
[Cluster-devel] conga/luci site/Makefile site/luci/bin/runzope ...



CVSROOT:	/cvs/cluster
Module name:	conga
Changes by:	kupcevic sourceware org	2006-08-18 13:28:45

Modified files:
	luci/site      : Makefile 
	luci/site/luci/bin: runzope.in 
	luci/utils     : luci_admin 
Added files:
	luci/site/luci : .admin_password_has_been_set 

Log message:
	Under certain circumstances, the default luci password would not get reset.
	Disable luci startup in that case.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/Makefile.diff?cvsroot=cluster&r1=1.8&r2=1.9
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/.admin_password_has_been_set.diff?cvsroot=cluster&r1=NONE&r2=1.1
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/bin/runzope.in.diff?cvsroot=cluster&r1=1.1&r2=1.2
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/utils/luci_admin.diff?cvsroot=cluster&r1=1.45&r2=1.46

--- conga/luci/site/Makefile	2006/08/18 07:21:02	1.8
+++ conga/luci/site/Makefile	2006/08/18 13:28:44	1.9
@@ -39,6 +39,9 @@
 
 
 install:
+	install -d ${DESTDIR}/var/lib/luci
+	install -m 0640 luci/.admin_password_has_been_set ${DESTDIR}/var/lib/luci/
+
 	install -d ${DESTDIR}/var/lib/luci/bin
 #	install `find luci/bin -maxdepth 1 -type f` ${DESTDIR}/var/lib/luci/bin
 	install luci/bin/runzope ${DESTDIR}/var/lib/luci/bin
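Review bot: The added `install -m 0640 luci/.admin_password_has_been_set ${DESTDIR}/var/lib/luci/` sets no owner or group, so the flag lands root-owned with no read permission for anyone else, while luci_admin's set_default_passwd_reset_flag later puts the same file at luci:luci 0640; the two disagree on who may read it. If the Zope process runs as the luci account, `cat` in runzope.in fails on the installed copy and prints a permission error ahead of the intended refusal message, although the outcome is still fail-closed. The file only ever holds True or False, so `install -m 0644 ...` (or 0640 with `-g luci` where the packaging guarantees that group exists at install time) removes the discrepancy.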
/cvs/cluster/conga/luci/site/luci/.admin_password_has_been_set,v  -->  standard output
revision 1.1
--- conga/luci/site/luci/.admin_password_has_been_set
+++ -	2006-08-18 13:28:45.554587000 +0000
@@ -0,0 +1 @@
+False
--- conga/luci/site/luci/bin/runzope.in	2006/07/24 20:17:02	1.1
+++ conga/luci/site/luci/bin/runzope.in	2006/08/18 13:28:45	1.2
@@ -19,4 +19,16 @@
 
 ZOPE_RUN="$SOFTWARE_HOME/Zope2/Startup/run.py"
 
-exec "$PYTHON" "$ZOPE_RUN" -C "$CONFIG_FILE" "$@"
+
+if [ "B`cat $INSTANCE_HOME/.admin_password_has_been_set`" == "BTrue" ]; then
+    exec "$PYTHON" "$ZOPE_RUN" -C "$CONFIG_FILE" "$@"
+else 
+    echo ""
+    echo ""
+    echo "luci \'admin\' password has to be changed before server is allowed to start"
+    echo "To do so, execute (as root): " 
+    echo -e "\tluci_admin password"
+    echo ""
+    echo ""
+    exit 1
+fi
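Review bot: `echo "luci \'admin\' password has to be changed before server is allowed to start"` prints the backslashes literally, because `\'` is not an escape sequence inside double quotes; write `echo "luci 'admin' password has to be changed before server is allowed to start"`. The gate line has two portability problems and one noise problem: `$INSTANCE_HOME` is unquoted, `==` is a bash extension to `test` (POSIX is `=`), and a missing or unreadable flag file makes cat print its own error before the refusal. `if [ "B$(cat "$INSTANCE_HOME/.admin_password_has_been_set" 2>/dev/null)" = "BTrue" ]; then` addresses all three and still fails closed on any read problem. The shebang is outside the hunk, so whether bash-only constructs such as `==` and `echo -e` are acceptable here cannot be confirmed from the diff.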
--- conga/luci/utils/luci_admin	2006/08/04 19:19:10	1.45
+++ conga/luci/utils/luci_admin	2006/08/18 13:28:45	1.46
@@ -34,25 +34,27 @@
 
 LUCI_INIT_DEBUG = 0
 
-LUCI_USER = 'luci'
+LUCI_USER  = 'luci'
 LUCI_GROUP = 'luci'
 
-LUCI_BACKUP_DIR = '/var/lib/luci/var'
-LUCI_CERT_DIR = '/var/lib/luci/var/certs/'
-LUCI_BACKUP_PATH = LUCI_BACKUP_DIR + '/luci_backup.xml'
-LUCI_DB_PATH = '/var/lib/luci/var/Data.fs'
+LUCI_HOME_DIR       = '/var/lib/luci'
+LUCI_DB_PATH        = LUCI_HOME_DIR + '/var/Data.fs'
+LUCI_CERT_DIR       = LUCI_HOME_DIR + '/var/certs/'
+LUCI_BACKUP_DIR     = LUCI_HOME_DIR + '/var'
+LUCI_BACKUP_PATH    = LUCI_BACKUP_DIR + '/luci_backup.xml'
+LUCI_ADMIN_SET_PATH = LUCI_HOME_DIR + '/.admin_password_has_been_set'
 
-SSL_PRIVKEY_NAME = 'privkey.pem'
-SSL_PUBKEY_NAME = 'cacert.pem'
+SSL_PRIVKEY_NAME       = 'privkey.pem'
+SSL_PUBKEY_NAME        = 'cacert.pem'
 SSL_HTTPS_PRIVKEY_NAME = 'https.key.pem'
-SSL_HTTPS_PUBKEY_NAME = 'https.pem'
-SSL_KEYCONFIG_NAME = 'cacert.config'
+SSL_HTTPS_PUBKEY_NAME  = 'https.pem'
+SSL_KEYCONFIG_NAME     = 'cacert.config'
 
-SSL_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_PRIVKEY_NAME
-SSL_PUBKEY_PATH = LUCI_CERT_DIR + SSL_PUBKEY_NAME
+SSL_PRIVKEY_PATH       = LUCI_CERT_DIR + SSL_PRIVKEY_NAME
+SSL_PUBKEY_PATH        = LUCI_CERT_DIR + SSL_PUBKEY_NAME
 SSL_HTTPS_PRIVKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PRIVKEY_NAME
-SSL_HTTPS_PUBKEY_PATH = LUCI_CERT_DIR + SSL_HTTPS_PUBKEY_NAME
-SSL_KEYCONFIG_PATH = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME
+SSL_HTTPS_PUBKEY_PATH  = LUCI_CERT_DIR + SSL_HTTPS_PUBKEY_NAME
+SSL_KEYCONFIG_PATH     = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME
 
 ssl_key_data = [
 	{ 'id': SSL_PRIVKEY_PATH, 'name': SSL_PRIVKEY_NAME, 'type': 'private', 'mode': 0600 },
@@ -70,6 +72,34 @@
 else:
 	verbose = null
 
+
+
+def get_luci_uid_gid():
+	try:
+		luci = pwd.getpwnam(LUCI_USER)[2:4]
+		if not luci:
+			raise
+		if len(luci) != 2:
+			raise
+		return luci
+	except:
+		msg = 'Cannot find the \"' + LUCI_USER + '\" user.\n'
+		sys.stderr.write(msg)
+		raise msg
+	
+
+def set_default_passwd_reset_flag():
+	# set flag marking admin password has been set
+	uid, gid = get_luci_uid_gid()
+	open(LUCI_ADMIN_SET_PATH, 'w').write('True')
+	os.chown(LUCI_ADMIN_SET_PATH, uid, gid)
+	os.chmod(LUCI_ADMIN_SET_PATH, 0640)
+	return True
+
+def get_default_passwd_reset_flag():
+	return open(LUCI_ADMIN_SET_PATH, 'r').read(16) == 'True'
+
+
 def read_passwd(prompt, confirm_prompt):
 	from getpass import getpass
 	while True:
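Review bot: set_default_passwd_reset_flag hands the gate file to the service account (`os.chown(LUCI_ADMIN_SET_PATH, uid, gid)` followed by mode 0640), so anything running as luci can rewrite it to True and re-enable startup without the admin password having been changed; runzope.in only reads the file, so keeping it root-owned and merely readable (mode 0644, or 0640 with group luci) keeps the gate under root's control. `raise msg` in get_luci_uid_gid raises a string, which Python 2.5 deprecates and 2.6 rejects; `raise KeyError(msg)` keeps the message and still satisfies the bare `except:` handlers in the callers. The two bare `raise` statements inside that try body run with no active exception and therefore produce a TypeError, which the bare except then reports as the user being missing; since `pwd.getpwnam(...)[2:4]` is always a 2-tuple, both checks can simply go. get_default_passwd_reset_flag compares the raw read with 'True', so a trailing newline from a hand-edited file reads as not set; `.read(16).strip() == 'True'` is more forgiving, and neither helper closes its file handle explicitly.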
@@ -77,6 +107,9 @@
 		if len(s1) < 6:
 			print 'Password has to be at least 6 characters long'
 			continue
+		if ' ' in s1:
+			print 'Spaces are not allowed in passwords'
+			continue
 		s2 = getpass(confirm_prompt)
 		if s1 != s2:
 			print 'Passwords mismatch, try again'
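Review bot: The new `if ' ' in s1:` check carries no comment saying why spaces are disallowed, and it rejects only ASCII space, so tabs and other whitespace still pass; a one-line comment stating the constraint it protects (`# NOTE(review): reason for rejecting spaces — confirm and document`) would let the next maintainer decide whether other whitespace should be covered as well. The `--random` path elsewhere in this commit sets the password to 16 raw bytes read from /dev/urandom, which can contain spaces, so the rule applies only to interactive input. read_passwd's definition and the rest of its body are outside this hunk.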
@@ -86,20 +119,18 @@
 
 
 def restore_luci_db_fsattr():
+	uid, gid = -1, -1
 	try:
-		luci = pwd.getpwnam(LUCI_USER)[2:4]
-		if not luci or len(luci) != 2:
-			raise
+		uid, gid = get_luci_uid_gid()
 	except:
-		sys.stderr.write('Cannot find the \"' + LUCI_USER + '\" user.\n')
 		return -1
-
+	
 	try:
-		os.chown(LUCI_DB_PATH, luci[0], luci[1])
+		os.chown(LUCI_DB_PATH, uid, gid)
 		os.chmod(LUCI_DB_PATH, 0600)
 		for i in [ '.tmp', '.old', '.index', '.lock' ]:
 			try:
-				os.chown(LUCI_DB_PATH + i, luci[0], luci[1])
+				os.chown(LUCI_DB_PATH + i, uid, gid)
 				os.chmod(LUCI_DB_PATH + i, 0600)
 			except: pass
 	except:
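Review bot: The added `uid, gid = -1, -1` is dead: the `except:` branch returns -1 before the chown calls, and on success both names are rebound by get_luci_uid_gid, so the pre-assignment is never read and can be dropped; the same pattern is repeated in the certificate-restore hunk (`@@ -194,12 +228,10 @@`). The bare `except:` around the helper is now the only place that failure is reported, since the stderr write moved into get_luci_uid_gid, but it also swallows KeyboardInterrupt; `except Exception:` would not be enough here because the helper raises a string, so narrowing it depends on fixing that helper first.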
@@ -181,7 +212,10 @@
 
 	if restore_luci_db_fsattr():
 		return -1
-
+	
+	if user == 'admin' and ret == 0:
+		set_default_passwd_reset_flag()
+	
 	return ret
 
 
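Review bot: `set_default_passwd_reset_flag()` is called with no error handling, and its `open`, `os.chown` and `os.chmod` calls raise IOError/OSError, so a failure to write `/var/lib/luci/.admin_password_has_been_set` (read-only filesystem, directory missing on an upgraded install) escapes as a traceback after the admin password has already been changed, and the server will still refuse to start without the caller saying why. Wrap the call in `try:`/`except (IOError, OSError):`, write a message naming the flag file to stderr, and return -1 so the command's exit status reflects it. The string exception from get_luci_uid_gid is unlikely here, since restore_luci_db_fsattr has just succeeded with the same lookup. The enclosing function starts outside the hunk, so how `user` and `ret` are set cannot be checked from the diff.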
@@ -194,12 +228,10 @@
 	if not certList or len(certList) < 1:
 		sys.stderr.write('Your backup file contains no certificate data. Please check that your backup file is not corrupt.\n')
 		return -1
+	uid, gid = -1, -1
 	try:
-		luci = pwd.getpwnam(LUCI_USER)[2:4]
-		if not luci or len(luci) != 2:
-			raise
+		uid, gid = get_luci_uid_gid()
 	except:
-		sys.stderr.write('Cannot find the \"' + LUCI_USER + '\" user.\n')
 		return -1
 
 	for c in certList:
@@ -235,10 +267,11 @@
 
 		os.chmod(path, mode)
 		f.write(data + '\n')
-		os.chown(path, luci[0], luci[1])
+		os.chown(path, uid, gid)
 		f.close()
 	return None
 
+
 def luci_restore(argv):
 	sys.stderr = null
 	import ZODB
@@ -920,41 +953,43 @@
 
 
 def luci_initialized():
-    # existence of privkey.pem file means that luci is initialized
-    return os.access(SSL_PRIVKEY_PATH, os.F_OK)
+    # existence of privkey.pem file and
+    # admin password (not the one Data.fs comes with)
+    # mean that luci has been initialized
+    b1 = get_default_passwd_reset_flag()
+    b2 = os.access(SSL_PRIVKEY_PATH, os.F_OK)
+    return b1 and b2
 
 
 
 def generate_ssl_certs():
+    command = '/bin/rm'
+    args = [command, '-f', SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
+    _execWithCaptureErrorStatus(command, args)
+    
     # /usr/bin/openssl genrsa -out /var/lib/luci/var/certs/privkey.pem 2048 > /dev/null 2>&1
     command = '/usr/bin/openssl'
     args = [command, 'genrsa', '-out', SSL_PRIVKEY_PATH, '2048']
     _execWithCaptureErrorStatus(command, args)
-
+    
     # /usr/bin/openssl req -new -x509 -key /var/lib/luci/var/certs/privkey.pem -out /var/lib/luci/var/certs/cacert.pem -days 1095 -config /var/lib/luci/var/certs/cacert.config
     command = '/usr/bin/openssl'
     args = [command, 'req', '-new', '-x509', '-key', SSL_PRIVKEY_PATH, '-out', SSL_PUBKEY_PATH, '-days', '1095', '-config', SSL_KEYCONFIG_PATH]
     _execWithCaptureErrorStatus(command, args)
-
-    # /bin/chown -R zope:zope /var/lib/luci/var/certs/*
-    command = '/bin/chown'
-    args = [command, LUCI_USER + ':' + LUCI_GROUP, SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
-    _execWithCaptureErrorStatus(command, args)
-
-    # /bin/chmod 644 /var/lib/luci/var/certs/*
-    command = '/bin/chmod'
-    args = [command, '644', SSL_PUBKEY_PATH]
-    o, e, s = _execWithCaptureErrorStatus(command, args)
-    if s != 0:
-        return False
-
-    # /bin/chmod 400 /var/lib/luci/var/certs/privkey.pem
-    command = '/bin/chmod'
-    args = [command, '600', SSL_PRIVKEY_PATH]
-    o, e, s = _execWithCaptureErrorStatus(command, args)
-    if s != 0:
-        return False
-
+    
+    # take ownership and restrict access
+    try:
+	    uid, gid = get_luci_uid_gid()
+	    os.chown(SSL_PRIVKEY_PATH, uid, gid)
+	    os.chown(SSL_PUBKEY_PATH, uid, gid)
+	    os.chmod(SSL_PRIVKEY_PATH, 0600)
+	    os.chmod(SSL_PUBKEY_PATH, 0644)
+    except:
+	    command = '/bin/rm'
+	    args = [command, '-f', SSL_PRIVKEY_PATH, SSL_PUBKEY_PATH]
+	    _execWithCaptureErrorStatus(command, args)
+	    return False
+    
     return True
 
 
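Review bot: generate_ssl_certs lets `openssl genrsa -out` create privkey.pem and only later runs `os.chmod(SSL_PRIVKEY_PATH, 0600)`, so between the two calls the private key carries whatever mode the caller's umask and OpenSSL version produce, which on older OpenSSL is the plain umask default and commonly world-readable; wrapping the two openssl calls in `old_umask = os.umask(077)` / `os.umask(old_umask)` closes that window. luci_initialized now calls get_default_passwd_reset_flag, which raises IOError when the flag file is absent, so on an installation upgraded from before this commit `luci_admin init` would fail with a traceback instead of returning False; catching IOError in that helper and returning False keeps the fail-closed meaning. The new try/except block is indented with a tab plus four spaces inside a function indented with spaces; it parses because Python 2 expands tabs to eight columns, but it should use spaces like the rest of the function. The bare `except:` in that block exists to catch chown/chmod failures, so `except OSError:` names the case it handles rather than silencing everything.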
@@ -976,12 +1011,9 @@
 		sys.stderr.write('If you want to reset admin password, execute\n')
 		sys.stderr.write('\t' + argv[0] + ' password\n')
 		sys.exit(1)
+	
 	print 'Initializing the Luci server\n'
-	print 'Generating SSL certificates...'
-	if generate_ssl_certs() == False:
-		sys.stderr.write('failed. exiting ...\n')
-		sys.exit(1)
-
+	
 	print '\nCreating the \'admin\' user\n'
 	password = read_passwd('Enter password: ', 'Confirm password: ')
 	print '\nPlease wait...'
@@ -991,8 +1023,13 @@
 	else:
 		sys.stderr.write('Unable to set the admin user\'s password.\n')
 		sys.exit(1)
-
-	print 'The Luci server has been successfully initialized'
+	
+	print 'Generating SSL certificates...'
+	if generate_ssl_certs() == False:
+		sys.stderr.write('failed. exiting ...\n')
+		sys.exit(1)
+	
+	print 'Luci server has been successfully initialized'
 	restart_message()
 	
 	return
@@ -1003,7 +1040,7 @@
 	if '--random' in argv:
 		print 'Resetting the admin user\'s password to some random value\n'
 		try:
-			rand = file('/dev/urandom', 'r')
+			rand = open('/dev/urandom', 'r')
 			password = rand.read(16)
 			rand.close()
 		except:
@@ -1095,6 +1132,7 @@
 
 	print 'Luci backup was successful.\nThe backup data is contained in the file \"' + LUCI_BACKUP_PATH + '\"'
 
+
 def restore(argv):
 	print 'Restoring the Luci server...'
 
@@ -1105,6 +1143,7 @@
 		ret = False
 		sys.stderr.write('The Luci restore failed. Try reinstalling Luci, then restoring again.\n')
 	else:
+		set_default_passwd_reset_flag()
 		ret = True
 		print 'Restore was successful.'
 		restart_message()
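Review bot: `set_default_passwd_reset_flag()` on a successful restore marks the admin password as changed for whatever Data.fs the backup contained; the log message says the default password was sometimes left in place, so a backup taken from such an instance would be restored with the default password and the startup gate turned off. If there is no way to verify the restored admin password, at least record the assumption next to the call: `# assumes the backup was taken after the admin password was changed; restore re-enables startup`. The call can also raise (string exception from get_luci_uid_gid, IOError/OSError from the file operations) and nothing here catches it, so a failure surfaces as a traceback after the restore has already been performed. restore's definition is outside this hunk.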
@@ -1120,25 +1159,45 @@
     print argv[0] + ' [init|backup|restore|password|help]'
     print
     print '\tinit: initialize Luci site'
+    print '\tpassword: reset admin password'
+    print '\t\tpassword: reset admin password to random value (disable account)'
     print '\tbackup: backup Luci site to a file'
     print '\trestore: restore Luci site from backup'
-    print '\tpassword: reset admin password'
     print '\thelp: this help message'
     print
 
 
+
+def test_luci_installation():
+   # perform basic checks
+   # TODO: do more tests
+   
+   # check if luci user and group are present on the system
+   try:
+	   get_luci_uid_gid()
+   except:
+	   sys.stderr.write('There is a problem with luci installation!\n')
+	   sys.stderr.write('Mising luci\'s system account and group')
+	   sys.stderr.write('Recommended action: reinstall luci\n\n')
+	   sys.exit(3)
+   
+   return True
+
+
 def main(argv):
     if len(argv) < 2:
         luci_help(argv)
         sys.exit(1)
-
-
-    # only root can modify Luci server
+    
+    # only root should run this
     if os.getuid() != 0:
-        sys.stderr.write('Only root can modify Luci server.\n')
+        sys.stderr.write('Only \'root\' can run ' + argv[0] + '\n')
         sys.stderr.write('Try again with root privileges.\n')
         sys.exit(2)
 
+    # test if luci installation is OK
+    test_luci_installation()
+    
     if 'init' in argv:
         init(argv)
     elif 'backup' in argv:
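Review bot: The help text now lists `password` twice and the second entry, `'\t\tpassword: reset admin password to random value (disable account)'`, omits the option that triggers that behaviour; the code path checks `'--random' in argv`, so it should read `print '\t\tpassword --random: reset admin password to random value (disable account)'`. In test_luci_installation, `sys.stderr.write('Mising luci\'s system account and group')` has a typo and no trailing newline, so the next write runs onto the same line; use `'Missing luci\'s system account and group\n'`. That function is indented with three spaces and its try body with a tab plus three spaces, unlike either the tab-indented or the four-space-indented functions around it. main's body continues past the end of the hunk.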

