This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 0a05cc11344a56842d59d5e1167461a33848892d Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Thu Oct 30 06:15:47 2014 +0100 x2gobroker-authservice: Restructure logging. Enable log messages for authentication requests. --- debian/changelog | 2 + sbin/x2gobroker-authservice | 104 ++++++++++++++++++++++--------------------- 2 files changed, 56 insertions(+), 50 deletions(-) diff --git a/debian/changelog b/debian/changelog index b8ecbed..1eeadd9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -185,6 +185,8 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low X2GOBROKER_DEFAULT_BACKEND from x2gobroker.defaults instead. - x2gobroker-testauth: Improve help text of --backend option. Display the current backend default. + - x2gobroker-authservice: Restructure logging. Enable log messages + for authentication requests. * debian/control: + Provide separate bin:package for SSH brokerage: x2gobroker-ssh. + Replace LDAP support with session brokerage support in LONG_DESCRIPTION. diff --git a/sbin/x2gobroker-authservice b/sbin/x2gobroker-authservice index 52b2367..8e21cab 100755 --- a/sbin/x2gobroker-authservice +++ b/sbin/x2gobroker-authservice @@ -59,7 +59,8 @@ from x2gobroker import __AUTHOR__ class AuthClient(asyncore.dispatcher_with_send): - def __init__(self, sock): + def __init__(self, sock, logger=None): + self.logger = logger asyncore.dispatcher_with_send.__init__(self, sock) self._buf = '' 
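Review bot: `logger` defaults to `None` in `AuthClient.__init__`, but the `handle_read` hunk that follows calls `self.logger.warning(...)` and `self.logger.info(...)` unconditionally, so a caller that omits the argument gets an `AttributeError` right after the reply has been sent. The `AuthService.__init__` hunk further down has the same default and passes its value straight through to `AuthClient`. A fallback such as `self.logger = logger if logger is not None else logging.getLogger('authservice')` keeps the parameter optional and guarantees that authentication events are still recorded. The class body continues outside this hunk.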
@@ -75,11 +76,14 @@ class AuthClient(asyncore.dispatcher_with_send):
 user, passwd, service = req.split()
 except:
 self.send('bad\n')
+ self.logger.warning('bad authentication data received')
 else:
 if pam.authenticate(user, passwd, service):
 self.send('ok\n')
+ self.logger.info('successful authentication for \'{user}\' with password \'<hidden>\' against PAM service \'{service}\''.format(user=user, service=service))
 else:
 self.send('fail\n')
+ self.logger.info('authentication failure for \'{user}\' with password \'<hidden>\' against PAM service \'{service}\''.format(user=user, service=service))
 def handle_close(self):
 self.close()
@@ -87,7 +91,8 @@ class AuthClient(asyncore.dispatcher_with_send):
 class AuthService(asyncore.dispatcher_with_send):
- def __init__(self, socketfile, owner='root', group_owner='root', permissions='0660'):
+ def __init__(self, socketfile, owner='root', group_owner='root', permissions='0660', logger=None):
+ self.logger = logger
 asyncore.dispatcher_with_send.__init__(self)
 self.create_socket(socket.AF_UNIX, socket.SOCK_STREAM)
 self.set_reuse_addr()
@@ -98,7 +103,7 @@ class AuthService(asyncore.dispatcher_with_send):
 def handle_accept(self):
 conn, _ = self.accept()
- AuthClient(conn)
+ AuthClient(conn, logger=self.logger)
 def loop():
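Review bot: `user` and `service` in the two `self.logger.info(...)` calls are taken from `req`, which appears to be the client's request read from the socket, and are formatted into the log line unescaped. `req.split()` keeps whitespace, including newlines, out of both values, but quotes and other control bytes still pass, so a crafted name can make an entry read as if it carried different fields; formatting with `{user!r}` and `{service!r}` in place of `\'{user}\'` and `\'{service}\'` avoids that. Failed attempts are also logged at `info`, the same level as successes, so `self.logger.warning(...)` in the failure branch would keep them visible when the logger threshold is above INFO. The method starts above this hunk.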
@@ -130,14 +135,6 @@ elif iniconfig_loaded and iniconfig.has_option('common', 'X2GOBROKER_DEBUG'):
 X2GOBROKER_DEBUG=iniconfig.get('common', 'X2GOBROKER_DEBUG')
 else:
 X2GOBROKER_DEBUG = False
-if os.environ.has_key('X2GOBROKER_TESTSUITE'):
- X2GOBROKER_TESTSUITE = ( os.environ['X2GOBROKER_TESTSUITE'].lower() in ('1', 'on', 'true', 'yes', ) )
-elif iniconfig_loaded and iniconfig.has_option(iniconfig_section, 'X2GOBROKER_TESTSUITE'):
- X2GOBROKER_TESTSUITE=iniconfig.get(iniconfig_section, 'X2GOBROKER_TESTSUITE')
-elif iniconfig_loaded and iniconfig.has_option('common', 'X2GOBROKER_TESTSUITE'):
- X2GOBROKER_TESTSUITE=iniconfig.get('common', 'X2GOBROKER_TESTSUITE')
-else:
- X2GOBROKER_TESTSUITE = False
 if os.environ.has_key('X2GOBROKER_DAEMON_USER'):
 X2GOBROKER_DAEMON_USER=os.environ['X2GOBROKER_DAEMON_USER']
@@ -167,41 +164,6 @@ else:
 X2GOBROKER_AUTHSERVICE_SOCKET="{run}/x2gobroker/x2gobroker-authservice.socket".format(run=RUNDIR)
-# standalone daemon mode (x2gobroker-authservice as daemon) or interactive mode (called from the cmdline)?
-if getpass.getuser() in (X2GOBROKER_DAEMON_USER, 'root'):
-
- # we run in standalone daemon mode, so let's use the system configuration for logging
- logging.config.fileConfig(X2GOBROKER_AUTHSERVICE_LOGCONFIG)
-
- # create authservice logger
- logger_authservice = logging.getLogger('authservice')
-
-else:
- logger_root = logging.getLogger()
- stderr_handler = logging.StreamHandler(sys.stderr)
- stderr_handler.setFormatter(logging.Formatter(fmt='%(asctime)s - %(name)s - %(levelname)s - %(message)s', datefmt=''))
-
- # all loggers stream to stderr...
- logger_root.addHandler(stderr_handler)
-
- logger_authservice = logging.getLogger('authservice')
- logger_authservice.addHandler(stderr_handler)
- logger_authservice.propagate = 0
-
-
-# raise log level to DEBUG if requested...
-if X2GOBROKER_DEBUG and not X2GOBROKER_TESTSUITE:
- logger_authservice.setLevel(logging.DEBUG)
-
-logger_authservice.info('X2Go Session Broker ({version}), written by {author}'.format(version=__VERSION__, author=__AUTHOR__))
-logger_authservice.info('Setting up the PAM authentication service\'s environment...')
-logger_authservice.info(' X2GOBROKER_DEBUG: {value}'.format(value=X2GOBROKER_DEBUG))
-logger_authservice.info(' X2GOBROKER_AUTHSERVICE_SOCKET: {value}'.format(value=X2GOBROKER_AUTHSERVICE_SOCKET))
-
-# check effective UID the broker runs as and complain appropriately...
-if os.geteuid() != 0:
- logger_authservice.warn('X2Go Session Broker\'s PAM authentication service should run with root privileges to guarantee proper access to all PAM modules.')
-
 if __name__ == '__main__':
 common_options = [
@@ -209,7 +171,9 @@ if __name__ == '__main__':
 {'args':['-o','--owner'], 'default': 'root', 'help': 'owner of the AuthService socket file', },
 {'args':['-g','--group'], 'default': 'root', 'help': 'group ownership of the AuthService socket file', },
 {'args':['-p','--permissions'], 'default': '0660', 'help': 'set these file permissions for the AuthService socket file', },
-
+ {'args':['-d','--debug'], 'default': False, 'action': 'store_true', 'help': 'enable debugging code', },
+ {'args':['-i','--debug-interactively'], 'default': False, 'action': 'store_true', 'help': 'force output of log message to the stderr (rather than to the log files)', },
+
 ]
 if CAN_DAEMONIZE:
 common_options.extend([
@@ -230,6 +194,43 @@ if __name__ == '__main__':
 cmdline_args = p.parse_args()
+ # standalone daemon mode (x2gobroker-authservice as daemon) or interactive mode (called from the cmdline)?
+ if getpass.getuser() in (X2GOBROKER_DAEMON_USER, 'root') and not cmdline_args.debug_interactively:
+
+ # we run in standalone daemon mode, so let's use the system configuration for logging
+ logging.config.fileConfig(X2GOBROKER_AUTHSERVICE_LOGCONFIG)
+
+ # create authservice logger
+ logger_authservice = logging.getLogger('authservice')
+
+ else:
+ logger_root = logging.getLogger()
+ stderr_handler = logging.StreamHandler(sys.stderr)
+ stderr_handler.setFormatter(logging.Formatter(fmt='%(asctime)s - %(name)s - %(levelname)s - %(message)s', datefmt=''))
+
+ # all loggers stream to stderr...
+ logger_root.addHandler(stderr_handler)
+
+ logger_authservice = logging.getLogger('authservice')
+ logger_authservice.addHandler(stderr_handler)
+ logger_authservice.propagate = 0
+
+ if cmdline_args.debug_interactively:
+ cmdline_args.debug = True
+
+ # raise log level to DEBUG if requested...
+ if cmdline_args.debug or X2GOBROKER_DEBUG:
+ logger_authservice.setLevel(logging.DEBUG)
+
+ logger_authservice.info('X2Go Session Broker ({version}), written by {author}'.format(version=__VERSION__, author=__AUTHOR__))
+ logger_authservice.info('Setting up the PAM authentication service\'s environment...')
+ logger_authservice.info(' X2GOBROKER_DEBUG: {value}'.format(value=X2GOBROKER_DEBUG))
+ logger_authservice.info(' X2GOBROKER_AUTHSERVICE_SOCKET: {value}'.format(value=X2GOBROKER_AUTHSERVICE_SOCKET))
+
+ # check effective UID the broker runs as and complain appropriately...
+ if os.geteuid() != 0:
+ logger_authservice.warn('X2Go Session Broker\'s PAM authentication service should run with root privileges to guarantee proper access to all PAM modules.')
+
 if CAN_DAEMONIZE and cmdline_args.daemonize:
 # create directory for the PID file
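Review bot: The level of `logger_authservice` is only ever raised to DEBUG in this block; when the stderr branch is taken without `--debug` or `X2GOBROKER_DEBUG`, the logger has no level of its own and inherits the root logger's, which is WARNING unless something else configures it. In that case the startup `info` lines here and the new per-request `info` messages in `AuthClient` are dropped, so the authentication log stays empty. Calling `logger_authservice.setLevel(logging.INFO)` in the `else:` branch, next to `logger_authservice.propagate = 0`, would make those records independent of the root default; in daemon mode the level presumably comes from the file passed to `fileConfig`, which is not visible here. `logger_authservice.warn(...)` is the deprecated alias of `warning(...)`.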
@@ -271,10 +272,13 @@ if __name__ == '__main__':
 if not os.path.exists(os.path.dirname(socket_file)):
 os.makedirs(os.path.dirname(socket_file))
- os.chown(os.path.dirname(socket_file), getpwnam(cmdline_args.owner).pw_uid, getpwnam(cmdline_args.group).pw_gid)
- os.chmod(os.path.dirname(socket_file), int(cmdline_args.permissions, 8))
+ try:
+ os.chown(os.path.dirname(socket_file), getpwnam(cmdline_args.owner).pw_uid, getpwnam(cmdline_args.group).pw_gid)
+ os.chmod(os.path.dirname(socket_file), int(cmdline_args.permissions, 8))
+ except OSError:
+ pass
- AuthService(socket_file, owner=cmdline_args.owner, group_owner=cmdline_args.group, permissions=cmdline_args.permissions)
+ AuthService(socket_file, owner=cmdline_args.owner, group_owner=cmdline_args.group, permissions=cmdline_args.permissions, logger=logger_authservice)
 atexit.register(cleanup_on_exit)
 try:
 if CAN_DAEMONIZE and cmdline_args.daemonize:
-- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
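Review bot: The new `except OSError: pass` hides a failed `os.chown`/`os.chmod` on the socket directory, so the service goes on to create the authentication socket in a directory whose requested owner and mode were never applied, and nothing records that. Since `logger_authservice` exists at this point, the handler should at least log it: `except OSError as e:` followed by `logger_authservice.warning('could not set owner/permissions on {d}: {e}'.format(d=os.path.dirname(socket_file), e=e))`. Separately, the group id is resolved with `getpwnam(cmdline_args.group).pw_gid`, which looks up a user of that name rather than a group; `grp.getgrnam(cmdline_args.group).gr_gid` is the group lookup (whether `grp` is imported is not visible in this hunk). A name that does not exist raises `KeyError`, which this handler does not catch.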