enhanced user management

This commit is contained in:
Thomas von Dein 2024-12-16 14:23:45 +01:00
parent ef31172e81
commit e6baefdbd5
6 changed files with 172 additions and 116 deletions

13
TODO.md

@ -14,3 +14,16 @@ test the current setup: does it get configured and how does it limit
users? also check if new users belong to login class "jail" and test
their limits
## devzat file busy still failing
https://github.com/BastilleBSD/bastille/issues/772
## ZFS quota
zfs set groupquota@bsdnixer=10MB zhcloud/home
zfs get groupquota@bsdnixer zhcloud/home
zfs groupspace zhcloud/home
zfs userspace zhcloud/home


@ -62,12 +62,21 @@ defaults:
jailbase: /usr/local/bastille/jails
jailgroups:
- name: first
state: present
id: 4000
- name: bsdnixer
state: present
jailusers:
- name: first
state: present
id: 4000
- name: scip
state: present
- name: tuud
group: wheel
state: present
- name: tom
state: present


@ -1,17 +1,18 @@
SERVICE devzat stop
CP usr /
SYSRC sendmail_enable=NONE
SYSRC tmpsize=500m
SYSRC tmpmfs=AUTO
SYSRC clear_tmp_enable=YES
SYSRC devzat_enable=YES
CMD if test -L /home; then rm /home; fi
CMD mkdir -p /home
FSTAB /home home nullfs rw 0 0
CMD install -d -o nobody -m 700 /home/devzat
CP usr /
SERVICE devzat start


@ -2,6 +2,7 @@
rootdir=""
group=""
id=""
action=""
usage() {
@ -16,7 +17,7 @@ run() {
}
OPTIND=1
while getopts d:g:a: opt ; do
while getopts d:g:a:i: opt ; do
case $opt in
d)
rootdir="$OPTARG"
@ -24,6 +25,9 @@ while getopts d:g:a: opt ; do
g)
group="$OPTARG"
;;
i)
id="$OPTARG"
;;
a)
action="$OPTARG"
;;
@ -39,10 +43,16 @@ if test -z "$group" -o -z "$action"; then
usage
fi
root=""
# we do it once for $rootdir and once on the host to have synchronous groups
for root in "$rootdir" ""; do
args=""
if test -n "$rootdir"; then
root="-R $rootdir"
if test -n "$root"; then
root="-R $root"
fi
if test -n "$id"; then
args="-g $id"
fi
case "$action" in
@ -52,7 +62,7 @@ case "$action" in
echo "$group exists."
fi
else
run pw $root group add "$group"
run pw $root group add "$group" $args
fi
;;
absent)
@ -64,3 +74,4 @@ case "$action" in
usage
;;
esac
done
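Review bot: The new `-i` value is spliced into `args="-g $id"` and then word-split into `pw $root group add "$group" $args` without any check that it is numeric, so a bad value only surfaces as a pw failure after the exists-check has already passed; the playbook side passes `-i '{{ item.id | default(None) }}'`, which — if Jinja renders a None default as the literal string None, as it normally does — means every entry without an explicit id arrives here as non-numeric. Guard it right after the `-z "$group"` check, e.g. `case "$id" in *[!0-9]*) echo "invalid id: $id" >&2; usage ;; esac`, and have the playbook default to `''` rather than `None`; the same applies to `args="$args -u $id"` in user.sh. Also worth a one-line comment on the new loop: when `-d` is not given, `for root in "$rootdir" ""` runs both iterations against the host, which is harmless for `present` only because the exists-check short-circuits. The `case "$action"` block and `usage` are defined outside the visible hunks.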


@ -11,6 +11,7 @@ shell="/usr/local/bin/bash"
comment=""
loginclass="jail"
action=""
id=""
usage() {
echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
@ -35,7 +36,7 @@ run() {
# parse commandline flags
OPTIND=1
while getopts d:u:h:g:s:c:a: opt ; do
while getopts d:u:h:g:s:c:a:i: opt ; do
case $opt in
d)
rootdir="$OPTARG"
@ -43,6 +44,9 @@ while getopts d:u:h:g:s:c:a: opt ; do
u)
user="$OPTARG"
;;
i)
id="$OPTARG"
;;
h)
home="$OPTARG"
;;
@ -70,12 +74,20 @@ if test -z "$user" -o -z "$action"; then
usage
fi
# we do it once for $rootdir and once on the host to have synchronous
# users, however, host users will be locked, unless they are in group
# wheel
for root in "$rootdir" ""; do
# setup pw flags
args=""
root=""
skel=""
if test -n "$rootdir"; then
root="-R $rootdir"
if test -n "$root"; then
root="-R $root"
if test -d "$root/etc/skel"; then
skel="-k /etc/skel"
fi
fi
if test -n "$groups"; then
@ -83,9 +95,9 @@ if test -n "$groups"; then
fi
if test -n "$home"; then
args="$args -d $home -k /etc/skel -m -M 700"
args="$args -d $home $skel -m -M 700"
else
args="$args -d /home/$user -k /etc/skel -m -M 700"
args="$args -d /home/$user $skel -m -M 700"
fi
if test -n "$shell"; then
@ -102,19 +114,28 @@ if test -n "$loginclass"; then
args="$args -L $loginclass"
fi
if test -n "$id"; then
args="$args -u $id"
fi
# the horse shall work
case "$action" in
present)
if pw $root user show "$user" > /dev/null 2>&1; then
if pw $root user show "$user" | grep -q LOCKED; then
# user is present but locked
run pw unlock "$user"
run pw $root unlock "$user"
else
echo "$user exists."
fi
else
# create user
run pw $root user add "$user" $args
# if we're running on host and the user is a regular jail user, lock them
if test -z "$root" -a "$groups" != "wheel"; then
run pw lock "$user"
fi
fi
if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
@ -158,7 +179,7 @@ case "$action" in
echo "$user is already locked."
else
# lock'em out
run pw lock "$user"
run pw $root lock "$user"
fi
fi
;;
@ -166,3 +187,4 @@ case "$action" in
usage
;;
esac
done
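Review bot: In the `@ -70,12 +74,20 @@` hunk the skeleton check `if test -d "$root/etc/skel"` runs after `root` has already been rewritten to `-R $rootdir`, so it tests a path that literally begins with `-R ` and can never be a directory; `skel` therefore stays empty and jail users are now created without the `-k /etc/skel` the removed lines passed unconditionally. Inside that branch `$root` equals `$rootdir` (the loop iterates `"$rootdir" ""`), so either test the plain directory, `if test -d "$rootdir/etc/skel"; then`, or move `root="-R $root"` below the check. The `for root in ...` loop opens in that hunk and closes at the final `done`, while the `case "$action"` block spans several hunks, so the `-z "$root"` test used for host-side locking depends on the rewritten value being empty only on the host iteration.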


@ -97,7 +97,7 @@
# create our own group[s]
- name: Manage groups
loop: "{{ jailgroups }}"
ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -i '{{ item.id | default(None) }}' -d /usr/local/bastille/jails/{{ role_name }}/root"
# The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to
@ -109,7 +109,7 @@
# well.
- name: Manage users
loop: "{{ jailusers }}"
ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -i '{{ item.id | default(None) }}' -d {{ defaults.jailbase }}/{{ role_name }}/root"
- name: add dns entry for jail host
community.dns.hetzner_dns_record: