commit 73184e85c931774e9bc432c6d08af69ca7695584
Author: Florian Best
Date: Fri Jul 12 16:00:29 2019 +0200

    YAML Bug #35173

diff --git a/doc/errata/staging/univention-pam.yaml b/doc/errata/staging/univention-pam.yaml
new file mode 100644
index 0000000000..f55f0dcacd
--- /dev/null
+++ b/doc/errata/staging/univention-pam.yaml
@@ -0,0 +1,11 @@
+product: ucs
+release: "4.4"
+version: [1]
+scope: ucs_4.4-0-errata4.4-1
+src: univention-pam
+fix:
+desc: |
+ This update addresses the following issue(s):
+ * A locking mechanism for ldap-group-to-file.py has been implemented
+ so that it is ensured the process only runs once at a time.
+bug: [35173]
commit c9e9b4459086358939b37fa6778672d94a812f4c
Author: Florian Best
Date: Fri Jul 12 15:59:23 2019 +0200

    Bug #35173: add locking for ldap-group-to-file

diff --git a/base/univention-pam/debian/changelog b/base/univention-pam/debian/changelog
index 4db4328ebe..79e3325d41 100644
--- a/base/univention-pam/debian/changelog
+++ b/base/univention-pam/debian/changelog
@@ -1,3 +1,9 @@
+univention-pam (12.0.2-2) unstable; urgency=medium
+
+ * Bug #35173: add locking for ldap-group-to-file
+
+ -- Florian Best Fri, 12 Jul 2019 15:59:01 +0200
+
 univention-pam (12.0.2-1) unstable; urgency=medium
 
 * Bug #47233: close ssh connection properly when shutting down
diff --git a/base/univention-pam/ldap-group-to-file.py b/base/univention-pam/ldap-group-to-file.py
index 409a3b6225..3aecb5906d 100755
--- a/base/univention-pam/ldap-group-to-file.py
+++ b/base/univention-pam/ldap-group-to-file.py
@@ -42,6 +42,9 @@ import tempfile
 import subprocess
 
+LOCKFILE = '/var/run/ldap-group-to-file.pid'
+
+
 def _get_members(lo, g, recursion_list, check_member=False):
 	result = []
 	for m in g[1].get('uniqueMember', []):
@@ -76,7 +79,7 @@ def _get_members(lo, g, recursion_list, check_member=False):
 		if 'univentionGroup' in member[1].get('objectClass', []):
 			if member[0] not in recursion_list:
 				recursion_list.append(g[0])
-				result += _get_members(lo, member, recursion_list, options.check_member)
+				result += _get_members(lo, member, recursion_list, check_member)
 			else:
 				# Recursion !!!
 				pass
@@ -96,10 +99,10 @@ def _run_hooks(options):
 			p = subprocess.Popen(cmd, stdin=null, stdout=null, stderr=null, shell=False)
 			_stdout, _stderr = p.communicate()
 	elif options.verbose:
-		print '%s does not exist' % HOOK_DIR
+		print('%s does not exist' % HOOK_DIR)
 
 
-if __name__ == '__main__':
+def main():
 	parser = optparse.OptionParser()
 	parser.add_option("--file", dest="file", default='/var/lib/extrausers/group', action="store", help="write result to the given file, default is /var/lib/extrausers/group")
 	parser.add_option("--verbose", dest="verbose", default=False, action="store_true", help="verbose output")
@@ -109,16 +112,23 @@ if __name__ == '__main__':
 
 	try:
 		lo = univention.uldap.getMachineConnection(ldap_master=False)
 	except ldap.SERVER_DOWN:
-		print "Abort: Can't contact LDAP server."
+		print("Abort: Can't contact LDAP server.")
 		sys.exit(1)
 
-	result = []
+	_lock()
+	try:
+		return doit(options, lo)
+	finally:
+		_release_lock()
+
+
+def doit(options, lo):
 	groups = lo.search('objectClass=univentionGroup', attr=['uniqueMember', 'cn', 'gidNumber'])
 	if options.verbose:
-		print 'Found %d ldap groups' % len(groups)
+		print('Found %d ldap groups' % len(groups))
 	if len(groups) < 1:
-		print 'Abort: Did not found any LDAP group.'
+		print('Abort: Did not found any LDAP group.')
 		sys.exit(1)
 
 	# Write to a temporary file
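Review bot: `main()` is introduced here without a docstring, so a reader reaching the optparse setup has no statement of what the entry point is responsible for. A one-line summary such as `"""Parse the command line, open the machine LDAP connection and run doit() under the run-once lock."""` would cover it, and the same applies to the later `doit()`. The body of `main()` continues past this hunk.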
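Review bot: `doit()` exits the interpreter from inside its body (`sys.exit(1)` here and, in the following hunk, `sys.exit(0)` at its end), so the `return doit(options, lo)` in `main()` never yields a value and reads as if it did. The lock is still released on these exits because `SystemExit` propagates through the `finally`, but that is easy to misread; having `doit()` hand back exit codes (`return 1` here, `return 0` at its end) and `main()` call `sys.exit(doit(options, lo))` makes the lifetime of the lock explicit. `doit()` also lacks a docstring stating that it reads all univentionGroup entries and rewrites `options.file` via a temporary file; its body continues past this hunk.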
@@ -138,8 +148,27 @@ if __name__ == '__main__':
 
 	# Move the file
 	shutil.move(fdname, options.file)
 	if options.verbose:
-		print 'The file %s was created.' % options.file
+		print('The file %s was created.' % options.file)
 	_run_hooks(options)
 
 	sys.exit(0)
+
+
+def _lock():
+	if os.path.exists(LOCKFILE):
+		print('Process is locked by PID: %s' % (open(LOCKFILE).read()),)
+		sys.exit(2)
+	with open(LOCKFILE, 'w') as fd:
+		fd.write(str(os.getpid()))
+
+
+def _release_lock():
+	try:
+		os.remove(LOCKFILE)
+	except EnvironmentError:
+		pass
+
+
+if __name__ == '__main__':
+	main()
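Review bot: `_lock()` is a check-then-create PID file, so two instances started close together can both pass `os.path.exists(LOCKFILE)` before either has written it and both run, and a run that dies without reaching the `finally` in `main()` (SIGKILL, power loss while the directory persists) leaves a file that blocks every later run until someone removes it by hand, with the printed PID possibly belonging to an unrelated process by then. An advisory `fcntl.flock()` on an opened lock file is atomic and is dropped by the kernel when the process exits, so it needs no stale-file handling; the sketch below keeps the `_lock()`/`_release_lock()` interface that `main()` uses, requires `import fcntl` in the import block, and deliberately stops unlinking the file in `_release_lock()`, since removing a path that a waiting instance may already have opened lets two later instances lock different inodes. The `open(LOCKFILE).read()` on the error path also leaves the file object for the garbage collector; reading through the already-opened handle avoids that. This hunk ends the file.
```python
_lock_fd = None  # kept open for the whole run; the flock is released when it is closed


def _lock():
	"""Take the run-once lock or exit with status 2 if another instance holds it."""
	global _lock_fd
	_lock_fd = open(LOCKFILE, 'a+')
	try:
		fcntl.flock(_lock_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
	except EnvironmentError:
		_lock_fd.seek(0)
		print('Process is locked by PID: %s' % (_lock_fd.read(),))
		sys.exit(2)
	# lock held: record our PID for the message above, replacing any old content
	_lock_fd.seek(0)
	_lock_fd.truncate()
	_lock_fd.write(str(os.getpid()))
	_lock_fd.flush()


def _release_lock():
	"""Release the lock; closing the descriptor drops the flock, the file stays."""
	if _lock_fd is not None:
		_lock_fd.close()

# … unchanged: if __name__ == '__main__': main() …
```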