Add account slaproot used by slapos service

windows/docs/using-slapos-in-windows.xml

@@ -73,24 +73,11 @@ More information refer to <ulink url="http://community.slapos.org/wiki/osoe-Lect
 <programlisting>
 /etc/opt/slapos/scripts/slapos-configure.sh
 </programlisting>
-The configure script will guide you to configure slapos slave node, first, your need configure cron service:
+The configure script will guide you to configure slapos slave node, first, a super account "slaproot" will be created, you need type the password for this account
+<programlisting>
+</programlisting>
+Then the configure script will ask you whether start cron service:
 <programlisting>
-You must decide under what account the cron daemon will run.
-If you are the only user on this machine, the daemon can run as yourself.
-   This gives access to all network drives but only allows you as user.
-Otherwise cron should run under the local system account.
-  It will be capable of changing to other users without requiring a
-  password, using one of the three methods detailed in
-  http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
-Do you want the cron daemon to run as yourself? (yes/no) no
-
-
-Running cron_diagnose ...
-WARNING: Your computer does not appear to have a cron table for Administrator.
-Please generate a cron table for Administrator using 'crontab -e'
-
-... no problem found.
-
 Do you want to start the cron daemon as a service now? (yes/no) yes
 </programlisting>
 Next configure script need certificate and key information:

windows/scripts/slapos-configure.sh

@@ -77,19 +77,19 @@ mkdir -p /etc/re6stnet
 # -----------------------------------------------------------
 # Create account: slaproot
 # -----------------------------------------------------------
-# if csih_privileged_account_exists $slapos_administrator
-# then
-#     echo $slapos_administrator has been existsed.
-#     csih_account_has_necessary_privileges $slapos_administrator
-# else
-#     echo create account $slapos_administrator
-#     csih_FORCE_PRIVILEGED_USER=yes
-#     csih_create_privileged_user $slapos_administrator ||
-#     (echo Error: failed to create account. ; exit 1)
-# fi
+if csih_privileged_account_exists $slapos_administrator
+then
+    echo $slapos_administrator has been existed.
+    csih_account_has_necessary_privileges $slapos_administrator
+else
+    echo create account $slapos_administrator
+    csih_FORCE_PRIVILEGED_USER=yes
+    slapos_create_privileged_user || exit 1
+    _password=$csih_PRIVILEGED_PASSWORD
+fi
 
 # Start seclogon service in the Windows XP
-# sc config seclogon start= auto
+# sc config seclogon start=auto
 # In the later, it's RunAs service, and will start by default
 
 # -----------------------------------------------------------
@@ -118,8 +118,9 @@ check_cygwin_service syslog-ng
 
 if ! cygrunsrv --query sshd > /dev/null 2>&1 ; then
     echo Run ssh-host-config ...
-    /usr/bin/ssh-host-config --yes --cygwin ntsec || \
-        show_error_exit "Failed to run ssh-host-config"
+    /usr/bin/ssh-host-config --yes --cygwin ntsec \
+        --user $slapos_administrator --pwd ${_password} ||
+    show_error_exit "Failed to run ssh-host-config"
 else
     echo The sshd service has been installed.
 fi
@@ -132,11 +133,18 @@ slapos_cron_config=/usr/local/bin/slapos-cron-config
 if [[ ! -r $slapos_cron_config ]] ; then
     cp -a /usr/bin/cron-config $slapos_cron_config
     sed -i -e "s%elif request \"Do you want to install the cron daemon as a service.*$%else%g" \
-        -e 's/getcygenv " "/cygenv="ntsec"/g' $slapos_cron_config
+        -e 's/getcygenv " "/cygenv="ntsec"/g' \
+        -e "s/request \"Do you want the cron daemon to run as yourself\?\"/username=$slapos_administrator/g" \
+        $slapos_cron_config
 fi
 if ! cygrunsrv --query cron > /dev/null 2>&1 ; then
     echo Run cron-config ...
-    $slapos_cron_config || show_error_exit "Failed to run cron-config"
+    if [[ -z "${_password}" ]] ; then
+        csih_inform "Install cron service need the password of $slapos_administrator."
+        csih_get_value "Please enter the password:" -s
+        _password="${csih_value}"
+    fi
+    $slapos_cron_config "${_password}" || show_error_exit "Failed to run cron-config"
 else
     echo The cron service has been installed.
 fi
@@ -218,7 +226,7 @@ if [[ ! -f $node_configure_file ]] ; then
     cp $node_template_file $node_configure_file
 fi
 
-interface_guid=$(ipwin guid *msloop $slapos_ifname) || 
+interface_guid=$(ipwin guid *msloop $slapos_ifname) ||
 show_error_exit "Failed to get guid of interface: $slapos_ifname."
 [[ "$interface_guid" == {*-*-*-*} ]] ||
 show_error_exit "Invalid interface guid $interface_guid specified."
@@ -284,50 +292,6 @@ echo
 echo Configure section config OK.
 echo
 
-# -----------------------------------------------------------
-# taps: Install openvpn tap-windows drivers used by re6stnet
-# -----------------------------------------------------------
-#
-# Adding tap-windows driver will break others, so we add all drivers
-# here. Get re6stnet client count, then remove extra drivers and add
-# required drivers.
-if check_re6stnet_needed ; then
-echo
-echo Starting configure section taps ...
-echo
-client_count=$(sed -n -e "s/^client-count *//p" $re6stnet_configure_file)
-[[ -z "$client_count" ]] && client_count=10
-echo "  Client count: $client_count"
-re6stnet_name_list="re6stnet-tcp re6stnet-udp"
-for (( i=1; i<=client_count; i=i+1 )) ; do
-    re6stnet_name_list="$re6stnet_name_list re6stnet$i"
-done
-filename=$(cygpath -w $openvpn_tap_driver_inf)
-for name in $re6stnet_name_list ; do
-    echo "Checking interface $name ..."
-    if ! netsh interface ipv6 show interface | grep -q "\\b$name\\b" ; then
-        [[ -r $openvpn_tap_driver_inf ]] ||
-        show_error_exit "Failed to install OpenVPN Tap-Windows Driver, missing driver inf file: $filename"
-            
-        echo "Installing  interface $name ..."
-        # ipwin install \"$filename\" $openvpn_tap_driver_hwid $name; ||
-        ip vpntap add dev $name || 
-        show_error_exit "Failed to install OpenVPN Tap-Windows Driver."
-        echo "Interface $name installed."
-    else
-        echo "$name has been installed."
-    fi
-done
-#
-# Remove OpenVPN Tap-Windows Driver
-#
-# ip vpntap del dev re6stnet-x
-#
-echo
-echo Configure section taps OK.
-echo
-fi
-
 # -----------------------------------------------------------
 # re6stnet: Install required packages and register to nexedi
 # -----------------------------------------------------------
@@ -409,22 +373,66 @@ if [[ ! -r $re6stnet_configure_file ]] ; then
         >> $re6stnet_configure_file
 fi
 
-# Run re6stnet if no native ipv6
+echo
+echo Configure section re6stnet OK.
+echo
+
+# -----------------------------------------------------------
+# taps: Install openvpn tap-windows drivers used by re6stnet
+# -----------------------------------------------------------
+#
+# Adding tap-windows driver will break others, so we add all drivers
+# here. Get re6stnet client count, then remove extra drivers and add
+# required drivers.
+echo
+echo Starting configure section taps ...
+echo
 if check_re6stnet_needed ; then
+    client_count=$(sed -n -e "s/^client-count *//p" $re6stnet_configure_file)
+    [[ -z "$client_count" ]] && client_count=10
+    echo "  Client count: $client_count"
+    re6stnet_name_list="re6stnet-tcp re6stnet-udp"
+    for (( i=1; i<=client_count; i=i+1 )) ; do
+        re6stnet_name_list="$re6stnet_name_list re6stnet$i"
+    done
+    filename=$(cygpath -w $openvpn_tap_driver_inf)
+    for name in $re6stnet_name_list ; do
+        echo "Checking interface $name ..."
+        if ! netsh interface ipv6 show interface | grep -q "\\b$name\\b" ; then
+            [[ -r $openvpn_tap_driver_inf ]] ||
+            show_error_exit "Failed to install OpenVPN Tap-Windows Driver, missing driver inf file: $filename"
+
+            echo "Installing  interface $name ..."
+        # ipwin install \"$filename\" $openvpn_tap_driver_hwid $name; ||
+            ip vpntap add dev $name ||
+            show_error_exit "Failed to install OpenVPN Tap-Windows Driver."
+            echo "Interface $name installed."
+        else
+            echo "$name has been installed."
+        fi
+    done
+
+    # Run re6stnet if no native ipv6
     check_re6stnet_configure || exit 1
     if ! cygrunsrv --query $re6stnet_service_name >/dev/null 2>&1 ; then
+        if [[ -z "${_password}" ]] ; then
+            csih_inform "Install re6stnet service need the password of $slapos_administrator."
+            csih_get_value "Please enter the password:" -s
+            _password="${csih_value}"
+        fi
         cygrunsrv -I $re6stnet_service_name -c $(dirname $re6stnet_configure_file) \
-            -p $(which re6stnet) -a "@re6stnet.conf" -d "CYGWIN re6stnet" || \
-            show_error_exit "Failed to install cygwin service $re6stnet_service_name."
+            -p $(which re6stnet) -a "@re6stnet.conf" -d "CYGWIN re6stnet" \
+            -u $slapos_administrator -w ${_password} ||
+        show_error_exit "Failed to install cygwin service $re6stnet_service_name."
     fi
     echo "You can check log files in the /var/log/re6stnet/*.log"
     check_cygwin_service $re6stnet_service_name || exit 1
 else
-    echo "Native IPv6 found, no re6stnet required."
+    echo "Native IPv6 found, no taps required."
 fi
 
 echo
-echo Configure section re6stnet OK.
+echo Configure section taps OK.
 echo
 
 # -----------------------------------------------------------
@@ -518,8 +526,8 @@ echo
 echo
 echo Starting configure section cron ...
 echo
-cron_user=SYSTEM
-crontab_file="/var/cron/tabs/${USER}"
+cron_user=$slapos_administrator
+crontab_file="/var/cron/tabs/$(whoami)"
 if [[ ! -r $crontab_file ]] ; then
     cat <<EOF  > $crontab_file
 SHELL=/bin/bash

windows/scripts/slapos-include.sh

@@ -199,6 +199,164 @@ function start_cygwin_service()
     [[ "$state" == "Running" ]] || return 1
 }  # === start_cygwin_service() === #
 
+# ======================================================================
+# Routine: slapos_create_privileged_user
+#
+# Copied from csih_create_privileged_user, just create fix account:
+#   slaproot
+# ======================================================================
+slapos_create_privileged_user()
+{
+  csih_stacktrace "${@}"
+  $_csih_trace
+  local username_in_sam
+  local username
+  local admingroup
+  local dos_var_empty
+  local _password
+  local password_value="$1"
+  local passwd_has_expiry_flags
+  local ret=0
+  local username_in_admingroup
+  local username_got_all_rights
+  local pwd_entry
+  local username_in_passwd
+  local entry_in_passwd
+  local tmpfile1
+  local tmpfile2
+
+  _csih_setup
+  csih_select_privileged_username -f -u $slapos_administrator
+
+  username="${csih_PRIVILEGED_USERNAME}"
+
+  if ! csih_privileged_account_exists "$csih_PRIVILEGED_USERNAME" 
+  then
+      username_in_sam=no
+      dos_var_empty=$(/usr/bin/cygpath -w ${LOCALSTATEDIR}/empty)
+      while [ "${username_in_sam}" != "yes" ]
+      do
+          if [ -n "${password_value}" ]
+          then
+              _password="${password_value}"
+              csih_inform "Please enter a password for new user ${username}.  Please be sure"
+              csih_inform "that this password matches the password rules given on your system."
+              csih_inform "Entering no password will exit the configuration."
+              csih_get_value "Please enter the password:" -s
+              _password="${csih_value}"
+              if [ -z "${_password}" ]
+              then
+                  csih_error_multi "Exiting configuration.  No user ${username} has been created," \
+                      "and no services have been installed."
+              fi
+          fi
+          tmpfile1=$(csih_mktemp) || csih_error "Could not create temp file"
+          csih_call_winsys32 net user "${username}" "${_password}" /add /fullname:"SlapOS Administraoter" \
+              "/homedir:${dos_var_empty}" /yes > "${tmpfile1}" 2>&1 && username_in_sam=yes
+          if [ "${username_in_sam}" != "yes" ]
+          then
+              csih_warning "Creating the user '${username}' failed!  Reason:"
+              /usr/bin/cat "${tmpfile1}"
+              echo
+          fi
+          /usr/bin/rm -f "${tmpfile1}"
+      done
+          
+      csih_PRIVILEGED_PASSWORD="${_password}"
+      csih_inform "User '${username}' has been created with password '${_password}'."
+      csih_inform "If you change the password, please remember also to change the"
+      csih_inform "password for the installed services which use (or will soon use)"
+      csih_inform "the '${username}' account."
+      echo ""
+      csih_inform "Also keep in mind that the user '${username}' needs read permissions"
+      csih_inform "on all users' relevant files for the services running as '${username}'."
+      csih_inform "In particular, for the sshd server all users' .ssh/authorized_keys"
+      csih_inform "files must have appropriate permissions to allow public key"
+      csih_inform "authentication. (Re-)running ssh-user-config for each user will set"
+      csih_inform "these permissions correctly. [Similar restrictions apply, for"
+      csih_inform "instance, for .rhosts files if the rshd server is running, etc]."
+      echo ""
+
+      if ! passwd -e "${username}"
+      then
+          csih_warning "Setting password expiry for user '${username}' failed!"
+          csih_warning "Please check that password never expires or set it to your needs."
+      fi
+  else
+      # ${username} already exists. Use it, and make no changes.
+      # use passed-in value as first guess
+      csih_PRIVILEGED_PASSWORD="${password_value}"
+      return 0
+  fi
+
+  # username did NOT previously exist, but has been successfully created.
+  # set group memberships, privileges, and passwd timeout.
+  if [ "$username_in_sam" = "yes" ]
+  then
+      # always try to set group membership and privileges
+      admingroup=$(/usr/bin/mkgroup -l | /usr/bin/awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}')
+      if [ -z "${admingroup}" ]
+      then
+        csih_warning "Cannot obtain the Administrators group name from 'mkgroup -l'."
+        ret=1
+      elif csih_call_winsys32 net localgroup "${admingroup}" | /usr/bin/grep -Eiq "^${username}.?$"
+      then
+          true
+      else
+          csih_call_winsys32 net localgroup "${admingroup}" "${username}" /add > /dev/null 2>&1 && username_in_admingroup=yes
+          if [ "${username_in_admingroup}" != "yes" ]
+          then
+              csih_warning "Adding user '${username}' to local group '${admingroup}' failed!"
+              csih_warning "Please add '${username}' to local group '${admingroup}' before"
+              csih_warning "starting any of the services which depend upon this user!"
+              ret=1
+          fi
+      fi
+  
+      if ! csih_check_program_or_warn /usr/bin/editrights editrights
+      then
+          csih_warning "The 'editrights' program cannot be found or is not executable."
+          csih_warning "Unable to ensure that '${username}' has the appropriate privileges."
+          ret=1
+      else
+          /usr/bin/editrights -a SeAssignPrimaryTokenPrivilege -u ${username} &&
+          /usr/bin/editrights -a SeCreateTokenPrivilege -u ${username} &&
+          /usr/bin/editrights -a SeTcbPrivilege -u ${username} &&
+          /usr/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&
+          /usr/bin/editrights -a SeServiceLogonRight -u ${username} &&
+          username_got_all_rights="yes"
+          if [ "${username_got_all_rights}" != "yes" ]
+          then
+              csih_warning "Assigning the appropriate privileges to user '${username}' failed!"
+              ret=1
+          fi
+      fi
+ 
+      # we just created the user, so of course it's in the local SAM,
+      # and mkpasswd -l is appropriate 
+      pwd_entry="$(/usr/bin/mkpasswd -l -u "${username}" | /usr/bin/sed -n -e '/^'${username}'/s?\(^[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:\).*?\1'${LOCALSTATEDIR}'/empty:/bin/false?p')"
+      /usr/bin/grep -Eiq "^${username}:" "${SYSCONFDIR}/passwd" && username_in_passwd=yes &&
+      /usr/bin/grep -Fiq "${pwd_entry}" "${SYSCONFDIR}/passwd" && entry_in_passwd=yes
+      if [ "${entry_in_passwd}" != "yes" ]
+      then
+          if [ "${username_in_passwd}" = "yes" ]
+          then
+              tmpfile2=$(csih_mktemp) || csih_error "Could not create temp file"
+	      /usr/bin/chmod --reference="${SYSCONFDIR}/passwd" "${tmpfile2}"
+	      /usr/bin/chown --reference="${SYSCONFDIR}/passwd" "${tmpfile2}"
+              /usr/bin/getfacl "${SYSCONFDIR}/passwd" | /usr/bin/setfacl -f - "${tmpfile2}"
+	      # use >> instead of > to preserve permissions and acls
+              /usr/bin/grep -Ev "^${username}:" "${SYSCONFDIR}/passwd" >> "${tmpfile2}" &&
+              /usr/bin/mv -f "${tmpfile2}" "${SYSCONFDIR}/passwd" || return 1
+          fi
+          echo "${pwd_entry}" >> "${SYSCONFDIR}/passwd" || ret=1
+      fi
+      return "${ret}"
+  fi # ! username_in_sam
+  return 1
+} # === End of csih_create_privileged_user() === #
+readonly -f slapos_create_privileged_user
+
 # ======================================================================
 # Routine: create_template_configure_file
 # Generate the template file for node and client