mirror of
https://github.com/iiab/iiab.git
synced 2025-03-09 15:40:17 +00:00
A Holt
GitHub
commit
797873b885
8 changed files with 98 additions and 70 deletions
|
|
@ -1,25 +1,26 @@
|
|||
- name: Create user {{ iiab_admin_user }} for Admin Console; set password from iiab_admin_pwd_hash if newly creating account
|
||||
- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account
|
||||
user:
|
||||
name: "{{ iiab_admin_user }}"
|
||||
name: "{{ iiab_admin_user }}" # iiab-admin
|
||||
password: "{{ iiab_admin_pwd_hash }}"
|
||||
update_password: on_create
|
||||
shell: /bin/bash
|
||||
groups: sudo
|
||||
|
||||
- name: Create a wheel group
|
||||
group:
|
||||
name: wheel
|
||||
state: present
|
||||
#- name: Create a wheel group
|
||||
# group:
|
||||
# name: wheel
|
||||
# state: present
|
||||
|
||||
- name: Create a sudo group (redhat)
|
||||
group:
|
||||
name: sudo
|
||||
state: present
|
||||
when: is_redhat | bool
|
||||
#- name: Create a sudo group (redhat)
|
||||
# group:
|
||||
# name: sudo
|
||||
# state: present
|
||||
# when: is_redhat | bool
|
||||
|
||||
- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
|
||||
user:
|
||||
name: "{{ iiab_admin_user }}"
|
||||
groups: wheel,sudo
|
||||
#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
|
||||
# user:
|
||||
# name: "{{ iiab_admin_user }}"
|
||||
# groups: wheel,sudo
|
||||
|
||||
- name: Edit the sudoers file -- first make it editable
|
||||
file:
|
||||
|
|
@ -33,10 +34,12 @@
|
|||
dest: /etc/sudoers
|
||||
state: present
|
||||
|
||||
- name: Lets wheel sudo without password
|
||||
lineinfile:
|
||||
line: "%wheel ALL= NOPASSWD: ALL"
|
||||
dest: /etc/sudoers
|
||||
#- name: Lets {{ iiab_admin_user }} sudo without password
|
||||
##- name: Lets wheel sudo without password
|
||||
# lineinfile:
|
||||
# line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
|
||||
## line: "%wheel ALL= NOPASSWD: ALL"
|
||||
# dest: /etc/sudoers
|
||||
|
||||
- name: Remove the line which requires tty
|
||||
lineinfile:
|
||||
|
|
|
|||
|
|
@ -3,20 +3,6 @@
|
|||
|
||||
- include_tasks: access.yml
|
||||
|
||||
- name: Add 'iiab-admin' variable values to {{ iiab_ini_file }}
|
||||
ini_file:
|
||||
dest: "{{ iiab_ini_file }}"
|
||||
section: iiab-admin
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value | string }}"
|
||||
with_items:
|
||||
- option: name
|
||||
value: iiab-admin
|
||||
- option: description
|
||||
value: '"Admin User"'
|
||||
- option: iiab_admin_user
|
||||
value: "{{ iiab_admin_user }}"
|
||||
|
||||
- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
|
||||
template:
|
||||
src: sshpwd-profile-iiab.sh
|
||||
|
|
@ -61,3 +47,18 @@
|
|||
path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
|
||||
regexp: '^iiab_admin_installed'
|
||||
line: 'iiab_admin_installed: True'
|
||||
|
||||
|
||||
- name: Add 'iiab-admin' variable values to {{ iiab_ini_file }}
|
||||
ini_file:
|
||||
dest: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
|
||||
section: iiab-admin
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value | string }}"
|
||||
with_items:
|
||||
- option: name
|
||||
value: iiab-admin
|
||||
- option: description
|
||||
value: '"Admin User"'
|
||||
- option: iiab_admin_user
|
||||
value: "{{ iiab_admin_user }}"
|
||||
|
|
|
|||
|
|
@ -1,12 +1,20 @@
|
|||
#!/bin/bash
|
||||
|
||||
export TEXTDOMAIN=pprompt-iiab
|
||||
# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
|
||||
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
|
||||
|
||||
. gettext.sh
|
||||
# For Localization/Translation: (use /usr/bin/gettext below if later nec!)
|
||||
#export TEXTDOMAIN=pprompt-iiab
|
||||
#. gettext.sh
|
||||
# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh
|
||||
# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh
|
||||
|
||||
# bash syntax "function check_user_pwd() {" was removed, as it prevented all
|
||||
# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
|
||||
check_user_pwd() {
|
||||
id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user
|
||||
# *BUT* overall bash script still returns exit code 0 ("success")
|
||||
|
||||
# $meth (hashing method) is typically '6' which implies 5000 rounds
|
||||
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
|
||||
meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
||||
|
|
@ -15,14 +23,10 @@ check_user_pwd() {
|
|||
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
|
||||
}
|
||||
|
||||
# Credit to the folks at the Raspberry Pi Foundation
|
||||
check_hash() {
|
||||
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
|
||||
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
|
||||
if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
|
||||
zenity --warning --width=600 --text="SSH is enabled and the default password for user 'iiab-admin' is in use.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
|
||||
fi
|
||||
}
|
||||
#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return
|
||||
#systemctl is-active {{ sshd_service }} || return
|
||||
|
||||
systemctl is-active {{ sshd_service }} > /dev/null && check_hash
|
||||
unset check_hash
|
||||
if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n
|
||||
zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
|
||||
#zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,31 +1,51 @@
|
|||
#!/bin/bash
|
||||
|
||||
export TEXTDOMAIN=Linux-PAM
|
||||
# SEE ALSO: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh sourced from...
|
||||
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
|
||||
# ...invoked by /etc/xdg/lxsession/LXDE-pi/autostart which is customized by...
|
||||
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L32-L36
|
||||
|
||||
. gettext.sh
|
||||
# For Localization/Translation: (use /usr/bin/gettext below if later nec!)
|
||||
#export TEXTDOMAIN=Linux-PAM
|
||||
#. gettext.sh
|
||||
# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh
|
||||
# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh
|
||||
|
||||
# bash syntax "function check_user_pwd() {" was removed, as it prevented all
|
||||
# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
|
||||
check_user_pwd() {
|
||||
|
||||
id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user
|
||||
# *BUT* overall bash script still returns exit code 0 ("success")
|
||||
|
||||
# $meth (hashing method) is typically '6' which implies 5000 rounds
|
||||
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
|
||||
meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
||||
salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
||||
hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
||||
meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
||||
salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
||||
hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
||||
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
|
||||
}
|
||||
|
||||
# Credit to the folks at the Raspberry Pi Foundation
|
||||
check_hash() {
|
||||
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
|
||||
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
|
||||
if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
|
||||
echo
|
||||
echo $(/usr/bin/gettext "SSH is enabled and the published password for user 'iiab-admin' is in use.")
|
||||
echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.")
|
||||
echo
|
||||
fi
|
||||
}
|
||||
[ $(id -un) = "root" ] || return # MUST be executed as root! Non-root logins
|
||||
# were blocking on above permissions to grep /etc/shadow. As it's unreasonable
|
||||
# to provide sudo privs to every user (with "NOPASSWD:" password-free sudo
|
||||
# access or not, as required by graphical logins!) iiab/iiab#2561
|
||||
|
||||
systemctl is-active {{ sshd_service }} > /dev/null && check_hash
|
||||
unset check_hash
|
||||
# 2020-10-10 RECAP: most logins (graphical or tty) blocked on above [sudo] grep
|
||||
# (at least tty logins finally let sudoers in, after entering password twice!)
|
||||
# EXCEPTION: ALL GRAPHICAL logins to Raspberry Pi OS still worked, no matter
|
||||
# whether sshpwd-lxde-iiab.sh's "sudo grep" displayed our popup warning or not!
|
||||
|
||||
#[ $(id -un) = "{{ iiab_admin_user }}" ] || [ $(id -un) = "root" ] || return
|
||||
# HISTORICAL: if password-free sudo access is truly nec, it can be set with
|
||||
# "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older:
|
||||
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
|
||||
# BUT: popup warnings still don't appear on most OS's, much as mentioned here:
|
||||
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30
|
||||
|
||||
if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n
|
||||
echo
|
||||
echo "Published password in use by user '{{ iiab_admin_user }}'."
|
||||
echo "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it."
|
||||
echo
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -4,5 +4,5 @@
|
|||
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
|
||||
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
|
||||
|
||||
phpmyadmin_name: "phpMyAdmin-5.0.2-all-languages"
|
||||
phpmyadmin_name: "phpMyAdmin-5.0.3-all-languages" # D/l from http://download.iiab.io/packages
|
||||
phpmyadmin_name_zip: "{{ phpmyadmin_name }}.zip"
|
||||
|
|
|
|||
|
|
@ -10,14 +10,14 @@
|
|||
|
||||
- name: Download {{ iiab_download_url }}/{{ phpmyadmin_name_zip }} to {{ downloads_dir }}
|
||||
get_url:
|
||||
url: "{{ iiab_download_url }}/{{ phpmyadmin_name_zip }}"
|
||||
url: "{{ iiab_download_url }}/{{ phpmyadmin_name_zip }}" # e.g. http://download.iiab.io/packages/phpMyAdmin-5.0.3-all-languages.zip
|
||||
dest: "{{ downloads_dir }}"
|
||||
timeout: "{{ download_timeout }}"
|
||||
when: internet_available | bool
|
||||
|
||||
- name: Does {{ downloads_dir }}/{{ phpmyadmin_name_zip }} exist? # e.g. /opt/iiab/downloads/phpMyAdmin-5.0.2-all-languages.zip
|
||||
- name: Does {{ downloads_dir }}/{{ phpmyadmin_name_zip }} exist?
|
||||
stat:
|
||||
path: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }}"
|
||||
path: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }}" # e.g. /opt/iiab/downloads/phpMyAdmin-5.0.3-all-languages.zip
|
||||
register: phpmyadmin_dl
|
||||
|
||||
- name: FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ phpmyadmin_name_zip }} doesn't exist
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ sugarizer_dir_version: sugarizer-1.4.0 # WAS: sugarizer-1.0, sugarizer-master
|
|||
sugarizer_git_version: v1.4.0 # WAS: v1.0.1, master, v1.1.0, v1.2.0, v1.3.0
|
||||
# PLEASE HELP MONITOR https://github.com/llaske/sugarizer/releases
|
||||
|
||||
sugarizer_server_dir_version: sugarizer-server-1.2.0 # WAS: sugarizer-server-1.0, sugarizer-server-master, sugarizer-server-dev, sugarizer-server-1.1.0, sugarizer-server-1.1.1
|
||||
sugarizer_server_git_version: v1.2.0 # WAS: v1.0.1, master, dev, f27bf6acd56aba6d99116ef471ca713b0f0dfed3, v1.1.0, v1.1.1
|
||||
sugarizer_server_dir_version: sugarizer-server-1.3.0 # WAS: sugarizer-server-1.0, sugarizer-server-master, sugarizer-server-dev, sugarizer-server-1.1.0, sugarizer-server-1.1.1, sugarizer-server-1.2.0
|
||||
sugarizer_server_git_version: v1.3.0 # WAS: v1.0.1, master, dev, f27bf6acd56aba6d99116ef471ca713b0f0dfed3, v1.1.0, v1.1.1, v1.2.0
|
||||
# PLEASE HELP MONITOR https://github.com/llaske/sugarizer-server/commits/dev
|
||||
# AND https://github.com/llaske/sugarizer-server/releases
|
||||
|
|
|
|||
|
|
@ -86,7 +86,7 @@
|
|||
template:
|
||||
src: 020_apache_poweroff.j2
|
||||
dest: /etc/sudoers.d/020_apache_poweroff
|
||||
mode: '0755'
|
||||
mode: '0440'
|
||||
when: apache_allow_sudo | bool
|
||||
|
||||
- name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue