Merge pull request #2566 from holta/etc-profile.d

Fix for Graphical and TTY Logins [clean up auto-checking for iiab-admin's published password]

roles/iiab-admin/tasks/admin-user.yml

@@ -1,25 +1,26 @@
-- name: Create user {{ iiab_admin_user }} for Admin Console; set password from iiab_admin_pwd_hash if newly creating account
+- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account
   user:
-    name: "{{ iiab_admin_user }}"
+    name: "{{ iiab_admin_user }}"    # iiab-admin
     password: "{{ iiab_admin_pwd_hash }}"
     update_password: on_create
     shell: /bin/bash
+    groups: sudo
 
-- name: Create a wheel group
-  group:
-    name: wheel
-    state: present
+#- name: Create a wheel group
+#  group:
+#    name: wheel
+#    state: present
 
-- name: Create a sudo group (redhat)
-  group:
-    name: sudo
-    state: present
-  when: is_redhat | bool
+#- name: Create a sudo group (redhat)
+#  group:
+#    name: sudo
+#    state: present
+#  when: is_redhat | bool
 
-- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
-  user:
-    name: "{{ iiab_admin_user }}"
-    groups: wheel,sudo
+#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
+#  user:
+#    name: "{{ iiab_admin_user }}"
+#    groups: wheel,sudo
 
 - name: Edit the sudoers file -- first make it editable
   file:
@@ -33,10 +34,12 @@
     dest: /etc/sudoers
     state: present
 
-- name: Lets wheel sudo without password
-  lineinfile:
-    line: "%wheel ALL= NOPASSWD: ALL"
-    dest: /etc/sudoers
+#- name: Lets {{ iiab_admin_user }} sudo without password
+##- name: Lets wheel sudo without password
+#  lineinfile:
+#    line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
+##    line: "%wheel ALL= NOPASSWD: ALL"
+#    dest: /etc/sudoers
 
 - name: Remove the line which requires tty
   lineinfile:

roles/iiab-admin/tasks/main.yml

@@ -3,20 +3,6 @@
 
 - include_tasks: access.yml
 
-- name: Add 'iiab-admin' variable values to {{ iiab_ini_file }}
-  ini_file:
-    dest: "{{ iiab_ini_file }}"
-    section: iiab-admin
-    option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
-  with_items:
-    - option: name
-      value: iiab-admin
-    - option: description
-      value: '"Admin User"'
-    - option: iiab_admin_user
-      value: "{{ iiab_admin_user }}"
-
 - name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
   template:
     src: sshpwd-profile-iiab.sh
@@ -61,3 +47,18 @@
     path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
     regexp: '^iiab_admin_installed'
     line: 'iiab_admin_installed: True'
+
+
+- name: Add 'iiab-admin' variable values to {{ iiab_ini_file }}
+  ini_file:
+    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: iiab-admin
+    option: "{{ item.option }}"
+    value: "{{ item.value | string }}"
+  with_items:
+    - option: name
+      value: iiab-admin
+    - option: description
+      value: '"Admin User"'
+    - option: iiab_admin_user
+      value: "{{ iiab_admin_user }}"

roles/iiab-admin/templates/sshpwd-lxde-iiab.sh

@@ -1,12 +1,20 @@
 #!/bin/bash
 
-export TEXTDOMAIN=pprompt-iiab
+# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
 
-. gettext.sh
+# For Localization/Translation: (use /usr/bin/gettext below if later nec!)
+#export TEXTDOMAIN=pprompt-iiab
+#. gettext.sh
+# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh
+# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh
 
 # bash syntax "function check_user_pwd() {" was removed, as it prevented all
 # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
 check_user_pwd() {
+    id -u $1 > /dev/null 2>&1 || return 2    # FORCE ERROR if no such user
+    # *BUT* overall bash script still returns exit code 0 ("success")
+
     # $meth (hashing method) is typically '6' which implies 5000 rounds
     # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
     meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
@@ -15,14 +23,10 @@ check_user_pwd() {
     [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
 }
 
-# Credit to the folks at the Raspberry Pi Foundation
-check_hash() {
-   if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
-   if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
-   if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
-       zenity --warning --width=600 --text="SSH is enabled and the default password for user 'iiab-admin' is in use.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
-   fi
-}
+#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return
+#systemctl is-active {{ sshd_service }} || return
 
-systemctl is-active {{ sshd_service }} > /dev/null && check_hash
-unset check_hash
+if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then    # iiab-admin
+    zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
+    #zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
+fi

roles/iiab-admin/templates/sshpwd-profile-iiab.sh

@@ -1,31 +1,51 @@
 #!/bin/bash
 
-export TEXTDOMAIN=Linux-PAM
+# SEE ALSO: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh sourced from...
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+# ...invoked by /etc/xdg/lxsession/LXDE-pi/autostart which is customized by...
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L32-L36
 
-. gettext.sh
+# For Localization/Translation: (use /usr/bin/gettext below if later nec!)
+#export TEXTDOMAIN=Linux-PAM
+#. gettext.sh
+# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh
+# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh
 
 # bash syntax "function check_user_pwd() {" was removed, as it prevented all
 # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
 check_user_pwd() {
+
+    id -u $1 > /dev/null 2>&1 || return 2    # FORCE ERROR if no such user
+    # *BUT* overall bash script still returns exit code 0 ("success")
+
     # $meth (hashing method) is typically '6' which implies 5000 rounds
     # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
-    meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
-    salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
-    hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
+    meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
+    salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
+    hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
     [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
 }
 
-# Credit to the folks at the Raspberry Pi Foundation
-check_hash() {
-    if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
-    if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
-    if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
-        echo
-        echo $(/usr/bin/gettext "SSH is enabled and the published password for user 'iiab-admin' is in use.")
-        echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.")
-        echo
-     fi
-}
+[ $(id -un) = "root" ] || return   # MUST be executed as root!  Non-root logins
+# were blocking on above permissions to grep /etc/shadow.  As it's unreasonable
+# to provide sudo privs to every user (with "NOPASSWD:" password-free sudo
+# access or not, as required by graphical logins!)  iiab/iiab#2561
 
-systemctl is-active {{ sshd_service }} > /dev/null && check_hash
-unset check_hash
+# 2020-10-10 RECAP: most logins (graphical or tty) blocked on above [sudo] grep
+# (at least tty logins finally let sudoers in, after entering password twice!)
+# EXCEPTION: ALL GRAPHICAL logins to Raspberry Pi OS still worked, no matter
+# whether sshpwd-lxde-iiab.sh's "sudo grep" displayed our popup warning or not!
+
+#[ $(id -un) = "{{ iiab_admin_user }}" ] || [ $(id -un) = "root" ] || return
+# HISTORICAL: if password-free sudo access is truly nec, it can be set with
+# "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
+# BUT: popup warnings still don't appear on most OS's, much as mentioned here:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30
+
+if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then    # iiab-admin
+    echo
+    echo "Published password in use by user '{{ iiab_admin_user }}'."
+    echo "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it."
+    echo
+fi

roles/www_options/tasks/main.yml

@@ -86,7 +86,7 @@
   template:
     src: 020_apache_poweroff.j2
     dest: /etc/sudoers.d/020_apache_poweroff
-    mode: '0755'
+    mode: '0440'
   when: apache_allow_sudo | bool
 
 - name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff