def user_remove(admin):
""" create a user
"""
setup_env_for_user(admin)
run("userdel %s" % admin)
run("rm -fr %(admin_home_dir)s" % env)
def secure_account(user_account):
""" ensures owner is correctly set on all files under $HOME of user_account, and limit appropriately for ssh
"""
setup_env_for_user()
sudo('chown -R {0} ~{0}/.'.format(user_account))
sudo('chmod 700 ~{0}/. ~{0}/.ssh'.format(user_account))
sudo('chmod 600 ~{0}/.ssh/authorized_keys'.format(user_account))
print_successful()
def chown():
""" setup right permission on the install dir
"""
setup_env_for_user()
# run('chown -R :%(group)s %(PREFIX)s' % env)
# run('chmod g+rwx %(PREFIX)s' % env)
run('chown -R %(admin)s:%(group)s %(admin_home_dir)s' % env)
run('chmod -R ug+rwx %(admin_home_dir)s ' % env)
def bin_utils(port=None):
"""copy user utilities to $HOME/bin directory"""
if port is None:
setup_env_for_user()
env.http_port = run('echo $HTTP_LISTEN_PORT')
_upload_template("bin/activate", "%(base)s/bin/activate")
run('chmod ug+x %(base)s/bin/*' % env)
def create_user(user_account, password):
setup_env_for_user()
execute(root.user_create, user_account, password)
user_add_ssh(user_account, pub_key_file=env.key_filename + '.pub', use_sudo=True)
dummy_port = 123 # bh sets env variable 'HTTP_LISTENING_PORT' to this one, but we won't use that env var
execute(user.init_home_env, dummy_port, hosts=new_host_string(user=user_account))
sudo('mkdir -p ~{}/conf'.format(user_account))
secure_account(user_account)
print_successful()
def user_setup(admin, password='******'):
""" reinitialize user environment homedir and password
"""
setup_env_for_user(admin)
with settings(pwd=crypt.crypt(password, ".sax/")):
sudo('mkdir -p %(admin_home_dir)s' % env)
sudo('touch %(admin_home_dir)s/.scout' % env)
sudo('usermod -p "%(pwd)s" -g %(group)s -d %(admin_home_dir)s -s /bin/bash %(admin)s' % env)
sudo('touch %(admin_home_dir)s/.scout' % env)
chown()
def bootstrap(template_dir, server_yaml, pub_key_file):
""" run once to initialize an 'empty' Debian system. requires root access via password on port 22
NOTE: after this command, can only login as 'admin' (it has sudo rights)
- secures ssh access, creates 'admin' account with sudo rights
- ensures hostname exists both in your /etc/hosts and in remote's /etc/hosts
- restricts ssh: only login via ssh-key, no root login, ssh-port is non-standard
- LOCALLY: adds ssh-key and ssh-port to your local ~/.ssh/config
- installs denyhosts
- installs some basic libraries (see debian_requirements)
- iptables: routes 80 to configured port: {server.port_80_via}
- iptables: routes 443 to configured port: {server.port_443_via}
"""
server_config = get_config(env, yaml_file=server_yaml)
my_put_template = partial(put_template, context=server_config, template_dir=template_dir)
if not env.key_filename:
print(red('Must generate a key for ssh to this server (see example_app/bootstrap.py)'))
if 'root@' not in env.host_string or len(env.roles):
print(red('Must be run as root! (hint: do not run with -R or -H)'))
sys.exit(-1)
setup_env_for_user()
hostname = run('hostname')
append('/etc/hosts', '127.0.0.1 {}'.format(hostname))
local_append('/etc/hosts', text='{} {}'.format(env_ip(), hostname), refuse_keywords=[env_ip(), hostname],
use_sudo=True)
run('apt-get -y --force-yes install sudo vim')
debian_requirements()
install(['denyhosts'])
my_put_template('denyhosts.conf', '/etc/denyhosts.conf')
run('/etc/init.d/denyhosts restart')
password = gen_password()
user_account = 'admin'
with settings(hide('warnings'), warn_only=True):
run('userdel -f -r {}'.format(user_account))
run('useradd {user} -g {group}'.format(user=user_account, group='sudo'))
print(red("Set password for admin (has sudo rights), type in: {} or choose one yourself".format(password)))
passwd_retry('admin')
user_add_ssh(user_account, pub_key_file=pub_key_file)
local_ssh_config(env_ip(), hostname, server_config['server']['ssh_port'], env.key_filename)
# TODO: lock down: http://rudd-o.com/linux-and-free-software/hardening-a-linux-server-in-10-minutes
my_put_template('rc.local', '/etc/rc.local')
my_put_template('init_supervisors.py', '/etc/init_supervisors.py')
# config iptables
run('/etc/rc.local')
my_put_template('sshd_config', '/etc/ssh/sshd_config')
# note after restart, can only login as admin via public key on ssh-port defined in template
run('/etc/init.d/ssh restart')
print_successful()
def user_setup(admin, password="******", home_dir=None):
""" reinitialize user environment homedir and password
"""
setup_env_for_user(admin, home_dir)
home = home_dir or env.admin_home_dir
with settings(pwd=crypt.crypt(password, ".sax/"), home=home):
sudo("mkdir -p %(admin_home_dir)s" % env)
sudo("touch %(admin_home_dir)s/.scout" % env)
sudo('usermod -p "%(pwd)s" -g %(group)s -d %(home)s -s /bin/bash %(admin)s' % env)
sudo("touch %(admin_home_dir)s/.scout" % env)
chown()
def init_home_env(base_port):
""" initalize remote admin home directory
"""
setup_env_for_user()
env.http_port = base_port
run("mkdir -p ~/{bin,etc,var/run,var/www/media,var/www/static,logs/pasport,tmp,/etc/httpd/conf}")
_upload_template("home/bashrc", "%(base)s/.bashrc")
_upload_template("home/bash_profile", "%(base)s/.bash_profile")
_upload_template("home/django_bash_completion", "%(base)s/.django_bash_completion")
# _upload_template("httpd.conf", "%(base)s/etc/httpd/conf/httpd.conf")
bin_utils(env.http_port)
def user_create(admin, password='******'):
""" create a user
"""
if not contains("/etc/passwd", "^%s:" % admin):
with settings(admin=admin):
sudo('useradd -g %(group)s %(admin)s -M -g %(group)s' % env )
else:
out = sudo('groups %s' % admin)
assert re.search(r"\%(group)s\b" % env, out) # check the user in pasport group
setup_env_for_user(admin)
user_setup( admin, password )
def user_create(admin, password="******"):
""" create a user
"""
execute(group_create, env.group)
if not contains("/etc/passwd", "^%s:" % admin, use_sudo=True, escape=False):
with settings(admin=admin):
sudo("useradd -g %(group)s %(admin)s -M -g %(group)s" % env)
else:
out = sudo("groups %s" % admin)
assert re.search(": (.+)", out).group(1) == env.group
sudo("mkdir -p %(PREFIX)s" % env)
sudo("chown %(user)s:%(group)s %(PREFIX)s" % env)
setup_env_for_user(admin)
admin_home_dir = get_home_dir(admin)
user_setup(admin, password, admin_home_dir)
def g(*args, **kwargs):
setup_env_for_user()
f(*args, **kwargs)
