Hello Alon Bar-Lev,

I'd like you to do a code review.  Please visit

    http://gerrit.ovirt.org/22120

to review the following change.

Change subject: packaging: setup: aio: fix ssh issues
......................................................................

packaging: setup: aio: fix ssh issues

1. If ~root/.ssh is missing and selinux enabled, it will be created
   without proper selinux attributes, causing ssh to fail.

2. If ~root/.ssh is missing it is created using mode 0755 and not 0700.

3. Validate /etc/ssh/sshd_config; if PermitRootLogin is set to no, fail
   early.

Buf-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1036209
Change-Id: Icfe55ccf4535792fed69912553d86a53dec3764b
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M packaging/setup/ovirt_engine_setup/constants.py
M packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py
M packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py
3 files changed, 57 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/20/22120/1

diff --git a/packaging/setup/ovirt_engine_setup/constants.py b/packaging/setup/ovirt_engine_setup/constants.py
index 5d42d4e..7031272 100644
--- a/packaging/setup/ovirt_engine_setup/constants.py
+++ b/packaging/setup/ovirt_engine_setup/constants.py
@@ -569,6 +569,7 @@
     AIO_CONFIG_AVAILABLE = 'osetup.aio.config.available'
     AIO_CONFIG_NOT_AVAILABLE = 'osetup.aio.config.not.available'
     AIO_CONFIG_STORAGE = 'osetup.aio.config.storage'
+    AIO_CONFIG_SSH = 'osetup.aio.config.ssh'
     AIO_CONFIG_VDSM = 'osetup.aio.config.vdsm'
 
     UPGRADE_FROM_LEGACY_CONFIG = 'osetup.legacy.upgrade'
diff --git a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py
index 359f39b..4aa5f5b 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py
@@ -22,6 +22,7 @@
 
 
 import os
+import re
 import gettext
 _ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-setup')
 
@@ -40,6 +41,19 @@
     """
     sshd service handler plugin.
     """
+
+    _PERMIT_ROOT_LOGIN_RE = re.compile(
+        flags=re.VERBOSE,
+        pattern=r"""
+            ^
+            \s*
+            PermitRootLogin
+            \s+
+            no
+            [\s#]*
+            $
+        """
+    )
 
     def __init__(self, context):
         super(Plugin, self).__init__(context=context)
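Review bot: `_PERMIT_ROOT_LOGIN_RE` matches the keyword only in this exact case and only when nothing but whitespace and `#` follows `no`, so `permitrootlogin no` or `PermitRootLogin no # hardened` pass the validation that uses this pattern later in the file even though sshd still refuses root logins; sshd_config keywords are case-insensitive. Compiling with `flags=re.VERBOSE | re.IGNORECASE` and ending the pattern with `(?:\s*\#.*)?$` instead of `[\s#]*$` makes the check fail closed on those spellings. A one-line comment above the attribute, `# Matches an effective "PermitRootLogin no" line, optionally followed by a comment`, would also document what the verbose pattern is for.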
@@ -62,6 +76,7 @@
             osetupcons.CoreEnv.DEVELOPER_MODE
         ]
         self.command.detect('sshd')
+        self.command.detect('restorecon')
 
     @plugin.event(
         stage=plugin.Stages.STAGE_CUSTOMIZATION,
@@ -104,6 +119,26 @@
         )
 
     @plugin.event(
+        stage=plugin.Stages.STAGE_VALIDATION,
+        condition=lambda self: (
+            self._enabled and
+            self.environment[osetupcons.AIOEnv.CONFIGURE]
+        ),
+    )
+    def _validation(self):
+        with open('/etc/ssh/sshd_config') as f:
+            for l in f.read().splitlines():
+                if self._PERMIT_ROOT_LOGIN_RE.match(l):
+                    raise RuntimeError(
+                        _(
+                            'Your sshd configuration does not permit root '
+                            'login, please enable PermitRootLogin to at '
+                            'least without-password at /etc/ssh/sshd_config, '
+                            'and restart sshd'
+                        )
+                    )
+
+    @plugin.event(
         stage=plugin.Stages.STAGE_MISC,
         condition=lambda self: (
             self._enabled and
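Review bot: `_validation` raises on any matching line anywhere in the file, but sshd honours only the first `PermitRootLogin` it reads and treats one inside a `Match` block as scoped to that block, so a config with `PermitRootLogin without-password` followed by a `Match` section that sets `no` is rejected here although root can log in. Adding, after the existing `if self._PERMIT_ROOT_LOGIN_RE.match(l):` block, `if re.match(r'\s*(?:match|permitrootlogin)\b', l, re.IGNORECASE): break` limits the check to the first global occurrence. Iterating `for l in f:` instead of `f.read().splitlines()` would also be the usual idiom here, though sshd_config is small enough that it makes no practical difference.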
@@ -140,6 +175,7 @@
                     name=authorized_keys_file,
                     content=content,
                     mode=0o600,
+                    dmode=0o700,
                     owner='root',
                     enforcePermissions=True,
                     modifiedList=self.environment[
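Review bot: `dmode=0o700` fixes the mode used when `.ssh` is created, which is the case the commit message describes, but it is not obvious from the hunk whether `enforcePermissions=True` also re-applies `dmode` to an already existing 0755 directory left by an earlier run — worth confirming against the file transaction implementation. A short comment on the added line, `# ~root/.ssh must be 0700, not the 0755 default`, would record why the directory mode is set explicitly. The enclosing method starts and ends outside the hunk.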
@@ -150,6 +186,7 @@
 
     @plugin.event(
         stage=plugin.Stages.STAGE_CLOSEUP,
+        name=osetupcons.Stages.AIO_CONFIG_SSH,
         condition=lambda self: (
             self._enabled and
             self.environment[osetupcons.AIOEnv.CONFIGURE]
@@ -161,5 +198,23 @@
             state=True
         )
 
+        if self.command.get('restorecon', optional=True) is not None:
+            rc, stdout, stderr = self.execute(
+                (
+                    self.command.get('restorecon'),
+                    '-r',
+                    os.path.join(
+                        os.path.expanduser('~root'),
+                        '.ssh',
+                    ),
+                ),
+                raiseOnError=False,
+            )
+
+            if rc != 0:
+                self.logger.warning(
+                    _('Cannot set SELinux properties on SSH directory')
+                )
+
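Review bot: The warning emitted when restorecon exits non-zero discards the `stderr` that `self.execute` returned a few lines above, so a failed SELinux relabel of `~root/.ssh` leaves only a generic message in the setup log. Unless `execute` already logs command output at debug level, adding `self.logger.debug('restorecon failed: %s', stderr)` next to the warning makes the failure diagnosable. The enclosing method starts outside the hunk.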
 
 # vim: expandtab tabstop=4 shiftwidth=4
diff --git a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py
index 55d6665..da2c55d 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py
@@ -171,6 +171,7 @@
         ],
         after=(
             osetupcons.Stages.AIO_CONFIG_STORAGE,
+            osetupcons.Stages.AIO_CONFIG_SSH,
             osetupcons.Stages.CORE_ENGINE_START,
             osetupcons.Stages.APACHE_RESTART,
         ),



Gerrit-MessageType: newchange
Gerrit-Change-Id: Icfe55ccf4535792fed69912553d86a53dec3764b
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.3.2
Gerrit-Owner: Sandro Bonazzola <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>