ansible-bootstrap fails: slapd fails to start

stx-config/puppet-manifest:
 - set ldap module path to libexec
 - default is lib64 which is not where OE installs openldap
sudo:
 - build --with-ldap and apply stx patches
 - needed for sudo.schema / slapd
openldap:
 - install ldap / la modules
packagegroups:
 - stx-python: pexpect, trove, colorama, debtcollector, mysql
 - stx: e2fsprogs-resize2fs nss-pam-ldapd openldap-dev and libmysqld + deps
rabbitmq-server:
 - run under uid 0 to bypass permission errors
conf/layer.conf:
 - Add ldap user
 - set preferred versions
 - Set CONTROLLER_IP to localhost
classes/stx-postrun.bbclass:
 - Add openldap fine tuning
 - fix permissions for keystone to start
Sar Ashki, Babak 2019-12-11 19:43:19 -08:00
parent 3ac95c37ef
commit 1a30a897a9
19 changed files with 750 additions and 23 deletions


@ -21,7 +21,7 @@ stx_postprocess_rootfs() {
sed -i -e '/^l .*resolv.conf$/d' ${IMAGE_ROOTFS}/etc/default/volatiles/00_core
sed -i -e '/^f .*resolv.conf none$/d' ${IMAGE_ROOTFS}/etc/default/volatiles/00_core
for srv in $(echo apache2 kubelet cinder-init glance-api glance-init glance-registry keystone-init \
for srv in $(echo lighttpd kubelet cinder-init glance-api glance-init glance-registry \
neutron-init nova-compute nova-consoleauth nova-console nova-init nova-network \
nova-xvpvncproxy nova-spicehtml5proxy openvswitch \
registry-token-server)
@ -46,6 +46,24 @@ stx_postprocess_rootfs() {
done
cd $CPWD
# OpenLdap:
# To avoid install conflicts, we need to post run a number of
# commands. But openldap packages are getting renamed to libldap-.
# Consequently pkg_postinstall_ontarget_openldap-config fails.
# So this here is really a hack to get the build moving forward.
# Lastly, we need to take a look at the right user and group
# permission settings
cp ${IMAGE_ROOTFS}/usr/share/starlingx/slapd.service ${IMAGE_ROOTFS}/lib/systemd/system/slapd.service
cp ${IMAGE_ROOTFS}/usr/share/starlingx/slapd.sysconfig ${IMAGE_ROOTFS}/etc/sysconfig/slapd
chmod 644 ${IMAGE_ROOTFS}//lib/systemd/system/slapd.service
chmod 644 ${IMAGE_ROOTFS}/etc/openldap/*
chmod 755 ${IMAGE_ROOTFS}/etc/openldap
chmod 755 ${IMAGE_ROOTFS}/etc/openldap/slapd.d
# Issue 11 etcd:
# Once the ansible-playbook runs it resets ETCD_DATA_DIR to
# /opt/etcd/19.01/controller.etcd in /etc/etcd/etcd.conf
@ -56,8 +74,14 @@ stx_postprocess_rootfs() {
mkdir -p ${IMAGE_ROOTFS}/opt/etcd
chown etcd:etcd ${IMAGE_ROOTFS}/opt/etcd
# keystone hacks
# Fix python packages' permissions
find ${IMAGE_ROOTFS}/${libdir}/python2.7/site-packages/ -name PKG-INFO -exec chmod 644 {} +
chmod 644 ${IMAGE_ROOTFS}/${libdir}/python2.7/site-packages/docker_registry_core-2.0.3-py2.7.egg-info/namespace_packages.txt
# Puppet hacks
sed -i -e 's:puppet apply : puppet apply --hiera_config=/etc/puppet/hiera.yaml :g' ${IMAGE_ROOTFS}/usr/bin/puppet-manifest-apply.sh
# Fake being redhat for dev purpose only. This must be removed
cat > ${IMAGE_ROOTFS}/etc/redhat-release << \EOF
CentOS Linux release 7.3.1611 (Core)
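Review bot: `chmod 644 ${IMAGE_ROOTFS}/etc/openldap/*` leaves slapd.conf world-readable, and that file holds the `rootpw` hash and the replication `credentials=` value the patched puppet manifest writes into it; the openldap bbappend in this same commit also relaxes the install mode of slapd.conf and initial_config.ldif from 600 to 644, so every local account on the image can read the directory's admin secrets. The glob also matches subdirectories such as schema/ (installed by the sudo bbappend) and strips their execute bit, and only slapd.d gets it back on the next line, so non-root users can no longer enter them. Limit the mode change to regular files and keep the secret-bearing ones private, e.g. `find ${IMAGE_ROOTFS}/etc/openldap -type f -exec chmod 644 {} +` followed by `chmod 600 ${IMAGE_ROOTFS}/etc/openldap/slapd.conf ${IMAGE_ROOTFS}/etc/openldap/initial_config.ldif` (the shipped unit starts slapd with `-u root`, so it does not need wider access). stx_postprocess_rootfs starts and ends outside the hunk.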


@ -35,6 +35,9 @@ EXTRA_USERS_PARAMS_CONFIG = "\
useradd -p '' ceph; \
groupadd ceph; \
usermod -a -G ceph ceph; \
useradd -p '' ldap; \
groupadd ldap; \
usermod -a -G ldap ldap; \
"
EXTRA_IMAGE_FEATURES += " empty-root-password"
@ -102,16 +105,20 @@ PREFERRED_PROVIDER_virtual/kernel = "linux-yocto"
PREFERRED_VERSION_keyutils = "1.5.10"
PREFERRED_VERSION_python-voluptuous = "0.8.9"
PREFERRED_VERSION_python3-cherrypy = "git"
PREFERRED_VERSION_python-cheroot = "git"
PREFERRED_VERSION_python3-cheroot = "git"
PREFERRED_VERSION_python3-cherrypy = "18.2.0"
PREFERRED_VERSION_python-cheroot = "7.0.0"
PREFERRED_VERSION_python3-cheroot = "7.0.0"
PREFERRED_VERSION_python-cherrypy = "git"
PREFERRED_VERSION_pythonkeystoneauth1 = "3.17.1"
PREFERRED_VERSION_drbd-utils = "8.4.3rc1"
PREFERRED_VERSION_python-pyyaml = "3.13"
PREFERRED_VERSION_python-cmd2 = "0.6.8"
PREFERRED_VERSION_python-expect = "4.6.0"
PREFERRED_VERSION_python-pika = "0.10.0%"
# From meta-cloud-services TBD
# PREFERRED_VERSION_openldap = "2.4.39"
# Used by:
# neutron-init
# glance-init
CONTROLLER_IP = "0.0.0.0"
CONTROLLER_IP = "127.0.0.1"
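Review bot: `useradd -p '' ldap; \` creates the ldap service account with an empty password field rather than a locked one, which permits password-less authentication wherever PAM is configured to accept empty passwords; a daemon account should be created locked and without a login shell, e.g. `useradd -r -s /bin/false ldap; \` (useradd's default `!` in the password field keeps it locked). The ceph entry above uses the same pattern and deserves the same treatment. Separately, `PREFERRED_VERSION_python-expect = "4.6.0"` looks like a misspelling of the `python-pexpect` recipe this commit adds to packagegroup-stx-python; a PREFERRED_VERSION for a recipe name that does not exist is silently ignored, so the pin currently has no effect.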


@ -180,4 +180,9 @@ RDEPENDS_packagegroup-stx-python = " \
python-configshell \
python2-os-service-types \
python-coverage \
python-pexpect \
python-trove \
python-colorama \
python-debtcollector \
mysql-python \
"


@ -69,6 +69,7 @@ RDEPENDS_packagegroup-stx-openldap = " \
openldap-bin \
openldap-slapd \
openldap-config \
openldap-dev \
"
RDEPENDS_packagegroup-stx-kube = "\
@ -117,6 +118,9 @@ RDEPENDS_packagegroup-stx-misc = "\
hiera \
gssproxy \
polkit \
e2fsprogs-resize2fs \
libmysqld libmysqlclient libmysqlclient-r libmysqlclient-dev libmysqlclient-r-dev \
nss-pam-ldapd \
"
RDEPENDS_packagegroup-stx-puppet = "\
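Review bot: `openldap-dev` in RDEPENDS_packagegroup-stx-openldap and `libmysqlclient-dev libmysqlclient-r-dev` in RDEPENDS_packagegroup-stx-misc pull development packages (headers, unversioned .so symlinks, pkg-config data) into the runtime image; unless something on the target compiles against them, the recipes that need them at build time should list them in DEPENDS instead, and shipping them only grows the image. If they are needed because a runtime component dlopens the unversioned `.so`, a comment saying so next to the entries would keep the next reader from removing them. Both assignments begin outside the visible lines (only their headers appear in the hunk context).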


@ -0,0 +1,26 @@
From 32efd8d303556b43005f26715bd8264886e17420 Mon Sep 17 00:00:00 2001
From: "Sar Ashki, Babak" <Babak.SarAshki@windriver.com>
Date: Wed, 11 Dec 2019 17:24:17 -0800
Subject: [PATCH] puppet-manifests integ: set correct ldap module path
OE installs ldap modules under libexec.
---
puppet-manifests/src/modules/platform/manifests/ldap.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/puppet-manifests/src/modules/platform/manifests/ldap.pp b/puppet-manifests/src/modules/platform/manifests/ldap.pp
index b3d6ee71..7205e7d3 100644
--- a/puppet-manifests/src/modules/platform/manifests/ldap.pp
+++ b/puppet-manifests/src/modules/platform/manifests/ldap.pp
@@ -53,7 +53,7 @@ class platform::ldap::server::local
-e 's:serverID.*:serverID ${server_id}:' \\
-e 's:credentials.*:credentials=${admin_pw}:' \\
-e 's:^rootpw .*:rootpw ${admin_hashed_pw}:' \\
- -e 's:modulepath .*:modulepath /usr/lib64/openldap:' \\
+ -e 's:modulepath .*:modulepath /usr/libexec/openldap:' \\
/etc/openldap/slapd.conf",
onlyif => '/usr/bin/test -e /etc/openldap/slapd.conf'
}
--
2.23.0
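Review bot: The patch header carries no `Upstream-Status:` line or `Signed-off-by:` trailer, which the OpenEmbedded patch conventions expect for patches shipped in a layer, so it is unclear whether the `/usr/libexec/openldap` path is meant to be proposed to the stx config repository or stay layer-local. Since the patch body and the commit message both say OE installs the modules under libexec, `Upstream-Status: Inappropriate [OE-specific path]` after the `Date:` header, plus a sentence pointing at the openldap recipe that installs the .la modules, would document that. The hunk itself only swaps the path inside the existing sed expression, so the change is otherwise self-explanatory.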


@ -11,7 +11,10 @@ LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRC_URI = "git://opendev.org/starlingx/config.git;protocol=${PROTOCOL};rev=${SRCREV};branch=${BRANCH}"
SRC_URI = " \
git://opendev.org/starlingx/config.git;protocol=${PROTOCOL};rev=${SRCREV};branch=${BRANCH} \
file://0001-puppet-manifests-integ-set-correct-ldap-module-path.patch \
"
DEPENDS = "\
puppet \


@ -4,7 +4,8 @@ After=network.target
[Service]
Type=simple
User=rabbitmq
User=root
Environment=HOME=/home/root
WorkingDirectory=/var/lib/rabbitmq
LogsDirectory=rabbitmq
ExecStartPre=/usr/bin/rabbitmq-server-setup
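Review bot: Switching the unit to `User=root` cures the start-up permission errors by running the whole broker as uid 0, which removes the isolation the dedicated rabbitmq account provided; a network-facing Erlang VM is a poor candidate for root. The permission problem is better solved by letting systemd own the directories: keep `User=rabbitmq`, add `StateDirectory=rabbitmq` next to the existing `LogsDirectory=rabbitmq`, and set `Environment=HOME=/var/lib/rabbitmq` instead of `/home/root`. ExecStartPre runs as the unit's user unless the command is prefixed with `+`, so if rabbitmq-server-setup genuinely needs root for a one-time chown, `ExecStartPre=+/usr/bin/rabbitmq-server-setup` keeps the daemon itself unprivileged.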


@ -0,0 +1,27 @@
From 8a045c3880e06f5fcf69a73c4029d6725e17f7bc Mon Sep 17 00:00:00 2001
From: Tomas Sykora <tosykora@redhat.com>
Date: Fri, 19 Aug 2016 13:49:25 +0200
Subject: [PATCH 01/10] We do not strip
rebased from:
Patch1: sudo-1.6.7p5-strip.patch
---
install-sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install-sh b/install-sh
index 6944fba..49d383a 100755
--- a/install-sh
+++ b/install-sh
@@ -147,7 +147,7 @@ while ${MORETODO} ; do
fi
;;
X-s)
- STRIPIT=true
+ #STRIPIT=true
;;
X--)
shift
--
2.7.4


@ -0,0 +1,27 @@
From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001
From: Tomas Sykora <tosykora@redhat.com>
Date: Fri, 19 Aug 2016 14:07:35 +0200
Subject: [PATCH 02/10] Added "Enviroment debugging" message
rebased from:
Patch2: sudo-1.7.2p1-envdebug.patch
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 9feddfd..39a2d86 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug,
[AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
[ case "$enableval" in
yes) AC_MSG_RESULT(yes)
- AC_DEFINE(ENV_DEBUG)
+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
;;
no) AC_MSG_RESULT(no)
;;
--
2.7.4


@ -0,0 +1,161 @@
From 0f303a2de843c31afb03b558dfb7287be79e6e17 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 26 Jul 2018 12:31:29 -0600
Subject: [PATCH] Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors
from pam_acct_mgmt() if authentication is disabled for the user. Bug #843
---
plugins/sudoers/auth/bsdauth.c | 2 +-
plugins/sudoers/auth/pam.c | 10 +++++++++-
plugins/sudoers/auth/sudo_auth.c | 4 ++--
plugins/sudoers/auth/sudo_auth.h | 6 +++---
plugins/sudoers/check.c | 4 +++-
plugins/sudoers/sudoers.h | 2 +-
6 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c
index 444cd337..390263d3 100644
--- a/plugins/sudoers/auth/bsdauth.c
+++ b/plugins/sudoers/auth/bsdauth.c
@@ -168,7 +168,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
}
int
-bsdauth_approval(struct passwd *pw, sudo_auth *auth)
+bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
{
struct bsdauth_state *state = auth->data;
debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH)
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 347289da..a4749448 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -202,7 +202,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co
}
int
-sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
+sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
{
const char *s;
int *pam_status = (int *) auth->data;
@@ -217,6 +217,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
"is your account locked?"));
debug_return_int(AUTH_FATAL);
case PAM_NEW_AUTHTOK_REQD:
+ /* Ignore if user is exempt from password restrictions. */
+ if (exempt)
+ debug_return_int(AUTH_SUCCESS);
+ /* New password required, try to change it. */
log_warningx(0, N_("Account or password is "
"expired, reset your password and try again"));
*pam_status = pam_chauthtok(pamh,
@@ -229,6 +233,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
N_("unable to change expired password: %s"), s);
debug_return_int(AUTH_FAILURE);
case PAM_AUTHTOK_EXPIRED:
+ /* Ignore if user is exempt from password restrictions. */
+ if (exempt)
+ debug_return_int(AUTH_SUCCESS);
+ /* Password expired, cannot be updated by user. */
log_warningx(0,
N_("Password expired, contact your system administrator"));
debug_return_int(AUTH_FATAL);
diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c
index 6ef9bd72..5d9382dc 100644
--- a/plugins/sudoers/auth/sudo_auth.c
+++ b/plugins/sudoers/auth/sudo_auth.c
@@ -163,7 +163,7 @@ sudo_auth_init(struct passwd *pw)
* Returns true on success, false on failure and -1 on error.
*/
int
-sudo_auth_approval(struct passwd *pw, int validated)
+sudo_auth_approval(struct passwd *pw, int validated, bool exempt)
{
sudo_auth *auth;
debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH)
@@ -171,7 +171,7 @@ sudo_auth_approval(struct passwd *pw, int validated)
/* Call approval routines. */
for (auth = auth_switch; auth->name; auth++) {
if (auth->approval && !IS_DISABLED(auth)) {
- int status = (auth->approval)(pw, auth);
+ int status = (auth->approval)(pw, auth, exempt);
if (status != AUTH_SUCCESS) {
/* Assume error msg already printed. */
log_auth_failure(validated, 0);
diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h
index ea5ed9cd..9ae69cd5 100644
--- a/plugins/sudoers/auth/sudo_auth.h
+++ b/plugins/sudoers/auth/sudo_auth.h
@@ -31,7 +31,7 @@ typedef struct sudo_auth {
int (*init)(struct passwd *pw, struct sudo_auth *auth);
int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth);
int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
- int (*approval)(struct passwd *pw, struct sudo_auth *auth);
+ int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt);
int (*cleanup)(struct passwd *pw, struct sudo_auth *auth);
int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth);
int (*end_session)(struct passwd *pw, struct sudo_auth *auth);
@@ -56,7 +56,7 @@ extern sudo_conv_t sudo_conv;
/* Prototypes for standalone methods */
int bsdauth_init(struct passwd *pw, sudo_auth *auth);
int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
-int bsdauth_approval(struct passwd *pw, sudo_auth *auth);
+int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_aix_init(struct passwd *pw, sudo_auth *auth);
int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
@@ -67,7 +67,7 @@ int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_pam_init(struct passwd *pw, sudo_auth *auth);
int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);
int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
-int sudo_pam_approval(struct passwd *pw, sudo_auth *auth);
+int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);
int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth);
diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
index ed49d63a..486a80d8 100644
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -175,6 +175,7 @@ check_user(int validated, int mode)
{
struct passwd *auth_pw;
int ret = -1;
+ bool exempt = false;
debug_decl(check_user, SUDOERS_DEBUG_AUTH)
/*
@@ -194,6 +195,7 @@ check_user(int validated, int mode)
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
!def_authenticate ? "authentication disabled" :
"user exempt from authentication");
+ exempt = true;
ret = true;
goto done;
}
@@ -218,7 +220,7 @@ check_user(int validated, int mode)
done:
if (ret == true) {
/* The approval function may disallow a user post-authentication. */
- ret = sudo_auth_approval(auth_pw, validated);
+ ret = sudo_auth_approval(auth_pw, validated, exempt);
}
sudo_auth_cleanup(auth_pw);
sudo_pw_delref(auth_pw);
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 57db74c1..956cb084 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -265,7 +265,7 @@ int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv
int sudo_auth_begin_session(struct passwd *pw, char **user_env[]);
int sudo_auth_end_session(struct passwd *pw);
int sudo_auth_init(struct passwd *pw);
-int sudo_auth_approval(struct passwd *pw, int validated);
+int sudo_auth_approval(struct passwd *pw, int validated, bool exempt);
int sudo_auth_cleanup(struct passwd *pw);
/* set_perms.c */
--
2.13.6


@ -0,0 +1,70 @@
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200
@@ -34,7 +34,7 @@
},
{
"Binding": [
- { "username": "%them" }
+ { "usergroup": "them" }
],
"Options": [
{ "set_home": true }
@@ -42,7 +42,7 @@
},
{
"Binding": [
- { "username": "%: non UNIX 0 c" }
+ { "nonunixgroup": " non UNIX 0 c" }
],
"Options": [
{ "set_home": true }
@@ -50,7 +50,7 @@
},
{
"Binding": [
- { "username": "+net" }
+ { "netgroup": "net" }
],
"Options": [
{ "set_home": true }
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200
@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
#
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR
#
DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200
@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
LEXTRACE("ERROR "); /* empty string */
LEXRETURN(ERROR);
}
- if (prev_state == INITIAL) {
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
switch (sudoerslval.string[0]) {
case '%':
if (sudoerslval.string[1] == '\0' ||
diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200
@@ -187,7 +187,7 @@ DEFVAR [a-z_]+
LEXTRACE("ERROR "); /* empty string */
LEXRETURN(ERROR);
}
- if (prev_state == INITIAL) {
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
switch (sudoerslval.string[0]) {
case '%':
if (sudoerslval.string[1] == '\0' ||


@ -0,0 +1,27 @@
diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200
@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
if (ldap_conf.search_filter)
sz += strlen(ldap_conf.search_filter);
- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
- sz += 29 + sudo_ldap_value_len(pw->pw_name);
+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
/* Add space for primary and supplementary groups and gids */
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
CHECK_STRLCAT(buf, ")", sz);
+ /* Append user uid */
+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
+ (void) strlcat(buf, "(sudoUser=#", sz);
+ (void) strlcat(buf, gidbuf, sz);
+ (void) strlcat(buf, ")", sz);
+
/* Append primary group and gid */
if (grp != NULL) {
CHECK_STRLCAT(buf, "(sudoUser=%", sz);


@ -0,0 +1,89 @@
diff -up sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/cvtsudoers.c
--- sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing 2018-06-28 11:24:25.966475241 +0200
+++ sudo-1.8.23/plugins/sudoers/cvtsudoers.c 2018-06-28 11:26:40.215025493 +0200
@@ -321,6 +321,15 @@ main(int argc, char *argv[])
sudo_fatalx("error: unhandled input %d", input_format);
}
+ /*
+ * cvtsudoers group filtering doesn't work if def_match_group_by_gid
+ * is set to true by default (at compile-time). It cannot be set to false
+ * because cvtsudoers doesn't apply the parsed Defaults.
+ *
+ * Related: sudo-1.8.23-legacy-group-processing.patch
+ */
+ def_match_group_by_gid = def_legacy_group_processing = false;
+
/* Apply filters. */
filter_userspecs(conf);
filter_defaults(conf);
diff -up sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/defaults.c
--- sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/defaults.c 2018-06-28 11:24:25.966475241 +0200
@@ -87,6 +87,7 @@ static struct early_default early_defaul
{ I_FQDN },
#endif
{ I_MATCH_GROUP_BY_GID },
+ { I_LEGACY_GROUP_PROCESSING },
{ I_GROUP_PLUGIN },
{ I_RUNAS_DEFAULT },
{ I_SUDOERS_LOCALE },
@@ -488,6 +489,8 @@ init_defaults(void)
}
/* First initialize the flags. */
+ def_legacy_group_processing = true;
+ def_match_group_by_gid = true;
#ifdef LONG_OTP_PROMPT
def_long_otp_prompt = true;
#endif
diff -up sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.c
--- sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-28 11:24:25.966475241 +0200
@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Ignore case when matching group names"),
NULL,
}, {
+ "legacy_group_processing", T_FLAG,
+ N_("Don't pre-resolve all group names"),
+ NULL,
+ }, {
NULL, 0, NULL
}
};
diff -up sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.h
--- sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-28 11:24:25.967475238 +0200
@@ -226,6 +226,8 @@
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
#define I_CASE_INSENSITIVE_GROUP 113
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 114
+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
enum def_tuple {
never,
diff -up sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.in
--- sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-28 11:24:25.967475238 +0200
@@ -357,3 +357,6 @@ case_insensitive_user
case_insensitive_group
T_FLAG
"Ignore case when matching group names"
+legacy_group_processing
+ T_FLAG
+ "Don't pre-resolve all group names"
diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/sudoers.c
--- sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-28 11:24:25.967475238 +0200
@@ -209,6 +209,10 @@ sudoers_policy_init(void *info, char * c
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
ret = true;
+ if (!def_match_group_by_gid || !def_legacy_group_processing) {
+ def_match_group_by_gid = false;
+ def_legacy_group_processing = false;
+ }
cleanup:
if (!restore_perms())
ret = -1;


@ -0,0 +1,61 @@
diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200
@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Don't pre-resolve all group names"),
NULL,
}, {
+ "cmnd_no_wait", T_FLAG,
+ N_("Don't fork and wait for the command to finish, just exec it"),
+ NULL,
+ }, {
NULL, 0, NULL
}
};
diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200
@@ -228,6 +228,8 @@
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
#define I_LEGACY_GROUP_PROCESSING 114
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+#define I_CMND_NO_WAIT 115
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
enum def_tuple {
never,
diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200
@@ -360,3 +360,6 @@ case_insensitive_group
legacy_group_processing
T_FLAG
"Don't pre-resolve all group names"
+cmnd_no_wait
+ T_FLAG
+ "Don't fork and wait for the command to finish, just exec it"
diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200
+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200
@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
def_match_group_by_gid = false;
def_legacy_group_processing = false;
}
+
+ /*
+ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
+ * and I/O logging. This will cause sudo to execute the given command
+ * directly instead of forking a separate process for it.
+ */
+ if (def_cmnd_no_wait) {
+ def_pam_setcred = false;
+ def_pam_session = false;
+ def_use_pty = false;
+ def_log_input = false;
+ def_log_output = false;
+ }
+
cleanup:
if (!restore_perms())
ret = -1;


@ -0,0 +1,32 @@
diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in
--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman 2018-05-23 13:38:08.347538854 +0200
+++ sudo-1.8.23/doc/Makefile.in 2018-05-23 13:38:12.806523146 +0200
@@ -345,10 +345,16 @@ install-doc: install-dirs
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
+ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
+ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
else \
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
+ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
+ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
fi
install-plugin:
@@ -363,8 +369,9 @@ uninstall:
$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
- $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
+ $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \
+ $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \
+ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)
splint:


@ -0,0 +1,90 @@
From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001
From: Tomas Sykora <tosykora@redhat.com>
Date: Wed, 17 Aug 2016 10:12:11 +0200
Subject: [PATCH] Sudo logs username root instead of realuser
RHEL7 sudo logs username root instead of realuser in /var/log/secure
Rebased from:
Patch50: sudo-1.8.6p7-logsudouser.patch
Resolves:
rhbz#1312486
---
plugins/sudoers/logging.c | 14 +++++++-------
plugins/sudoers/sudoers.h | 1 +
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index 45cae67..74b2220 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg)
* Log the full line, breaking into multiple syslog(3) calls if necessary
*/
fmt = _("%8s : %s");
- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
+ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
for (p = msg; *p != '\0'; ) {
len = strlen(p);
if (len > maxlen) {
@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg)
save = *tmp;
*tmp = '\0';
- mysyslog(pri, fmt, user_name, p);
+ mysyslog(pri, fmt, sudo_user_name, p);
*tmp = save; /* restore saved character */
@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg)
for (p = tmp; *p == ' '; p++)
continue;
} else {
- mysyslog(pri, fmt, user_name, p);
+ mysyslog(pri, fmt, sudo_user_name, p);
p += len;
}
fmt = _("%8s : (command continued) %s");
- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
+ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
}
sudoers_setlocale(oldlocale, NULL);
@@ -179,10 +179,10 @@ do_logfile(const char *msg)
timestr = "invalid date";
if (def_log_host) {
len = asprintf(&full_line, "%s : %s : HOST=%s : %s",
- timestr, user_name, user_srunhost, msg);
+ timestr, sudo_user_name, user_srunhost, msg);
} else {
len = asprintf(&full_line, "%s : %s : %s",
- timestr, user_name, msg);
+ timestr, sudo_user_name, msg);
}
if (len == -1) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...)
if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL)
timestr = "invalid date";
- (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name);
+ (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name);
va_start(ap, fmt);
(void) vfprintf(mail, fmt, ap);
va_end(ap);
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index cfd5abb..c69a043 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -180,6 +180,7 @@ struct sudo_user {
/*
* Shortcuts for sudo_user contents.
*/
+#define sudo_user_name (sudo_user.pw->pw_name)
#define user_name (sudo_user.name)
#define user_uid (sudo_user.uid)
#define user_gid (sudo_user.gid)
--
2.7.4


@ -2,17 +2,57 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
# This bbappend replaces stx sudo-config
SRC_URI += "file://sysadmin"
DEPENDS += " \
openldap \
libgcrypt \
"
SRC_URI += " \
file://sysadmin \
file://sudo-1.6.7p5-strip.patch \
file://sudo-1.7.2p1-envdebug.patch \
file://sudo-1.8.23-sudoldapconfman.patch \
file://sudo-1.8.23-legacy-group-processing.patch \
file://sudo-1.8.23-ldapsearchuidfix.patch \
file://sudo-1.8.6p7-logsudouser.patch \
file://sudo-1.8.23-nowaitopt.patch \
file://sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch \
file://sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch \
"
EXTRA_OECONF += " \
--with-pam-login \
--with-editor=/bin/vi \
--with-env-editor \
--with-ignore-dot \
--with-tty-tickets \
--with-ldap \
--with-ldap-conf-file="${sysconfdir}/sudo-ldap.conf" \
--with-passprompt="[sudo] password for %Zp: " \
--with-linux-audit \
--with-sssd \
"
do_install_append () {
install -m644 ${S}/../sysadmin ${D}/${sysconfdir}/sudoers.d/sysadmin
install -m755 -d ${D}/${sysconfdir}/openldap/schema
install -m644 ${S}/doc/schema.OpenLDAP ${D}/${sysconfdir}/openldap/schema/sudo.schema
}
pkg_postinst_ontarget_sudo_append () {
SYSADMIN_P="4SuW8cnXFyxsk"
/usr/sbin/groupadd sys_protected
/usr/sbin/useradd -m -g sys_protected -G root \
-d /home/sysadmin -p $SYSADMIN_P \
-s /bin/sh sysadmin 2> /dev/null || :
# We do this with extrausers_config.bbclass
#SYSADMIN_P="4SuW8cnXFyxsk"
#/usr/sbin/groupadd sys_protected
#/usr/sbin/useradd -m -g sys_protected -G root \
# -d /home/sysadmin -p $SYSADMIN_P \
# -s /bin/sh sysadmin 2> /dev/null || :
/usr/bin/chage -d0 sysadmin
}
# This means sudo package only owns files
# to avoid install conflict with openldap on
# /etc/openldap. Sure there is a better way.
DIRFILES = "1"
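Review bot: The commented-out `SYSADMIN_P`/useradd block in pkg_postinst_ontarget_sudo_append should be deleted rather than kept: the comment above it already says the account is created by extrausers_config.bbclass, and a dead recipe fragment that still embeds a password hash invites copy-paste and confuses the next reader. With it gone the function reduces to `/usr/bin/chage -d0 sysadmin`, which makes the remaining intent (force a password change at first login) obvious. Separately, `install -m644 ${S}/../sysadmin ${D}/${sysconfdir}/sudoers.d/sysadmin` (possibly pre-existing) gives the drop-in a mode wider than the 0440 sudo expects for sudoers files; as far as I recall sudoers refuses included files with extra permission bits at parse time, so `install -m 0440` is the safer choice. The `DIRFILES = "1"` comment admits it is a workaround for the /etc/openldap ownership conflict; naming the conflicting package (openldap-config, per the openldap bbappend) there would help whoever revisits it.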


@ -0,0 +1,21 @@
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html
[Service]
Type=forking
RuntimeDirectory=openldap
StateDirectory=openldap-data
# PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u root -h ${SLAPD_URLS} $SLAPD_OPTIONS
[Install]
WantedBy=multi-user.target
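Review bot: `ExecStart=/usr/sbin/slapd -u root -h ${SLAPD_URLS} $SLAPD_OPTIONS` keeps the directory server running as root even though this commit adds an `ldap` user in conf/layer.conf; slapd can drop privileges after binding its listeners, so `-u ldap -g ldap` confines a compromise of the daemon to that account, provided the `RuntimeDirectory=` and `StateDirectory=` paths are made writable by it (systemd creates them for the unit's `User=`, so without `User=ldap` an explicit chown, e.g. in check-config.sh, is needed). With `Type=forking` and `PIDFile=` commented out, systemd has to guess the main PID; either set `PIDFile=` to the path slapd.conf's `pidfile` directive uses, or run slapd in the foreground with `-d 0` under `Type=simple`. `After=syslog.target` is obsolete in current systemd and can be dropped.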


@ -34,6 +34,7 @@ SRC_URI += " \
file://0021-openldap-and-stx-source-and-config-files.patch \
file://0022-ltb-project-openldap-ppolicy-check-password-1.1.patch \
file://0001-stx-openldap-config-files.patch \
file://stx-slapd.service \
"
inherit pkgconfig
@ -49,6 +50,9 @@ DEPENDS += " \
RDEPENDS_${PN}_append = " bash"
# Do not remove libtool la files slapd.conf uses ppolicy.la
REMOVE_LIBTOOL_LA = "0"
# Defaults:
# --enable-bdb=no
@ -130,9 +134,9 @@ do_install_append () {
install -m 0755 libexec-generate-server-cert.sh ${D}/${libexecdir}/openldap/generate-server-cert.sh
install -m 0755 libexec-update-ppolicy-schema.sh ${D}/${libexecdir}/openldap/update-ppolicy-schema.sh
install -m 0644 slapd.service ${D}/${systemd_system_unitdir}/stx-slapd.service
install -m 0644 ${S}/../stx-slapd.service ${D}/${systemd_system_unitdir}/stx-slapd.service
install -m 0755 -d ${D}/${sysconfdir}/sysconfig
install -m 0644 slapd.sysconfig ${D}/${sysconfdir}/sysconfig/slapd.sysconfig
install -m 0644 slapd.sysconfig ${D}/${sysconfdir}/sysconfig/slapd
install -m 0755 -d ${D}/${datadir}/openldap-servers
install -m 0644 slapd.ldif ${D}/${datadir}/openldap-servers/slapd.ldif
install -m 0750 -d ${D}/${sysconfdir}/openldap/slapd.d
@ -143,12 +147,17 @@ do_install_append () {
mkdir -p ${D}/${sysconfdir}/rc.d/init.d
install -m 755 initscript ${D}/${sysconfdir}/rc.d/init.d/openldap
install -d -m 740 ${D}/${sysconfdir}/openldap
install -m 600 slapd.conf ${D}/${sysconfdir}/openldap/slapd.conf
install -m 600 initial_config.ldif ${D}/${sysconfdir}/openldap/initial_config.ldif
install -m 644 slapd.conf ${D}/${sysconfdir}/openldap/slapd.conf
install -m 644 initial_config.ldif ${D}/${sysconfdir}/openldap/initial_config.ldif
install -d ${D}/${datadir}/starlingx
install -m 644 slapd.service ${D}/${datadir}/starlingx/slapd.service
install -m 644 ${S}/../stx-slapd.service ${D}/${datadir}/starlingx/slapd.service
install -m 644 slapd.sysconfig ${D}/${datadir}/starlingx/slapd.sysconfig
#cd ${S}/
#oe_runmake -e -C servers/slapd/overlays DESTDIR=${D} install
sed -i -e 's:\(/sbin/runuser\):/usr\1:g' ${D}/usr/libexec/openldap/functions
}
FILES_openldap-config = " \
@ -158,11 +167,14 @@ FILES_openldap-config = " \
${datadir}/starlingx/slapd.sysconfig \
"
pkg_postinst_ontarget_libldap-${PN}_append () {
cp ${datadir}/starlingx/slapd.service ${systemd_system_unitdir}/slapd.service
chmod 644 ${systemd_system_unitdir}/slapd.service
cp ${datadir}/starlingx/slapd.sysconfig ${sysconfdir}/sysconfig/slapd
}
#pkg_postinst_ontarget_libldap-2.4_append () {
# cp /usr/share/starlingx/slapd.service ${systemd_system_unitdir}/slapd.service
# chmod 644 ${systemd_system_unitdir}/slapd.service
# cp ${datadir}/starlingx/slapd.sysconfig ${sysconfdir}/sysconfig/slapd
# systemctl daemon-reload
# chmod 755 /etc/openldap
# chmod 755 /etc/openldap/slapd.d
#}
FILES_${PN}_append = " \
${datadir}/openldap-servers/ \