Commit d7f33445 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Change to elabman handling, to setup an account that we can use for

helping remote sites setup and update.

* Added a V2 (DSA) key to the install directory that us inserted into
  the pubkeys table for the elabman. This key is encrypted and stored in
  /root/.ssh/elabman_dsa on Utah's boss.

* elabman now starts out as webonly=0,status='active' with a real
  shell on both boss and ops.

* freeze/thaw user now treat elabman as special, giving elabman a real
  account on boss and ops when thawed.

* Added a "notes" entry to the user profile that indicates the account
  can be frozen once the remote emulab is up and running.
parent 5a0de1d0
...@@ -699,7 +699,7 @@ sub UpdateUser(;$) ...@@ -699,7 +699,7 @@ sub UpdateUser(;$)
} }
# Shell is different on local vs control node. # Shell is different on local vs control node.
if ((defined($freezeopt) && $freezeopt) || $user eq $PROTOUSER) { if (defined($freezeopt) && $freezeopt) {
$locshellarg = "-s $NOLOGIN"; $locshellarg = "-s $NOLOGIN";
$remshellarg = "-s $NOLOGIN"; $remshellarg = "-s $NOLOGIN";
} }
...@@ -707,6 +707,9 @@ sub UpdateUser(;$) ...@@ -707,6 +707,9 @@ sub UpdateUser(;$)
# Leave local shell alone if an admin. # Leave local shell alone if an admin.
$locshellarg = "-s $PBAG" $locshellarg = "-s $PBAG"
if (!$usr_admin); if (!$usr_admin);
# Special treatment for PROTUSER
$locshellarg = "-s " . $shellpaths{"tcsh"} . " "
if ($usr_admin && $user eq $PROTOUSER);
if (!defined($usr_shell) || if (!defined($usr_shell) ||
!exists($shellpaths{$usr_shell})) { !exists($shellpaths{$usr_shell})) {
......
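Review bot: The new assignment in the second hunk hard-codes `$shellpaths{"tcsh"}` for $PROTOUSER, duplicating the `$protouser_shell = 'tcsh'` literal that firstuser writes into the users table; if either side is changed the password-file shell and the DB record diverge without any warning. Unless `$usr_shell` is unusable at this point, `$shellpaths{$usr_shell}` would tie the two together, though the fallback check immediately after this hunk suggests `$usr_shell` may still be undefined here, so that needs confirming before switching. The comment has a typo (`PROTUSER`) and the string ends in a stray space; `# Special treatment for PROTOUSER: keep a real login shell on boss.` and `$locshellarg = "-s " . $shellpaths{"tcsh"}` would clean both up. UpdateUser begins and ends outside the hunks shown.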
...@@ -95,6 +95,8 @@ my $SYSLOG_CONF = "/etc/syslog.conf"; ...@@ -95,6 +95,8 @@ my $SYSLOG_CONF = "/etc/syslog.conf";
my $NEWSYSLOG_CONF = "/etc/newsyslog.conf"; my $NEWSYSLOG_CONF = "/etc/newsyslog.conf";
my $INETD_CONF = "/etc/inetd.conf"; my $INETD_CONF = "/etc/inetd.conf";
my $PROTOUSER = "elabman";
my $PROTOUSER_KEY = "$TOP_SRCDIR/install/elabman_dsa.pub";
my $ROOT_PRIVKEY = "/root/.ssh/id_rsa"; my $ROOT_PRIVKEY = "/root/.ssh/id_rsa";
my $ROOT_PUBKEY = "$ROOT_PRIVKEY.pub"; my $ROOT_PUBKEY = "$ROOT_PRIVKEY.pub";
my $ROOT_AUTHKEY = "/root/.ssh/authorized_keys"; my $ROOT_AUTHKEY = "/root/.ssh/authorized_keys";
...@@ -110,6 +112,8 @@ my $DHCPD_MAKECONF = "$PREFIX/sbin/dhcpd_makeconf"; ...@@ -110,6 +112,8 @@ my $DHCPD_MAKECONF = "$PREFIX/sbin/dhcpd_makeconf";
my $BATCHEXP = "$PREFIX/bin/batchexp"; my $BATCHEXP = "$PREFIX/bin/batchexp";
my $WAP = "$PREFIX/sbin/withadminprivs"; my $WAP = "$PREFIX/sbin/withadminprivs";
my $NAMED_SETUP = "$PREFIX/sbin/named_setup"; my $NAMED_SETUP = "$PREFIX/sbin/named_setup";
my $ADDPUBKEY = "$PREFIX/sbin/addpubkey";
my $TBACCT = "$PREFIX/sbin/tbacct";
my $CRACKLIB_DICT = "/usr/local/lib/pw_dict.pwd"; my $CRACKLIB_DICT = "/usr/local/lib/pw_dict.pwd";
...@@ -310,6 +314,8 @@ if ($UID != 0) { ...@@ -310,6 +314,8 @@ if ($UID != 0) {
die "This script must be run as root.\n"; die "This script must be run as root.\n";
} }
goto skipall;
Phase "usersgroups", "Creating users and groups", sub { Phase "usersgroups", "Creating users and groups", sub {
Phase "tbadmin", "Creating tbadmin group", sub { Phase "tbadmin", "Creating tbadmin group", sub {
if (getgrnam("tbadmin")) { if (getgrnam("tbadmin")) {
...@@ -1195,13 +1201,64 @@ if ($BUGDBSUPPORT) { ...@@ -1195,13 +1201,64 @@ if ($BUGDBSUPPORT) {
}; };
} }
Phase "firstuser", "Setting up initial user (elabman)", sub { skipall:
PhaseSkip("elabman already created")
if (-d "$USERROOT/elabman"); Phase "firstuser", "Setting up initial user ($PROTOUSER)", sub {
ExecQuietFatal("perl $TOP_OBJDIR/utils/firstuser -b ". Phase "firstuser", "Calling 'firstuser' to create account", sub {
(defined($password) ? " -p $password" : "")); PhaseSkip("$PROTOUSER already created")
if (-d "$USERROOT/$PROTOUSER");
ExecQuietFatal("perl $TOP_OBJDIR/utils/firstuser -b ".
(defined($password) ? " -p $password" : ""));
};
Phase "Fixing", "Fixing up DB state for $PROTOUSER", sub {
my ($exitval, @rows) =
ExecQuiet("echo 'select uid from users ".
" where uid=\"$PROTOUSER\" and webonly=0' ".
"| $MYSQL -s $DBNAME");
if ($exitval) {
PhaseFail("Error running query");
}
if (scalar @rows) {
PhaseSkip("Already done");
}
ExecQuietFatal("echo 'update users set webonly=0 ".
" where uid=\"$PROTOUSER\"' | $MYSQL -s $DBNAME");
};
Phase "Thawing", "Thawing $PROTOUSER", sub {
my ($exitval, @rows) =
ExecQuiet("echo 'select uid from users ".
" where uid=\"$PROTOUSER\" and status=\"active\"' ".
"| $MYSQL -s $DBNAME");
if ($exitval) {
PhaseFail("Error running query");
}
if (scalar @rows) {
PhaseSkip("Already done");
}
ExecQuietFatal("echo 'update users set status=\"active\" ".
" where uid=\"$PROTOUSER\"' | $MYSQL -s $DBNAME");
ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $TBACCT -b thaw $PROTOUSER");
};
Phase "DSAKey", "Adding DSA key to $PROTOUSER account", sub {
my ($exitval, @rows) =
ExecQuiet("echo 'select * from user_pubkeys ".
" where uid=\"$PROTOUSER\"' | $MYSQL -s $DBNAME");
if ($exitval) {
PhaseFail("Error running query");
}
if (scalar @rows) {
PhaseSkip("Already done");
}
ExecQuietFatal("$SUDO -u $PROTOUSER $WAP ".
" $ADDPUBKEY -f -u $PROTOUSER $PROTOUSER_KEY");
};
Phase "authkeys", "Generating authorized_keys for $PROTOUSER", sub {
ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $ADDPUBKEY -w $PROTOUSER");
};
}; };
exit(0);
Phase "chkupuser", "Setting up checkup user (elabckup)", sub { Phase "chkupuser", "Setting up checkup user (elabckup)", sub {
PhaseSkip("elabckup already created") PhaseSkip("elabckup already created")
if (-d "$USERROOT/elabckup"); if (-d "$USERROOT/elabckup");
...@@ -1219,7 +1276,7 @@ Phase "experiments", "Setting up system experiments", sub { ...@@ -1219,7 +1276,7 @@ Phase "experiments", "Setting up system experiments", sub {
Phase "$pid/$eid", "$pid/$eid", sub { Phase "$pid/$eid", "$pid/$eid", sub {
PhaseSkip("Experiment Created") PhaseSkip("Experiment Created")
if (-d "$PROJROOT/$pid/exp/$eid"); if (-d "$PROJROOT/$pid/exp/$eid");
ExecQuietFatal("$SUDO -u elabman $WAP $BATCHEXP ". ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $BATCHEXP ".
" -q -i -w -f -n -S 'System Experiment' ". " -q -i -w -f -n -S 'System Experiment' ".
" -L 'System Experiment' ". " -L 'System Experiment' ".
" -E '$desc - DO NOT DELETE' ". " -E '$desc - DO NOT DELETE' ".
......
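Review bot: `goto skipall;` at the top of the phase list (third hunk) and `exit(0);` after the new firstuser block (fourth hunk) read as debugging scaffolding left in: as committed, boss-install unconditionally jumps past every phase from usersgroups through the bugdb section and stops before chkupuser and the system experiments ever run. All three lines, `goto skipall;`, `skipall:` and `exit(0);`, should be removed before this ships. The new Fixing/Thawing/DSAKey phases check state by piping literal SQL through `$MYSQL`; `$PROTOUSER` is a fixed literal in this file so that is safe today, but a comment such as `# $PROTOUSER is interpolated into shell and SQL here; it must stay a compile-time literal` would stop a later parameterisation from quietly turning these into injection points. The Thawing phase gives the account a login shell and DSAKey installs a key whose private half the commit message says is held off-site, which is worth stating in a comment on the DSAKey phase so an operator reading the installer understands why that key lands in elabman's authorized_keys.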
ssh-dss AAAAB3NzaC1kc3MAAACBALZW2gdjByaRsaohoN9tV/xCl+hRpAvwgsvTq60xXpZZDFP2EUI+L+k7RH3vDeEza8jQl9xoNb/Jj+olVWhrg8hlNCAXvzqt+b7AsuclAWIzsSi//AaEhg5onumDgeq2nvwJYYgjEeYw7lWQfThnN7FOV2TqDXLlnGU39FtTg2pnAAAAFQDSckd+7/wBEIsAmuXIMBOd+zfEsQAAAIB/FksTXKNymz/FulhYa9RbcRXSPYvPi74CuV42vxOtT1iLH8L2WA93HoOM4RXzI/ybMAd/ihcrpp4Cb3fUklrvL3sGZfnn2AxGAMXEnaGCmNBDxiCgIgs0xWiIuxrCEWFDEvqanHnjL5O5e38g8AoouqlwdbiFIgLClVkSyWQcZQAAAIBEvmLTh+Suzh9pFSvcBqJ/duuvYGzgd0J27+KhMVBIdLpsnPBx7baaSiyL999s0cpySf+LlVGI73j61BSPOAD+YHem56pM+ZG4A6Q1yrCZ2jsGCBYA71AT/5q8u2XfNMXRz3P09huarj9oZVl6mIVfrflkf7X1w+n2M5hEHhtGag== elabman@emulab.net
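Review bot: The public key is added with nothing alongside it describing what it is for or who holds the private half; the commit message says it is kept on Utah's boss for remote support, and that fact belongs next to the key file (a one-line README in install/ or a comment in the boss-install phase that consumes it) rather than only in the commit log. The key is ssh-dss, which OpenSSH generates only at a fixed 1024-bit size; the surrounding install code already uses RSA for `$ROOT_PRIVKEY`, so an RSA key would be the stronger and more consistent choice for an account that ends up with admin privileges on every site that runs this installer.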
...@@ -31,14 +31,14 @@ my $protouser = 'elabman'; ...@@ -31,14 +31,14 @@ my $protouser = 'elabman';
my $protouser_name = 'Emulab Manager'; my $protouser_name = 'Emulab Manager';
my $protouser_email = '@TBOPSEMAIL@'; my $protouser_email = '@TBOPSEMAIL@';
my $protouser_shell = 'tcsh'; my $protouser_shell = 'tcsh';
my $protouser_notes = "DO NOT DELETE THIS ACCOUNT!";
my $HOMEDIR = USERROOT(); my $HOMEDIR = USERROOT();
my $protoproj = 'emulab-ops'; my $protoproj = 'emulab-ops';
my $protoproj_desc = 'Operations Meta-Project'; my $protoproj_desc = 'Operations Meta-Project';
my $batchmode = 0; my $batchmode = 0;
my $webonly = 1;
my $uid_idx = 1; # Initial IDX for protouser.
my $pid_idx = 1; # Initial IDX for protoproj. my $pid_idx = 1; # Initial IDX for protoproj.
my $trust = "project_root"; my $trust = "project_root";
my $binshell = "/bin/nologin";
my $password; my $password;
my $encpass; my $encpass;
my %opts; my %opts;
...@@ -65,7 +65,6 @@ if (defined($opts{p})) { ...@@ -65,7 +65,6 @@ if (defined($opts{p})) {
} }
if (defined($opts{u})) { if (defined($opts{u})) {
$protouser = $opts{u}; $protouser = $opts{u};
$webonly = 0;
$trust = "local_root"; $trust = "local_root";
} }
if (defined($opts{n})) { if (defined($opts{n})) {
...@@ -151,10 +150,20 @@ if (!$batchmode) { ...@@ -151,10 +150,20 @@ if (!$batchmode) {
} }
} }
# Initial protouser gets a real shell until actively frozen later.
# Also setup a notes entry.
if (!defined($opts{u})) {
$binshell = "/bin/tcsh";
$protouser_notes = "This account can be frozen after your Emulab ".
"is fully setup and running. DO NOT DELETE THIS ACCOUNT!";
}
print "Creating user on boss...\n"; print "Creating user on boss...\n";
if (system "/usr/sbin/pw useradd $protouser -u $uid -g $agid -G \"$Ggid\" -h - " . if (system("/usr/sbin/pw useradd $protouser -u $uid -g $agid ".
"-m -d $HOMEDIR/$protouser -s /bin/nologin -c \"$protouser_name\"\n") { "-G \"$Ggid\" -h - " .
die "Unable to add user to the password file!\n"; "-m -d $HOMEDIR/$protouser -s $binshell ".
"-c \"$protouser_name\"")) {
die "Unable to add user to the password file!\n";
} }
if ($CONTROL ne $BOSSNODE) { if ($CONTROL ne $BOSSNODE) {
...@@ -162,7 +171,7 @@ if ($CONTROL ne $BOSSNODE) { ...@@ -162,7 +171,7 @@ if ($CONTROL ne $BOSSNODE) {
if (system("ssh $CONTROL ". if (system("ssh $CONTROL ".
"'/usr/sbin/pw useradd $protouser -u $uid -g $agid ". "'/usr/sbin/pw useradd $protouser -u $uid -g $agid ".
"-G \"$Ggid\" -h - -d $HOMEDIR/$protouser -s /bin/nologin ". "-G \"$Ggid\" -h - -d $HOMEDIR/$protouser -s $binshell ".
"-c \"$protouser_name\"'")) { "-c \"$protouser_name\"'")) {
die "Unable to add user to the ops password file!\n"; die "Unable to add user to the ops password file!\n";
} }
...@@ -173,10 +182,12 @@ DBQueryFatal("replace into emulab_indicies set name='next_uid',idx=$uid+1"); ...@@ -173,10 +182,12 @@ DBQueryFatal("replace into emulab_indicies set name='next_uid',idx=$uid+1");
print "Creating user in database...\n"; print "Creating user in database...\n";
DBQueryFatal("insert into users set uid='$protouser', usr_created=now(), " . DBQueryFatal("insert into users set uid='$protouser', usr_created=now(), " .
"usr_name='$protouser_name', usr_pswd='$encpass', unix_uid=$uid, ". "usr_name='$protouser_name', ".
"usr_modified=now(), admin=1, webonly=$webonly, status='active', ". "usr_addr='DO NOT DELETE THIS ACCOUNT', ".
"usr_shell='$protouser_shell', usr_email='$protouser_email', ". "usr_pswd='$encpass', unix_uid=$uid, notes='$protouser_notes', ".
"mailman_password='$mailman_password',uid_idx=$uid"); "usr_modified=now(), admin=1, webonly=0, status='active',".
"usr_shell='$protouser_shell', usr_email='$protouser_email', ".
"mailman_password='$mailman_password',uid_idx=$uid");
DBQueryFatal("insert into user_stats set uid='$protouser',uid_idx=$uid"); DBQueryFatal("insert into user_stats set uid='$protouser',uid_idx=$uid");
if (!defined($opts{u})) { if (!defined($opts{u})) {
......
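Review bot: The rewrapped `system(...)` call for `pw useradd` (the `$binshell` hunk) still hands one interpolated string to the shell, and `$protouser` can come from the `-u` option; the list form `system('/usr/sbin/pw', 'useradd', $protouser, '-u', $uid, '-g', $agid, '-G', $Ggid, '-h', '-', '-m', '-d', "$HOMEDIR/$protouser", '-s', $binshell, '-c', $protouser_name)` avoids the shell entirely. The ssh variant in the next hunk necessarily runs through a remote shell, so `$opts{u}` should be validated where it is read, e.g. `die "Bad user name\n" unless $opts{u} =~ /\A[a-z][a-z0-9_-]*\z/;` (constructed example pattern), and the checked value then also feeds the SQL statements below. The new `$protouser_notes` and the hard-coded `usr_addr` text are interpolated into the `insert into users` statement inside single quotes; neither contains a quote character today, but a comment `# notes/name are interpolated into SQL unescaped -- keep them free of quote characters` would keep the next edit from breaking the statement. The `/bin/tcsh` override repeats the shell name already held in `$protouser_shell`; `$binshell = "/bin/$protouser_shell";` keeps the password-file shell and the DB's `usr_shell` from drifting apart.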
...@@ -263,12 +263,6 @@ elseif (strcmp($approval, "approve") == 0) { ...@@ -263,12 +263,6 @@ elseif (strcmp($approval, "approve") == 0) {
using the account you just using the account you just
created so that you can continue setting up your new Emulab! created so that you can continue setting up your new Emulab!
</font><br>\n"; </font><br>\n";
#
# Freeze the initial user.
#
DBQueryFatal("update users set ".
" status='" . TBDB_USERSTATUS_FROZEN . "' ".
"where uid='$FIRSTUSER'");
# #
# Move to next phase. # Move to next phase.
......