[Server-devel] [PATCH] Restrict XO users using rssh
Douglas Bagnall
douglas at paradise.net.nz
Mon Aug 11 19:24:09 EDT 2008
As per ticket #7606, until now XO users have had full shell access
over ssh. This (with related commits in ds-backup and xs-config)
confines them to rsync over ssh only.
The update_users.py script fixes existing users, while create_user
will now set the shell of new users.
The users' group is also set to "xousers", which will allow further
restrictions in due course.
diff --git a/Makefile b/Makefile
index c87dd6f..59b425d 100644
--- a/Makefile
+++ b/Makefile
@@ -20,16 +20,17 @@ CREATE_REGISTRATION = create_registration
LIST_REGISTRATION = list_registration
IDMGR_INIT = idmgr
IDMGR_CONFIG = idmgr.conf
+UPDATE_USERS = update_users.py
# This is a directory (w. subdirectories)
SERVER = idmgr/
# All scripts
SRC_FILES = $(CONF_SRC)/$(CREATE_USER) $(CONF_SRC)/$(CREATE_REGISTRATION) \
$(CONF_SRC)/$(LIST_REGISTRATION) $(CONF_SRC)/$(IDMGR_INIT) \
- $(CONF_SRC)/$(IDMGR_CONFIG)
+ $(CONF_SRC)/$(IDMGR_CONFIG) $(CONF_SRC)/$(UPDATE_USERS)
FILES = $(BIN_DST)/$(CREATE_USER) $(BIN_DST)/$(CREATE_REGISTRATION) \
$(BIN_DST)/$(LIST_REGISTRATION) $(INIT_DST)/$(IDMGR_INIT) \
- $(CONFIG_DST)/$(IDMGR_CONFIG)
+ $(CONFIG_DST)/$(IDMGR_CONFIG) $(BIN_DST)/$(UPDATE_USERS)
# install rules
$(DESTDIR):
@@ -47,6 +48,9 @@ $(CONFIG_DST): $(DESTDIR)
$(BIN_DST)/$(CREATE_USER): $(CONF_SRC)/$(CREATE_USER) $(BIN_DST)
cp $(CONF_SRC)/$(CREATE_USER) $(BIN_DST)
+$(BIN_DST)/$(UPDATE_USERS): $(CONF_SRC)/$(UPDATE_USERS) $(BIN_DST)
+ cp $(CONF_SRC)/$(UPDATE_USERS) $(BIN_DST)
+
$(BIN_DST)/$(CREATE_REGISTRATION): $(CONF_SRC)/$(CREATE_REGISTRATION) $(BIN_DST)
cp $(CONF_SRC)/$(CREATE_REGISTRATION) $(BIN_DST)
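Review bot: The recipe of the new `$(BIN_DST)/$(UPDATE_USERS)` rule repeats both paths and copies into the directory rather than to the target, so nothing ties what it writes to `$@`; `install -m 0755 $< $@` (or at least `cp $< $@`) would make the rule produce exactly its target and make the executable bit explicit, which matters because idmgr.spec executes this file directly from %post. The existing CREATE_USER rule just above uses the same pattern, so this is consistent with the file; if one is changed both should be. `$(BIN_DST)` is a directory used as a normal prerequisite, so its mtime changes as files are installed into it and can trigger spurious re-copies — an order-only prerequisite (`| $(BIN_DST)`) avoids that, though that style is also pre-existing here.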
diff --git a/conf.schoolserver/create_user b/conf.schoolserver/create_user
index 55e5cfe..40f63e3 100755
--- a/conf.schoolserver/create_user
+++ b/conf.schoolserver/create_user
@@ -38,11 +38,17 @@ read uuid
read pubkey
homedir=/library/users/$username
+XO_USERS_GROUP=xousers
+
+#make sure the xousers group exists
+getent group $XO_USERS_GROUP > /dev/null 2>&1 || groupadd $XO_USERS_GROUP
if getent passwd "$username" > /dev/null 2>&1; then
true # User exists
-else
- /usr/sbin/adduser -c "$full_name" -d $homedir "$username" || die "Unable to
create user"
+else
+ /usr/sbin/useradd -c "$full_name" -d "$homedir" \
+ -G $XO_USERS_GROUP -s /usr/bin/rssh "$username" \
+ || die "Unable to create user"
echo $uuid | passwd --stdin "$username" || die "Unable to set password"
fi
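Review bot: The `groupadd $XO_USERS_GROUP` fallback on the new getent line is not checked, so if creating the group fails the script continues and the later `useradd ... -G $XO_USERS_GROUP` fails with the misleading message "Unable to create user"; suggest `getent group "$XO_USERS_GROUP" > /dev/null 2>&1 || groupadd "$XO_USERS_GROUP" || die "Unable to create $XO_USERS_GROUP group"`. The same unchecked `getent ... || groupadd xousers` line appears in the first idmgr.spec hunk. The hard-coded `-s /usr/bin/rssh` is not verified to exist here, whereas update_users.py checks RSSH_PATH before using it; a missing shell fails closed (the account cannot log in at all), but the dependency is worth stating, e.g. `# rssh must be installed and configured to allow only rsync; see the xs-config change`. Note that useradd keeps a per-user primary group and adds xousers only as a supplementary group via -G, which matches what update_users.py does with `-g <user> -G xousers`.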
diff --git a/conf.schoolserver/update_users.py b/conf.schoolserver/update_users.py
new file mode 100755
index 0000000..3684f08
--- /dev/null
+++ b/conf.schoolserver/update_users.py
@@ -0,0 +1,62 @@
+#!/usr/bin/python
+#
+# update_users.py
+#
+# In the past, when an XO user registered, they were given their own
+# group and no more. Now we want them to all be in the same group
+# because it makes the management of restricted ssh access (and
+# possibly other things) easier.
+
+#The group we are using is "xousers", and we're finding the XO users
+# by the location of their home directories.
+
+
+import os
+import sys
+import pwd, grp
+import subprocess
+
+XO_USER_HOME = '/library/users'
+XO_USER_GROUP = 'xousers'
+RSSH_PATH = '/usr/bin/rssh'
+
+# first, make sure the group is there
+# much like `getent group xousers || groupadd xousers`
+try:
+ group = grp.getgrnam(XO_USER_GROUP)
+except KeyError, e:
+ print >> sys.stderr, e
+ result = subprocess.call(['groupadd', XO_USER_GROUP])
+ if result:
+ raise RuntimeError("couldn't add %s group" % XO_USER_GROUP)
+
+# just make sure the rssh executable is there
+if not os.access(RSSH_PATH, os.F_OK | os.R_OK | os.X_OK):
+ raise RuntimeError("%s seems to be missing or otherwise inaccessable" %
RSSH_PATH)
+
+
+# now find each user who has a /library/users/* home directory and try
+# to change their group.
+# Execution will stop when one fails BUT any users who's groups have
+# been changed will not be changed back.
+
+users = [ x for x in pwd.getpwall()
+ if os.path.dirname(x.pw_dir) == XO_USER_HOME ]
+
+for user in users:
+ #if for some reason the user's name isn't already a group (e.g.,
+ #they were created with `usermod -g some-other-group`.
+ try:
+ group = grp.getgrnam(user.pw_name)
+ except KeyError, e:
+ print >> sys.stderr, e
+ result = subprocess.call(['groupadd', user.pw_name])
+ if result:
+ raise RuntimeError("couldn't add %s group" % XO_USER_GROUP)
+
+ result = subprocess.call(['usermod', '-g', user.pw_name, '-G', XO_USER_GROUP,
+ '-s', RSSH_PATH, user.pw_name])
+ if result:
+ raise RuntimeError("couldn't change group for user %s (out of %s)"
+ % (user.pw_name, users))
+
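Review bot: The error raised inside the per-user loop, `raise RuntimeError("couldn't add %s group" % XO_USER_GROUP)`, names the wrong group: the `groupadd` two lines above it creates a group called `user.pw_name`, so the message should be `"couldn't add %s group" % user.pw_name`. The final RuntimeError interpolates the entire `users` list of pwd entries into the message, which is verbose and prints every selected account's passwd record into the rpm %post output; `% (user.pw_name, len(users))` would be more readable. Selecting accounts with `os.path.dirname(x.pw_dir) == XO_USER_HOME` means any account whose home is directly under /library/users gets its shell replaced with rssh, so a comment such as `# assumes only registered XO accounts have homes directly under /library/users` would document that assumption. The os.access check only confirms rssh exists and is executable, not that it is configured to permit rsync only; the confinement presumably relies on the rssh configuration from the xs-config change mentioned in the description.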
diff --git a/idmgr.spec b/idmgr.spec
index 5616a7f..bc00da0 100644
--- a/idmgr.spec
+++ b/idmgr.spec
@@ -35,6 +35,8 @@ fi
if [ ! -d /library/users/ ] ; then
mkdir -p /library/users
fi
+# Make sure the xousers group exists
+getent group xousers > /dev/null 2>&1 || groupadd xousers
%post
# Make the server script executable
@@ -46,6 +48,9 @@ fi
/sbin/chkconfig --add idmgr
/sbin/service idmgr condrestart
+# Existing users might not be in the xousers group. Fix that.
+/home/idmgr/update_users.py
+
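Review bot: The %post scriptlet now runs `/home/idmgr/update_users.py`, which aborts if `/usr/bin/rssh` is absent, and create_user assigns that shell to new accounts, so the package should declare `Requires: rssh` (and the python interpreter the script uses); the Requires section is outside this diff, so it may already be present. Because the script is the last command in %post, its non-zero exit becomes the scriptlet's status and rpm will report a %post failure, while the accounts processed before the failure keep their new group and shell, as the script's own comment says; a comment here such as `# A failure leaves already-processed accounts converted; rerun after fixing the cause` would tell the administrator what to do.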
%preun
if [ $1 -eq 0 ]; then
/sbin/service idmgr stop &>/dev/null || :
@@ -69,6 +74,7 @@ rm -rf $RPM_BUILD_ROOT
/etc/idmgr.conf
/home/idmgr/create_registration
/home/idmgr/create_user
+/home/idmgr/update_users.py
/home/idmgr/idmgr/CONFIG.py
/home/idmgr/idmgr/CONFIG.pyc
/home/idmgr/idmgr/CONFIG.pyo
diff --git a/idmgr/server.py b/idmgr/server.py
old mode 100644
new mode 100755