Commit 0bb581dd authored by Jondy Zhao's avatar Jondy Zhao

Add account slaproot used by slapos service

parent effbe160
...@@ -73,24 +73,11 @@ More information refer to <ulink url="http://community.slapos.org/wiki/osoe-Lect ...@@ -73,24 +73,11 @@ More information refer to <ulink url="http://community.slapos.org/wiki/osoe-Lect
<programlisting> <programlisting>
/etc/opt/slapos/scripts/slapos-configure.sh /etc/opt/slapos/scripts/slapos-configure.sh
</programlisting> </programlisting>
The configure script will guide you to configure slapos slave node, first, your need configure cron service: The configure script will guide you to configure slapos slave node, first, a super account "slaproot" will be created, you need type the password for this account
<programlisting>
</programlisting>
Then the configure script will ask you whether start cron service:
<programlisting> <programlisting>
You must decide under what account the cron daemon will run.
If you are the only user on this machine, the daemon can run as yourself.
This gives access to all network drives but only allows you as user.
Otherwise cron should run under the local system account.
It will be capable of changing to other users without requiring a
password, using one of the three methods detailed in
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
Do you want the cron daemon to run as yourself? (yes/no) no
Running cron_diagnose ...
WARNING: Your computer does not appear to have a cron table for Administrator.
Please generate a cron table for Administrator using 'crontab -e'
... no problem found.
Do you want to start the cron daemon as a service now? (yes/no) yes Do you want to start the cron daemon as a service now? (yes/no) yes
</programlisting> </programlisting>
Next configure script need certificate and key information: Next configure script need certificate and key information:
......
...@@ -77,19 +77,19 @@ mkdir -p /etc/re6stnet ...@@ -77,19 +77,19 @@ mkdir -p /etc/re6stnet
# ----------------------------------------------------------- # -----------------------------------------------------------
# Create account: slaproot # Create account: slaproot
# ----------------------------------------------------------- # -----------------------------------------------------------
# if csih_privileged_account_exists $slapos_administrator if csih_privileged_account_exists $slapos_administrator
# then then
# echo $slapos_administrator has been existsed. echo $slapos_administrator has been existed.
# csih_account_has_necessary_privileges $slapos_administrator csih_account_has_necessary_privileges $slapos_administrator
# else else
# echo create account $slapos_administrator echo create account $slapos_administrator
# csih_FORCE_PRIVILEGED_USER=yes csih_FORCE_PRIVILEGED_USER=yes
# csih_create_privileged_user $slapos_administrator || slapos_create_privileged_user || exit 1
# (echo Error: failed to create account. ; exit 1) _password=$csih_PRIVILEGED_PASSWORD
# fi fi
# Start seclogon service in the Windows XP # Start seclogon service in the Windows XP
# sc config seclogon start= auto # sc config seclogon start=auto
# In the later, it's RunAs service, and will start by default # In the later, it's RunAs service, and will start by default
# ----------------------------------------------------------- # -----------------------------------------------------------
...@@ -118,7 +118,8 @@ check_cygwin_service syslog-ng ...@@ -118,7 +118,8 @@ check_cygwin_service syslog-ng
if ! cygrunsrv --query sshd > /dev/null 2>&1 ; then if ! cygrunsrv --query sshd > /dev/null 2>&1 ; then
echo Run ssh-host-config ... echo Run ssh-host-config ...
/usr/bin/ssh-host-config --yes --cygwin ntsec || \ /usr/bin/ssh-host-config --yes --cygwin ntsec \
--user $slapos_administrator --pwd ${_password} ||
show_error_exit "Failed to run ssh-host-config" show_error_exit "Failed to run ssh-host-config"
else else
echo The sshd service has been installed. echo The sshd service has been installed.
...@@ -132,11 +133,18 @@ slapos_cron_config=/usr/local/bin/slapos-cron-config ...@@ -132,11 +133,18 @@ slapos_cron_config=/usr/local/bin/slapos-cron-config
if [[ ! -r $slapos_cron_config ]] ; then if [[ ! -r $slapos_cron_config ]] ; then
cp -a /usr/bin/cron-config $slapos_cron_config cp -a /usr/bin/cron-config $slapos_cron_config
sed -i -e "s%elif request \"Do you want to install the cron daemon as a service.*$%else%g" \ sed -i -e "s%elif request \"Do you want to install the cron daemon as a service.*$%else%g" \
-e 's/getcygenv " "/cygenv="ntsec"/g' $slapos_cron_config -e 's/getcygenv " "/cygenv="ntsec"/g' \
-e "s/request \"Do you want the cron daemon to run as yourself\?\"/username=$slapos_administrator/g" \
$slapos_cron_config
fi fi
if ! cygrunsrv --query cron > /dev/null 2>&1 ; then if ! cygrunsrv --query cron > /dev/null 2>&1 ; then
echo Run cron-config ... echo Run cron-config ...
$slapos_cron_config || show_error_exit "Failed to run cron-config" if [[ -z "${_password}" ]] ; then
csih_inform "Install cron service need the password of $slapos_administrator."
csih_get_value "Please enter the password:" -s
_password="${csih_value}"
fi
$slapos_cron_config "${_password}" || show_error_exit "Failed to run cron-config"
else else
echo The cron service has been installed. echo The cron service has been installed.
fi fi
...@@ -284,50 +292,6 @@ echo ...@@ -284,50 +292,6 @@ echo
echo Configure section config OK. echo Configure section config OK.
echo echo
# -----------------------------------------------------------
# taps: Install openvpn tap-windows drivers used by re6stnet
# -----------------------------------------------------------
#
# Adding tap-windows driver will break others, so we add all drivers
# here. Get re6stnet client count, then remove extra drivers and add
# required drivers.
if check_re6stnet_needed ; then
echo
echo Starting configure section taps ...
echo
client_count=$(sed -n -e "s/^client-count *//p" $re6stnet_configure_file)
[[ -z "$client_count" ]] && client_count=10
echo " Client count: $client_count"
re6stnet_name_list="re6stnet-tcp re6stnet-udp"
for (( i=1; i<=client_count; i=i+1 )) ; do
re6stnet_name_list="$re6stnet_name_list re6stnet$i"
done
filename=$(cygpath -w $openvpn_tap_driver_inf)
for name in $re6stnet_name_list ; do
echo "Checking interface $name ..."
if ! netsh interface ipv6 show interface | grep -q "\\b$name\\b" ; then
[[ -r $openvpn_tap_driver_inf ]] ||
show_error_exit "Failed to install OpenVPN Tap-Windows Driver, missing driver inf file: $filename"
echo "Installing interface $name ..."
# ipwin install \"$filename\" $openvpn_tap_driver_hwid $name; ||
ip vpntap add dev $name ||
show_error_exit "Failed to install OpenVPN Tap-Windows Driver."
echo "Interface $name installed."
else
echo "$name has been installed."
fi
done
#
# Remove OpenVPN Tap-Windows Driver
#
# ip vpntap del dev re6stnet-x
#
echo
echo Configure section taps OK.
echo
fi
# ----------------------------------------------------------- # -----------------------------------------------------------
# re6stnet: Install required packages and register to nexedi # re6stnet: Install required packages and register to nexedi
# ----------------------------------------------------------- # -----------------------------------------------------------
...@@ -409,22 +373,66 @@ if [[ ! -r $re6stnet_configure_file ]] ; then ...@@ -409,22 +373,66 @@ if [[ ! -r $re6stnet_configure_file ]] ; then
>> $re6stnet_configure_file >> $re6stnet_configure_file
fi fi
# Run re6stnet if no native ipv6 echo
echo Configure section re6stnet OK.
echo
# -----------------------------------------------------------
# taps: Install openvpn tap-windows drivers used by re6stnet
# -----------------------------------------------------------
#
# Adding tap-windows driver will break others, so we add all drivers
# here. Get re6stnet client count, then remove extra drivers and add
# required drivers.
echo
echo Starting configure section taps ...
echo
if check_re6stnet_needed ; then if check_re6stnet_needed ; then
client_count=$(sed -n -e "s/^client-count *//p" $re6stnet_configure_file)
[[ -z "$client_count" ]] && client_count=10
echo " Client count: $client_count"
re6stnet_name_list="re6stnet-tcp re6stnet-udp"
for (( i=1; i<=client_count; i=i+1 )) ; do
re6stnet_name_list="$re6stnet_name_list re6stnet$i"
done
filename=$(cygpath -w $openvpn_tap_driver_inf)
for name in $re6stnet_name_list ; do
echo "Checking interface $name ..."
if ! netsh interface ipv6 show interface | grep -q "\\b$name\\b" ; then
[[ -r $openvpn_tap_driver_inf ]] ||
show_error_exit "Failed to install OpenVPN Tap-Windows Driver, missing driver inf file: $filename"
echo "Installing interface $name ..."
# ipwin install \"$filename\" $openvpn_tap_driver_hwid $name; ||
ip vpntap add dev $name ||
show_error_exit "Failed to install OpenVPN Tap-Windows Driver."
echo "Interface $name installed."
else
echo "$name has been installed."
fi
done
# Run re6stnet if no native ipv6
check_re6stnet_configure || exit 1 check_re6stnet_configure || exit 1
if ! cygrunsrv --query $re6stnet_service_name >/dev/null 2>&1 ; then if ! cygrunsrv --query $re6stnet_service_name >/dev/null 2>&1 ; then
if [[ -z "${_password}" ]] ; then
csih_inform "Install re6stnet service need the password of $slapos_administrator."
csih_get_value "Please enter the password:" -s
_password="${csih_value}"
fi
cygrunsrv -I $re6stnet_service_name -c $(dirname $re6stnet_configure_file) \ cygrunsrv -I $re6stnet_service_name -c $(dirname $re6stnet_configure_file) \
-p $(which re6stnet) -a "@re6stnet.conf" -d "CYGWIN re6stnet" || \ -p $(which re6stnet) -a "@re6stnet.conf" -d "CYGWIN re6stnet" \
-u $slapos_administrator -w ${_password} ||
show_error_exit "Failed to install cygwin service $re6stnet_service_name." show_error_exit "Failed to install cygwin service $re6stnet_service_name."
fi fi
echo "You can check log files in the /var/log/re6stnet/*.log" echo "You can check log files in the /var/log/re6stnet/*.log"
check_cygwin_service $re6stnet_service_name || exit 1 check_cygwin_service $re6stnet_service_name || exit 1
else else
echo "Native IPv6 found, no re6stnet required." echo "Native IPv6 found, no taps required."
fi fi
echo echo
echo Configure section re6stnet OK. echo Configure section taps OK.
echo echo
# ----------------------------------------------------------- # -----------------------------------------------------------
...@@ -518,8 +526,8 @@ echo ...@@ -518,8 +526,8 @@ echo
echo echo
echo Starting configure section cron ... echo Starting configure section cron ...
echo echo
cron_user=SYSTEM cron_user=$slapos_administrator
crontab_file="/var/cron/tabs/${USER}" crontab_file="/var/cron/tabs/$(whoami)"
if [[ ! -r $crontab_file ]] ; then if [[ ! -r $crontab_file ]] ; then
cat <<EOF > $crontab_file cat <<EOF > $crontab_file
SHELL=/bin/bash SHELL=/bin/bash
......
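Review bot: In the sshd and re6stnet hunks the administrator password is expanded unquoted — `--pwd ${_password}` on the ssh-host-config line and `-w ${_password}` on the cygrunsrv line — so a password containing whitespace or glob characters is word-split and the service is installed with a wrong credential or the command fails; quote both as `--pwd "${_password}"` and `-w "${_password}"` (the cron-config call already quotes it). Each of these tools also receives the password on its command line, where it is visible to other local processes for the lifetime of the command; unless they accept it some other way, at least document the exposure with a comment such as `# NOTE: password is passed on argv and visible in process listings while the installer runs`. The cron hunk sets `cron_user=$slapos_administrator` while writing the crontab to `/var/cron/tabs/$(whoami)`; if the daemon now runs as slaproot but the tab belongs to the invoking user, the installed job may not be the one intended — worth confirming against how cron_user is consumed later in the script, which is outside this hunk.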
...@@ -199,6 +199,164 @@ function start_cygwin_service() ...@@ -199,6 +199,164 @@ function start_cygwin_service()
[[ "$state" == "Running" ]] || return 1 [[ "$state" == "Running" ]] || return 1
} # === start_cygwin_service() === # } # === start_cygwin_service() === #
# ======================================================================
# Routine: slapos_create_privileged_user
#
# Copied from csih_create_privileged_user, just create fix account:
# slaproot
# ======================================================================
slapos_create_privileged_user()
{
csih_stacktrace "${@}"
$_csih_trace
local username_in_sam
local username
local admingroup
local dos_var_empty
local _password
local password_value="$1"
local passwd_has_expiry_flags
local ret=0
local username_in_admingroup
local username_got_all_rights
local pwd_entry
local username_in_passwd
local entry_in_passwd
local tmpfile1
local tmpfile2
_csih_setup
csih_select_privileged_username -f -u $slapos_administrator
username="${csih_PRIVILEGED_USERNAME}"
if ! csih_privileged_account_exists "$csih_PRIVILEGED_USERNAME"
then
username_in_sam=no
dos_var_empty=$(/usr/bin/cygpath -w ${LOCALSTATEDIR}/empty)
while [ "${username_in_sam}" != "yes" ]
do
if [ -n "${password_value}" ]
then
_password="${password_value}"
csih_inform "Please enter a password for new user ${username}. Please be sure"
csih_inform "that this password matches the password rules given on your system."
csih_inform "Entering no password will exit the configuration."
csih_get_value "Please enter the password:" -s
_password="${csih_value}"
if [ -z "${_password}" ]
then
csih_error_multi "Exiting configuration. No user ${username} has been created," \
"and no services have been installed."
fi
fi
tmpfile1=$(csih_mktemp) || csih_error "Could not create temp file"
csih_call_winsys32 net user "${username}" "${_password}" /add /fullname:"SlapOS Administraoter" \
"/homedir:${dos_var_empty}" /yes > "${tmpfile1}" 2>&1 && username_in_sam=yes
if [ "${username_in_sam}" != "yes" ]
then
csih_warning "Creating the user '${username}' failed! Reason:"
/usr/bin/cat "${tmpfile1}"
echo
fi
/usr/bin/rm -f "${tmpfile1}"
done
csih_PRIVILEGED_PASSWORD="${_password}"
csih_inform "User '${username}' has been created with password '${_password}'."
csih_inform "If you change the password, please remember also to change the"
csih_inform "password for the installed services which use (or will soon use)"
csih_inform "the '${username}' account."
echo ""
csih_inform "Also keep in mind that the user '${username}' needs read permissions"
csih_inform "on all users' relevant files for the services running as '${username}'."
csih_inform "In particular, for the sshd server all users' .ssh/authorized_keys"
csih_inform "files must have appropriate permissions to allow public key"
csih_inform "authentication. (Re-)running ssh-user-config for each user will set"
csih_inform "these permissions correctly. [Similar restrictions apply, for"
csih_inform "instance, for .rhosts files if the rshd server is running, etc]."
echo ""
if ! passwd -e "${username}"
then
csih_warning "Setting password expiry for user '${username}' failed!"
csih_warning "Please check that password never expires or set it to your needs."
fi
else
# ${username} already exists. Use it, and make no changes.
# use passed-in value as first guess
csih_PRIVILEGED_PASSWORD="${password_value}"
return 0
fi
# username did NOT previously exist, but has been successfully created.
# set group memberships, privileges, and passwd timeout.
if [ "$username_in_sam" = "yes" ]
then
# always try to set group membership and privileges
admingroup=$(/usr/bin/mkgroup -l | /usr/bin/awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}')
if [ -z "${admingroup}" ]
then
csih_warning "Cannot obtain the Administrators group name from 'mkgroup -l'."
ret=1
elif csih_call_winsys32 net localgroup "${admingroup}" | /usr/bin/grep -Eiq "^${username}.?$"
then
true
else
csih_call_winsys32 net localgroup "${admingroup}" "${username}" /add > /dev/null 2>&1 && username_in_admingroup=yes
if [ "${username_in_admingroup}" != "yes" ]
then
csih_warning "Adding user '${username}' to local group '${admingroup}' failed!"
csih_warning "Please add '${username}' to local group '${admingroup}' before"
csih_warning "starting any of the services which depend upon this user!"
ret=1
fi
fi
if ! csih_check_program_or_warn /usr/bin/editrights editrights
then
csih_warning "The 'editrights' program cannot be found or is not executable."
csih_warning "Unable to ensure that '${username}' has the appropriate privileges."
ret=1
else
/usr/bin/editrights -a SeAssignPrimaryTokenPrivilege -u ${username} &&
/usr/bin/editrights -a SeCreateTokenPrivilege -u ${username} &&
/usr/bin/editrights -a SeTcbPrivilege -u ${username} &&
/usr/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&
/usr/bin/editrights -a SeServiceLogonRight -u ${username} &&
username_got_all_rights="yes"
if [ "${username_got_all_rights}" != "yes" ]
then
csih_warning "Assigning the appropriate privileges to user '${username}' failed!"
ret=1
fi
fi
# we just created the user, so of course it's in the local SAM,
# and mkpasswd -l is appropriate
pwd_entry="$(/usr/bin/mkpasswd -l -u "${username}" | /usr/bin/sed -n -e '/^'${username}'/s?\(^[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:\).*?\1'${LOCALSTATEDIR}'/empty:/bin/false?p')"
/usr/bin/grep -Eiq "^${username}:" "${SYSCONFDIR}/passwd" && username_in_passwd=yes &&
/usr/bin/grep -Fiq "${pwd_entry}" "${SYSCONFDIR}/passwd" && entry_in_passwd=yes
if [ "${entry_in_passwd}" != "yes" ]
then
if [ "${username_in_passwd}" = "yes" ]
then
tmpfile2=$(csih_mktemp) || csih_error "Could not create temp file"
/usr/bin/chmod --reference="${SYSCONFDIR}/passwd" "${tmpfile2}"
/usr/bin/chown --reference="${SYSCONFDIR}/passwd" "${tmpfile2}"
/usr/bin/getfacl "${SYSCONFDIR}/passwd" | /usr/bin/setfacl -f - "${tmpfile2}"
# use >> instead of > to preserve permissions and acls
/usr/bin/grep -Ev "^${username}:" "${SYSCONFDIR}/passwd" >> "${tmpfile2}" &&
/usr/bin/mv -f "${tmpfile2}" "${SYSCONFDIR}/passwd" || return 1
fi
echo "${pwd_entry}" >> "${SYSCONFDIR}/passwd" || ret=1
fi
return "${ret}"
fi # ! username_in_sam
return 1
} # === End of csih_create_privileged_user() === #
readonly -f slapos_create_privileged_user
# ====================================================================== # ======================================================================
# Routine: create_template_configure_file # Routine: create_template_configure_file
# Generate the template file for node and client # Generate the template file for node and client
......
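Review bot: The password prompt in slapos_create_privileged_user is unreachable in the way the caller uses it: the `csih_inform`/`csih_get_value` block sits inside `if [ -n "${password_value}" ]`, so when the function is invoked with no argument (as slapos-configure.sh does) `_password` stays empty and `net user "${username}" "" /add` creates the local-administrator account slaproot with a blank password; the csih original has an `else` between the assignment and the prompt, and restoring it — `_password="${password_value}"` / `else` / `csih_inform "Please enter a password for new user ${username}. Please be sure"` — makes the prompt run whenever no password is supplied. If the system's password policy rejects the empty value instead, the enclosing `while [ "${username_in_sam}" != "yes" ]` loop re-runs the same command with the same empty password without end, so the fix also removes a hang. Separately, the inform line `User '${username}' has been created with password '${_password}'.` echoes the new credential in clear to the console and to any captured log; consider dropping the password from that message. The closing comment still reads `End of csih_create_privileged_user()` and the full name has a typo, `SlapOS Administraoter`.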