diff --git a/base/systemd-config/files/systemd.conf.tmpfiles.d b/base/systemd-config/files/systemd.conf.tmpfiles.d index 44c2c3e56..3a5f2fe36 100644 --- a/base/systemd-config/files/systemd.conf.tmpfiles.d +++ b/base/systemd-config/files/systemd.conf.tmpfiles.d @@ -25,18 +25,18 @@ d /run/log 0755 root root - z /run/log/journal 2755 root systemd-journal - - Z /run/log/journal/%m ~2750 root systemd-journal - - -a+ /run/log/journal/%m - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x -A+ /run/log/journal/%m - - - - group:wrs_protected:r-x,group:wheel:r-x +a+ /run/log/journal/%m - - - - d:group:sys_protected:r-x,d:group:wheel:r-x +A+ /run/log/journal/%m - - - - group:sys_protected:r-x,group:wheel:r-x z /var/log/journal 2755 root systemd-journal - - z /var/log/journal/%m 2755 root systemd-journal - - z /var/log/journal/%m/system.journal 0640 root systemd-journal - - -a+ /var/log/journal - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x -a+ /var/log/journal - - - - group:wrs_protected:r-x,group:wheel:r-x -a+ /var/log/journal/%m - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x -a+ /var/log/journal/%m - - - - group:wrs_protected:r-x,group:wheel:r-x -a+ /var/log/journal/%m/system.journal - - - - group:wrs_protected:r--,group:wheel:r-- +a+ /var/log/journal - - - - d:group:sys_protected:r-x,d:group:wheel:r-x +a+ /var/log/journal - - - - group:sys_protected:r-x,group:wheel:r-x +a+ /var/log/journal/%m - - - - d:group:sys_protected:r-x,d:group:wheel:r-x +a+ /var/log/journal/%m - - - - group:sys_protected:r-x,group:wheel:r-x +a+ /var/log/journal/%m/system.journal - - - - group:sys_protected:r--,group:wheel:r-- d /var/lib/systemd 0755 root root - d /var/lib/systemd/coredump 0755 root root 3d diff --git a/config-files/sudo-config/centos/build_srpm.data b/config-files/sudo-config/centos/build_srpm.data index 7e7b60ef4..2ec7ea02f 100644 --- a/config-files/sudo-config/centos/build_srpm.data +++ b/config-files/sudo-config/centos/build_srpm.data 
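Review bot: The `a+`/`A+` lines append ACL entries instead of replacing the existing set, so on a node upgraded in place the persistent `/var/log/journal` tree would keep any `wrs_protected` entries already stored there next to the new `sys_protected` ones. If in-place upgrades are supported, it is worth confirming that the old entries are cleared, so journal read access is not left granted to a retired group. The lines also depend on `sys_protected` existing when systemd-tmpfiles runs; a comment such as `# sys_protected is created by sudo-config %pre` would record that dependency.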
@@ -1,2 +1,2 @@ COPY_LIST="files/*" -TIS_PATCH_VER=0 +TIS_PATCH_VER=1 diff --git a/config-files/sudo-config/centos/sudo-config.spec b/config-files/sudo-config/centos/sudo-config.spec index c82fc0035..537f5b1ca 100644 --- a/config-files/sudo-config/centos/sudo-config.spec +++ b/config-files/sudo-config/centos/sudo-config.spec @@ -12,26 +12,25 @@ Group: base Packager: StarlingX URL: unknown -Source0: wrs.sudo +Source0: sysadmin.sudo Source1: LICENSE -%define WRSROOT_P cBglipPpsKwBQ +%define SYSADMIN_P 4SuW8cnXFyxsk %description StarlingX sudo configuration file %install install -d %{buildroot}/%{_sysconfdir}/sudoers.d -install -m 440 %{SOURCE0} %{buildroot}/%{_sysconfdir}/sudoers.d/wrs +install -m 440 %{SOURCE0} %{buildroot}/%{_sysconfdir}/sudoers.d/sysadmin %pre -getent group wrs >/dev/null || groupadd -r wrs -getent group wrs_protected >/dev/null || groupadd -f -g 345 wrs_protected -getent passwd wrsroot > /dev/null || \ -useradd -m -g wrs -G root,wrs_protected \ - -d /home/wrsroot -p %{WRSROOT_P} \ - -s /bin/sh wrsroot 2> /dev/null || : +getent group sys_protected >/dev/null || groupadd -f -g 345 sys_protected +getent passwd sysadmin > /dev/null || \ +useradd -m -g sys_protected -G root \ + -d /home/sysadmin -p %{SYSADMIN_P} \ + -s /bin/sh sysadmin 2> /dev/null || : %files %license ../SOURCES/LICENSE -%config(noreplace) %{_sysconfdir}/sudoers.d/wrs +%config(noreplace) %{_sysconfdir}/sudoers.d/sysadmin diff --git a/config-files/sudo-config/files/sysadmin.sudo b/config-files/sudo-config/files/sysadmin.sudo new file mode 100644 index 000000000..0e3f513e9 --- /dev/null +++ b/config-files/sudo-config/files/sysadmin.sudo 
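Review bot: `%define SYSADMIN_P 4SuW8cnXFyxsk` bakes a fixed password hash into the package, so every system installed from it starts with the same credential for an account that `sysadmin.sudo` grants `ALL=(ALL) ALL`. The 13-character value looks like a traditional DES crypt hash, which is weak against offline guessing if that reading is right. Nothing in this `%pre` forces a password change; unless a later provisioning step does so, adding `chage -d 0 sysadmin` after the `useradd` would expire the password at first login. Separately, `2> /dev/null || :` hides a failed `useradd`. `groupadd -f -g 345` also falls back to a different GID when 345 is already taken, for example by a leftover `wrs_protected` group, so the fixed GID is not guaranteed on an upgraded host.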
@@ -0,0 +1,12 @@ +## +## User privilege specification +## +sysadmin ALL=(ALL) ALL +sysadmin ALL=(root) NOPASSWD: /usr/bin/config_controller +sysadmin ALL=(root) NOPASSWD: /usr/bin/config_region +sysadmin ALL=(root) NOPASSWD: /usr/bin/config_subcloud +sysadmin ALL=(root) NOPASSWD: /usr/bin/config_management +sysadmin ALL=(root) NOPASSWD: /usr/local/sbin/collect + +Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin +Defaults passprompt="Password: " diff --git a/config-files/sudo-config/files/wrs.sudo b/config-files/sudo-config/files/wrs.sudo deleted file mode 100644 index bf51703a8..000000000 --- a/config-files/sudo-config/files/wrs.sudo +++ /dev/null @@ -1,12 +0,0 @@ -## -## User privilege specification -## -wrsroot ALL=(ALL) ALL -wrsroot ALL=(root) NOPASSWD: /usr/bin/config_controller -wrsroot ALL=(root) NOPASSWD: /usr/bin/config_region -wrsroot ALL=(root) NOPASSWD: /usr/bin/config_subcloud -wrsroot ALL=(root) NOPASSWD: /usr/bin/config_management -wrsroot ALL=(root) NOPASSWD: /usr/local/sbin/collect - -Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin -Defaults passprompt="Password: " diff --git a/kubernetes/helm/centos/files/helm-upload b/kubernetes/helm/centos/files/helm-upload index 4dbacc088..f4ae8ef59 100644 --- a/kubernetes/helm/centos/files/helm-upload +++ b/kubernetes/helm/centos/files/helm-upload @@ -12,7 +12,7 @@ # We want to run as the "www" user and scripts can't be setuid. The -# sudoers permissions are set up to allow wrsroot to run this script +# sudoers permissions are set up to allow sysadmin to run this script # as the "www" user without a password. if [ $USER != "www" ]; then exec sudo -u www $0 $@ diff --git a/kubernetes/helm/centos/files/helm.sudo b/kubernetes/helm/centos/files/helm.sudo index 48e02bfbb..8a96f56d7 100644 --- a/kubernetes/helm/centos/files/helm.sudo +++ b/kubernetes/helm/centos/files/helm.sudo 
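Review bot: The five `NOPASSWD:` entries have no argument restriction and no comment explaining why they are password-free, so `config_controller`, `config_region`, `config_subcloud`, `config_management` and `collect` each run as root with whatever arguments `sysadmin` supplies and without re-authentication. Since `sysadmin ALL=(ALL) ALL` already covers them with a password, the NOPASSWD lines matter only for unattended callers. A comment per entry in the form `## NOPASSWD required by: <caller>` would let a reviewer judge whether each one is still needed. The rules are only as safe as the target files, which must be root-owned and not writable by `sysadmin`; that is not visible in this diff.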
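Review bot: `exec sudo -u www $0 $@` in the context lines of the helm-upload hunk re-executes the script with unquoted arguments, so any argument containing spaces or glob characters is re-split before it reaches the `www` invocation that `helm.sudo` permits without a password. Quoting keeps the argument vector intact: `exec sudo -u www "$0" "$@"`, with the test written as `[ "$USER" != "www" ]` so an empty `USER` does not break it. `USER` is an environment variable set by the caller, so `$(id -un)` is a sturdier source for the check. The `if` block continues past the end of the hunk.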
@@ -1,3 +1,3 @@ -wrsroot ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload +sysadmin ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin diff --git a/ldap/ldapscripts/files/ldap-user-setup-support.patch b/ldap/ldapscripts/files/ldap-user-setup-support.patch index 11102226b..f2b723eab 100644 --- a/ldap/ldapscripts/files/ldap-user-setup-support.patch +++ b/ldap/ldapscripts/files/ldap-user-setup-support.patch @@ -49,7 +49,7 @@ index 0000000..27d12dc +. "$_RUNTIMEFILE" + +# runtime defaults -+_DEFAULTGRP2="wrs_protected" ++_DEFAULTGRP2="sys_protected" +_BASHSHELL="/bin/bash" +_DEFAULTSHADOWMAX="90" +_DEFAULTSHADOWWARNING="2" diff --git a/security/python-keyring/python-keyring/chmod_keyringlock2.patch b/security/python-keyring/python-keyring/chmod_keyringlock2.patch index f95be88f7..8d9f6ad30 100644 --- a/security/python-keyring/python-keyring/chmod_keyringlock2.patch +++ b/security/python-keyring/python-keyring/chmod_keyringlock2.patch @@ -30,7 +30,7 @@ Index: keyring-5.3/keyring/backends/file.py + if oct(stat.S_IMODE(os.stat(lockdir + "/" + lockfile).st_mode)) != '0770': + # Must have the lock file with the correct group and permissisions g+rw + os.chmod(lockdir + "/" + lockfile, stat.S_IRWXG | stat.S_IRWXU) -+ groupinfo = grp.getgrnam('wrs_protected') ++ groupinfo = grp.getgrnam('sys_protected') + os.chown(lockdir + "/" + lockfile,-1,groupinfo.gr_gid) diff --git a/security/python-keyring/python-keyring/fix_keyring_lockfile_location.patch b/security/python-keyring/python-keyring/fix_keyring_lockfile_location.patch index 4287256b6..8531a28cc 100644 --- a/security/python-keyring/python-keyring/fix_keyring_lockfile_location.patch +++ b/security/python-keyring/python-keyring/fix_keyring_lockfile_location.patch 
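Review bot: In chmod_keyringlock2.patch, `grp.getgrnam('sys_protected')` raises `KeyError` when the group is absent, and the hunk shows no handling around it, so a host where the group has not yet been created would fail here after the `chmod` has already been applied. The mode set is `stat.S_IRWXG | stat.S_IRWXU` (0770) although the comment asks only for g+rw. `stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP` would match the comment, with the `'0770'` comparison changed to suit. The enclosing function lies outside the hunk, so error handling may exist there.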
@@ -82,7 +82,7 @@ Index: keyring-5.3/keyring/backends/file.py - if os.geteuid() == 0 and (not os.path.exists(lockfile)): - from pwd import getpwnam - import stat -- nonrootuser = "wrsroot" +- nonrootuser = "sysadmin" - with open(lockfile, 'w'): - pass - # must have the lock file with the correct group permissisions g+rw diff --git a/security/python-keyring/python-keyring/use_new_lock.patch b/security/python-keyring/python-keyring/use_new_lock.patch index d1b483d8f..d298c20ea 100644 --- a/security/python-keyring/python-keyring/use_new_lock.patch +++ b/security/python-keyring/python-keyring/use_new_lock.patch @@ -180,7 +180,7 @@ Index: keyring-5.3/keyring/backends/file.py + if os.geteuid() == 0 and (not os.path.exists(lockfile)): + from pwd import getpwnam + import stat -+ nonrootuser = "wrsroot" ++ nonrootuser = "sysadmin" + with open(lockfile, 'w'): + pass + # must have the lock file with the correct group permissisions g+rw diff --git a/tools/collector/scripts/collect b/tools/collector/scripts/collect index 758e377e0..5d50dbc96 100755 --- a/tools/collector/scripts/collect +++ b/tools/collector/scripts/collect @@ -28,7 +28,7 @@ # Generally, individual commands that display output have that output # redirected to the appropriate info file in /scratch/var/extra # -# wrsroot@controller-0:/scratch# sudo collect +# sysadmin@controller-0:/scratch# sudo collect # nodetype : controller # Collector: /scratch # Extra Dir: /scratch/var/extra @@ -76,7 +76,7 @@ TOOL_NAME=collect TOOL_VER=2 TOOL_REV=0 -# collect must be run as wrsroot +# collect must be run as sysadmin if [ ${UID} -eq 0 ]; then echo "Error: Cannot run collect as 'root' user" exit 1 
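Review bot: In use_new_lock.patch the root-only branch tests `os.path.exists(lockfile)` and then creates the file with `open(lockfile, 'w')`, which leaves a window between check and create and follows a symlink if one exists at that path. Whether that matters depends on who can write to the lock directory, which the hunk does not show. An exclusive create closes the window: `fd = os.open(lockfile, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o660); os.close(fd)`. The account name `"sysadmin"` is also a literal here and in fix_keyring_lockfile_location.patch; one module-level constant would reduce the next rename to a single line. The function body continues beyond the hunk.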
@@ -149,8 +149,8 @@ function print_help() echo "" echo "Optionally specify a --name prefix of the collected tar file." echo "" - echo "With the command set specified, simply run collect as wrsroot and when" - echo "prompted provide the wrsroot sudo password and let collect handle the rest." + echo "With the command set specified, simply run collect as sysadmin and when" + echo "prompted provide the sysadmin sudo password and let collect handle the rest." echo "" echo "Scope Options:" echo "" @@ -563,7 +563,7 @@ function clean_scratch_dir_remote() spawn bash -i expect -re $ set timeout 60 - send "${SSH_CMD} wrsroot@${this_hostname}\n" + send "${SSH_CMD} sysadmin@${this_hostname}\n" expect { "assword:" { send "${pw}\r" @@ -621,7 +621,7 @@ function delete_remote_dir_or_file() spawn bash -i expect -re $ set timeout 60 - send "${SSH_CMD} wrsroot@${this_hostname}\n" + send "${SSH_CMD} sysadmin@${this_hostname}\n" expect { "assword:" { send "${pw}\r" @@ -683,7 +683,7 @@ function get_file_from_host() spawn bash -i set timeout ${SCP_TIMEOUT} expect -re $ - send "${SCP_CMD} wrsroot@${this_hostname}:${remote_src} ${local_dest} 2>>${HOST_COLLECT_ERROR_LOG}\n" + send "${SCP_CMD} sysadmin@${this_hostname}:${remote_src} ${local_dest} 2>>${HOST_COLLECT_ERROR_LOG}\n" expect { "assword:" { send "${pw}\r" @@ -1083,7 +1083,7 @@ EOF spawn bash -i set timeout 30 expect -re $ - send "${SSH_CMD} wrsroot@${host}\n" + send "${SSH_CMD} sysadmin@${host}\n" expect { "assword:" { send "${pw}\r" @@ -1131,7 +1131,7 @@ EOF exit ${FAIL_UNREACHABLE} } "Host key verification failed" { - send "rm -f /home/wrsroot/.ssh/known_hosts\n" + send "rm -f /home/sysadmin/.ssh/known_hosts\n" exit ${FAIL} } timeout { exit ${FAIL_TIMEOUT} } diff --git a/tools/collector/scripts/collect_host b/tools/collector/scripts/collect_host index 3016b1b3b..3faf250e6 100755 --- a/tools/collector/scripts/collect_host +++ b/tools/collector/scripts/collect_host 
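Review bot: In the `@@ -1131` hunk, the "Host key verification failed" handler sends `rm -f /home/sysadmin/.ssh/known_hosts`, which discards every pinned host key for the account rather than the one that mismatched. The condition meant to flag a changed or impersonated host therefore clears the record that detects it. Removing only the affected entry keeps the other pins, for example `send "ssh-keygen -R ${host}\n"`, assuming `${host}` from the earlier `send` is still in scope; exiting with the failure and leaving the removal to the operator is safer still. The hard-coded home directory could be `~/.ssh/known_hosts`, so the path survives another account rename. The expect block starts and ends outside the hunk.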
@@ -332,8 +332,8 @@ function collect_extra() echo "${hostname}: Bash History ......: ${LOGFILE}" # history - delimiter ${LOGFILE} "cat /home/wrsroot/.bash_history" - cat /home/wrsroot/.bash_history >> ${LOGFILE} 2>>${COLLECT_ERROR_LOG} + delimiter ${LOGFILE} "cat /home/sysadmin/.bash_history" + cat /home/sysadmin/.bash_history >> ${LOGFILE} 2>>${COLLECT_ERROR_LOG} LOGFILE="${EXTRA_DIR}/interrupt.info" echo "${hostname}: Interrupt Info ....: ${LOGFILE}" diff --git a/tools/engtools/hostdata-collectors/scripts/linux_benchmark.sh b/tools/engtools/hostdata-collectors/scripts/linux_benchmark.sh index 64fd5ce8b..32d7dd206 100644 --- a/tools/engtools/hostdata-collectors/scripts/linux_benchmark.sh +++ b/tools/engtools/hostdata-collectors/scripts/linux_benchmark.sh @@ -1,6 +1,6 @@ #!/bin/bash -username="wrsroot" +username="sysadmin" password="Li69nux*" test_duration="30" wait_duration="5" diff --git a/tools/engtools/hostdata-collectors/scripts/remote/rsync-engtools-data.sh b/tools/engtools/hostdata-collectors/scripts/remote/rsync-engtools-data.sh index 4fdfc487e..08a1623de 100644 --- a/tools/engtools/hostdata-collectors/scripts/remote/rsync-engtools-data.sh +++ b/tools/engtools/hostdata-collectors/scripts/remote/rsync-engtools-data.sh @@ -32,7 +32,7 @@ fi sudo mkdir -p ${DEST} # rsync options -USER=wrsroot +USER=sysadmin RSYNC_OPT="-r -l --safe-links -h -P --stats --exclude=*.pyc" # Rsync data from multiple locations diff --git a/tools/engtools/parsers/common/download-data.sh b/tools/engtools/parsers/common/download-data.sh index 7ac8c3d21..320bca048 100755 --- a/tools/engtools/parsers/common/download-data.sh +++ b/tools/engtools/parsers/common/download-data.sh 
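Review bot: `cat /home/sysadmin/.bash_history >> ${LOGFILE}` copies the account's full shell history into the collect bundle, and shell history commonly holds passwords, tokens or keys that were typed on a command line. The bundle then needs handling as sensitive material, which nothing in this hunk indicates. A comment such as `# NOTE: history may contain secrets; restrict access to the bundle` would record that, and making this item opt-in or filtering it would reduce exposure. collect_extra continues outside the hunk.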
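Review bot: In linux_benchmark.sh, `password="Li69nux*"` in the context line directly under the renamed `username` keeps a plaintext account password in the repository, now paired with the `sysadmin` login. The script could take it at run time instead, e.g. `read -r -s -p "Password: " password`, or from an environment variable supplied by the caller. If this value is or was a real default, it should be treated as exposed and rotated. The rest of the script is outside the hunk.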
@@ -21,11 +21,11 @@ fi source ./lab.conf -rsync -azvh wrsroot@${CONTROLLER0_IP}:/scratch/syseng_data/* . -rsync -azvh wrsroot@${CONTROLLER1_IP}:/scratch/syseng_data/* . +rsync -azvh sysadmin@${CONTROLLER0_IP}:/scratch/syseng_data/* . +rsync -azvh sysadmin@${CONTROLLER1_IP}:/scratch/syseng_data/* . -rsync -azvh wrsroot@${CONTROLLER0_IP}:/opt/backups/tmp/syseng-data/* . -rsync -azvh wrsroot@${CONTROLLER1_IP}:/opt/backups/tmp/syseng-data/* . +rsync -azvh sysadmin@${CONTROLLER0_IP}:/opt/backups/tmp/syseng-data/* . +rsync -azvh sysadmin@${CONTROLLER1_IP}:/opt/backups/tmp/syseng-data/* . # Compress the newly download data files if they have not been compressed CURDIR=$(pwd)