From 1413006b5b3bbb80ff017c2a966454e530c0e9aa Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 10 Jul 2018 18:32:20 +0100
Subject: [PATCH] aws: Create "setup" user to run setup

Amazon does not permit that a user logs in as root directly. Instead they insist on using sudo.

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/setup | 2 ++
 src/initscripts/helper/aws-setup | 32 ++++++++++++++++++++------------
 src/setup/Makefile.am | 8 ++++++++
 src/setup/run-setup | 4 ++++
 src/setup/sudo/setup | 2 ++
 5 files changed, 36 insertions(+), 12 deletions(-)
 create mode 100644 src/setup/run-setup
 create mode 100644 src/setup/sudo/setup

diff --git a/config/rootfiles/common/setup b/config/rootfiles/common/setup
index c5bd361a55..5da99c1cf8 100644
--- a/config/rootfiles/common/setup
+++ b/config/rootfiles/common/setup
@@ -1,4 +1,6 @@
+etc/sudoers.d/setup
 usr/bin/probenic.sh
+usr/bin/run-setup
 usr/sbin/setup
 usr/share/locale/ar/LC_MESSAGES/setup.mo
 usr/share/locale/ca/LC_MESSAGES/setup.mo
diff --git a/src/initscripts/helper/aws-setup b/src/initscripts/helper/aws-setup
index f4ec45d902..0ae727c3ff 100644
--- a/src/initscripts/helper/aws-setup
+++ b/src/initscripts/helper/aws-setup
@@ -84,19 +84,27 @@ import_aws_configuration() {
 echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings
 fi
 
- # Import SSH keys
- local line
- for line in $(get "public-keys/"); do
- local key_no="${line%=*}"
-
- local key="$(get public-keys/${key_no}/openssh-key)"
- if [ -n "${key}" ] && ! grep -q "^${key}$" /root/.ssh/authorized_keys 2>/dev/null; then
- mkdir -p /root/.ssh
- chmod 700 /root/.ssh
+ # Create setup user
+ if ! getent passwd setup &>/dev/null; then
+ useradd -r setup -s /usr/bin/run-setup -g nobody -m
+ fi
 
- echo "${key}" >> /root/.ssh/authorized_keys
- chmod 600 /root/.ssh/authorized_keys
- fi
+ # Import SSH keys
+ local user
+ for user in /root /home/setup; do
+ local line
+ for line in $(get "public-keys/"); do
+ local key_no="${line%=*}"
+
+ local key="$(get public-keys/${key_no}/openssh-key)"
+ if [ -n "${key}" ] && ! grep -q "^${key}$" "${user}/.ssh/authorized_keys" 2>/dev/null; then
+ mkdir -p "${user}/.ssh"
+ chmod 700 "${user}/.ssh"
+
+ echo "${key}" >> "${user}/.ssh/authorized_keys"
+ chmod 600 "${user}/.ssh/authorized_keys"
+ fi
+ done
 done
 
 # Import any DNS server settings
diff --git a/src/setup/Makefile.am b/src/setup/Makefile.am
index 0ead631954..b06d20bf16 100644
--- a/src/setup/Makefile.am
+++ b/src/setup/Makefile.am
@@ -25,11 +25,16 @@ AM_CFLAGS = $(OUR_CFLAGS) AM_CXXFLAGS = $(OUR_CXXFLAGS) AM_LDFLAGS = $(OUR_LDFLAGS) +sudodir = /etc/sudoers.d + bin_SCRIPTS = sbin_PROGRAMS = #- setup ----------------------------------------------------------------------- +bin_SCRIPTS += \ + run-setup + sbin_PROGRAMS += \ setup
@@ -56,3 +61,6 @@ setup_LDADD = \ bin_SCRIPTS += \ probenic.sh + +sudo_DATA = \ + sudo/setup
diff --git a/src/setup/run-setup b/src/setup/run-setup
new file mode 100644
index 0000000000..07b04cf438
--- /dev/null
+++ b/src/setup/run-setup
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Runs setup and tries to gain root privileges
+exec sudo setup
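Review bot: The duplicate check on the `if [ -n "${key}" ] && ! grep -q "^${key}$" …` line treats a key fetched from the instance metadata as a regular expression rather than a literal line; `grep -qxF -- "${key}" "${user}/.ssh/authorized_keys"` compares whole lines literally and also protects against a pattern starting with `-`. The listing `get "public-keys/"` and every individual key are re-fetched for each entry of `for user in /root /home/setup`, so the metadata service is queried twice for the same data; collecting the keys once into an array and then writing them per account avoids that and keeps both accounts identical. For /home/setup the `.ssh` directory and authorized_keys are created by root and stay root-owned; sshd accepts that, but if it is intended that the setup account cannot alter its own keys, a comment such as `# Files stay root-owned on purpose: the setup account must not be able to change its authorized keys` would make it explicit. import_aws_configuration begins before this hunk and `get` is defined elsewhere in the file, so the output format relied on by `for line in $(get "public-keys/")` is not visible here.
```shell
	# … unchanged: setup user creation …

	# Import SSH keys: fetch the list once, then install it for every account
	local keys=()
	local line
	for line in $(get "public-keys/"); do
		local key_no="${line%=*}"
		local key="$(get public-keys/${key_no}/openssh-key)"
		if [ -n "${key}" ]; then
			keys+=("${key}")
		fi
	done

	local user
	for user in /root /home/setup; do
		for key in "${keys[@]}"; do
			# Literal whole-line match so the key is never interpreted as a pattern
			if ! grep -qxF -- "${key}" "${user}/.ssh/authorized_keys" 2>/dev/null; then
				mkdir -p "${user}/.ssh"
				chmod 700 "${user}/.ssh"

				echo "${key}" >> "${user}/.ssh/authorized_keys"
				chmod 600 "${user}/.ssh/authorized_keys"
			fi
		done
	done
```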
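Review bot: `exec sudo setup` resolves `setup` through PATH (or sudo's secure_path, if configured) while the sudoers entry added in src/setup/sudo/setup permits only `/usr/sbin/setup`; `exec sudo /usr/sbin/setup` makes the invocation match the rule regardless of the caller's PATH. Because this script is installed as the login shell of the setup account (`useradd … -s /usr/bin/run-setup` in src/initscripts/helper/aws-setup), sshd runs it as `run-setup -c <command>` for `ssh setup@host <command>`, scp or sftp, and those arguments are silently discarded here; that is presumably intended, but deserves a line such as `# Login shell of the "setup" account: arguments (e.g. sshd's -c <command>) are ignored, setup is always started.` If sudo denies the command the exec fails and the session ends, which is the right outcome for a restricted shell.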
diff --git a/src/setup/sudo/setup b/src/setup/sudo/setup
new file mode 100644
index 0000000000..a3bbd7b628
--- /dev/null
+++ b/src/setup/sudo/setup
@@ -0,0 +1,2 @@
+# The setup is allowed to run the setup command
+setup ALL=(ALL) NOPASSWD: /usr/sbin/setup
--
2.39.2
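Review bot: The rule `setup ALL=(ALL) NOPASSWD: /usr/sbin/setup` lets the setup account run the program as any target user and with arbitrary arguments, although src/setup/run-setup only ever needs it as root with no arguments; `setup ALL=(root) NOPASSWD: /usr/sbin/setup ""` restricts it to exactly that (the trailing `""` forbids arguments — keep it only if setup takes none, which is not visible here). The file is installed through `sudo_DATA` in src/setup/Makefile.am, which uses automake's default 0644 for data files, whereas sudo expects sudoers fragments to be root-owned and mode 0440; installing it with an explicit 0440 and checking with `visudo -cf` after install avoids a warning or a rejected file, depending on the sudo version. The comment `# The setup is allowed to run the setup command` reads as if it referred to the program; `# The "setup" account may run the setup program as root without a password` says what the rule grants.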