Merge pull request #494 from pneerincx/fix/logins

Bugfixes for logins and ldap roles.
rug-cit-hpc · Nov 23, 2021 · 3d492dd · 3d492dd
2 parents ebee006 + 50d858f
commit 3d492dd
Show file tree

Hide file tree

Showing 9 changed files with 194 additions and 192 deletions.
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
@@ -48,6 +48,16 @@ auth_groups:
   umcg-atd:
     gid: 20005
 #
+# Default for a group of users that are only allowd to transfer data.
+# Is used by the sshd role and listed in
+#     roles/sshd/defaults/main.yml,
+# but that file is not used when the
+#     roles/sshd/templates/sshd_config
+# is redeployed by other roles like the ldap or sssd roles.
+# Therefore we set a default here too.
+#
+data_transfer_only_group: sftp-only
+#
 # Custom/extra yum repos
 #
 yum_repos:

diff --git a/roles/ldap/handlers/main.yml b/roles/ldap/handlers/main.yml
@@ -23,4 +23,9 @@
     state: restarted
   become: true
   listen: restart_sshd
+
+- name: Run authconfig update to enable ldap.
+  command: "authconfig --enableldap --enableldapauth --update"
+  become: true
+  listen: authconfig_enable_ldap
 ...
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
@@ -90,6 +90,13 @@
     daemon_reload: true
   become: true
 
+- name: Check if we need to update authconfig.
+  command:
+    cmd: /usr/sbin/authconfig --test
+  register: authconfig_test
+  changed_when: ('nss_ldap is disabled' in authconfig_test.stdout) or ('pam_ldap is disabled' in authconfig_test.stdout)
+  notify: authconfig_enable_ldap
+
 - name: Redeploy sshd config.
   ansible.builtin.template:
     src: "{{ playbook_dir }}/roles/sshd/templates/sshd_config"

diff --git a/roles/logins/files/login_checks.sh b/roles/logins/files/login_checks.sh
diff --git a/roles/logins/files/login_checks_regular_home.sh b/roles/logins/files/login_checks_regular_home.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+set -u
+
+#
+##
+### Variables.
+##
+#
+# Set a tag for the log entries.
+LOGGER='logger --tag login_checks'
+
+#
+##
+### Functions.
+##
+#
+
+#
+# Usage: run_with_timeout N cmd args...
+#    or: run_with_timeout cmd args...
+# In the second case, cmd cannot be a number and the timeout will be 10 seconds.
+#
+run_with_timeout () {
+    local time=10
+    if [[ "${1}" =~ ^[0-9]+$ ]]; then time="${1}"; shift; fi
+    #
+    # Run in a subshell to avoid job control messages.
+    #
+    ( "${@}" &
+        child="${!}"
+        #
+        # Avoid default notification in non-interactive shell for SIGTERM.
+        #
+        trap -- "" SIGTERM
+        ( sleep "${time}"
+            kill "${child}" 2> /dev/null
+        ) &
+        wait "${child}"
+    )
+}
+
+login_actions () {
+    #
+    # Check if permissions on home dir are correct if home dir exists.
+    #
+    if [[ "${PAM_USER}" != 'root' ]]; then
+      home_dir="/home/${PAM_USER}/"
+      if [[ -e "${home_dir}" ]]; then
+        owner=$(stat -L -c '%U' "${home_dir}")
+        group=$(stat -L -c '%G' "${home_dir}")
+        mode=$(stat -L -c '%a' "${home_dir}")
+        if [[ "${owner}" != "${PAM_USER}" ]]; then
+          ${LOGGER} "ERROR: Home dir for user ${PAM_USER} is owned by: ${owner}."
+          ${LOGGER} "WARN: Fixing owner for ${home_dir} ${owner} -> ${PAM_USER} ..."
+          chown --dereference --silent "${PAM_USER}" "${home_dir}"
+        fi
+        if [[ "${group}" != "${PAM_USER}" ]]; then
+          ${LOGGER} "ERROR: Home dir for user ${PAM_USER} is in the wrong group: ${group}."
+          ${LOGGER} "WARN: Fixing group for ${home_dir} ${group} -> ${PAM_USER} ..."
+          chgrp --dereference --silent "${PAM_USER}" "${home_dir}"
+        fi
+        mode_regex='700$'
+        if [[ ! "${mode}" =~ ${mode_regex} ]]; then
+          ${LOGGER} "ERROR: Home dir for user ${PAM_USER} has wrong permissions mode: ${mode}."
+          ${LOGGER} "WARN: Fixing permissions for ${home_dir} ${mode} -> 700 ..."
+          chmod --silent 700 "${home_dir}"
+        fi
+      fi
+    fi
+}
+
+#
+##
+### Main.
+##
+#
+
+#
+# Run the desired login actions with a timeout of 10 seconds.
+#
+run_with_timeout 10 login_actions
+
+exit 0
diff --git a/roles/logins/files/password-auth-ac b/roles/logins/files/password-auth-ac
diff --git a/roles/logins/files/password-auth-local b/roles/logins/files/password-auth-local
@@ -0,0 +1,12 @@
+#%PAM-1.0
+#
+# This is managed with ansible.
+#
+auth        include       password-auth-ac
+
+account     include       password-auth-ac
+
+password    include       password-auth-ac
+
+session     include       password-auth-ac
+session     optional      pam_script.so
diff --git a/roles/logins/handlers/main.yml b/roles/logins/handlers/main.yml
@@ -7,7 +7,7 @@
 - name: 'Run authconfig update.'
   command: "authconfig --enablemkhomedir --update"
   become: true
-  listen: authconfig_update
+  listen: authconfig_enable_mkhomedir
 
 #
 # Notes: