From fe0977123345a6f5ad3d222da2514572d24ce759 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Mon, 20 Mar 2017 13:59:26 +0100
Subject: [PATCH] Don't considering home dirs outside /home
---
 etc/mk-home.ini.default | 3 ++-
 pp_lib/mk_home_app.py | 30 +++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/etc/mk-home.ini.default b/etc/mk-home.ini.default
index 23d9e05..3c3fbe9 100644
--- a/etc/mk-home.ini.default
+++ b/etc/mk-home.ini.default
@@ -11,6 +11,7 @@ bind_dn = cn=admin
 [mk-home]
 initial_uid = 999999999
-chroot_homedir = '/mnt/nfs'
+chroot_homedir = /mnt/nfs
+home_root = /home
 # vim: filetype=dosini
diff --git a/pp_lib/mk_home_app.py b/pp_lib/mk_home_app.py
index dab2979..05f4c62 100644
--- a/pp_lib/mk_home_app.py
+++ b/pp_lib/mk_home_app.py
@@ -39,7 +39,7 @@ from .merge import merge_structure
 from .ldap_app import PpLdapAppError, PpLdapApplication
-__version__ = '0.3.3'
+__version__ = '0.3.4'
 LOG = logging.getLogger(__name__)
@@ -57,14 +57,18 @@ class PpMkHomeApp(PpLdapApplication):
 default_initial_uid = 999999999
 default_chroot_homedir = os.sep + os.path.join('mnt', 'nfs')
+ default_home_root = os.sep + 'home'
 # -------------------------------------------------------------------------
 def __init__(self, appname=None, version=__version__):
 self.initial_uid = self.default_initial_uid
 self.chroot_homedir = self.default_chroot_homedir
+ self.home_root_abs = default_chroot_homedir
+ self.home_root_rel = os.path.relpath(self.home_root_abs, os.sep)
 self.simulate = False
 self.user_entries = []
+ self.home_root_real = os.path.join(self.chroot_homedir, self.home_root)
 description = textwrap.dedent('''\
 Home Directory and UIDNumber generation - this script will search for
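Review bot: `self.home_root_abs = default_chroot_homedir` in `__init__` reads a bare name that the visible code only defines as a class attribute, so unless a module-level name exists outside the hunk it raises NameError on construction; it also points at the chroot default rather than the new `default_home_root`, and should read `self.home_root_abs = self.default_home_root`. The added `self.home_root_real = os.path.join(self.chroot_homedir, self.home_root)` uses `self.home_root`, which no visible line defines, and the same expression is repeated in the configuration hunk at `@@ -156,6 +160,19 @@`. `os.path.join(self.chroot_homedir, self.home_root_rel)` looks like the intent, because joining with the absolute `home_root_abs` would discard the chroot prefix. Until both are fixed, the confinement to `home_root` that this commit adds is not reached. `__init__` continues past the end of the hunk.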
@@ -156,6 +160,19 @@ class PpMkHomeApp(PpLdapApplication):
 raise PpMkHomeError(msg)
 self.chroot_homedir = v
+ if 'home_root' in section:
+ v = section['home_root']
+ if not os.path.isabs(v):
+ msg = (
+ "The root path of the home directories must be an "
+ "absolute pathname (found [{s}]/home_root "
+ "=> {v!r} in configuration.").format(s=section_name, v=v)
+ raise PpMkHomeError(msg)
+ self.home_root_abs = v
+
+ self.home_root_rel = os.path.relpath(self.home_root_abs, os.sep)
+ self.home_root_real = os.path.join(self.chroot_homedir, self.home_root)
+
 # -------------------------------------------------------------------------
 def pre_run(self):
 """
@@ -216,6 +233,7 @@ class PpMkHomeApp(PpLdapApplication):
 def check_home_dirs(self):
 LOG.info("Checking home directories ...")
+ upper_dir = os.pardir + os.sep
 i = 0
 for entry in self.user_entries:
@@ -233,6 +251,16 @@ class PpMkHomeApp(PpLdapApplication):
 home = entry['homeDirectory'][0]
 LOG.debug("Checking home directory {!r} ...".format(home))
+ if not os.path.isabs(home):
+ LOG.warn("Home directory {h!r} of user {u!r} is not absolute.".format(
+ h=home, u=dn))
+ continue
+ home_relative = os.path.relpath(home, self.home_root_abs)
+ if home_relative.startswith(upper_dir):
+ if self.verbose:
+ LOG.warn("Home directory {h!r} outside {r!r} is not considered.".format(
+ h=home, r=self.home_root_abs))
+ continue
 chroot_dir = os.path.join(
 self.chroot_homedir, os.path.relpath(home, os.sep))
-- 2.39.5
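Review bot: The `home_root` validation only tests `os.path.isabs(v)`, so a value of `/` is accepted, and with that root the outside-check added in `check_home_dirs` can never fire. Rejecting it, or documenting the effect next to the option in `mk-home.ini.default`, would keep the new restriction from being switched off by accident. The error text opens a parenthesis at `(found` and never closes it; ending the last fragment with `in configuration).` fixes that. The enclosing method starts outside the hunk, and this page has lost indentation, so it is not visible whether the two recomputed attributes sit inside the `if 'home_root' in section:` block; they need to run after a `chroot_homedir` override as well.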
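Review bot: The outside-check `home_relative.startswith(upper_dir)` in `check_home_dirs` does not catch the case where `os.path.relpath` returns exactly `..`, because `upper_dir` is `../`. A `homeDirectory` equal to the parent of `home_root` (`/` for the default `/home`) is therefore still mapped under `chroot_homedir`, and `.` (the home root itself) passes as well. As the value comes from the LDAP entry, the guard should be `if home_relative in (os.curdir, os.pardir) or home_relative.startswith(upper_dir):`. The comparison is purely lexical, which deserves a comment such as `# lexical check only; symlinks below chroot_homedir are not resolved`. `LOG.warn` is a deprecated alias of `LOG.warning`, and the loop body continues outside the hunk.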