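#!/usr/bin/python
"""
Subversion pre-commit hook which checks that all files named sudoers
are indeed valid sudoers files by running visudo over them

Every external command is started from an argument list rather than a
shell command line, so repository paths chosen by the committer are
passed to svnlook as data and are never interpreted by a shell.  Every
changed sudoers file in the transaction is checked, and any failure to
inspect the transaction rejects the commit.

Needs Python 2.6 or later (subprocess module and bytes literals).

@author Joel Heenan 7/1/2009
"""

import logging
import os
import string
import subprocess
import sys
import tempfile

SVNLOOK = '/usr/bin/svnlook'
VISUDO = '/usr/sbin/visudo'


def _run(argv, merge_stderr=False):
    """Run argv without a shell; return (exit_code, stdout, stderr) as bytes.

    With merge_stderr the child's stderr is folded into stdout and the
    third element is empty.
    """
    if merge_stderr:
        err_target = subprocess.STDOUT
    else:
        err_target = subprocess.PIPE
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=err_target)
    out, err = proc.communicate()
    return proc.returncode, out, err or b''


def _writeStderr(data):
    """Write bytes to stderr on both Python 2 and Python 3."""
    # Python 3 text streams expose the byte stream as .buffer; the
    # Python 2 stream accepts byte strings directly.
    stream = getattr(sys.stderr, 'buffer', sys.stderr)
    stream.write(data)
    stream.flush()


def sudoersPathsFromChanged(output):
    """Return the paths named 'sudoers' listed in `svnlook changed` output.

    output is the raw bytes printed by svnlook: one entry per line, a
    status field followed by whitespace and the path.  Only the first
    run of whitespace is treated as the separator, so paths containing
    spaces are kept whole.  Paths are returned as bytes, in input order.
    """
    found = []
    for line in output.split(b'\n'):
        fields = line.split(None, 1)
        if len(fields) != 2:
            # blank line, or nothing after the status field
            continue
        path = fields[1]
        # Directory entries end in '/', so their basename is empty and
        # they are skipped here.
        if os.path.basename(path).strip() == b'sudoers':
            found.append(path)
    return found


def getFileContents(repos, txn, path):
    """Return the bytes of path as it exists in transaction txn.

    Returns None, after copying svnlook's error text to stderr, when
    svnlook exits non-zero.  The error text is kept out of the returned
    contents so that it is never handed to visudo as if it were the file.
    """
    status, output, errors = _run([SVNLOOK, 'cat', '-t', txn, repos, path])
    if status != 0:
        _writeStderr(errors[:1024])
        return None
    return output


def visudoCheck(filename):
    """Run `visudo -cf filename`; return 0 if it accepts the file.

    A non-zero return is visudo's exit code.  visudo's output (stdout
    and stderr together) is copied to stderr so the committer sees why
    the file was rejected.
    """
    visudo_status, visudo_output, _ = _run(
        [VISUDO, '-cf', filename], merge_stderr=True)
    # this issue is not fixed in RHEL4 subversion at time of writing
    # http://subversion.tigris.org/issues/show_bug.cgi?id=2078
    _writeStderr(visudo_output[:1024])
    return visudo_status


def main(repos, txn):
    """Validate every changed sudoers file in txn; exit 1 on any failure.

    Returns normally (hook exit status 0) only when svnlook succeeded
    and visudo accepted every sudoers file in the transaction.
    """
    status, output, errors = _run([SVNLOOK, 'changed', '-t', txn, repos])
    if status != 0:
        # Without the list of changes nothing can be verified, so the
        # commit is refused rather than waved through.
        _writeStderr(errors[:1024])
        sys.exit(1)

    for path in sudoersPathsFromChanged(output):
        contents = getFileContents(repos, txn, path)
        if contents is None:
            sys.exit(1)
        tmpfile = tempfile.NamedTemporaryFile()
        try:
            tmpfile.write(contents)
            tmpfile.flush()
            status = visudoCheck(tmpfile.name)
        finally:
            tmpfile.close()
        # Stop on the first bad file, but keep going after a good one:
        # one valid sudoers file must not vouch for the others in the
        # same commit.
        if status != 0:
            sys.exit(1)


if __name__ == '__main__':
    if len(sys.argv) < 3:
        sys.stderr.write("Usage: %s REPOS TXN\n" % (sys.argv[0]))
        # A hook invoked without its arguments has checked nothing, so
        # it must not report success.
        sys.exit(1)
    else:
        main(sys.argv[1], sys.argv[2])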