Quota DataBase,")
+            sys.stderr.write("and that /etc/pykota/pykotadmin.conf contains the Quota Storage Administrator's name and optional password which gives READ/WRITE access to the Print Quota DataBase.\n")
+            sys.stderr.write("Your configuration doesn't seem to be OK, please modify your configuration files in /etc/pykota/\n")
+            sys.stderr.write("AND RESTART THE INSTALLATION.\n")
+            sys.stderr.write("INSTALLATION ABORTED FOR SECURITY REASONS.\n")
+            sys.exit(-1)
+        
+    # change files permissions    
+    os.chmod("/etc/pykota/pykota.conf", 0644)
+    os.chmod("/etc/pykota/pykotadmin.conf", 0640)
+    
+    # WARNING MESSAGE    
+    sys.stdout.write("WARNING : IF YOU ARE UPGRADING FROM A PRE-1.14 TO 1.14 OR ABOVE\n")
+    sys.stdout.write("AND USE THE POSTGRESQL BACKEND, THEN YOU HAVE TO MODIFY YOUR\n")
+    sys.stdout.write("DATABASE SCHEMA USING initscripts/postgresql/upgrade-to-1.14.sql\n")
+    sys.stdout.write("PLEASE READ DOCUMENTATION IN initscripts/postgresql/ TO LEARN HOW TO DO.\n")
+    sys.stdout.write("\n\nYOU DON'T HAVE ANYTHING SPECIAL TO DO IF THIS IS YOUR FIRST INSTALLATION.\n\n")
+    dummy = raw_input("Please press ENTER when you have read the message above. ")
     
     # checks if some needed Python modules are there or not.