Make home folder globally accessible when creating a user
Certain hardened images have "umask 0077" set for the root user, which makes the newly created /home/users folder inaccessible to non-root users. This results in a failure when trying to ssh in with the new account. Explicitly set the permissions so that they do not depend on the default umask.
This commit is contained in:
parent
d4fa1159ac
commit
3bdac1cc33
|
@ -121,7 +121,9 @@ public class RunScriptOnNodeUsingSshTest {
|
||||||
expect(sshClient.getUsername()).andReturn("tester");
|
expect(sshClient.getUsername()).andReturn("tester");
|
||||||
expect(sshClient.getHostAddress()).andReturn("somewhere.example.com");
|
expect(sshClient.getHostAddress()).andReturn("somewhere.example.com");
|
||||||
expect(
|
expect(
|
||||||
sshClient.exec("sudo sh <<'RUN_SCRIPT_AS_ROOT_SSH'\n" + "mkdir -p /home/users\n"
|
sshClient.exec("sudo sh <<'RUN_SCRIPT_AS_ROOT_SSH'\n"
|
||||||
|
+ "mkdir -p /home/users\n"
|
||||||
|
+ "chmod 0755 /home/users\n"
|
||||||
+ "useradd -c testuser -s /bin/bash -m -d /home/users/testuser testuser\n"
|
+ "useradd -c testuser -s /bin/bash -m -d /home/users/testuser testuser\n"
|
||||||
+ "chown -R testuser /home/users/testuser\n" + "RUN_SCRIPT_AS_ROOT_SSH\n")).andReturn(
|
+ "chown -R testuser /home/users/testuser\n" + "RUN_SCRIPT_AS_ROOT_SSH\n")).andReturn(
|
||||||
new ExecResponse("done", null, 0));
|
new ExecResponse("done", null, 0));
|
||||||
|
|
|
@ -209,6 +209,7 @@ END_OF_JCLOUDS_SCRIPT
|
||||||
END_OF_JCLOUDS_FILE
|
END_OF_JCLOUDS_FILE
|
||||||
chmod 0440 /etc/sudoers
|
chmod 0440 /etc/sudoers
|
||||||
mkdir -p /home/users
|
mkdir -p /home/users
|
||||||
|
chmod 0755 /home/users
|
||||||
groupadd -f wheel
|
groupadd -f wheel
|
||||||
useradd -c 'defaultAdminUsername' -s /bin/bash -g wheel -m -d /home/users/defaultAdminUsername -p 'crypt(randompassword)' defaultAdminUsername
|
useradd -c 'defaultAdminUsername' -s /bin/bash -g wheel -m -d /home/users/defaultAdminUsername -p 'crypt(randompassword)' defaultAdminUsername
|
||||||
mkdir -p /home/users/defaultAdminUsername/.ssh
|
mkdir -p /home/users/defaultAdminUsername/.ssh
|
||||||
|
|
|
@ -209,6 +209,7 @@ END_OF_JCLOUDS_SCRIPT
|
||||||
END_OF_JCLOUDS_FILE
|
END_OF_JCLOUDS_FILE
|
||||||
chmod 0440 /etc/sudoers
|
chmod 0440 /etc/sudoers
|
||||||
mkdir -p /home/users
|
mkdir -p /home/users
|
||||||
|
chmod 0755 /home/users
|
||||||
groupadd -f wheel
|
groupadd -f wheel
|
||||||
useradd -c 'web' -s /bin/bash -g wheel -m -d /home/users/web -p 'crypt(randompassword)' web
|
useradd -c 'web' -s /bin/bash -g wheel -m -d /home/users/web -p 'crypt(randompassword)' web
|
||||||
mkdir -p /home/users/web/.ssh
|
mkdir -p /home/users/web/.ssh
|
||||||
|
|
|
@ -90,6 +90,7 @@ END_OF_JCLOUDS_SCRIPT
|
||||||
END_OF_JCLOUDS_FILE
|
END_OF_JCLOUDS_FILE
|
||||||
chmod 0440 /etc/sudoers
|
chmod 0440 /etc/sudoers
|
||||||
mkdir -p /over/ridden
|
mkdir -p /over/ridden
|
||||||
|
chmod 0755 /over/ridden
|
||||||
groupadd -f wheel
|
groupadd -f wheel
|
||||||
useradd -c 'foo' -s /bin/bash -g wheel -m -d /over/ridden/foo -p 'crypt(randompassword)' foo
|
useradd -c 'foo' -s /bin/bash -g wheel -m -d /over/ridden/foo -p 'crypt(randompassword)' foo
|
||||||
mkdir -p /over/ridden/foo/.ssh
|
mkdir -p /over/ridden/foo/.ssh
|
||||||
|
|
|
@ -186,9 +186,12 @@ public class UserAdd implements Statement {
|
||||||
if (family == OsFamily.WINDOWS)
|
if (family == OsFamily.WINDOWS)
|
||||||
throw new UnsupportedOperationException("windows not yet implemented");
|
throw new UnsupportedOperationException("windows not yet implemented");
|
||||||
String homeDir = (home != null) ? home : (defaultHome + '/' + login);
|
String homeDir = (home != null) ? home : (defaultHome + '/' + login);
|
||||||
|
String usersDir = homeDir.substring(0, homeDir.lastIndexOf('/'));
|
||||||
ImmutableList.Builder<Statement> statements = ImmutableList.builder();
|
ImmutableList.Builder<Statement> statements = ImmutableList.builder();
|
||||||
// useradd cannot create the default homedir
|
// useradd cannot create the default homedir
|
||||||
statements.add(Statements.exec("{md} " + homeDir.substring(0, homeDir.lastIndexOf('/'))));
|
statements.add(Statements.exec("{md} " + usersDir));
|
||||||
|
// make sure the folder is globally accessible even with umask 0077
|
||||||
|
statements.add(Statements.exec("chmod 0755 " + usersDir));
|
||||||
|
|
||||||
ImmutableMap.Builder<String, String> userAddOptions = ImmutableMap.builder();
|
ImmutableMap.Builder<String, String> userAddOptions = ImmutableMap.builder();
|
||||||
// Include the username as the full name for now.
|
// Include the username as the full name for now.
|
||||||
|
|
|
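Review bot: The new `statements.add(Statements.exec("chmod 0755 " + usersDir));` is applied unconditionally to whatever parent directory `homeDir` resolves to, so when a caller's `home` override points below an existing, deliberately restricted directory this statement widens that directory's permissions instead of only fixing a freshly created `/home/users`. World read on the parent is also more than the stated goal needs: reaching a home directory through it only requires the execute bit, so `chmod o+x` (or `0711`) on the parent would fix the `umask 0077` case with less exposure, if listing the users directory is not an intended side effect. The derived `usersDir` is the empty string when `home` has a single leading slash (e.g. `/me`), which now renders `chmod 0755 ` with no operand on top of the pre-existing empty `{md} `, and a `home` with no slash at all makes `lastIndexOf('/')` return -1 and `substring` throw; a guard such as `if (!usersDir.isEmpty())` around both statements, plus an explicit `IllegalArgumentException` for a relative `home`, would keep the rendered script valid. The enclosing method begins and ends outside the hunk.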
@ -29,29 +29,29 @@ public class UserAddTest {
|
||||||
|
|
||||||
public void testUNIX() {
|
public void testUNIX() {
|
||||||
assertEquals(UserAdd.builder().login("me").build().render(OsFamily.UNIX),
|
assertEquals(UserAdd.builder().login("me").build().render(OsFamily.UNIX),
|
||||||
"mkdir -p /home/users\nuseradd -c me -s /bin/bash -m -d /home/users/me me\nchown -R me /home/users/me\n");
|
"mkdir -p /home/users\nchmod 0755 /home/users\nuseradd -c me -s /bin/bash -m -d /home/users/me me\nchown -R me /home/users/me\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testWithFullNameUNIX() {
|
public void testWithFullNameUNIX() {
|
||||||
assertEquals(UserAdd.builder().login("me").fullName("JClouds Guy").build().render(OsFamily.UNIX),
|
assertEquals(UserAdd.builder().login("me").fullName("JClouds Guy").build().render(OsFamily.UNIX),
|
||||||
"mkdir -p /home/users\nuseradd -c 'JClouds Guy' -s /bin/bash -m -d /home/users/me me\nchown -R me /home/users/me\n");
|
"mkdir -p /home/users\nchmod 0755 /home/users\nuseradd -c 'JClouds Guy' -s /bin/bash -m -d /home/users/me me\nchown -R me /home/users/me\n");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testWithBaseUNIX() {
|
public void testWithBaseUNIX() {
|
||||||
assertEquals(UserAdd.builder().login("me").defaultHome("/export/home").build().render(OsFamily.UNIX),
|
assertEquals(UserAdd.builder().login("me").defaultHome("/export/home").build().render(OsFamily.UNIX),
|
||||||
"mkdir -p /export/home\nuseradd -c me -s /bin/bash -m -d /export/home/me me\nchown -R me /export/home/me\n");
|
"mkdir -p /export/home\nchmod 0755 /export/home\nuseradd -c me -s /bin/bash -m -d /export/home/me me\nchown -R me /export/home/me\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testWithGroupUNIX() {
|
public void testWithGroupUNIX() {
|
||||||
assertEquals(UserAdd.builder().login("me").group("wheel").build().render(OsFamily.UNIX),
|
assertEquals(UserAdd.builder().login("me").group("wheel").build().render(OsFamily.UNIX),
|
||||||
"mkdir -p /home/users\ngroupadd -f wheel\nuseradd -c me -s /bin/bash -g wheel -m -d /home/users/me me\nchown -R me /home/users/me\n");
|
"mkdir -p /home/users\nchmod 0755 /home/users\ngroupadd -f wheel\nuseradd -c me -s /bin/bash -g wheel -m -d /home/users/me me\nchown -R me /home/users/me\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testWithGroupsUNIX() {
|
public void testWithGroupsUNIX() {
|
||||||
assertEquals(UserAdd.builder().login("me").groups(ImmutableList.of("wheel", "candy")).build().render(
|
assertEquals(UserAdd.builder().login("me").groups(ImmutableList.of("wheel", "candy")).build().render(
|
||||||
OsFamily.UNIX),
|
OsFamily.UNIX),
|
||||||
"mkdir -p /home/users\ngroupadd -f wheel\ngroupadd -f candy\nuseradd -c me -s /bin/bash -g wheel -G candy -m -d /home/users/me me\nchown -R me /home/users/me\n");
|
"mkdir -p /home/users\nchmod 0755 /home/users\ngroupadd -f wheel\ngroupadd -f candy\nuseradd -c me -s /bin/bash -g wheel -G candy -m -d /home/users/me me\nchown -R me /home/users/me\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
Function<String, String> crypt = new Function<String, String>() {
|
Function<String, String> crypt = new Function<String, String>() {
|
||||||
|
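Review bot: None of the updated expectations in this hunk (or the second UserAddTest hunk at `@ -63,30 +63,30 @@`) exercise a `home` whose parent is the filesystem root, e.g. `UserAdd.builder().login("me").home("/me")`, which is the input where the parent directory string becomes empty and the new `chmod 0755` statement is rendered with no operand; a test pinning the intended output for that case would document the contract before the rendering code is adjusted. A test for a relative `home` (no leading slash) is likewise absent, and the hunk currently only asserts the happy path. The `crypt` field declaration at the end of the hunk continues outside it.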
@ -63,30 +63,30 @@ public class UserAddTest {
|
||||||
|
|
||||||
public void testWithPasswordUNIX() {
|
public void testWithPasswordUNIX() {
|
||||||
String userAdd = UserAdd.builder().cryptFunction(crypt).login("me").password("password").group("wheel").build().render(OsFamily.UNIX);
|
String userAdd = UserAdd.builder().cryptFunction(crypt).login("me").password("password").group("wheel").build().render(OsFamily.UNIX);
|
||||||
assert userAdd.startsWith("mkdir -p /home/users\ngroupadd -f wheel\nuseradd -c me -s /bin/bash -g wheel -m -d /home/users/me -p 'CRYPT'") : userAdd;
|
assert userAdd.startsWith("mkdir -p /home/users\nchmod 0755 /home/users\ngroupadd -f wheel\nuseradd -c me -s /bin/bash -g wheel -m -d /home/users/me -p 'CRYPT'") : userAdd;
|
||||||
assert userAdd.endsWith("' me\nchown -R me /home/users/me\n") : userAdd;
|
assert userAdd.endsWith("' me\nchown -R me /home/users/me\n") : userAdd;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testWithSshAuthorizedKeyUNIX() {
|
public void testWithSshAuthorizedKeyUNIX() {
|
||||||
assertEquals(
|
assertEquals(
|
||||||
UserAdd.builder().login("me").authorizeRSAPublicKey("rsapublickey").build().render(OsFamily.UNIX),
|
UserAdd.builder().login("me").authorizeRSAPublicKey("rsapublickey").build().render(OsFamily.UNIX),
|
||||||
"mkdir -p /home/users\nuseradd -c me -s /bin/bash -m -d /home/users/me me\nmkdir -p /home/users/me/.ssh\ncat >> /home/users/me/.ssh/authorized_keys <<-'END_OF_JCLOUDS_FILE'\n\trsapublickey\nEND_OF_JCLOUDS_FILE\nchmod 600 /home/users/me/.ssh/authorized_keys\nchown -R me /home/users/me\n");
|
"mkdir -p /home/users\nchmod 0755 /home/users\nuseradd -c me -s /bin/bash -m -d /home/users/me me\nmkdir -p /home/users/me/.ssh\ncat >> /home/users/me/.ssh/authorized_keys <<-'END_OF_JCLOUDS_FILE'\n\trsapublickey\nEND_OF_JCLOUDS_FILE\nchmod 600 /home/users/me/.ssh/authorized_keys\nchown -R me /home/users/me\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testWithSshInstalledKeyUNIX() {
|
public void testWithSshInstalledKeyUNIX() {
|
||||||
assertEquals(
|
assertEquals(
|
||||||
UserAdd.builder().login("me").installRSAPrivateKey("rsaprivate").build().render(OsFamily.UNIX),
|
UserAdd.builder().login("me").installRSAPrivateKey("rsaprivate").build().render(OsFamily.UNIX),
|
||||||
"mkdir -p /home/users\nuseradd -c me -s /bin/bash -m -d /home/users/me me\nmkdir -p /home/users/me/.ssh\nrm /home/users/me/.ssh/id_rsa\ncat >> /home/users/me/.ssh/id_rsa <<-'END_OF_JCLOUDS_FILE'\n\trsaprivate\nEND_OF_JCLOUDS_FILE\nchmod 600 /home/users/me/.ssh/id_rsa\nchown -R me /home/users/me\n");
|
"mkdir -p /home/users\nchmod 0755 /home/users\nuseradd -c me -s /bin/bash -m -d /home/users/me me\nmkdir -p /home/users/me/.ssh\nrm /home/users/me/.ssh/id_rsa\ncat >> /home/users/me/.ssh/id_rsa <<-'END_OF_JCLOUDS_FILE'\n\trsaprivate\nEND_OF_JCLOUDS_FILE\nchmod 600 /home/users/me/.ssh/id_rsa\nchown -R me /home/users/me\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testWithHomeUNIX() {
|
public void testWithHomeUNIX() {
|
||||||
assertEquals(UserAdd.builder().login("me").home("/myhome/myme").build().render(
|
assertEquals(UserAdd.builder().login("me").home("/myhome/myme").build().render(
|
||||||
OsFamily.UNIX),
|
OsFamily.UNIX),
|
||||||
"mkdir -p /myhome\nuseradd -c me -s /bin/bash -m -d /myhome/myme me\nchown -R me /myhome/myme\n");
|
"mkdir -p /myhome\nchmod 0755 /myhome\nuseradd -c me -s /bin/bash -m -d /myhome/myme me\nchown -R me /myhome/myme\n");
|
||||||
|
|
||||||
assertEquals(UserAdd.builder().login("me").home("/myhome/myme").defaultHome("/ignoreddefault").build().render(
|
assertEquals(UserAdd.builder().login("me").home("/myhome/myme").defaultHome("/ignoreddefault").build().render(
|
||||||
OsFamily.UNIX),
|
OsFamily.UNIX),
|
||||||
"mkdir -p /myhome\nuseradd -c me -s /bin/bash -m -d /myhome/myme me\nchown -R me /myhome/myme\n");
|
"mkdir -p /myhome\nchmod 0755 /myhome\nuseradd -c me -s /bin/bash -m -d /myhome/myme me\nchown -R me /myhome/myme\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test(expectedExceptions = UnsupportedOperationException.class)
|
@Test(expectedExceptions = UnsupportedOperationException.class)
|
||||||
|
|
|
@ -5,6 +5,7 @@ root ALL = (ALL) ALL
|
||||||
END_OF_FILE
|
END_OF_FILE
|
||||||
chmod 0440 /etc/sudoers
|
chmod 0440 /etc/sudoers
|
||||||
mkdir -p /home/users
|
mkdir -p /home/users
|
||||||
|
chmod 0755 /home/users
|
||||||
groupadd -f wheel
|
groupadd -f wheel
|
||||||
useradd -c defaultAdminUsername -s /bin/bash -g wheel -d /home/users/defaultAdminUsername -p 'crypt(0)' defaultAdminUsername
|
useradd -c defaultAdminUsername -s /bin/bash -g wheel -d /home/users/defaultAdminUsername -p 'crypt(0)' defaultAdminUsername
|
||||||
mkdir -p /home/users/defaultAdminUsername/.ssh
|
mkdir -p /home/users/defaultAdminUsername/.ssh
|
||||||
|
|
|
@ -4,6 +4,7 @@ cat > /etc/sudoers <<-'END_OF_JCLOUDS_FILE'
|
||||||
END_OF_JCLOUDS_FILE
|
END_OF_JCLOUDS_FILE
|
||||||
chmod 0440 /etc/sudoers
|
chmod 0440 /etc/sudoers
|
||||||
mkdir -p /over/ridden
|
mkdir -p /over/ridden
|
||||||
|
chmod 0755 /over/ridden
|
||||||
groupadd -f wheel
|
groupadd -f wheel
|
||||||
useradd -c 'foo' -s /bin/bash -g wheel -m -d /over/ridden/foo -p 'crypt(bar)' foo
|
useradd -c 'foo' -s /bin/bash -g wheel -m -d /over/ridden/foo -p 'crypt(bar)' foo
|
||||||
mkdir -p /over/ridden/foo/.ssh
|
mkdir -p /over/ridden/foo/.ssh
|
||||||
|
|
|
@ -4,6 +4,7 @@ cat > /etc/sudoers <<-'END_OF_JCLOUDS_FILE'
|
||||||
END_OF_JCLOUDS_FILE
|
END_OF_JCLOUDS_FILE
|
||||||
chmod 0440 /etc/sudoers
|
chmod 0440 /etc/sudoers
|
||||||
mkdir -p /over/ridden
|
mkdir -p /over/ridden
|
||||||
|
chmod 0755 /over/ridden
|
||||||
groupadd -f wheel
|
groupadd -f wheel
|
||||||
useradd -c 'JClouds Foo' -s /bin/bash -g wheel -m -d /over/ridden/foo -p 'crypt(bar)' foo
|
useradd -c 'JClouds Foo' -s /bin/bash -g wheel -m -d /over/ridden/foo -p 'crypt(bar)' foo
|
||||||
mkdir -p /over/ridden/foo/.ssh
|
mkdir -p /over/ridden/foo/.ssh
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
mkdir -p /home/users
|
mkdir -p /home/users
|
||||||
|
chmod 0755 /home/users
|
||||||
useradd -c 'defaultAdminUsername' -s /bin/bash -m -d /home/users/defaultAdminUsername -p 'crypt(0)' defaultAdminUsername
|
useradd -c 'defaultAdminUsername' -s /bin/bash -m -d /home/users/defaultAdminUsername -p 'crypt(0)' defaultAdminUsername
|
||||||
mkdir -p /home/users/defaultAdminUsername/.ssh
|
mkdir -p /home/users/defaultAdminUsername/.ssh
|
||||||
cat >> /home/users/defaultAdminUsername/.ssh/authorized_keys <<-'END_OF_JCLOUDS_FILE'
|
cat >> /home/users/defaultAdminUsername/.ssh/authorized_keys <<-'END_OF_JCLOUDS_FILE'
|
||||||
|
|
|
@ -4,6 +4,7 @@ cat > /etc/sudoers <<-'END_OF_JCLOUDS_FILE'
|
||||||
END_OF_JCLOUDS_FILE
|
END_OF_JCLOUDS_FILE
|
||||||
chmod 0440 /etc/sudoers
|
chmod 0440 /etc/sudoers
|
||||||
mkdir -p /home/users
|
mkdir -p /home/users
|
||||||
|
chmod 0755 /home/users
|
||||||
groupadd -f wheel
|
groupadd -f wheel
|
||||||
useradd -c 'defaultAdminUsername' -s /bin/bash -g wheel -m -d /home/users/defaultAdminUsername -p 'crypt(0)' defaultAdminUsername
|
useradd -c 'defaultAdminUsername' -s /bin/bash -g wheel -m -d /home/users/defaultAdminUsername -p 'crypt(0)' defaultAdminUsername
|
||||||
mkdir -p /home/users/defaultAdminUsername/.ssh
|
mkdir -p /home/users/defaultAdminUsername/.ssh
|
||||||
|
|