Commit d7f33445 authored by Leigh Stoller's avatar Leigh Stoller

Change to elabman handling, to setup an account that we can use for

helping remote sites setup and update.

* Added a V2 (DSA) key to the install directory that is inserted into
  the pubkeys table for the elabman. This key is encrypted and stored in
  /root/.ssh/elabman_dsa on Utah's boss.

* elabman now starts out as webonly=0,status='active' with a real
  shell on both boss and ops.

* freeze/thaw user now treat elabman as special, giving elabman a real
  account on boss and ops when thawed.

* Addeda "notes" entry to the user profile that indicates the account
  can be frozen once the remote emulab is up and running.
parent 5a0de1d0
......@@ -699,7 +699,7 @@ sub UpdateUser(;$)
}
# Shell is different on local vs control node.
if ((defined($freezeopt) && $freezeopt) || $user eq $PROTOUSER) {
if (defined($freezeopt) && $freezeopt) {
$locshellarg = "-s $NOLOGIN";
$remshellarg = "-s $NOLOGIN";
}
......@@ -707,6 +707,9 @@ sub UpdateUser(;$)
# Leave local shell alone if an admin.
$locshellarg = "-s $PBAG"
if (!$usr_admin);
# Special treatment for PROTUSER
$locshellarg = "-s " . $shellpaths{"tcsh"} . " "
if ($usr_admin && $user eq $PROTOUSER);
if (!defined($usr_shell) ||
!exists($shellpaths{$usr_shell})) {
......
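Review bot: The shell chosen for the proto user at `$locshellarg = "-s " . $shellpaths{"tcsh"} . " "` is hard-coded rather than looked up from the stored `usr_shell` the way the generic path right below does with `exists($shellpaths{$usr_shell})`, so a later change of elabman's shell in the DB would be silently ignored on boss; if a fixed tcsh is intended, a short comment saying why would help. The trailing space inside that string differs from the `-s $PBAG` form two lines above and looks accidental. The comment `# Special treatment for PROTUSER` presumably means `PROTOUSER`. UpdateUser begins and ends outside the hunk, so how `$locshellarg` is consumed afterwards cannot be checked here.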
......@@ -95,6 +95,8 @@ my $SYSLOG_CONF = "/etc/syslog.conf";
my $NEWSYSLOG_CONF = "/etc/newsyslog.conf";
my $INETD_CONF = "/etc/inetd.conf";
my $PROTOUSER = "elabman";
my $PROTOUSER_KEY = "$TOP_SRCDIR/install/elabman_dsa.pub";
my $ROOT_PRIVKEY = "/root/.ssh/id_rsa";
my $ROOT_PUBKEY = "$ROOT_PRIVKEY.pub";
my $ROOT_AUTHKEY = "/root/.ssh/authorized_keys";
......@@ -110,6 +112,8 @@ my $DHCPD_MAKECONF = "$PREFIX/sbin/dhcpd_makeconf";
my $BATCHEXP = "$PREFIX/bin/batchexp";
my $WAP = "$PREFIX/sbin/withadminprivs";
my $NAMED_SETUP = "$PREFIX/sbin/named_setup";
my $ADDPUBKEY = "$PREFIX/sbin/addpubkey";
my $TBACCT = "$PREFIX/sbin/tbacct";
my $CRACKLIB_DICT = "/usr/local/lib/pw_dict.pwd";
......@@ -310,6 +314,8 @@ if ($UID != 0) {
die "This script must be run as root.\n";
}
goto skipall;
Phase "usersgroups", "Creating users and groups", sub {
Phase "tbadmin", "Creating tbadmin group", sub {
if (getgrnam("tbadmin")) {
......@@ -1195,13 +1201,64 @@ if ($BUGDBSUPPORT) {
};
}
Phase "firstuser", "Setting up initial user (elabman)", sub {
PhaseSkip("elabman already created")
if (-d "$USERROOT/elabman");
ExecQuietFatal("perl $TOP_OBJDIR/utils/firstuser -b ".
(defined($password) ? " -p $password" : ""));
skipall:
Phase "firstuser", "Setting up initial user ($PROTOUSER)", sub {
Phase "firstuser", "Calling 'firstuser' to create account", sub {
PhaseSkip("$PROTOUSER already created")
if (-d "$USERROOT/$PROTOUSER");
ExecQuietFatal("perl $TOP_OBJDIR/utils/firstuser -b ".
(defined($password) ? " -p $password" : ""));
};
Phase "Fixing", "Fixing up DB state for $PROTOUSER", sub {
my ($exitval, @rows) =
ExecQuiet("echo 'select uid from users ".
" where uid=\"$PROTOUSER\" and webonly=0' ".
"| $MYSQL -s $DBNAME");
if ($exitval) {
PhaseFail("Error running query");
}
if (scalar @rows) {
PhaseSkip("Already done");
}
ExecQuietFatal("echo 'update users set webonly=0 ".
" where uid=\"$PROTOUSER\"' | $MYSQL -s $DBNAME");
};
Phase "Thawing", "Thawing $PROTOUSER", sub {
my ($exitval, @rows) =
ExecQuiet("echo 'select uid from users ".
" where uid=\"$PROTOUSER\" and status=\"active\"' ".
"| $MYSQL -s $DBNAME");
if ($exitval) {
PhaseFail("Error running query");
}
if (scalar @rows) {
PhaseSkip("Already done");
}
ExecQuietFatal("echo 'update users set status=\"active\" ".
" where uid=\"$PROTOUSER\"' | $MYSQL -s $DBNAME");
ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $TBACCT -b thaw $PROTOUSER");
};
Phase "DSAKey", "Adding DSA key to $PROTOUSER account", sub {
my ($exitval, @rows) =
ExecQuiet("echo 'select * from user_pubkeys ".
" where uid=\"$PROTOUSER\"' | $MYSQL -s $DBNAME");
if ($exitval) {
PhaseFail("Error running query");
}
if (scalar @rows) {
PhaseSkip("Already done");
}
ExecQuietFatal("$SUDO -u $PROTOUSER $WAP ".
" $ADDPUBKEY -f -u $PROTOUSER $PROTOUSER_KEY");
};
Phase "authkeys", "Generating authorized_keys for $PROTOUSER", sub {
ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $ADDPUBKEY -w $PROTOUSER");
};
};
exit(0);
Phase "chkupuser", "Setting up checkup user (elabckup)", sub {
PhaseSkip("elabckup already created")
if (-d "$USERROOT/elabckup");
......@@ -1219,7 +1276,7 @@ Phase "experiments", "Setting up system experiments", sub {
Phase "$pid/$eid", "$pid/$eid", sub {
PhaseSkip("Experiment Created")
if (-d "$PROJROOT/$pid/exp/$eid");
ExecQuietFatal("$SUDO -u elabman $WAP $BATCHEXP ".
ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $BATCHEXP ".
" -q -i -w -f -n -S 'System Experiment' ".
" -L 'System Experiment' ".
" -E '$desc - DO NOT DELETE' ".
......
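Review bot: The `goto skipall;` inserted before the usersgroups Phase, the `skipall:` label in front of the firstuser Phase and the `exit(0);` after it look like debugging scaffolding that was committed: with them in place every phase between the root check and firstuser is bypassed and the script exits before chkupuser and the system experiments, so a fresh install never completes. All three lines should be removed before this lands; the new Fixing, Thawing, DSAKey and authkeys phases are already re-runnable on their own through their `PhaseSkip` checks. It would also help to add a comment on the DSAKey phase stating what installing `$PROTOUSER_KEY` grants — per the commit message, whoever holds the matching private key on Utah's boss gets login to this site's `$PROTOUSER` account once authorized_keys is generated — since that is exactly what a remote operator needs to know when deciding when to freeze the account.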
ssh-dss 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 elabman@emulab.net
......@@ -31,14 +31,14 @@ my $protouser = 'elabman';
my $protouser_name = 'Emulab Manager';
my $protouser_email = '@TBOPSEMAIL@';
my $protouser_shell = 'tcsh';
my $protouser_notes = "DO NOT DELETE THIS ACCOUNT!";
my $HOMEDIR = USERROOT();
my $protoproj = 'emulab-ops';
my $protoproj_desc = 'Operations Meta-Project';
my $batchmode = 0;
my $webonly = 1;
my $uid_idx = 1; # Initial IDX for protouser.
my $pid_idx = 1; # Initial IDX for protoproj.
my $trust = "project_root";
my $binshell = "/bin/nologin";
my $password;
my $encpass;
my %opts;
......@@ -65,7 +65,6 @@ if (defined($opts{p})) {
}
if (defined($opts{u})) {
$protouser = $opts{u};
$webonly = 0;
$trust = "local_root";
}
if (defined($opts{n})) {
......@@ -151,10 +150,20 @@ if (!$batchmode) {
}
}
# Initial protouser gets a real shell until actively frozen later.
# Also setup a notes entry.
if (!defined($opts{u})) {
$binshell = "/bin/tcsh";
$protouser_notes = "This account can be frozen after your Emulab ".
"is fully setup and running. DO NOT DELETE THIS ACCOUNT!";
}
print "Creating user on boss...\n";
if (system "/usr/sbin/pw useradd $protouser -u $uid -g $agid -G \"$Ggid\" -h - " .
"-m -d $HOMEDIR/$protouser -s /bin/nologin -c \"$protouser_name\"\n") {
die "Unable to add user to the password file!\n";
if (system("/usr/sbin/pw useradd $protouser -u $uid -g $agid ".
"-G \"$Ggid\" -h - " .
"-m -d $HOMEDIR/$protouser -s $binshell ".
"-c \"$protouser_name\"")) {
die "Unable to add user to the password file!\n";
}
if ($CONTROL ne $BOSSNODE) {
......@@ -162,7 +171,7 @@ if ($CONTROL ne $BOSSNODE) {
if (system("ssh $CONTROL ".
"'/usr/sbin/pw useradd $protouser -u $uid -g $agid ".
"-G \"$Ggid\" -h - -d $HOMEDIR/$protouser -s /bin/nologin ".
"-G \"$Ggid\" -h - -d $HOMEDIR/$protouser -s $binshell ".
"-c \"$protouser_name\"'")) {
die "Unable to add user to the ops password file!\n";
}
......@@ -173,10 +182,12 @@ DBQueryFatal("replace into emulab_indicies set name='next_uid',idx=$uid+1");
print "Creating user in database...\n";
DBQueryFatal("insert into users set uid='$protouser', usr_created=now(), " .
"usr_name='$protouser_name', usr_pswd='$encpass', unix_uid=$uid, ".
"usr_modified=now(), admin=1, webonly=$webonly, status='active', ".
"usr_shell='$protouser_shell', usr_email='$protouser_email', ".
"mailman_password='$mailman_password',uid_idx=$uid");
"usr_name='$protouser_name', ".
"usr_addr='DO NOT DELETE THIS ACCOUNT', ".
"usr_pswd='$encpass', unix_uid=$uid, notes='$protouser_notes', ".
"usr_modified=now(), admin=1, webonly=0, status='active',".
"usr_shell='$protouser_shell', usr_email='$protouser_email', ".
"mailman_password='$mailman_password',uid_idx=$uid");
DBQueryFatal("insert into user_stats set uid='$protouser',uid_idx=$uid");
if (!defined($opts{u})) {
......
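Review bot: The `-u` path now yields an inconsistent account: the `if (defined($opts{u}))` branch no longer clears `$webonly`, the users insert hardcodes `webonly=0, status='active'` for both paths, but `$binshell` is only switched to `/bin/tcsh` inside `if (!defined($opts{u}))`, so a user created with `-u` is recorded in the DB as a full login account while getting `/bin/nologin` on boss and ops. If that is intended because the shell is fixed up elsewhere, a comment on that block should say so; otherwise set `$binshell` for the `-u` case as well. Since the boss-side `pw useradd` call was rewritten anyway, the list form `system('/usr/sbin/pw', 'useradd', $protouser, ...)` would keep `$protouser` (which comes from `$opts{u}`) and `$protouser_name` out of a shell parse entirely; the ssh variant necessarily runs through the remote shell, so its quoting has to stay.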
......@@ -263,12 +263,6 @@ elseif (strcmp($approval, "approve") == 0) {
using the account you just
created so that you can continue setting up your new Emulab!
</font><br>\n";
#
# Freeze the initial user.
#
DBQueryFatal("update users set ".
" status='" . TBDB_USERSTATUS_FROZEN . "' ".
"where uid='$FIRSTUSER'");
#
# Move to next phase.
......