[Server-devel] [PATCH] No passwords for XO users, and packaging improvements

Douglas Bagnall douglas at paradise.net.nz
Mon Aug 11 19:24:41 EDT 2008


    XO users were being given their UUIDs as passwords, which was
    unnecessary.
    
    In case the user storage system changes again in the future, the post
    installation scripts reference /home/idmgr/storage_format_version to
    decide what to do.

diff --git a/Makefile b/Makefile
index 59b425d..fad74be 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
 # This Makefile installs the OLPC ID Management Service
 
 NAME = idmgr
-VERSION = 0.1.1
-RELEASE = 2
+VERSION = 0.1.2
+RELEASE = 3
 ARCH = noarch
 
 # install root
@@ -20,17 +20,17 @@ CREATE_REGISTRATION = create_registration
 LIST_REGISTRATION = list_registration
 IDMGR_INIT = idmgr
 IDMGR_CONFIG = idmgr.conf
-UPDATE_USERS = update_users.py
+UPDATE_USERS_01 = update_users_0_to_1.py
 # This is a directory (w. subdirectories)
 SERVER = idmgr/
 
 #  All scripts
 SRC_FILES = $(CONF_SRC)/$(CREATE_USER) $(CONF_SRC)/$(CREATE_REGISTRATION) \
 	$(CONF_SRC)/$(LIST_REGISTRATION) $(CONF_SRC)/$(IDMGR_INIT) \
-	$(CONF_SRC)/$(IDMGR_CONFIG) $(CONF_SRC)/$(UPDATE_USERS)
+	$(CONF_SRC)/$(IDMGR_CONFIG) $(CONF_SRC)/$(UPDATE_USERS_01)
 FILES = $(BIN_DST)/$(CREATE_USER) $(BIN_DST)/$(CREATE_REGISTRATION) \
 	$(BIN_DST)/$(LIST_REGISTRATION) $(INIT_DST)/$(IDMGR_INIT) \
-	$(CONFIG_DST)/$(IDMGR_CONFIG) $(BIN_DST)/$(UPDATE_USERS)
+	$(CONFIG_DST)/$(IDMGR_CONFIG) $(BIN_DST)/$(UPDATE_USERS_01)
 
 # install rules
 $(DESTDIR):
@@ -48,8 +48,8 @@ $(CONFIG_DST): $(DESTDIR)
 $(BIN_DST)/$(CREATE_USER): $(CONF_SRC)/$(CREATE_USER) $(BIN_DST)
 	cp $(CONF_SRC)/$(CREATE_USER) $(BIN_DST)
 
-$(BIN_DST)/$(UPDATE_USERS): $(CONF_SRC)/$(UPDATE_USERS) $(BIN_DST)
-	cp $(CONF_SRC)/$(UPDATE_USERS) $(BIN_DST)
+$(BIN_DST)/$(UPDATE_USERS_01): $(CONF_SRC)/$(UPDATE_USERS_01) $(BIN_DST)
+	cp $(CONF_SRC)/$(UPDATE_USERS_01) $(BIN_DST)
 
 $(BIN_DST)/$(CREATE_REGISTRATION): $(CONF_SRC)/$(CREATE_REGISTRATION) $(BIN_DST)
 	cp $(CONF_SRC)/$(CREATE_REGISTRATION) $(BIN_DST)
@@ -69,7 +69,7 @@ $(CONFIG_DST)/$(IDMGR_CONFIG): $(CONF_SRC)/$(IDMGR_CONFIG)
$(CONFIG_DST)
 install: $(FILES) $(BIN_DST)/$(SERVER)
 
 # rpm target directory
-RPMDIR = /usr/src/redhat
+RPMDIR = $(PWD)/rpm
 
 NV = $(NAME)-$(VERSION)
 
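Review bot: `$(PWD)` on the new `RPMDIR` line is the environment variable inherited from the calling shell, not make's own working directory, so it can name a different directory when the build is started with `make -C <dir>` or from an environment that does not export PWD. `RPMDIR = $(CURDIR)/rpm` uses the directory make is actually running in. Both the `_topdir` define and the `cp -p $(RPMDIR)/RPMS/...` line in the `rpm` rule depend on this value, so a wrong value would build in, or copy from, an unintended tree.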
@@ -82,7 +82,7 @@ SOURCES: Makefile $(SRC_FILES)
 	rm -rf $(NV)
 
 rpm: SOURCES
-	rpmbuild -ba --target $(ARCH) $(NAME).spec
+	rpmbuild -v --define "_topdir $(RPMDIR)" -ba --target $(ARCH) $(NAME).spec
 	rm -f $(NV)-*.$(ARCH).rpm
 	cp -p $(RPMDIR)/RPMS/$(ARCH)/$(NV)-$(RELEASE).$(ARCH).rpm .
 
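Review bot: With `RPMDIR` now pointing at `$(PWD)/rpm`, the `rpm:` rule shares its name with a directory inside the source tree, and no `.PHONY` declaration is visible in this hunk. If `SOURCES` is ever considered up to date, make may treat the existing `rpm` directory as the finished target and skip `rpmbuild`; adding `.PHONY: rpm` (or giving the directory another name) avoids that. The recipe also assumes the `_topdir` subdirectories already exist under `$(RPMDIR)`; whether the `SOURCES` rule creates them is outside the hunk.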
diff --git a/conf.schoolserver/create_user b/conf.schoolserver/create_user
index 40f63e3..90d9315 100755
--- a/conf.schoolserver/create_user
+++ b/conf.schoolserver/create_user
@@ -44,12 +44,12 @@ XO_USERS_GROUP=xousers
 getent group $XO_USERS_GROUP > /dev/null 2>&1 || groupadd $XO_USERS_GROUP
 
 if getent passwd "$username" > /dev/null 2>&1; then
-    true   # User exists
+    # $fullname may have changed.
+    /usr/sbin/usermod -c "$full_name" "$username" || die "unable to change full
name"
 else 
     /usr/sbin/useradd -c "$full_name" -d "$homedir"  \
         -G $XO_USERS_GROUP -s /usr/bin/rssh "$username" \
         || die "Unable to create user"
-    echo $uuid | passwd --stdin "$username" || die "Unable to set password"
 fi
 
 userhome=`getent passwd "$username" | awk -F: '{print $6}'`
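Review bot: The new existing-user branch runs `usermod -c` on whatever account `getent passwd "$username"` finds, without checking that it is an XO account (for example that its home is under `/library/users` or that it belongs to `$XO_USERS_GROUP`). If `$username` can ever match a non-XO account, a registration would rewrite that account's comment field; where `$username` comes from is outside the hunk, so this needs confirming against the caller. The added comment also says `$fullname` while the variable used is `$full_name`; `# $full_name may have changed.` would match the code.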
diff --git a/conf.schoolserver/update_users.py b/conf.schoolserver/update_users.py
deleted file mode 100755
index 3684f08..0000000
--- a/conf.schoolserver/update_users.py
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/usr/bin/python
-#
-# update_users.py
-#
-# In the past, when an XO user registered, they were given their own
-# group and no more.  Now we want them to all be in the same group
-# because it makes the management of restricted ssh access (and
-# possibly other things) easier.  
-
-#The group we are using is "xousers", and we're finding the XO users
-# by the location of their home directories.
-
-
-import os
-import sys
-import pwd, grp
-import subprocess
-
-XO_USER_HOME = '/library/users'
-XO_USER_GROUP = 'xousers'
-RSSH_PATH = '/usr/bin/rssh'
-
-# first, make sure the group is there
-# much like `getent group xousers || groupadd xousers`
-try:
-    group = grp.getgrnam(XO_USER_GROUP)
-except KeyError, e:
-    print >> sys.stderr, e
-    result = subprocess.call(['groupadd', XO_USER_GROUP])
-    if result:
-        raise RuntimeError("couldn't add %s group" % XO_USER_GROUP)
-
-# just make sure the rssh executable is there
-if not os.access(RSSH_PATH, os.F_OK | os.R_OK | os.X_OK):
-    raise RuntimeError("%s seems to be missing or otherwise inaccessable" %
RSSH_PATH)
-    
-
-# now find each user who has a /library/users/* home directory and try
-# to change their group.
-# Execution will stop when one fails BUT any users who's groups have
-# been changed will not be changed back.
-
-users = [ x for x in pwd.getpwall() 
-          if os.path.dirname(x.pw_dir) == XO_USER_HOME ]
-
-for user in users:
-    #if for some reason the user's name isn't already a group (e.g.,
-    #they were created with `usermod -g some-other-group`.
-    try:
-        group = grp.getgrnam(user.pw_name)
-    except KeyError, e:
-        print >> sys.stderr, e
-        result = subprocess.call(['groupadd', user.pw_name])
-        if result:
-            raise RuntimeError("couldn't add %s group" % XO_USER_GROUP)
-    
-    result = subprocess.call(['usermod', '-g', user.pw_name, '-G', XO_USER_GROUP,
-                              '-s', RSSH_PATH, user.pw_name])
-    if result:
-        raise RuntimeError("couldn't change group for user %s (out of %s)" 
-                           % (user.pw_name, users))
-
diff --git a/conf.schoolserver/update_users_0_to_1.py
b/conf.schoolserver/update_users_0_to_1.py
new file mode 100755
index 0000000..f199b80
--- /dev/null
+++ b/conf.schoolserver/update_users_0_to_1.py
@@ -0,0 +1,68 @@
+#!/usr/bin/python
+#
+# update_users.py
+#
+# In the past, when an XO user registered, they were given their own
+# group and no more.  Now we want them to all be in the same group
+# because it makes the management of restricted ssh access (and
+# possibly other things) easier.  
+
+#The group we are using is "xousers", and we're finding the XO users
+# by the location of their home directories.
+
+
+import os
+import sys
+import pwd, grp
+import subprocess
+
+XO_USER_HOME = '/library/users'
+XO_USER_GROUP = 'xousers'
+RSSH_PATH = '/usr/bin/rssh'
+
+# first, make sure the group is there
+# much like `getent group xousers || groupadd xousers`
+try:
+    group = grp.getgrnam(XO_USER_GROUP)
+except KeyError, e:
+    print >> sys.stderr, e
+    result = subprocess.call(['groupadd', XO_USER_GROUP])
+    if result:
+        raise RuntimeError("couldn't add %s group" % XO_USER_GROUP)
+
+# just make sure the rssh executable is there
+if not os.access(RSSH_PATH, os.F_OK | os.R_OK | os.X_OK):
+    raise RuntimeError("%s seems to be missing or otherwise inaccessable" %
RSSH_PATH)
+    
+
+# now find each user who has a /library/users/* home directory and try
+# to change their group.
+# Execution will stop when one fails BUT any users who's groups have
+# been changed will not be changed back.
+
+users = [ x for x in pwd.getpwall() 
+          if os.path.dirname(x.pw_dir) == XO_USER_HOME ]
+
+for user in users:
+    #if for some reason the user's name isn't already a group (e.g.,
+    #they were created with `usermod -g some-other-group`.
+    try:
+        group = grp.getgrnam(user.pw_name)
+    except KeyError, e:
+        print >> sys.stderr, e
+        result = subprocess.call(['groupadd', user.pw_name])
+        if result:
+            raise RuntimeError("couldn't add %s group" % XO_USER_GROUP)
+    
+    result = subprocess.call(['usermod', '-g', user.pw_name, '-G', XO_USER_GROUP,
+                              '-s', RSSH_PATH, user.pw_name])
+    if result:
+        raise RuntimeError("couldn't change group for user %s (out of %s)" 
+                           % (user.pw_name, users))
+
+    # remove the user's password.
+    result = subprocess.call(['passwd', '-d', user.pw_name])
+    if result:
+        raise RuntimeError("couldn't remove password for user %s (out of %s)" 
+                           % (user.pw_name, users))
+
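Review bot: `passwd -d` in the added block leaves each migrated account with an empty password field rather than a locked one, so whether those accounts accept a password-less login then depends on the PAM (`nullok`) and sshd (`PermitEmptyPasswords`) settings. Accounts that create_user makes after this patch get no password from `useradd`, which by default leaves the password disabled; locking here would put migrated accounts in the same state: `result = subprocess.call(['passwd', '-l', user.pw_name])`. If these users log in with keys through sshd without PAM, confirm that a locked entry does not block them. Separately, the header comment still names `update_users.py`, and the per-user `groupadd` failure message formats `XO_USER_GROUP` where `user.pw_name` is the group that failed.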
diff --git a/idmgr.spec b/idmgr.spec
index bc00da0..b405560 100644
--- a/idmgr.spec
+++ b/idmgr.spec
@@ -3,8 +3,8 @@
 
 Summary: XS Registration Manager
 Name: idmgr
-Version: 0.1.1
-Release: 2
+Version: 0.1.2
+Release: 3
 License: GPL
 Group: Base System/System Tools
 URL: http://dev.laptop.org/git.do?p=projects/idmgr;a=summary
@@ -45,12 +45,17 @@ chmod a+x /home/idmgr/idmgr/server.py*
 if [ ! -r /home/idmgr/identity.db ] ; then
    /home/idmgr/create_registration
 fi
+
+if [ ! -r /home/idmgr/storage_format_version ] || \
+   [ `cat /home/idmgr/storage_format_version` == 0 ] ; then
+   # Existing users might not be in the xousers group. Fix that. 
+   /home/idmgr/update_users_0_to_1.py
+   echo 1 > /home/idmgr/storage_format_version
+fi
+
 /sbin/chkconfig --add idmgr
 /sbin/service idmgr condrestart
 
-# Existing users might not be in the xousers group. Fix that. 
-/home/idmgr/update_users.py
-
 %preun
 if [ $1 -eq 0 ]; then
     /sbin/service idmgr stop &>/dev/null || :
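Review bot: The added `%post` block writes `1` to `storage_format_version` even when `update_users_0_to_1.py` exits non-zero, and that script stops at the first user it cannot change, so a partial failure would leave the remaining accounts with their old passwords and the migration would never be retried. Chaining the two keeps the marker accurate: `/home/idmgr/update_users_0_to_1.py && echo 1 > /home/idmgr/storage_format_version`. The version test is also unquoted and uses `==`, so an empty file makes `[` fail with a syntax error; `[ "$(cat /home/idmgr/storage_format_version)" = 0 ]` makes the comparison well-defined. The scriptlet begins above the hunk.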
@@ -74,7 +79,9 @@ rm -rf $RPM_BUILD_ROOT
 /etc/idmgr.conf
 /home/idmgr/create_registration
 /home/idmgr/create_user
-/home/idmgr/update_users.py
+/home/idmgr/update_users_0_to_1.py
+/home/idmgr/update_users_0_to_1.pyo
+/home/idmgr/update_users_0_to_1.pyc
 /home/idmgr/idmgr/CONFIG.py
 /home/idmgr/idmgr/CONFIG.pyc
 /home/idmgr/idmgr/CONFIG.pyo


