From: kupcevic@sourceware.org <kupcevic@sourceware.org>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] conga/luci site/Makefile site/luci/bin/runzope ...
Date: 18 Aug 2006 13:28:45 -0000 [thread overview]
Message-ID: <20060818132845.24095.qmail@sourceware.org> (raw)
CVSROOT: /cvs/cluster
Module name: conga
Changes by: kupcevic at sourceware.org 2006-08-18 13:28:45
Modified files:
luci/site : Makefile
luci/site/luci/bin: runzope.in
luci/utils : luci_admin
Added files:
luci/site/luci : .admin_password_has_been_set
Log message:
Under certain circumstances, the default luci 'admin' password would not get reset.
Disable luci startup in that case.
Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/Makefile.diff?cvsroot=cluster&r1=1.8&r2=1.9
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/.admin_password_has_been_set.diff?cvsroot=cluster&r1=NONE&r2=1.1
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/bin/runzope.in.diff?cvsroot=cluster&r1=1.1&r2=1.2
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/utils/luci_admin.diff?cvsroot=cluster&r1=1.45&r2=1.46
--- conga/luci/site/Makefile 2006/08/18 07:21:02 1.8
+++ conga/luci/site/Makefile 2006/08/18 13:28:44 1.9
@@ -39,6 +39,9 @@
install:
+ install -d ${DESTDIR}/var/lib/luci
+ install -m 0640 luci/.admin_password_has_been_set ${DESTDIR}/var/lib/luci/
+
install -d ${DESTDIR}/var/lib/luci/bin
# install `find luci/bin -maxdepth 1 -type f` ${DESTDIR}/var/lib/luci/bin
install luci/bin/runzope ${DESTDIR}/var/lib/luci/bin
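Review bot: The added `install -m 0640` line unconditionally overwrites `/var/lib/luci/.admin_password_has_been_set` with the shipped `False`, so reinstalling or upgrading over an already configured instance would reset the flag and leave runzope refusing to start until `luci_admin password` is run again, unless the package marks the file as a non-replaced config file (not visible here). The file is also installed with the default owner (root when the install runs as root), while the runtime check in runzope reads it from the service side, so either pass `-o luci -g luci` where the install runs as root or record that ownership is fixed up later by `luci_admin`. A comment above the line such as `# shipped as False; luci_admin flips it to True once the admin password is changed (runzope refuses to start otherwise)` would document the contract between the three files.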
/cvs/cluster/conga/luci/site/luci/.admin_password_has_been_set,v --> standard output
revision 1.1
--- conga/luci/site/luci/.admin_password_has_been_set
+++ - 2006-08-18 13:28:45.554587000 +0000
@@ -0,0 +1 @@
+False
--- conga/luci/site/luci/bin/runzope.in 2006/07/24 20:17:02 1.1
+++ conga/luci/site/luci/bin/runzope.in 2006/08/18 13:28:45 1.2
@@ -19,4 +19,16 @@
ZOPE_RUN="$SOFTWARE_HOME/Zope2/Startup/run.py"
-exec "$PYTHON" "$ZOPE_RUN" -C "$CONFIG_FILE" "$@"
+
+if [ "B`cat $INSTANCE_HOME/.admin_password_has_been_set`" == "BTrue" ]; then
+ exec "$PYTHON" "$ZOPE_RUN" -C "$CONFIG_FILE" "$@"
+else
+ echo ""
+ echo ""
+ echo "luci \'admin\' password has to be changed before server is allowed to start"
+ echo "To do so, execute (as root): "
+ echo -e "\tluci_admin password"
+ echo ""
+ echo ""
+ exit 1
+fi
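Review bot: The message on the third `echo` prints literal backslashes, because `\'` inside double quotes is not an escape in sh; the line should read `echo "luci 'admin' password has to be changed before server is allowed to start"`. The test itself uses `==`, which only bash accepts inside `[`, and leaves `$INSTANCE_HOME` unquoted; `if [ "`cat "$INSTANCE_HOME/.admin_password_has_been_set" 2>/dev/null`" = "True" ]; then` is portable and quiet when the file is absent. A missing or unreadable flag file (the Makefile installs it with the default owner and mode 0640) already falls into the else branch, which is the right fail-closed default, but the operator is then told to reset a password when the real problem is the file; a separate `[ -r "$INSTANCE_HOME/.admin_password_has_been_set" ]` check with its own message would avoid that. The script's header, including its interpreter line, is outside this hunk.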
--- conga/luci/utils/luci_admin 2006/08/04 19:19:10 1.45
+++ conga/luci/utils/luci_admin 2006/08/18 13:28:45 1.46
@@ -34,25 +34,27 @@
LUCI_INIT_DEBUG = 0
-LUCI_USER = 'luci'
+LUCI_USER = 'luci'
LUCI_GROUP = 'luci'
-LUCI_BACKUP_DIR = '/var/lib/luci/var'
-LUCI_CERT_DIR = '/var/lib/luci/var/certs/'
-LUCI_BACKUP_PATH = LUCI_BACKUP_DIR + '/luci_backup.xml'
-LUCI_DB_PATH = '/var/lib/luci/var/Data.fs'
+LUCI_HOME_DIR = '/var/lib/luci'
+LUCI_DB_PATH = LUCI_HOME_DIR + '/var/Data.fs'
+LUCI_CERT_DIR = LUCI_HOME_DIR + '/var/certs/'
+LUCI_BACKUP_DIR = LUCI_HOME_DIR + '/var'
+LUCI_BACKUP_PATH = LUCI_BACKUP_DIR + '/luci_backup.xml'
+LUCI_ADMIN_SET_PATH = LUCI_HOME_DIR + '/.admin_password_has_been_set'
-SSL_PRIVKEY_NAME = 'privkey.pem'
-SSL_PUBKEY_NAME = 'cacert.pem'
+SSL_PRIVKEY_NAME = 'privkey.pem'
+SSL_PUBKEY_NAME = 'cacert.pem'
SSL_HTTPS_PRIVKEY_NAME = 'https.key.pem'
-SSL_HTTPS_PUBKEY_NAME = 'https.pem'
-SSL_KEYCONFIG_NAME = 'cacert.config'
+SSL_HTTPS_PUBKEY_NAME = 'https.pem'
+SSL_KEYCONFIG_NAME = 'cacert.config'
-SSL_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_PRIVKEY_NAME
-SSL_PUBKEY_PATH = LUCI_CERT_DIR + SSL_PUBKEY_NAME
+SSL_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_PRIVKEY_NAME
+SSL_PUBKEY_PATH = LUCI_CERT_DIR + SSL_PUBKEY_NAME
SSL_HTTPS_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PRIVKEY_NAME
-SSL_HTTPS_PUBKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PUBKEY_NAME
-SSL_KEYCONFIG_PATH = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME
+SSL_HTTPS_PUBKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PUBKEY_NAME
+SSL_KEYCONFIG_PATH = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME
ssl_key_data = [
{ 'id': SSL_PRIVKEY_PATH, 'name': SSL_PRIVKEY_NAME, 'type': 'private', 'mode': 0600 },
@@ -70,6 +72,34 @@
else:
verbose = null
+
+
+def get_luci_uid_gid():
+ try:
+ luci = pwd.getpwnam(LUCI_USER)[2:4]
+ if not luci:
+ raise
+ if len(luci) != 2:
+ raise
+ return luci
+ except:
+ msg = 'Cannot find the \"' + LUCI_USER + '\" user.\n'
+ sys.stderr.write(msg)
+ raise msg
+
+
+def set_default_passwd_reset_flag():
+ # set flag marking admin password has been set
+ uid, gid = get_luci_uid_gid()
+ open(LUCI_ADMIN_SET_PATH, 'w').write('True')
+ os.chown(LUCI_ADMIN_SET_PATH, uid, gid)
+ os.chmod(LUCI_ADMIN_SET_PATH, 0640)
+ return True
+
+def get_default_passwd_reset_flag():
+ return open(LUCI_ADMIN_SET_PATH, 'r').read(16) == 'True'
+
+
def read_passwd(prompt, confirm_prompt):
from getpass import getpass
while True:
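Review bot: `get_default_passwd_reset_flag` has no error handling, so on an instance where the flag file does not exist yet (an install predating this change) `luci_initialized()` raises IOError and `luci_admin init` dies with a traceback instead of treating the server as uninitialized. It also compares the raw bytes read against `'True'`, so a hand-edited file containing `True\n` is read as not-set here while the runzope check, which uses `cat` in backticks and therefore strips the newline, reads it as set; the two readers should agree, and treating a missing file as `False` plus stripping whitespace keeps both fail-closed. Separately, `raise msg` in `get_luci_uid_gid` raises a string, which forces every caller to use a bare `except:`; raising e.g. `KeyError(msg)` would let callers catch the specific error. The rewritten reader:

```python
def get_default_passwd_reset_flag():
    # A missing flag file means the admin password was never changed (fail closed).
    try:
        return open(LUCI_ADMIN_SET_PATH, 'r').read(16).strip() == 'True'
    except IOError:
        return False
```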
@@ -77,6 +107,9 @@
if len(s1) < 6:
print 'Password has to be@least 6 characters long'
continue
+ if ' ' in s1:
+ print 'Spaces are not allowed in passwords'
+ continue
s2 = getpass(confirm_prompt)
if s1 != s2:
print 'Passwords mismatch, try again'
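Review bot: The new check rejects only the ASCII space character, so tabs and other whitespace still pass; if the restriction exists because the password is later handled in a whitespace-separated form (the hunk gives no reason), `if any(c.isspace() for c in s1):` covers all of them, and a one-line comment stating the reason would stop the next maintainer from relaxing it. Note also that the `--random` path elsewhere in this file draws 16 raw bytes from /dev/urandom without going through this validation, so a random password may contain exactly the characters rejected here. `read_passwd` begins before this hunk.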
@@ -86,20 +119,18 @@
def restore_luci_db_fsattr():
+ uid, gid = -1, -1
try:
- luci = pwd.getpwnam(LUCI_USER)[2:4]
- if not luci or len(luci) != 2:
- raise
+ uid, gid = get_luci_uid_gid()
except:
- sys.stderr.write('Cannot find the \"' + LUCI_USER + '\" user.\n')
return -1
-
+
try:
- os.chown(LUCI_DB_PATH, luci[0], luci[1])
+ os.chown(LUCI_DB_PATH, uid, gid)
os.chmod(LUCI_DB_PATH, 0600)
for i in [ '.tmp', '.old', '.index', '.lock' ]:
try:
- os.chown(LUCI_DB_PATH + i, luci[0], luci[1])
+ os.chown(LUCI_DB_PATH + i, uid, gid)
os.chmod(LUCI_DB_PATH + i, 0600)
except: pass
except:
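Review bot: The `uid, gid = -1, -1` initialisation on the first added line is dead: the `except` branch returns -1 before the values are used, and -1 would otherwise mean "leave unchanged" to `os.chown`, which is not what a failed user lookup should do; drop the line or add a comment that the early return is deliberate. The bare `except:` around `get_luci_uid_gid()` is forced by that helper raising a string exception, which is a wider problem than this hunk. The per-extension loop still swallows every error with `except: pass`; since the sibling files (`Data.fs.old`, `Data.fs.tmp`) presumably hold copies of the same database, at least writing a failed chown/chmod to stderr would be useful.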
@@ -181,7 +212,10 @@
if restore_luci_db_fsattr():
return -1
-
+
+ if user == 'admin' and ret == 0:
+ set_default_passwd_reset_flag()
+
return ret
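Review bot: `set_default_passwd_reset_flag()` can raise (IOError on the open, OSError on chown/chmod, or the string exception from `get_luci_uid_gid`) after the password has already been written, and nothing here catches it, so the operator gets a traceback while the database and the flag are left out of step; wrap the call and return -1 with a message in the style of the surrounding code. If the `--random` reset also reaches this function (its caller is outside the hunk), a comment should say that a deliberately disabled admin account still marks the server as allowed to start, which matches the help text's intent. The enclosing function, including where `user` and `ret` are set, starts before this hunk.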
@@ -194,12 +228,10 @@
if not certList or len(certList) < 1:
sys.stderr.write('Your backup file contains no certificate data. Please check that your backup file is not corrupt.\n')
return -1
+ uid, gid = -1, -1
try:
- luci = pwd.getpwnam(LUCI_USER)[2:4]
- if not luci or len(luci) != 2:
- raise
+ uid, gid = get_luci_uid_gid()
except:
- sys.stderr.write('Cannot find the \"' + LUCI_USER + '\" user.\n')
return -1
for c in certList:
@@ -235,10 +267,11 @@
os.chmod(path, mode)
f.write(data + '\n')
- os.chown(path, luci[0], luci[1])
+ os.chown(path, uid, gid)
f.close()
return None
+
def luci_restore(argv):
sys.stderr = null
import ZODB
@@ -920,41 +953,43 @@
def luci_initialized():
- # existence of privkey.pem file means that luci is initialized
- return os.access(SSL_PRIVKEY_PATH, os.F_OK)
+ # existence of privkey.pem file and
+ # admin password (not the one Data.fs comes with)
+ # mean that luci has been initialized
+ b1 = get_default_passwd_reset_flag()
+ b2 = os.access(SSL_PRIVKEY_PATH, os.F_OK)
+ return b1 and b2
def generate_ssl_certs():
+ command = '/bin/rm'
+ args = [command, '-f', SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
+ _execWithCaptureErrorStatus(command, args)
+
# /usr/bin/openssl genrsa -out /var/lib/luci/var/certs/privkey.pem 2048 > /dev/null 2>&1
command = '/usr/bin/openssl'
args = [command, 'genrsa', '-out', SSL_PRIVKEY_PATH, '2048']
_execWithCaptureErrorStatus(command, args)
-
+
# /usr/bin/openssl req -new -x509 -key /var/lib/luci/var/certs/privkey.pem -out /var/lib/luci/var/certs/cacert.pem -days 1095 -config /var/lib/luci/var/certs/cacert.config
command = '/usr/bin/openssl'
args = [command, 'req', '-new', '-x509', '-key', SSL_PRIVKEY_PATH, '-out', SSL_PUBKEY_PATH, '-days', '1095', '-config', SSL_KEYCONFIG_PATH]
_execWithCaptureErrorStatus(command, args)
-
- # /bin/chown -R zope:zope /var/lib/luci/var/certs/*
- command = '/bin/chown'
- args = [command, LUCI_USER + ':' + LUCI_GROUP, SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
- _execWithCaptureErrorStatus(command, args)
-
- # /bin/chmod 644 /var/lib/luci/var/certs/*
- command = '/bin/chmod'
- args = [command, '644', SSL_PUBKEY_PATH]
- o, e, s = _execWithCaptureErrorStatus(command, args)
- if s != 0:
- return False
-
- # /bin/chmod 400 /var/lib/luci/var/certs/privkey.pem
- command = '/bin/chmod'
- args = [command, '600', SSL_PRIVKEY_PATH]
- o, e, s = _execWithCaptureErrorStatus(command, args)
- if s != 0:
- return False
-
+
+ # take ownership and restrict access
+ try:
+ uid, gid = get_luci_uid_gid()
+ os.chown(SSL_PRIVKEY_PATH, uid, gid)
+ os.chown(SSL_PUBKEY_PATH, uid, gid)
+ os.chmod(SSL_PRIVKEY_PATH, 0600)
+ os.chmod(SSL_PUBKEY_PATH, 0644)
+ except:
+ command = '/bin/rm'
+ args = [command, '-f', SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
+ _execWithCaptureErrorStatus(command, args)
+ return False
+
return True
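Review bot: The `openssl genrsa -out` call creates privkey.pem with whatever mode the OpenSSL build and the process umask produce (with the OpenSSL of this era and the usual root umask that is 0644), and the `os.chmod(SSL_PRIVKEY_PATH, 0600)` only runs after the `req` step, so the fresh private key can be world-readable for the duration of certificate generation; the old code had the same window and the added `rm -f` guarantees a new inode each time. Setting `old_umask = os.umask(077)` before the genrsa call and restoring it with `os.umask(old_umask)` in a `finally` after the req call closes the window at no cost, since cacert.pem is chmod'ed to 0644 afterwards anyway. The exit status of the two openssl calls is no longer checked, so a failure is only noticed indirectly when the chown raises, and the bare `except:` there also masks a KeyboardInterrupt. In `luci_initialized`, `get_default_passwd_reset_flag()` raises IOError when the flag file is missing; the function should catch that and return False.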
@@ -976,12 +1011,9 @@
sys.stderr.write('If you want to reset admin password, execute\n')
sys.stderr.write('\t' + argv[0] + ' password\n')
sys.exit(1)
+
print 'Initializing the Luci server\n'
- print 'Generating SSL certificates...'
- if generate_ssl_certs() == False:
- sys.stderr.write('failed. exiting ...\n')
- sys.exit(1)
-
+
print '\nCreating the \'admin\' user\n'
password = read_passwd('Enter password: ', 'Confirm password: ')
print '\nPlease wait...'
@@ -991,8 +1023,13 @@
else:
sys.stderr.write('Unable to set the admin user\'s password.\n')
sys.exit(1)
-
- print 'The Luci server has been successfully initialized'
+
+ print 'Generating SSL certificates...'
+ if generate_ssl_certs() == False:
+ sys.stderr.write('failed. exiting ...\n')
+ sys.exit(1)
+
+ print 'Luci server has been successfully initialized'
restart_message()
return
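Review bot: When `generate_ssl_certs()` fails here, the admin password has already been stored and the flag set, and the failure path in that function removes the key files, so `luci_initialized()` returns False and the next `init` run prompts for the password again; the message should say so rather than just `failed. exiting ...`, e.g. `sys.stderr.write('failed. The admin password was set; re-run init to retry certificate generation.\n')`. The enclosing `init` function starts before this hunk.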
@@ -1003,7 +1040,7 @@
if '--random' in argv:
print 'Resetting the admin user\'s password to some random value\n'
try:
- rand = file('/dev/urandom', 'r')
+ rand = open('/dev/urandom', 'r')
password = rand.read(16)
rand.close()
except:
@@ -1095,6 +1132,7 @@
print 'Luci backup was successful.\nThe backup data is contained in the file \"' + LUCI_BACKUP_PATH + '\"'
+
def restore(argv):
print 'Restoring the Luci server...'
@@ -1105,6 +1143,7 @@
ret = False
sys.stderr.write('The Luci restore failed. Try reinstalling Luci, then restoring again.\n')
else:
+ set_default_passwd_reset_flag()
ret = True
print 'Restore was successful.'
restart_message()
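Review bot: Setting the flag on restore assumes the admin password inside the backup is not the shipped default; a backup taken from an instance installed before this change, where the password was never reset, would be restored and then marked as set, reopening the hole this commit closes. If a backup cannot be taken before `init` (the backup path is outside this hunk), a comment such as `# backups exist only for initialized sites, so the restored admin password is not the default` would document the assumption; otherwise restore should leave the flag alone and tell the operator to run `luci_admin password`. The call can also raise after the database has been restored, for the same reasons as in the password path, and nothing here catches it.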
@@ -1120,25 +1159,45 @@
print argv[0] + ' [init|backup|restore|password|help]'
print
print '\tinit: initialize Luci site'
+ print '\tpassword: reset admin password'
+ print '\t\tpassword: reset admin password to random value (disable account)'
print '\tbackup: backup Luci site to a file'
print '\trestore: restore Luci site from backup'
- print '\tpassword: reset admin password'
print '\thelp: this help message'
print
+
+def test_luci_installation():
+ # perform basic checks
+ # TODO: do more tests
+
+ # check if luci user and group are present on the system
+ try:
+ get_luci_uid_gid()
+ except:
+ sys.stderr.write('There is a problem with luci installation!\n')
+ sys.stderr.write('Mising luci\'s system account and group')
+ sys.stderr.write('Recommended action: reinstall luci\n\n')
+ sys.exit(3)
+
+ return True
+
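Review bot: The second help line for `password` describes the `--random` behaviour but never names the option, so the two lines read as duplicates; it should be `print '\t\tpassword --random: reset admin password to random value (disable account)'`. In `test_luci_installation`, the second stderr line lacks a trailing newline and misspells the word, so it runs into the recommendation on the next line: `sys.stderr.write('Missing luci\'s system account and group\n')`. Exit code 3 is introduced alongside 1 and 2; a one-line comment naming what each code means would help init scripts that check the status.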
+
def main(argv):
if len(argv) < 2:
luci_help(argv)
sys.exit(1)
-
-
- # only root can modify Luci server
+
+ # only root should run this
if os.getuid() != 0:
- sys.stderr.write('Only root can modify Luci server.\n')
+ sys.stderr.write('Only \'root\' can run ' + argv[0] + '\n')
sys.stderr.write('Try again with root privileges.\n')
sys.exit(2)
+ # test if luci installation is OK
+ test_luci_installation()
+
if 'init' in argv:
init(argv)
elif 'backup' in argv: