enhanced user management

This commit is contained in:
Thomas von Dein 2024-12-16 14:23:45 +01:00
parent ef31172e81
commit e6baefdbd5
6 changed files with 172 additions and 116 deletions

13
TODO.md

@ -14,3 +14,16 @@ test the current setup: does it get configured and how does it limit
users? also check if new users belong to login class "jail" and test users? also check if new users belong to login class "jail" and test
their limits their limits
## devzat file busy still failing
https://github.com/BastilleBSD/bastille/issues/772
## ZFS quota
zfs set groupquota@bsdnixer=10MB zhcloud/home
zfs get groupquota@bsdnixer zhcloud/home
zfs groupspace zhcloud/home
zfs userspace zhcloud/home


@ -62,12 +62,21 @@ defaults:
jailbase: /usr/local/bastille/jails jailbase: /usr/local/bastille/jails
jailgroups: jailgroups:
- name: first
state: present
id: 4000
- name: bsdnixer - name: bsdnixer
state: present state: present
jailusers: jailusers:
- name: first
state: present
id: 4000
- name: scip - name: scip
state: present state: present
- name: tuud
group: wheel
state: present
- name: tom - name: tom
state: present state: present


@ -1,17 +1,18 @@
SERVICE devzat stop SERVICE devzat stop
CP usr /
SYSRC sendmail_enable=NONE SYSRC sendmail_enable=NONE
SYSRC tmpsize=500m SYSRC tmpsize=500m
SYSRC tmpmfs=AUTO SYSRC tmpmfs=AUTO
SYSRC clear_tmp_enable=YES SYSRC clear_tmp_enable=YES
SYSRC devzat_enable=YES SYSRC devzat_enable=YES
CMD if test -L /home; then rm /home; fi CMD if test -L /home; then rm /home; fi
CMD mkdir -p /home CMD mkdir -p /home
FSTAB /home home nullfs rw 0 0 FSTAB /home home nullfs rw 0 0
CMD install -d -o nobody -m 700 /home/devzat CMD install -d -o nobody -m 700 /home/devzat
CP usr /
SERVICE devzat start SERVICE devzat start


@ -2,6 +2,7 @@
rootdir="" rootdir=""
group="" group=""
id=""
action="" action=""
usage() { usage() {
@ -16,7 +17,7 @@ run() {
} }
OPTIND=1 OPTIND=1
while getopts d:g:a: opt ; do while getopts d:g:a:i: opt ; do
case $opt in case $opt in
d) d)
rootdir="$OPTARG" rootdir="$OPTARG"
@ -24,6 +25,9 @@ while getopts d:g:a: opt ; do
g) g)
group="$OPTARG" group="$OPTARG"
;; ;;
i)
id="$OPTARG"
;;
a) a)
action="$OPTARG" action="$OPTARG"
;; ;;
@ -39,10 +43,16 @@ if test -z "$group" -o -z "$action"; then
usage usage
fi fi
root="" # we do it once for $rootdir and once on the host to have synchronous groups
for root in "$rootdir" ""; do
args=""
if test -n "$rootdir"; then if test -n "$root"; then
root="-R $rootdir" root="-R $root"
fi
if test -n "$id"; then
args="-g $id"
fi fi
case "$action" in case "$action" in
@ -52,7 +62,7 @@ case "$action" in
echo "$group exists." echo "$group exists."
fi fi
else else
run pw $root group add "$group" run pw $root group add "$group" $args
fi fi
;; ;;
absent) absent)
@ -64,3 +74,4 @@ case "$action" in
usage usage
;; ;;
esac esac
done
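Review bot: `id` is spliced into `args="-g $id"` without any check that it is numeric, and the caller hands it over through `-i '...'` from a template value, so a non-numeric or placeholder value reaches `pw group add` unchecked; after the `getopts` loop add `case "$id" in *[!0-9]*) echo "id must be numeric" >&2; usage ;; esac` (an empty `id` still passes the guard). The same check belongs in user.sh, where the value becomes `-u $id`. On the host pass (`root` empty) the same gid is also requested on the host, so the create fails if that gid is already taken there; whether `run` aborts the loop at that point is not visible in this section. The `for root` loop body continues through a `case` whose arms start outside the hunks shown.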


@ -11,6 +11,7 @@ shell="/usr/local/bin/bash"
comment="" comment=""
loginclass="jail" loginclass="jail"
action="" action=""
id=""
usage() { usage() {
echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action" echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
@ -35,7 +36,7 @@ run() {
# parse commandline flags # parse commandline flags
OPTIND=1 OPTIND=1
while getopts d:u:h:g:s:c:a: opt ; do while getopts d:u:h:g:s:c:a:i: opt ; do
case $opt in case $opt in
d) d)
rootdir="$OPTARG" rootdir="$OPTARG"
@ -43,6 +44,9 @@ while getopts d:u:h:g:s:c:a: opt ; do
u) u)
user="$OPTARG" user="$OPTARG"
;; ;;
i)
id="$OPTARG"
;;
h) h)
home="$OPTARG" home="$OPTARG"
;; ;;
@ -70,12 +74,20 @@ if test -z "$user" -o -z "$action"; then
usage usage
fi fi
# we do it once for $rootdir and once on the host to have synchronous
# users, however, host users will be locked, unless they are in group
# wheel
for root in "$rootdir" ""; do
# setup pw flags # setup pw flags
args="" args=""
root="" skel=""
if test -n "$rootdir"; then
root="-R $rootdir" if test -n "$root"; then
root="-R $root"
if test -d "$root/etc/skel"; then
skel="-k /etc/skel"
fi
fi fi
if test -n "$groups"; then if test -n "$groups"; then
@ -83,9 +95,9 @@ if test -n "$groups"; then
fi fi
if test -n "$home"; then if test -n "$home"; then
args="$args -d $home -k /etc/skel -m -M 700" args="$args -d $home $skel -m -M 700"
else else
args="$args -d /home/$user -k /etc/skel -m -M 700" args="$args -d /home/$user $skel -m -M 700"
fi fi
if test -n "$shell"; then if test -n "$shell"; then
@ -102,19 +114,28 @@ if test -n "$loginclass"; then
args="$args -L $loginclass" args="$args -L $loginclass"
fi fi
if test -n "$id"; then
args="$args -u $id"
fi
# the horse shall work # the horse shall work
case "$action" in case "$action" in
present) present)
if pw $root user show "$user" > /dev/null 2>&1; then if pw $root user show "$user" > /dev/null 2>&1; then
if pw $root user show "$user" | grep -q LOCKED; then if pw $root user show "$user" | grep -q LOCKED; then
# user is present but locked # user is present but locked
run pw unlock "$user" run pw $root unlock "$user"
else else
echo "$user exists." echo "$user exists."
fi fi
else else
# create user # create user
run pw $root user add "$user" $args run pw $root user add "$user" $args
# if we're running on host and the user is a regular jail user, lock them
if test -z "$root" -a "$groups" != "wheel"; then
run pw lock "$user"
fi
fi fi
if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
@ -158,7 +179,7 @@ case "$action" in
echo "$user is already locked." echo "$user is already locked."
else else
# lock'em out # lock'em out
run pw lock "$user" run pw $root lock "$user"
fi fi
fi fi
;; ;;
@ -166,3 +187,4 @@ case "$action" in
usage usage
;; ;;
esac esac
done
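Review bot: The skel probe `if test -d "$root/etc/skel"` runs after `root="-R $root"` has already turned the variable into a flag string, so the path tested is `-R <jailroot>/etc/skel`, `skel` is never set and `-k /etc/skel` is silently dropped from every `user add`; probe the directory before rewriting `root`. Second, on the host pass (`root` empty) the `present` branch reaches `run pw $root unlock "$user"` whenever the account is LOCKED, which undoes the lock this same script applies after creating non-wheel users, so every re-run of the playbook unlocks the host account; skip the unlock under the same host-and-not-wheel condition used after `user add`. The `"$groups" != "wheel"` comparison also fails for a comma-separated group list that contains wheel, which may or may not be intended. The `for root` loop and the `case` start before the hunks shown here.
```shell
if test -n "$root"; then
  # probe the jail root before it is rewritten into the -R flag
  if test -d "$root/etc/skel"; then
    skel="-k /etc/skel"
  fi
  root="-R $root"
fi
# … unchanged: args assembly …
if pw $root user show "$user" | grep -q LOCKED; then
  if test -z "$root" -a "$groups" != "wheel"; then
    # host account of a regular jail user: leave it locked
    echo "$user exists (locked on host)."
  else
    # user is present but locked
    run pw $root unlock "$user"
  fi
# … unchanged: else branch and user creation …
```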


@ -97,7 +97,7 @@
# create our own group[s] # create our own group[s]
- name: Manage groups - name: Manage groups
loop: "{{ jailgroups }}" loop: "{{ jailgroups }}"
ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root" ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -i '{{ item.id | default(None) }}' -d /usr/local/bastille/jails/{{ role_name }}/root"
# The normal ansible user module can't be used here, because we're # The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to # talking about jail users here. I tried to patch the module to
@ -109,7 +109,7 @@
# well. # well.
- name: Manage users - name: Manage users
loop: "{{ jailusers }}" loop: "{{ jailusers }}"
ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root" ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -i '{{ item.id | default(None) }}' -d {{ defaults.jailbase }}/{{ role_name }}/root"
- name: add dns entry for jail host - name: add dns entry for jail host
community.dns.hetzner_dns_record: community.dns.hetzner_dns_record:
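Review bot: `default(None)` in the new `-i '{{ item.id | default(None) }}'` argument most likely renders as the literal string `None` when `item.id` is absent, so group.sh and user.sh then see a non-empty `id` and pass `-g None` / `-u None` to pw, which the scripts' `test -n "$id"` guards cannot catch. Use an empty default instead, `-i '{{ item.id | default('') }}'`, so an omitted id yields `-i ''` and the guards stay effective. The same applies to the Manage groups task earlier in this file.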