From mboxrd@z Thu Jan 1 00:00:00 1970 From: kupcevic@sourceware.org Date: 18 Aug 2006 13:28:45 -0000 Subject: [Cluster-devel] conga/luci site/Makefile site/luci/bin/runzope ... Message-ID: <20060818132845.24095.qmail@sourceware.org> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit CVSROOT: /cvs/cluster Module name: conga Changes by: kupcevic at sourceware.org 2006-08-18 13:28:45 Modified files: luci/site : Makefile luci/site/luci/bin: runzope.in luci/utils : luci_admin Added files: luci/site/luci : .admin_password_has_been_set Log message: Under certain circumstances, default luci password would not get reset. Disable luci startup in that case. Patches: http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/Makefile.diff?cvsroot=cluster&r1=1.8&r2=1.9 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/.admin_password_has_been_set.diff?cvsroot=cluster&r1=NONE&r2=1.1 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/bin/runzope.in.diff?cvsroot=cluster&r1=1.1&r2=1.2 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/utils/luci_admin.diff?cvsroot=cluster&r1=1.45&r2=1.46 --- conga/luci/site/Makefile 2006/08/18 07:21:02 1.8 +++ conga/luci/site/Makefile 2006/08/18 13:28:44 1.9 @@ -39,6 +39,9 @@ install: + install -d ${DESTDIR}/var/lib/luci + install -m 0640 luci/.admin_password_has_been_set ${DESTDIR}/var/lib/luci/ + install -d ${DESTDIR}/var/lib/luci/bin # install `find luci/bin -maxdepth 1 -type f` ${DESTDIR}/var/lib/luci/bin install luci/bin/runzope ${DESTDIR}/var/lib/luci/bin /cvs/cluster/conga/luci/site/luci/.admin_password_has_been_set,v --> standard output revision 1.1 --- conga/luci/site/luci/.admin_password_has_been_set +++ - 2006-08-18 13:28:45.554587000 +0000 @@ -0,0 +1 @@ +False --- conga/luci/site/luci/bin/runzope.in 2006/07/24 20:17:02 1.1 +++ conga/luci/site/luci/bin/runzope.in 2006/08/18 13:28:45 1.2 
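Review bot: The added `install -m 0640 luci/.admin_password_has_been_set ${DESTDIR}/var/lib/luci/` line ships the flag file with the content `False`, so every run of this target overwrites whatever state luci_admin has recorded in it. If the package upgrade path reinstalls the file (the packaging spec is not on this page, so this is inferred), a host whose admin password was already changed would be refused startup by runzope until `luci_admin password` is run again. Consider installing the file only when it does not already exist, or marking it as non-replaceable state in the package. A comment above the line saying the file is runtime state rather than static content would also help.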
@@ -19,4 +19,16 @@ ZOPE_RUN="$SOFTWARE_HOME/Zope2/Startup/run.py" -exec "$PYTHON" "$ZOPE_RUN" -C "$CONFIG_FILE" "$@" + +if [ "B`cat $INSTANCE_HOME/.admin_password_has_been_set`" == "BTrue" ]; then + exec "$PYTHON" "$ZOPE_RUN" -C "$CONFIG_FILE" "$@" +else + echo "" + echo "" + echo "luci \'admin\' password has to be changed before server is allowed to start" + echo "To do so, execute (as root): " + echo -e "\tluci_admin password" + echo "" + echo "" + exit 1 +fi --- conga/luci/utils/luci_admin 2006/08/04 19:19:10 1.45 +++ conga/luci/utils/luci_admin 2006/08/18 13:28:45 1.46 
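Review bot: In the new startup gate, `$INSTANCE_HOME` is unquoted inside the backticks and the test uses `==`, which not every `[` implementation accepts. A path containing whitespace, or a non-bash interpreter, makes the test error out, which fails closed but prints the "password has to be changed" message for the wrong reason. `if [ "$(cat "$INSTANCE_HOME/.admin_password_has_been_set" 2>/dev/null)" = "True" ]; then` keeps the fail-closed behaviour and removes the need for the `B` prefix. Command substitution also strips a trailing newline while luci_admin compares `read(16) == 'True'` exactly, so a flag file holding `True` plus a newline is accepted here but treated as unset by luci_admin. The `\'admin\'` escapes inside double quotes print the backslashes literally.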
@@ -34,25 +34,27 @@ LUCI_INIT_DEBUG = 0 -LUCI_USER = 'luci' +LUCI_USER = 'luci' LUCI_GROUP = 'luci' -LUCI_BACKUP_DIR = '/var/lib/luci/var' -LUCI_CERT_DIR = '/var/lib/luci/var/certs/' -LUCI_BACKUP_PATH = LUCI_BACKUP_DIR + '/luci_backup.xml' -LUCI_DB_PATH = '/var/lib/luci/var/Data.fs' +LUCI_HOME_DIR = '/var/lib/luci' +LUCI_DB_PATH = LUCI_HOME_DIR + '/var/Data.fs' +LUCI_CERT_DIR = LUCI_HOME_DIR + '/var/certs/' +LUCI_BACKUP_DIR = LUCI_HOME_DIR + '/var' +LUCI_BACKUP_PATH = LUCI_BACKUP_DIR + '/luci_backup.xml' +LUCI_ADMIN_SET_PATH = LUCI_HOME_DIR + '/.admin_password_has_been_set' -SSL_PRIVKEY_NAME = 'privkey.pem' -SSL_PUBKEY_NAME = 'cacert.pem' +SSL_PRIVKEY_NAME = 'privkey.pem' +SSL_PUBKEY_NAME = 'cacert.pem' SSL_HTTPS_PRIVKEY_NAME = 'https.key.pem' -SSL_HTTPS_PUBKEY_NAME = 'https.pem' -SSL_KEYCONFIG_NAME = 'cacert.config' +SSL_HTTPS_PUBKEY_NAME = 'https.pem' +SSL_KEYCONFIG_NAME = 'cacert.config' -SSL_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_PRIVKEY_NAME -SSL_PUBKEY_PATH = LUCI_CERT_DIR + SSL_PUBKEY_NAME +SSL_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_PRIVKEY_NAME +SSL_PUBKEY_PATH = LUCI_CERT_DIR + SSL_PUBKEY_NAME SSL_HTTPS_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PRIVKEY_NAME -SSL_HTTPS_PUBKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PUBKEY_NAME -SSL_KEYCONFIG_PATH = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME +SSL_HTTPS_PUBKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PUBKEY_NAME +SSL_KEYCONFIG_PATH = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME ssl_key_data = [ { 'id': SSL_PRIVKEY_PATH, 'name': SSL_PRIVKEY_NAME, 'type': 'private', 'mode': 0600 }, 
@@ -70,6 +72,34 @@ else: verbose = null + + +def get_luci_uid_gid(): + try: + luci = pwd.getpwnam(LUCI_USER)[2:4] + if not luci: + raise + if len(luci) != 2: + raise + return luci + except: + msg = 'Cannot find the \"' + LUCI_USER + '\" user.\n' + sys.stderr.write(msg) + raise msg + + +def set_default_passwd_reset_flag(): + # set flag marking admin password has been set + uid, gid = get_luci_uid_gid() + open(LUCI_ADMIN_SET_PATH, 'w').write('True') + os.chown(LUCI_ADMIN_SET_PATH, uid, gid) + os.chmod(LUCI_ADMIN_SET_PATH, 0640) + return True + +def get_default_passwd_reset_flag(): + return open(LUCI_ADMIN_SET_PATH, 'r').read(16) == 'True' + + def read_passwd(prompt, confirm_prompt): from getpass import getpass while True: @@ -77,6 +107,9 @@ if len(s1) < 6: print 'Password has to be@least 6 characters long' continue + if ' ' in s1: + print 'Spaces are not allowed in passwords' + continue s2 = getpass(confirm_prompt) if s1 != s2: print 'Passwords mismatch, try again' @@ -86,20 +119,18 @@ def restore_luci_db_fsattr(): + uid, gid = -1, -1 try: - luci = pwd.getpwnam(LUCI_USER)[2:4] - if not luci or len(luci) != 2: - raise + uid, gid = get_luci_uid_gid() except: - sys.stderr.write('Cannot find the \"' + LUCI_USER + '\" user.\n') return -1 - + try: - os.chown(LUCI_DB_PATH, luci[0], luci[1]) + os.chown(LUCI_DB_PATH, uid, gid) os.chmod(LUCI_DB_PATH, 0600) for i in [ '.tmp', '.old', '.index', '.lock' ]: try: - os.chown(LUCI_DB_PATH + i, luci[0], luci[1]) + os.chown(LUCI_DB_PATH + i, uid, gid) os.chmod(LUCI_DB_PATH + i, 0600) except: pass except: @@ -181,7 +212,10 @@ if restore_luci_db_fsattr(): return -1 - + + if user == 'admin' and ret == 0: + set_default_passwd_reset_flag() + return ret 
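Review bot: `set_default_passwd_reset_flag()` writes, chowns and chmods `LUCI_ADMIN_SET_PATH` by name while running as root, so a symlink at that path would be followed; whether that matters depends on who can write to `/var/lib/luci`, which this diff does not show. Opening with `O_NOFOLLOW`, closing the descriptor explicitly (the current `open(...).write(...)` never closes it) and using `os.lchown` narrows this, and descriptor-based `os.fchown`/`os.fchmod` would remove the remaining gap where the interpreter provides them. Separately, in `get_luci_uid_gid()` the bare `raise` statements have no active exception and `raise msg` raises a string, which forces every caller into a bare `except:`; a real exception class would be clearer. `get_default_passwd_reset_flag()` propagates IOError when the flag file is missing, and a comment should say whether callers are expected to treat that as "not set".

```python
def set_default_passwd_reset_flag():
    # set flag marking admin password has been set
    uid, gid = get_luci_uid_gid()
    # O_NOFOLLOW: refuse to write through a symlink at the flag path
    fd = os.open(LUCI_ADMIN_SET_PATH,
                 os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0640)
    try:
        os.write(fd, 'True')
    finally:
        os.close(fd)
    # lchown changes the link itself if the path was swapped after the open
    os.lchown(LUCI_ADMIN_SET_PATH, uid, gid)
    return True
```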
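Review bot: The new `' ' in s1` check covers only the interactive path; the `--random` branch shown in a later hunk of this file takes `rand.read(16)` straight from /dev/urandom, and those raw bytes can include a space or other whitespace. If spaces are rejected because something downstream mishandles them (the reason is not stated here), the random password needs the same guarantee, for example `password = rand.read(16).encode('hex')`. A one-line comment above the check saying why spaces are refused would also help, since the restriction shrinks the allowed password space. read_passwd's body starts and ends outside the hunk.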
@@ -194,12 +228,10 @@ if not certList or len(certList) < 1: sys.stderr.write('Your backup file contains no certificate data. Please check that your backup file is not corrupt.\n') return -1 + uid, gid = -1, -1 try: - luci = pwd.getpwnam(LUCI_USER)[2:4] - if not luci or len(luci) != 2: - raise + uid, gid = get_luci_uid_gid() except: - sys.stderr.write('Cannot find the \"' + LUCI_USER + '\" user.\n') return -1 for c in certList: @@ -235,10 +267,11 @@ os.chmod(path, mode) f.write(data + '\n') - os.chown(path, luci[0], luci[1]) + os.chown(path, uid, gid) f.close() return None + def luci_restore(argv): sys.stderr = null import ZODB 
@@ -920,41 +953,43 @@ def luci_initialized(): - # existence of privkey.pem file means that luci is initialized - return os.access(SSL_PRIVKEY_PATH, os.F_OK) + # existence of privkey.pem file and + # admin password (not the one Data.fs comes with) + # mean that luci has been initialized + b1 = get_default_passwd_reset_flag() + b2 = os.access(SSL_PRIVKEY_PATH, os.F_OK) + return b1 and b2 def generate_ssl_certs(): + command = '/bin/rm' + args = [command, '-f', SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH] + _execWithCaptureErrorStatus(command, args) + # /usr/bin/openssl genrsa -out /var/lib/luci/var/certs/privkey.pem 2048 > /dev/null 2>&1 command = '/usr/bin/openssl' args = [command, 'genrsa', '-out', SSL_PRIVKEY_PATH, '2048'] _execWithCaptureErrorStatus(command, args) - + # /usr/bin/openssl req -new -x509 -key /var/lib/luci/var/certs/privkey.pem -out /var/lib/luci/var/certs/cacert.pem -days 1095 -config /var/lib/luci/var/certs/cacert.config command = '/usr/bin/openssl' args = [command, 'req', '-new', '-x509', '-key', SSL_PRIVKEY_PATH, '-out', SSL_PUBKEY_PATH, '-days', '1095', '-config', SSL_KEYCONFIG_PATH] _execWithCaptureErrorStatus(command, args) - - # /bin/chown -R zope:zope /var/lib/luci/var/certs/* - command = '/bin/chown' - args = [command, LUCI_USER + ':' + LUCI_GROUP, SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH] - _execWithCaptureErrorStatus(command, args) - - # /bin/chmod 644 /var/lib/luci/var/certs/* - command = '/bin/chmod' - args = [command, '644', SSL_PUBKEY_PATH] - o, e, s = _execWithCaptureErrorStatus(command, args) - if s != 0: - return False - - # /bin/chmod 400 /var/lib/luci/var/certs/privkey.pem - command = '/bin/chmod' - args = [command, '600', SSL_PRIVKEY_PATH] - o, e, s = _execWithCaptureErrorStatus(command, args) - if s != 0: - return False - + + # take ownership and restrict access + try: + uid, gid = get_luci_uid_gid() + os.chown(SSL_PRIVKEY_PATH, uid, gid) + os.chown(SSL_PUBKEY_PATH, uid, gid) + os.chmod(SSL_PRIVKEY_PATH, 0600) + os.chmod(SSL_PUBKEY_PATH, 0644) 
+ except: + command = '/bin/rm' + args = [command, '-f', SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH] + _execWithCaptureErrorStatus(command, args) + return False + return True @@ -976,12 +1011,9 @@ sys.stderr.write('If you want to reset admin password, execute\n') sys.stderr.write('\t' + argv[0] + ' password\n') sys.exit(1) + print 'Initializing the Luci server\n' - print 'Generating SSL certificates...' - if generate_ssl_certs() == False: - sys.stderr.write('failed. exiting ...\n') - sys.exit(1) - + print '\nCreating the \'admin\' user\n' password = read_passwd('Enter password: ', 'Confirm password: ') print '\nPlease wait...' @@ -991,8 +1023,13 @@ else: sys.stderr.write('Unable to set the admin user\'s password.\n') sys.exit(1) - - print 'The Luci server has been successfully initialized' + + print 'Generating SSL certificates...' + if generate_ssl_certs() == False: + sys.stderr.write('failed. exiting ...\n') + sys.exit(1) + + print 'Luci server has been successfully initialized' restart_message() return @@ -1003,7 +1040,7 @@ if '--random' in argv: print 'Resetting the admin user\'s password to some random value\n' try: - rand = file('/dev/urandom', 'r') + rand = open('/dev/urandom', 'r') password = rand.read(16) rand.close() except: @@ -1095,6 +1132,7 @@ print 'Luci backup was successful.\nThe backup data is contained in the file \"' + LUCI_BACKUP_PATH + '\"' + def restore(argv): print 'Restoring the Luci server...' @@ -1105,6 +1143,7 @@ ret = False sys.stderr.write('The Luci restore failed. Try reinstalling Luci, then restoring again.\n') else: + set_default_passwd_reset_flag() ret = True print 'Restore was successful.' restart_message() 
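Review bot: In `generate_ssl_certs()` the private key is created by `openssl genrsa -out` under the caller's umask and is only restricted to 0600 after the certificate request has also run, so depending on root's umask and the certs directory permissions the key may be readable by other accounts for that interval. Setting `old = os.umask(077)` before the first openssl call and restoring it afterwards closes that window without relying on the later `os.chmod`. The exit statuses of both openssl invocations are discarded, so a failure is noticed only indirectly when `os.chown` raises on a missing file; checking the status returned by `_execWithCaptureErrorStatus`, as the removed chmod code did, would be more direct. In `luci_initialized()`, `get_default_passwd_reset_flag()` raises if the flag file is absent, which turns a missing file into a traceback instead of "not initialized".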
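Review bot: The added `set_default_passwd_reset_flag()` in the success branch of `restore()` marks the admin password as changed for any backup that restores cleanly, without checking what credentials the restored database contains. If a backup can be taken from an instance that still has the default admin password (not determinable from this page), restoring it would re-open the startup gate that this commit adds in runzope. Consider carrying the flag value inside the backup and restoring it, or leaving the flag untouched on restore, and add a comment stating the assumption. The call can also raise, and it sits before `ret = True`, so a failure here skips the success message after the data has already been restored. restore()'s body extends beyond the hunk.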
@@ -1120,25 +1159,45 @@ print argv[0] + ' [init|backup|restore|password|help]' print print '\tinit: initialize Luci site' + print '\tpassword: reset admin password' + print '\t\tpassword: reset admin password to random value (disable account)' print '\tbackup: backup Luci site to a file' print '\trestore: restore Luci site from backup' - print '\tpassword: reset admin password' print '\thelp: this help message' print + +def test_luci_installation(): + # perform basic checks + # TODO: do more tests + + # check if luci user and group are present on the system + try: + get_luci_uid_gid() + except: + sys.stderr.write('There is a problem with luci installation!\n') + sys.stderr.write('Mising luci\'s system account and group') + sys.stderr.write('Recommended action: reinstall luci\n\n') + sys.exit(3) + + return True + + def main(argv): if len(argv) < 2: luci_help(argv) sys.exit(1) - - - # only root can modify Luci server + + # only root should run this if os.getuid() != 0: - sys.stderr.write('Only root can modify Luci server.\n') + sys.stderr.write('Only \'root\' can run ' + argv[0] + '\n') sys.stderr.write('Try again with root privileges.\n') sys.exit(2) + # test if luci installation is OK + test_luci_installation() + if 'init' in argv: init(argv) elif 'backup' in argv:
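Review bot: The two new help lines both start with `password:`; the second presumably documents the `--random` option handled elsewhere in this file and should read `print '\t\tpassword --random: reset admin password to random value (disable account)'`. In `test_luci_installation()` the second message has a typo and no trailing newline, so it runs into the next one; `sys.stderr.write('Missing luci\'s system account and group\n')` fixes both. The bare `except:` there also catches KeyboardInterrupt and reports it as a broken installation. Since `get_luci_uid_gid()` already writes its own error to stderr, a short comment noting that the user sees both messages would help.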