integ: Convert wrsroot -> sysadmin
This also changes the group wrs_protected to sys_protected to de-brand the user and group names. Depends-On: I887464a20fc17d66529caea03be2b445156f9426 Change-Id: Ic2ea06d3ac15c31854a604af5f4cecf9094fcaea Story: 2004716 Task: 28748 Signed-off-by: Saul Wold <sgw@linux.intel.com>
This commit is contained in:
parent
6ccb588bf8
commit
83c6575d51
@ -25,18 +25,18 @@ d /run/log 0755 root root -
|
|||||||
z /run/log/journal 2755 root systemd-journal - -
|
z /run/log/journal 2755 root systemd-journal - -
|
||||||
Z /run/log/journal/%m ~2750 root systemd-journal - -
|
Z /run/log/journal/%m ~2750 root systemd-journal - -
|
||||||
|
|
||||||
a+ /run/log/journal/%m - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x
|
a+ /run/log/journal/%m - - - - d:group:sys_protected:r-x,d:group:wheel:r-x
|
||||||
A+ /run/log/journal/%m - - - - group:wrs_protected:r-x,group:wheel:r-x
|
A+ /run/log/journal/%m - - - - group:sys_protected:r-x,group:wheel:r-x
|
||||||
|
|
||||||
z /var/log/journal 2755 root systemd-journal - -
|
z /var/log/journal 2755 root systemd-journal - -
|
||||||
z /var/log/journal/%m 2755 root systemd-journal - -
|
z /var/log/journal/%m 2755 root systemd-journal - -
|
||||||
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
|
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
|
||||||
|
|
||||||
a+ /var/log/journal - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x
|
a+ /var/log/journal - - - - d:group:sys_protected:r-x,d:group:wheel:r-x
|
||||||
a+ /var/log/journal - - - - group:wrs_protected:r-x,group:wheel:r-x
|
a+ /var/log/journal - - - - group:sys_protected:r-x,group:wheel:r-x
|
||||||
a+ /var/log/journal/%m - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x
|
a+ /var/log/journal/%m - - - - d:group:sys_protected:r-x,d:group:wheel:r-x
|
||||||
a+ /var/log/journal/%m - - - - group:wrs_protected:r-x,group:wheel:r-x
|
a+ /var/log/journal/%m - - - - group:sys_protected:r-x,group:wheel:r-x
|
||||||
a+ /var/log/journal/%m/system.journal - - - - group:wrs_protected:r--,group:wheel:r--
|
a+ /var/log/journal/%m/system.journal - - - - group:sys_protected:r--,group:wheel:r--
|
||||||
|
|
||||||
d /var/lib/systemd 0755 root root -
|
d /var/lib/systemd 0755 root root -
|
||||||
d /var/lib/systemd/coredump 0755 root root 3d
|
d /var/lib/systemd/coredump 0755 root root 3d
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
COPY_LIST="files/*"
|
COPY_LIST="files/*"
|
||||||
TIS_PATCH_VER=0
|
TIS_PATCH_VER=1
|
||||||
|
@ -12,26 +12,25 @@ Group: base
|
|||||||
Packager: StarlingX
|
Packager: StarlingX
|
||||||
URL: unknown
|
URL: unknown
|
||||||
|
|
||||||
Source0: wrs.sudo
|
Source0: sysadmin.sudo
|
||||||
Source1: LICENSE
|
Source1: LICENSE
|
||||||
|
|
||||||
%define WRSROOT_P cBglipPpsKwBQ
|
%define SYSADMIN_P 4SuW8cnXFyxsk
|
||||||
|
|
||||||
%description
|
%description
|
||||||
StarlingX sudo configuration file
|
StarlingX sudo configuration file
|
||||||
|
|
||||||
%install
|
%install
|
||||||
install -d %{buildroot}/%{_sysconfdir}/sudoers.d
|
install -d %{buildroot}/%{_sysconfdir}/sudoers.d
|
||||||
install -m 440 %{SOURCE0} %{buildroot}/%{_sysconfdir}/sudoers.d/wrs
|
install -m 440 %{SOURCE0} %{buildroot}/%{_sysconfdir}/sudoers.d/sysadmin
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group wrs >/dev/null || groupadd -r wrs
|
getent group sys_protected >/dev/null || groupadd -f -g 345 sys_protected
|
||||||
getent group wrs_protected >/dev/null || groupadd -f -g 345 wrs_protected
|
getent passwd sysadmin > /dev/null || \
|
||||||
getent passwd wrsroot > /dev/null || \
|
useradd -m -g sys_protected -G root \
|
||||||
useradd -m -g wrs -G root,wrs_protected \
|
-d /home/sysadmin -p %{SYSADMIN_P} \
|
||||||
-d /home/wrsroot -p %{WRSROOT_P} \
|
-s /bin/sh sysadmin 2> /dev/null || :
|
||||||
-s /bin/sh wrsroot 2> /dev/null || :
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license ../SOURCES/LICENSE
|
%license ../SOURCES/LICENSE
|
||||||
%config(noreplace) %{_sysconfdir}/sudoers.d/wrs
|
%config(noreplace) %{_sysconfdir}/sudoers.d/sysadmin
|
||||||
|
12
config-files/sudo-config/files/sysadmin.sudo
Normal file
12
config-files/sudo-config/files/sysadmin.sudo
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
##
|
||||||
|
## User privilege specification
|
||||||
|
##
|
||||||
|
sysadmin ALL=(ALL) ALL
|
||||||
|
sysadmin ALL=(root) NOPASSWD: /usr/bin/config_controller
|
||||||
|
sysadmin ALL=(root) NOPASSWD: /usr/bin/config_region
|
||||||
|
sysadmin ALL=(root) NOPASSWD: /usr/bin/config_subcloud
|
||||||
|
sysadmin ALL=(root) NOPASSWD: /usr/bin/config_management
|
||||||
|
sysadmin ALL=(root) NOPASSWD: /usr/local/sbin/collect
|
||||||
|
|
||||||
|
Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
|
||||||
|
Defaults passprompt="Password: "
|
@ -1,12 +0,0 @@
|
|||||||
##
|
|
||||||
## User privilege specification
|
|
||||||
##
|
|
||||||
wrsroot ALL=(ALL) ALL
|
|
||||||
wrsroot ALL=(root) NOPASSWD: /usr/bin/config_controller
|
|
||||||
wrsroot ALL=(root) NOPASSWD: /usr/bin/config_region
|
|
||||||
wrsroot ALL=(root) NOPASSWD: /usr/bin/config_subcloud
|
|
||||||
wrsroot ALL=(root) NOPASSWD: /usr/bin/config_management
|
|
||||||
wrsroot ALL=(root) NOPASSWD: /usr/local/sbin/collect
|
|
||||||
|
|
||||||
Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
|
|
||||||
Defaults passprompt="Password: "
|
|
@ -12,7 +12,7 @@
|
|||||||
|
|
||||||
|
|
||||||
# We want to run as the "www" user and scripts can't be setuid. The
|
# We want to run as the "www" user and scripts can't be setuid. The
|
||||||
# sudoers permissions are set up to allow wrsroot to run this script
|
# sudoers permissions are set up to allow sysadmin to run this script
|
||||||
# as the "www" user without a password.
|
# as the "www" user without a password.
|
||||||
if [ $USER != "www" ]; then
|
if [ $USER != "www" ]; then
|
||||||
exec sudo -u www $0 $@
|
exec sudo -u www $0 $@
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
wrsroot ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload
|
sysadmin ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload
|
||||||
|
|
||||||
Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
|
Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
|
||||||
|
@ -49,7 +49,7 @@ index 0000000..27d12dc
|
|||||||
+. "$_RUNTIMEFILE"
|
+. "$_RUNTIMEFILE"
|
||||||
+
|
+
|
||||||
+# runtime defaults
|
+# runtime defaults
|
||||||
+_DEFAULTGRP2="wrs_protected"
|
+_DEFAULTGRP2="sys_protected"
|
||||||
+_BASHSHELL="/bin/bash"
|
+_BASHSHELL="/bin/bash"
|
||||||
+_DEFAULTSHADOWMAX="90"
|
+_DEFAULTSHADOWMAX="90"
|
||||||
+_DEFAULTSHADOWWARNING="2"
|
+_DEFAULTSHADOWWARNING="2"
|
||||||
|
@ -30,7 +30,7 @@ Index: keyring-5.3/keyring/backends/file.py
|
|||||||
+ if oct(stat.S_IMODE(os.stat(lockdir + "/" + lockfile).st_mode)) != '0770':
|
+ if oct(stat.S_IMODE(os.stat(lockdir + "/" + lockfile).st_mode)) != '0770':
|
||||||
+ # Must have the lock file with the correct group and permissisions g+rw
|
+ # Must have the lock file with the correct group and permissisions g+rw
|
||||||
+ os.chmod(lockdir + "/" + lockfile, stat.S_IRWXG | stat.S_IRWXU)
|
+ os.chmod(lockdir + "/" + lockfile, stat.S_IRWXG | stat.S_IRWXU)
|
||||||
+ groupinfo = grp.getgrnam('wrs_protected')
|
+ groupinfo = grp.getgrnam('sys_protected')
|
||||||
+ os.chown(lockdir + "/" + lockfile,-1,groupinfo.gr_gid)
|
+ os.chown(lockdir + "/" + lockfile,-1,groupinfo.gr_gid)
|
||||||
|
|
||||||
|
|
||||||
|
@ -82,7 +82,7 @@ Index: keyring-5.3/keyring/backends/file.py
|
|||||||
- if os.geteuid() == 0 and (not os.path.exists(lockfile)):
|
- if os.geteuid() == 0 and (not os.path.exists(lockfile)):
|
||||||
- from pwd import getpwnam
|
- from pwd import getpwnam
|
||||||
- import stat
|
- import stat
|
||||||
- nonrootuser = "wrsroot"
|
- nonrootuser = "sysadmin"
|
||||||
- with open(lockfile, 'w'):
|
- with open(lockfile, 'w'):
|
||||||
- pass
|
- pass
|
||||||
- # must have the lock file with the correct group permissisions g+rw
|
- # must have the lock file with the correct group permissisions g+rw
|
||||||
|
@ -180,7 +180,7 @@ Index: keyring-5.3/keyring/backends/file.py
|
|||||||
+ if os.geteuid() == 0 and (not os.path.exists(lockfile)):
|
+ if os.geteuid() == 0 and (not os.path.exists(lockfile)):
|
||||||
+ from pwd import getpwnam
|
+ from pwd import getpwnam
|
||||||
+ import stat
|
+ import stat
|
||||||
+ nonrootuser = "wrsroot"
|
+ nonrootuser = "sysadmin"
|
||||||
+ with open(lockfile, 'w'):
|
+ with open(lockfile, 'w'):
|
||||||
+ pass
|
+ pass
|
||||||
+ # must have the lock file with the correct group permissisions g+rw
|
+ # must have the lock file with the correct group permissisions g+rw
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
# Generally, individual commands that display output have that output
|
# Generally, individual commands that display output have that output
|
||||||
# redirected to the appropriate info file in /scratch/var/extra
|
# redirected to the appropriate info file in /scratch/var/extra
|
||||||
#
|
#
|
||||||
# wrsroot@controller-0:/scratch# sudo collect
|
# sysadmin@controller-0:/scratch# sudo collect
|
||||||
# nodetype : controller
|
# nodetype : controller
|
||||||
# Collector: /scratch
|
# Collector: /scratch
|
||||||
# Extra Dir: /scratch/var/extra
|
# Extra Dir: /scratch/var/extra
|
||||||
@ -76,7 +76,7 @@ TOOL_NAME=collect
|
|||||||
TOOL_VER=2
|
TOOL_VER=2
|
||||||
TOOL_REV=0
|
TOOL_REV=0
|
||||||
|
|
||||||
# collect must be run as wrsroot
|
# collect must be run as sysadmin
|
||||||
if [ ${UID} -eq 0 ]; then
|
if [ ${UID} -eq 0 ]; then
|
||||||
echo "Error: Cannot run collect as 'root' user"
|
echo "Error: Cannot run collect as 'root' user"
|
||||||
exit 1
|
exit 1
|
||||||
@ -149,8 +149,8 @@ function print_help()
|
|||||||
echo ""
|
echo ""
|
||||||
echo "Optionally specify a --name prefix of the collected tar file."
|
echo "Optionally specify a --name prefix of the collected tar file."
|
||||||
echo ""
|
echo ""
|
||||||
echo "With the command set specified, simply run collect as wrsroot and when"
|
echo "With the command set specified, simply run collect as sysadmin and when"
|
||||||
echo "prompted provide the wrsroot sudo password and let collect handle the rest."
|
echo "prompted provide the sysadmin sudo password and let collect handle the rest."
|
||||||
echo ""
|
echo ""
|
||||||
echo "Scope Options:"
|
echo "Scope Options:"
|
||||||
echo ""
|
echo ""
|
||||||
@ -563,7 +563,7 @@ function clean_scratch_dir_remote()
|
|||||||
spawn bash -i
|
spawn bash -i
|
||||||
expect -re $
|
expect -re $
|
||||||
set timeout 60
|
set timeout 60
|
||||||
send "${SSH_CMD} wrsroot@${this_hostname}\n"
|
send "${SSH_CMD} sysadmin@${this_hostname}\n"
|
||||||
expect {
|
expect {
|
||||||
"assword:" {
|
"assword:" {
|
||||||
send "${pw}\r"
|
send "${pw}\r"
|
||||||
@ -621,7 +621,7 @@ function delete_remote_dir_or_file()
|
|||||||
spawn bash -i
|
spawn bash -i
|
||||||
expect -re $
|
expect -re $
|
||||||
set timeout 60
|
set timeout 60
|
||||||
send "${SSH_CMD} wrsroot@${this_hostname}\n"
|
send "${SSH_CMD} sysadmin@${this_hostname}\n"
|
||||||
expect {
|
expect {
|
||||||
"assword:" {
|
"assword:" {
|
||||||
send "${pw}\r"
|
send "${pw}\r"
|
||||||
@ -683,7 +683,7 @@ function get_file_from_host()
|
|||||||
spawn bash -i
|
spawn bash -i
|
||||||
set timeout ${SCP_TIMEOUT}
|
set timeout ${SCP_TIMEOUT}
|
||||||
expect -re $
|
expect -re $
|
||||||
send "${SCP_CMD} wrsroot@${this_hostname}:${remote_src} ${local_dest} 2>>${HOST_COLLECT_ERROR_LOG}\n"
|
send "${SCP_CMD} sysadmin@${this_hostname}:${remote_src} ${local_dest} 2>>${HOST_COLLECT_ERROR_LOG}\n"
|
||||||
expect {
|
expect {
|
||||||
"assword:" {
|
"assword:" {
|
||||||
send "${pw}\r"
|
send "${pw}\r"
|
||||||
@ -1083,7 +1083,7 @@ EOF
|
|||||||
spawn bash -i
|
spawn bash -i
|
||||||
set timeout 30
|
set timeout 30
|
||||||
expect -re $
|
expect -re $
|
||||||
send "${SSH_CMD} wrsroot@${host}\n"
|
send "${SSH_CMD} sysadmin@${host}\n"
|
||||||
expect {
|
expect {
|
||||||
"assword:" {
|
"assword:" {
|
||||||
send "${pw}\r"
|
send "${pw}\r"
|
||||||
@ -1131,7 +1131,7 @@ EOF
|
|||||||
exit ${FAIL_UNREACHABLE}
|
exit ${FAIL_UNREACHABLE}
|
||||||
}
|
}
|
||||||
"Host key verification failed" {
|
"Host key verification failed" {
|
||||||
send "rm -f /home/wrsroot/.ssh/known_hosts\n"
|
send "rm -f /home/sysadmin/.ssh/known_hosts\n"
|
||||||
exit ${FAIL}
|
exit ${FAIL}
|
||||||
}
|
}
|
||||||
timeout { exit ${FAIL_TIMEOUT} }
|
timeout { exit ${FAIL_TIMEOUT} }
|
||||||
|
@ -332,8 +332,8 @@ function collect_extra()
|
|||||||
echo "${hostname}: Bash History ......: ${LOGFILE}"
|
echo "${hostname}: Bash History ......: ${LOGFILE}"
|
||||||
|
|
||||||
# history
|
# history
|
||||||
delimiter ${LOGFILE} "cat /home/wrsroot/.bash_history"
|
delimiter ${LOGFILE} "cat /home/sysadmin/.bash_history"
|
||||||
cat /home/wrsroot/.bash_history >> ${LOGFILE} 2>>${COLLECT_ERROR_LOG}
|
cat /home/sysadmin/.bash_history >> ${LOGFILE} 2>>${COLLECT_ERROR_LOG}
|
||||||
|
|
||||||
LOGFILE="${EXTRA_DIR}/interrupt.info"
|
LOGFILE="${EXTRA_DIR}/interrupt.info"
|
||||||
echo "${hostname}: Interrupt Info ....: ${LOGFILE}"
|
echo "${hostname}: Interrupt Info ....: ${LOGFILE}"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
username="wrsroot"
|
username="sysadmin"
|
||||||
password="Li69nux*"
|
password="Li69nux*"
|
||||||
test_duration="30"
|
test_duration="30"
|
||||||
wait_duration="5"
|
wait_duration="5"
|
||||||
|
@ -32,7 +32,7 @@ fi
|
|||||||
sudo mkdir -p ${DEST}
|
sudo mkdir -p ${DEST}
|
||||||
|
|
||||||
# rsync options
|
# rsync options
|
||||||
USER=wrsroot
|
USER=sysadmin
|
||||||
RSYNC_OPT="-r -l --safe-links -h -P --stats --exclude=*.pyc"
|
RSYNC_OPT="-r -l --safe-links -h -P --stats --exclude=*.pyc"
|
||||||
|
|
||||||
# Rsync data from multiple locations
|
# Rsync data from multiple locations
|
||||||
|
@ -21,11 +21,11 @@ fi
|
|||||||
|
|
||||||
source ./lab.conf
|
source ./lab.conf
|
||||||
|
|
||||||
rsync -azvh wrsroot@${CONTROLLER0_IP}:/scratch/syseng_data/* .
|
rsync -azvh sysadmin@${CONTROLLER0_IP}:/scratch/syseng_data/* .
|
||||||
rsync -azvh wrsroot@${CONTROLLER1_IP}:/scratch/syseng_data/* .
|
rsync -azvh sysadmin@${CONTROLLER1_IP}:/scratch/syseng_data/* .
|
||||||
|
|
||||||
rsync -azvh wrsroot@${CONTROLLER0_IP}:/opt/backups/tmp/syseng-data/* .
|
rsync -azvh sysadmin@${CONTROLLER0_IP}:/opt/backups/tmp/syseng-data/* .
|
||||||
rsync -azvh wrsroot@${CONTROLLER1_IP}:/opt/backups/tmp/syseng-data/* .
|
rsync -azvh sysadmin@${CONTROLLER1_IP}:/opt/backups/tmp/syseng-data/* .
|
||||||
|
|
||||||
# Compress the newly download data files if they have not been compressed
|
# Compress the newly download data files if they have not been compressed
|
||||||
CURDIR=$(pwd)
|
CURDIR=$(pwd)
|
||||||
|
Loading…
Reference in New Issue
Block a user