Skip to content

feature/impersonator: handles additional groups, optionally reject system users #361

Open
leo9800 wants to merge 2 commits into
mar10:masterfrom
leo9800:impersonator-patch
Open

feature/impersonator: handles additional groups, optionally reject system users #361
leo9800 wants to merge 2 commits into
mar10:masterfrom
leo9800:impersonator-patch

Conversation

@leo9800

@leo9800 leo9800 commented Apr 12, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

summary

this patch adds 2 major features for the impersonator middleware plus refactoring:

  1. the admin of an impersonator-enabled WsgiDAV server could now prevent a system user (unix uid <= 999) being impersonated, which add some security hardenings to some extend especially on some misconfigured setup with pam-based authentication
  2. the impersonator now also call initgroups() to initialize supplementary groups for the impersonated user, without this feature, the server may not correctly handle unix filesystem permission in some cases (explained below)
  3. the impersonator got its code refactored to avoid huge amount of raw uids/gids, but use passwd structs (classes) instead

the case that wsgidav with impersonator could not handle without initgroups():

#/etc/passwd
john:x:1000:1000::/home/john:/usr/bin/bash
jane:x:1001:1001::/home/jane:/usr/bin/bash

#/etc/groups
john:x:1000:
jane:x:1001:
dept1:x:6000:jane,john

# ls -l /path/to/davroot
drwxrwx--- 1 root  dept1 4874 Apr  8 14:10 department_1_root

in unix context, both jane and john should have access to /path/to/davroot/department_1_root because they are member of group dept1 and the mode of this directory is 0770

but if initgroups() is not called in wsgidav context and jane or john is impersonated, none of them would become member of group dept1, rendering them having no access to /path/to/davroot/department_1_root.

leo9800 added 2 commits April 12, 2026 23:32
@leo9800
wsgidav/mw/impersonator.py: refactor, handles additional groups
b430969 
Signed-off-by: Leo <i@hardrain980.com>
@leo9800
wsgidav/mw/impersonator.py: allow admins to reject impersonating unix…
d6047e2 
… system users (uid <= 999)

sample_wsgidav.yaml: configuration entry for the feature above

Signed-off-by: Leo <i@hardrain980.com>
@codecov

codecov Bot commented Apr 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.66%. Comparing base (513b90d) to head (d6047e2).

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #361   +/-   ##
=======================================
  Coverage   43.66%   43.66%           
=======================================
  Files          31       31           
  Lines        4967     4967           
=======================================
  Hits         2169     2169           
  Misses       2798     2798

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@FlyGoat

FlyGoat commented May 26, 2026

Copy link
Copy Markdown

+1 for 2, this is necessary for LDAP as sssd backend as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@leo9800 @FlyGoat