def user_remove(admin): """ create a user """ setup_env_for_user(admin) run("userdel %s" % admin) run("rm -fr %(admin_home_dir)s" % env)
def secure_account(user_account): """ ensures owner is correctly set on all files under $HOME of user_account, and limit appropriately for ssh """ setup_env_for_user() sudo('chown -R {0} ~{0}/.'.format(user_account)) sudo('chmod 700 ~{0}/. ~{0}/.ssh'.format(user_account)) sudo('chmod 600 ~{0}/.ssh/authorized_keys'.format(user_account)) print_successful()
def chown(): """ setup right permission on the install dir """ setup_env_for_user() # run('chown -R :%(group)s %(PREFIX)s' % env) # run('chmod g+rwx %(PREFIX)s' % env) run('chown -R %(admin)s:%(group)s %(admin_home_dir)s' % env) run('chmod -R ug+rwx %(admin_home_dir)s ' % env)
def bin_utils(port=None): """copy user utilities to $HOME/bin directory""" if port is None: setup_env_for_user() env.http_port = run('echo $HTTP_LISTEN_PORT') _upload_template("bin/activate", "%(base)s/bin/activate") run('chmod ug+x %(base)s/bin/*' % env)
def create_user(user_account, password): setup_env_for_user() execute(root.user_create, user_account, password) user_add_ssh(user_account, pub_key_file=env.key_filename + '.pub', use_sudo=True) dummy_port = 123 # bh sets env variable 'HTTP_LISTENING_PORT' to this one, but we won't use that env var execute(user.init_home_env, dummy_port, hosts=new_host_string(user=user_account)) sudo('mkdir -p ~{}/conf'.format(user_account)) secure_account(user_account) print_successful()
def user_setup(admin, password='******'): """ reinitialize user environment homedir and password """ setup_env_for_user(admin) with settings(pwd=crypt.crypt(password, ".sax/")): sudo('mkdir -p %(admin_home_dir)s' % env) sudo('touch %(admin_home_dir)s/.scout' % env) sudo('usermod -p "%(pwd)s" -g %(group)s -d %(admin_home_dir)s -s /bin/bash %(admin)s' % env) sudo('touch %(admin_home_dir)s/.scout' % env) chown()
def bootstrap(template_dir, server_yaml, pub_key_file): """ run once to initialize an 'empty' Debian system. requires root access via password on port 22 NOTE: after this command, can only login as 'admin' (it has sudo rights) - secures ssh access, creates 'admin' account with sudo rights - ensures hostname exists both in your /etc/hosts and in remote's /etc/hosts - restricts ssh: only login via ssh-key, no root login, ssh-port is non-standard - LOCALLY: adds ssh-key and ssh-port to your local ~/.ssh/config - installs denyhosts - installs some basic libraries (see debian_requirements) - iptables: routes 80 to configured port: {server.port_80_via} - iptables: routes 443 to configured port: {server.port_443_via} """ server_config = get_config(env, yaml_file=server_yaml) my_put_template = partial(put_template, context=server_config, template_dir=template_dir) if not env.key_filename: print(red('Must generate a key for ssh to this server (see example_app/bootstrap.py)')) if 'root@' not in env.host_string or len(env.roles): print(red('Must be run as root! (hint: do not run with -R or -H)')) sys.exit(-1) setup_env_for_user() hostname = run('hostname') append('/etc/hosts', '127.0.0.1 {}'.format(hostname)) local_append('/etc/hosts', text='{} {}'.format(env_ip(), hostname), refuse_keywords=[env_ip(), hostname], use_sudo=True) run('apt-get -y --force-yes install sudo vim') debian_requirements() install(['denyhosts']) my_put_template('denyhosts.conf', '/etc/denyhosts.conf') run('/etc/init.d/denyhosts restart') password = gen_password() user_account = 'admin' with settings(hide('warnings'), warn_only=True): run('userdel -f -r {}'.format(user_account)) run('useradd {user} -g {group}'.format(user=user_account, group='sudo')) print(red("Set password for admin (has sudo rights), type in: {} or choose one yourself".format(password))) passwd_retry('admin') user_add_ssh(user_account, pub_key_file=pub_key_file) local_ssh_config(env_ip(), hostname, server_config['server']['ssh_port'], env.key_filename) # TODO: lock down: http://rudd-o.com/linux-and-free-software/hardening-a-linux-server-in-10-minutes my_put_template('rc.local', '/etc/rc.local') my_put_template('init_supervisors.py', '/etc/init_supervisors.py') # config iptables run('/etc/rc.local') my_put_template('sshd_config', '/etc/ssh/sshd_config') # note after restart, can only login as admin via public key on ssh-port defined in template run('/etc/init.d/ssh restart') print_successful()
def user_setup(admin, password="******", home_dir=None): """ reinitialize user environment homedir and password """ setup_env_for_user(admin, home_dir) home = home_dir or env.admin_home_dir with settings(pwd=crypt.crypt(password, ".sax/"), home=home): sudo("mkdir -p %(admin_home_dir)s" % env) sudo("touch %(admin_home_dir)s/.scout" % env) sudo('usermod -p "%(pwd)s" -g %(group)s -d %(home)s -s /bin/bash %(admin)s' % env) sudo("touch %(admin_home_dir)s/.scout" % env) chown()
def init_home_env(base_port): """ initalize remote admin home directory """ setup_env_for_user() env.http_port = base_port run("mkdir -p ~/{bin,etc,var/run,var/www/media,var/www/static,logs/pasport,tmp,/etc/httpd/conf}") _upload_template("home/bashrc", "%(base)s/.bashrc") _upload_template("home/bash_profile", "%(base)s/.bash_profile") _upload_template("home/django_bash_completion", "%(base)s/.django_bash_completion") # _upload_template("httpd.conf", "%(base)s/etc/httpd/conf/httpd.conf") bin_utils(env.http_port)
def user_create(admin, password='******'): """ create a user """ if not contains("/etc/passwd", "^%s:" % admin): with settings(admin=admin): sudo('useradd -g %(group)s %(admin)s -M -g %(group)s' % env ) else: out = sudo('groups %s' % admin) assert re.search(r"\%(group)s\b" % env, out) # check the user in pasport group setup_env_for_user(admin) user_setup( admin, password )
def user_create(admin, password="******"): """ create a user """ execute(group_create, env.group) if not contains("/etc/passwd", "^%s:" % admin, use_sudo=True, escape=False): with settings(admin=admin): sudo("useradd -g %(group)s %(admin)s -M -g %(group)s" % env) else: out = sudo("groups %s" % admin) assert re.search(": (.+)", out).group(1) == env.group sudo("mkdir -p %(PREFIX)s" % env) sudo("chown %(user)s:%(group)s %(PREFIX)s" % env) setup_env_for_user(admin) admin_home_dir = get_home_dir(admin) user_setup(admin, password, admin_home_dir)
def g(*args, **kwargs): setup_env_for_user() f(*args, **kwargs)