* [Cluster-devel] conga/luci site/Makefile site/luci/bin/runzope ...
@ 2006-08-18 13:28 kupcevic
From: kupcevic @ 2006-08-18 13:28 UTC (permalink / raw)
To: cluster-devel.redhat.com
CVSROOT: /cvs/cluster
Module name: conga
Changes by: kupcevic at sourceware.org 2006-08-18 13:28:45
Modified files:
luci/site : Makefile
luci/site/luci/bin: runzope.in
luci/utils : luci_admin
Added files:
luci/site/luci : .admin_password_has_been_set
Log message:
Under certain circumstances, the default luci password would not get reset.
Disable luci startup in that case.
Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/Makefile.diff?cvsroot=cluster&r1=1.8&r2=1.9
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/.admin_password_has_been_set.diff?cvsroot=cluster&r1=NONE&r2=1.1
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/bin/runzope.in.diff?cvsroot=cluster&r1=1.1&r2=1.2
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/utils/luci_admin.diff?cvsroot=cluster&r1=1.45&r2=1.46
--- conga/luci/site/Makefile 2006/08/18 07:21:02 1.8
+++ conga/luci/site/Makefile 2006/08/18 13:28:44 1.9
@@ -39,6 +39,9 @@
install:
+ install -d ${DESTDIR}/var/lib/luci
+ install -m 0640 luci/.admin_password_has_been_set ${DESTDIR}/var/lib/luci/
+
install -d ${DESTDIR}/var/lib/luci/bin
# install `find luci/bin -maxdepth 1 -type f` ${DESTDIR}/var/lib/luci/bin
install luci/bin/runzope ${DESTDIR}/var/lib/luci/bin
/cvs/cluster/conga/luci/site/luci/.admin_password_has_been_set,v --> standard output
revision 1.1
--- conga/luci/site/luci/.admin_password_has_been_set
+++ - 2006-08-18 13:28:45.554587000 +0000
@@ -0,0 +1 @@
+False
--- conga/luci/site/luci/bin/runzope.in 2006/07/24 20:17:02 1.1
+++ conga/luci/site/luci/bin/runzope.in 2006/08/18 13:28:45 1.2
@@ -19,4 +19,16 @@
ZOPE_RUN="$SOFTWARE_HOME/Zope2/Startup/run.py"
-exec "$PYTHON" "$ZOPE_RUN" -C "$CONFIG_FILE" "$@"
+
+if [ "B`cat $INSTANCE_HOME/.admin_password_has_been_set`" == "BTrue" ]; then
+ exec "$PYTHON" "$ZOPE_RUN" -C "$CONFIG_FILE" "$@"
+else
+ echo ""
+ echo ""
+ echo "luci \'admin\' password has to be changed before server is allowed to start"
+ echo "To do so, execute (as root): "
+ echo -e "\tluci_admin password"
+ echo ""
+ echo ""
+ exit 1
+fi
--- conga/luci/utils/luci_admin 2006/08/04 19:19:10 1.45
+++ conga/luci/utils/luci_admin 2006/08/18 13:28:45 1.46
@@ -34,25 +34,27 @@
LUCI_INIT_DEBUG = 0
-LUCI_USER = 'luci'
+LUCI_USER = 'luci'
LUCI_GROUP = 'luci'
-LUCI_BACKUP_DIR = '/var/lib/luci/var'
-LUCI_CERT_DIR = '/var/lib/luci/var/certs/'
-LUCI_BACKUP_PATH = LUCI_BACKUP_DIR + '/luci_backup.xml'
-LUCI_DB_PATH = '/var/lib/luci/var/Data.fs'
+LUCI_HOME_DIR = '/var/lib/luci'
+LUCI_DB_PATH = LUCI_HOME_DIR + '/var/Data.fs'
+LUCI_CERT_DIR = LUCI_HOME_DIR + '/var/certs/'
+LUCI_BACKUP_DIR = LUCI_HOME_DIR + '/var'
+LUCI_BACKUP_PATH = LUCI_BACKUP_DIR + '/luci_backup.xml'
+LUCI_ADMIN_SET_PATH = LUCI_HOME_DIR + '/.admin_password_has_been_set'
-SSL_PRIVKEY_NAME = 'privkey.pem'
-SSL_PUBKEY_NAME = 'cacert.pem'
+SSL_PRIVKEY_NAME = 'privkey.pem'
+SSL_PUBKEY_NAME = 'cacert.pem'
SSL_HTTPS_PRIVKEY_NAME = 'https.key.pem'
-SSL_HTTPS_PUBKEY_NAME = 'https.pem'
-SSL_KEYCONFIG_NAME = 'cacert.config'
+SSL_HTTPS_PUBKEY_NAME = 'https.pem'
+SSL_KEYCONFIG_NAME = 'cacert.config'
-SSL_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_PRIVKEY_NAME
-SSL_PUBKEY_PATH = LUCI_CERT_DIR + SSL_PUBKEY_NAME
+SSL_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_PRIVKEY_NAME
+SSL_PUBKEY_PATH = LUCI_CERT_DIR + SSL_PUBKEY_NAME
SSL_HTTPS_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PRIVKEY_NAME
-SSL_HTTPS_PUBKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PUBKEY_NAME
-SSL_KEYCONFIG_PATH = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME
+SSL_HTTPS_PUBKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PUBKEY_NAME
+SSL_KEYCONFIG_PATH = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME
ssl_key_data = [
{ 'id': SSL_PRIVKEY_PATH, 'name': SSL_PRIVKEY_NAME, 'type': 'private', 'mode': 0600 },
@@ -70,6 +72,34 @@
else:
verbose = null
+
+
+def get_luci_uid_gid():
+ try:
+ luci = pwd.getpwnam(LUCI_USER)[2:4]
+ if not luci:
+ raise
+ if len(luci) != 2:
+ raise
+ return luci
+ except:
+ msg = 'Cannot find the \"' + LUCI_USER + '\" user.\n'
+ sys.stderr.write(msg)
+ raise msg
+
+
+def set_default_passwd_reset_flag():
+ # set flag marking admin password has been set
+ uid, gid = get_luci_uid_gid()
+ open(LUCI_ADMIN_SET_PATH, 'w').write('True')
+ os.chown(LUCI_ADMIN_SET_PATH, uid, gid)
+ os.chmod(LUCI_ADMIN_SET_PATH, 0640)
+ return True
+
+def get_default_passwd_reset_flag():
+ return open(LUCI_ADMIN_SET_PATH, 'r').read(16) == 'True'
+
+
def read_passwd(prompt, confirm_prompt):
from getpass import getpass
while True:
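Review bot: get_default_passwd_reset_flag() lets a missing or unreadable flag file escape as an IOError out of luci_initialized() instead of reporting the flag as unset; the Makefile hunk installs `.admin_password_has_been_set` at install time, so an existing site whose tree predates this commit would presumably crash `luci_admin init` rather than be asked to set the password. Treating an absent file as False keeps the fail-closed behaviour runzope.in relies on (it only starts on the literal string True) while giving init a clean path. get_luci_uid_gid() also raises a plain string (`raise msg`), which only works because every caller uses a bare `except:`; raising an exception instance such as `raise KeyError(msg)` would let callers narrow their handlers. set_default_passwd_reset_flag() never closes the handle it writes through; `f = open(LUCI_ADMIN_SET_PATH, 'w'); f.write('True'); f.close()` makes the flush explicit before the chown/chmod.
```python
def get_default_passwd_reset_flag():
    # a missing flag file means the default password was never reset
    try:
        return open(LUCI_ADMIN_SET_PATH, 'r').read(16) == 'True'
    except IOError:
        return False
```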
@@ -77,6 +107,9 @@
if len(s1) < 6:
print 'Password has to be@least 6 characters long'
continue
+ if ' ' in s1:
+ print 'Spaces are not allowed in passwords'
+ continue
s2 = getpass(confirm_prompt)
if s1 != s2:
print 'Passwords mismatch, try again'
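Review bot: The new check rejects only the ASCII space character, so tabs and other whitespace still pass into the password while a single space is refused; if the intent is "no whitespace at all", `if len(s1.split()) != 1:` covers every kind (s1 is non-empty here because of the length check just above). The message would then read `print 'Whitespace is not allowed in passwords'`. read_passwd starts outside the hunk.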
@@ -86,20 +119,18 @@
def restore_luci_db_fsattr():
+ uid, gid = -1, -1
try:
- luci = pwd.getpwnam(LUCI_USER)[2:4]
- if not luci or len(luci) != 2:
- raise
+ uid, gid = get_luci_uid_gid()
except:
- sys.stderr.write('Cannot find the \"' + LUCI_USER + '\" user.\n')
return -1
-
+
try:
- os.chown(LUCI_DB_PATH, luci[0], luci[1])
+ os.chown(LUCI_DB_PATH, uid, gid)
os.chmod(LUCI_DB_PATH, 0600)
for i in [ '.tmp', '.old', '.index', '.lock' ]:
try:
- os.chown(LUCI_DB_PATH + i, luci[0], luci[1])
+ os.chown(LUCI_DB_PATH + i, uid, gid)
os.chmod(LUCI_DB_PATH + i, 0600)
except: pass
except:
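Review bot: The `uid, gid = -1, -1` pre-assignment added at the top of restore_luci_db_fsattr() is never used, because the `except:` branch returns before any chown, and -1 is an unfortunate sentinel: os.chown() treats -1 as "leave this id unchanged", so if the value ever did reach the chown calls the database would silently keep its current owner instead of the call failing. The same initialisation is added in the luci_restore hunk below (`uid, gid = -1, -1` before the certificate loop) with the same consequence for the restored key files. Dropping the assignment in both places, or initialising to None so a stray use raises TypeError, makes the failure visible. restore_luci_db_fsattr's body continues past the hunk.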
@@ -181,7 +212,10 @@
if restore_luci_db_fsattr():
return -1
-
+
+ if user == 'admin' and ret == 0:
+ set_default_passwd_reset_flag()
+
return ret
@@ -194,12 +228,10 @@
if not certList or len(certList) < 1:
sys.stderr.write('Your backup file contains no certificate data. Please check that your backup file is not corrupt.\n')
return -1
+ uid, gid = -1, -1
try:
- luci = pwd.getpwnam(LUCI_USER)[2:4]
- if not luci or len(luci) != 2:
- raise
+ uid, gid = get_luci_uid_gid()
except:
- sys.stderr.write('Cannot find the \"' + LUCI_USER + '\" user.\n')
return -1
for c in certList:
@@ -235,10 +267,11 @@
os.chmod(path, mode)
f.write(data + '\n')
- os.chown(path, luci[0], luci[1])
+ os.chown(path, uid, gid)
f.close()
return None
+
def luci_restore(argv):
sys.stderr = null
import ZODB
@@ -920,41 +953,43 @@
def luci_initialized():
- # existence of privkey.pem file means that luci is initialized
- return os.access(SSL_PRIVKEY_PATH, os.F_OK)
+ # existence of privkey.pem file and
+ # admin password (not the one Data.fs comes with)
+ # mean that luci has been initialized
+ b1 = get_default_passwd_reset_flag()
+ b2 = os.access(SSL_PRIVKEY_PATH, os.F_OK)
+ return b1 and b2
def generate_ssl_certs():
+ command = '/bin/rm'
+ args = [command, '-f', SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
+ _execWithCaptureErrorStatus(command, args)
+
# /usr/bin/openssl genrsa -out /var/lib/luci/var/certs/privkey.pem 2048 > /dev/null 2>&1
command = '/usr/bin/openssl'
args = [command, 'genrsa', '-out', SSL_PRIVKEY_PATH, '2048']
_execWithCaptureErrorStatus(command, args)
-
+
# /usr/bin/openssl req -new -x509 -key /var/lib/luci/var/certs/privkey.pem -out /var/lib/luci/var/certs/cacert.pem -days 1095 -config /var/lib/luci/var/certs/cacert.config
command = '/usr/bin/openssl'
args = [command, 'req', '-new', '-x509', '-key', SSL_PRIVKEY_PATH, '-out', SSL_PUBKEY_PATH, '-days', '1095', '-config', SSL_KEYCONFIG_PATH]
_execWithCaptureErrorStatus(command, args)
-
- # /bin/chown -R zope:zope /var/lib/luci/var/certs/*
- command = '/bin/chown'
- args = [command, LUCI_USER + ':' + LUCI_GROUP, SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
- _execWithCaptureErrorStatus(command, args)
-
- # /bin/chmod 644 /var/lib/luci/var/certs/*
- command = '/bin/chmod'
- args = [command, '644', SSL_PUBKEY_PATH]
- o, e, s = _execWithCaptureErrorStatus(command, args)
- if s != 0:
- return False
-
- # /bin/chmod 400 /var/lib/luci/var/certs/privkey.pem
- command = '/bin/chmod'
- args = [command, '600', SSL_PRIVKEY_PATH]
- o, e, s = _execWithCaptureErrorStatus(command, args)
- if s != 0:
- return False
-
+
+ # take ownership and restrict access
+ try:
+ uid, gid = get_luci_uid_gid()
+ os.chown(SSL_PRIVKEY_PATH, uid, gid)
+ os.chown(SSL_PUBKEY_PATH, uid, gid)
+ os.chmod(SSL_PRIVKEY_PATH, 0600)
+ os.chmod(SSL_PUBKEY_PATH, 0644)
+ except:
+ command = '/bin/rm'
+ args = [command, '-f', SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
+ _execWithCaptureErrorStatus(command, args)
+ return False
+
return True
@@ -976,12 +1011,9 @@
sys.stderr.write('If you want to reset admin password, execute\n')
sys.stderr.write('\t' + argv[0] + ' password\n')
sys.exit(1)
+
print 'Initializing the Luci server\n'
- print 'Generating SSL certificates...'
- if generate_ssl_certs() == False:
- sys.stderr.write('failed. exiting ...\n')
- sys.exit(1)
-
+
print '\nCreating the \'admin\' user\n'
password = read_passwd('Enter password: ', 'Confirm password: ')
print '\nPlease wait...'
@@ -991,8 +1023,13 @@
else:
sys.stderr.write('Unable to set the admin user\'s password.\n')
sys.exit(1)
-
- print 'The Luci server has been successfully initialized'
+
+ print 'Generating SSL certificates...'
+ if generate_ssl_certs() == False:
+ sys.stderr.write('failed. exiting ...\n')
+ sys.exit(1)
+
+ print 'Luci server has been successfully initialized'
restart_message()
return
@@ -1003,7 +1040,7 @@
if '--random' in argv:
print 'Resetting the admin user\'s password to some random value\n'
try:
- rand = file('/dev/urandom', 'r')
+ rand = open('/dev/urandom', 'r')
password = rand.read(16)
rand.close()
except:
@@ -1095,6 +1132,7 @@
print 'Luci backup was successful.\nThe backup data is contained in the file \"' + LUCI_BACKUP_PATH + '\"'
+
def restore(argv):
print 'Restoring the Luci server...'
@@ -1105,6 +1143,7 @@
ret = False
sys.stderr.write('The Luci restore failed. Try reinstalling Luci, then restoring again.\n')
else:
+ set_default_passwd_reset_flag()
ret = True
print 'Restore was successful.'
restart_message()
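Review bot: set_default_passwd_reset_flag() is called on the success path with no error handling, so an IOError or OSError from writing or chown'ing the flag file propagates out of restore() after the database has already been restored, and neither 'Restore was successful.' nor any hint is printed. The restore should still be reported, and the user told that the server will refuse to start until the flag is written. Whether a backup can carry the stock admin credential is not visible here; if it can, setting the flag unconditionally re-enables startup with that credential, so gating the call on the restored password may be worth considering. restore's body starts and ends outside the hunk.
```python
    else:
        try:
            set_default_passwd_reset_flag()
        except (IOError, OSError):
            sys.stderr.write('Restore succeeded, but the admin password flag could not be written.\n')
            sys.stderr.write('Run \'' + argv[0] + ' password\' before starting luci.\n')
        ret = True
        # … unchanged: success message, restart_message() …
```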
@@ -1120,25 +1159,45 @@
print argv[0] + ' [init|backup|restore|password|help]'
print
print '\tinit: initialize Luci site'
+ print '\tpassword: reset admin password'
+ print '\t\tpassword: reset admin password to random value (disable account)'
print '\tbackup: backup Luci site to a file'
print '\trestore: restore Luci site from backup'
- print '\tpassword: reset admin password'
print '\thelp: this help message'
print
+
+def test_luci_installation():
+ # perform basic checks
+ # TODO: do more tests
+
+ # check if luci user and group are present on the system
+ try:
+ get_luci_uid_gid()
+ except:
+ sys.stderr.write('There is a problem with luci installation!\n')
+ sys.stderr.write('Mising luci\'s system account and group')
+ sys.stderr.write('Recommended action: reinstall luci\n\n')
+ sys.exit(3)
+
+ return True
+
+
def main(argv):
if len(argv) < 2:
luci_help(argv)
sys.exit(1)
-
-
- # only root can modify Luci server
+
+ # only root should run this
if os.getuid() != 0:
- sys.stderr.write('Only root can modify Luci server.\n')
+ sys.stderr.write('Only \'root\' can run ' + argv[0] + '\n')
sys.stderr.write('Try again with root privileges.\n')
sys.exit(2)
+ # test if luci installation is OK
+ test_luci_installation()
+
if 'init' in argv:
init(argv)
elif 'backup' in argv:
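Review bot: In test_luci_installation() the second stderr line, `sys.stderr.write('Mising luci\'s system account and group')`, has no trailing newline (and "Mising" is misspelled), so the "Recommended action" line runs onto it; `sys.stderr.write('Missing luci\'s system account and group.\n')`. In luci_help the new line `'\t\tpassword: reset admin password to random value (disable account)'` repeats the command name without the flag that selects this mode, which the password handler checks as `'--random' in argv`; `'\t\tpassword --random: reset admin password to random value (disable account)'`. The bare `except:` in the installation test is acceptable only because get_luci_uid_gid() raises a string; a proper exception type would let it become `except KeyError:` or similar. main's body continues past the hunk.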