integ: Convert wrsroot -> sysadmin

This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.

Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: Ic2ea06d3ac15c31854a604af5f4cecf9094fcaea
Story: 2004716
Task: 28748
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Saul Wold 2019-05-09 12:58:20 -07:00
parent 6ccb588bf8
commit 83c6575d51
16 changed files with 52 additions and 53 deletions


@ -25,18 +25,18 @@ d /run/log 0755 root root -
z /run/log/journal 2755 root systemd-journal - - z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - - Z /run/log/journal/%m ~2750 root systemd-journal - -
a+ /run/log/journal/%m - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x a+ /run/log/journal/%m - - - - d:group:sys_protected:r-x,d:group:wheel:r-x
A+ /run/log/journal/%m - - - - group:wrs_protected:r-x,group:wheel:r-x A+ /run/log/journal/%m - - - - group:sys_protected:r-x,group:wheel:r-x
z /var/log/journal 2755 root systemd-journal - - z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - - z /var/log/journal/%m 2755 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - - z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
a+ /var/log/journal - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x a+ /var/log/journal - - - - d:group:sys_protected:r-x,d:group:wheel:r-x
a+ /var/log/journal - - - - group:wrs_protected:r-x,group:wheel:r-x a+ /var/log/journal - - - - group:sys_protected:r-x,group:wheel:r-x
a+ /var/log/journal/%m - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x a+ /var/log/journal/%m - - - - d:group:sys_protected:r-x,d:group:wheel:r-x
a+ /var/log/journal/%m - - - - group:wrs_protected:r-x,group:wheel:r-x a+ /var/log/journal/%m - - - - group:sys_protected:r-x,group:wheel:r-x
a+ /var/log/journal/%m/system.journal - - - - group:wrs_protected:r--,group:wheel:r-- a+ /var/log/journal/%m/system.journal - - - - group:sys_protected:r--,group:wheel:r--
d /var/lib/systemd 0755 root root - d /var/lib/systemd 0755 root root -
d /var/lib/systemd/coredump 0755 root root 3d d /var/lib/systemd/coredump 0755 root root 3d


@ -1,2 +1,2 @@
COPY_LIST="files/*" COPY_LIST="files/*"
TIS_PATCH_VER=0 TIS_PATCH_VER=1


@ -12,26 +12,25 @@ Group: base
Packager: StarlingX Packager: StarlingX
URL: unknown URL: unknown
Source0: wrs.sudo Source0: sysadmin.sudo
Source1: LICENSE Source1: LICENSE
%define WRSROOT_P cBglipPpsKwBQ %define SYSADMIN_P 4SuW8cnXFyxsk
%description %description
StarlingX sudo configuration file StarlingX sudo configuration file
%install %install
install -d %{buildroot}/%{_sysconfdir}/sudoers.d install -d %{buildroot}/%{_sysconfdir}/sudoers.d
install -m 440 %{SOURCE0} %{buildroot}/%{_sysconfdir}/sudoers.d/wrs install -m 440 %{SOURCE0} %{buildroot}/%{_sysconfdir}/sudoers.d/sysadmin
%pre %pre
getent group wrs >/dev/null || groupadd -r wrs getent group sys_protected >/dev/null || groupadd -f -g 345 sys_protected
getent group wrs_protected >/dev/null || groupadd -f -g 345 wrs_protected getent passwd sysadmin > /dev/null || \
getent passwd wrsroot > /dev/null || \ useradd -m -g sys_protected -G root \
useradd -m -g wrs -G root,wrs_protected \ -d /home/sysadmin -p %{SYSADMIN_P} \
-d /home/wrsroot -p %{WRSROOT_P} \ -s /bin/sh sysadmin 2> /dev/null || :
-s /bin/sh wrsroot 2> /dev/null || :
%files %files
%license ../SOURCES/LICENSE %license ../SOURCES/LICENSE
%config(noreplace) %{_sysconfdir}/sudoers.d/wrs %config(noreplace) %{_sysconfdir}/sudoers.d/sysadmin
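Review bot: The `%define SYSADMIN_P` line bakes a fixed password hash into the package, and `useradd ... -p %{SYSADMIN_P}` in `%pre` gives every installed system the same initial sysadmin credential. The 13-character value looks like a traditional DES crypt(3) hash, which offers little resistance to offline guessing once the spec is public. If first-login expiry is not already enforced elsewhere, add `chage -d 0 sysadmin` inside the account-creation branch so the default cannot stay in use, and prefer a SHA-512 crypt hash or no preset password. The trailing `2> /dev/null || :` also hides a failed `useradd`, which would leave `sudoers.d/sysadmin` installed for an account that was never created.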


@ -0,0 +1,12 @@
##
## User privilege specification
##
sysadmin ALL=(ALL) ALL
sysadmin ALL=(root) NOPASSWD: /usr/bin/config_controller
sysadmin ALL=(root) NOPASSWD: /usr/bin/config_region
sysadmin ALL=(root) NOPASSWD: /usr/bin/config_subcloud
sysadmin ALL=(root) NOPASSWD: /usr/bin/config_management
sysadmin ALL=(root) NOPASSWD: /usr/local/sbin/collect
Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
Defaults passprompt="Password: "
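Review bot: The rule `sysadmin ALL=(root) NOPASSWD: /usr/local/sbin/collect` grants password-less root on a script with no argument restriction, yet the collect script changed later in this commit exits with "Cannot run collect as 'root' user" when `UID` is 0. If that is the same file, the rule serves no purpose and can be dropped under least privilege. For the remaining `NOPASSWD` entries, a comment such as `## NOPASSWD targets must be root-owned and not group- or world-writable` would record the assumption these rules depend on.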


@ -1,12 +0,0 @@
##
## User privilege specification
##
wrsroot ALL=(ALL) ALL
wrsroot ALL=(root) NOPASSWD: /usr/bin/config_controller
wrsroot ALL=(root) NOPASSWD: /usr/bin/config_region
wrsroot ALL=(root) NOPASSWD: /usr/bin/config_subcloud
wrsroot ALL=(root) NOPASSWD: /usr/bin/config_management
wrsroot ALL=(root) NOPASSWD: /usr/local/sbin/collect
Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
Defaults passprompt="Password: "


@ -12,7 +12,7 @@
# We want to run as the "www" user and scripts can't be setuid. The # We want to run as the "www" user and scripts can't be setuid. The
# sudoers permissions are set up to allow wrsroot to run this script # sudoers permissions are set up to allow sysadmin to run this script
# as the "www" user without a password. # as the "www" user without a password.
if [ $USER != "www" ]; then if [ $USER != "www" ]; then
exec sudo -u www $0 $@ exec sudo -u www $0 $@
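Review bot: The re-exec line `exec sudo -u www $0 $@` word-splits and glob-expands every argument before it reaches the `www` copy of the script, so an argument containing spaces or wildcards arrives differently from what the caller passed. `exec sudo -u www "$0" "$@"` keeps the arguments intact. The guard `[ $USER != "www" ]` has the same quoting gap and trusts an environment variable; `[ "$(id -un)" != "www" ]` checks the effective identity instead. The `if` block continues past the end of the hunk.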


@ -1,3 +1,3 @@
wrsroot ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload sysadmin ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload
Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin


@ -49,7 +49,7 @@ index 0000000..27d12dc
+. "$_RUNTIMEFILE" +. "$_RUNTIMEFILE"
+ +
+# runtime defaults +# runtime defaults
+_DEFAULTGRP2="wrs_protected" +_DEFAULTGRP2="sys_protected"
+_BASHSHELL="/bin/bash" +_BASHSHELL="/bin/bash"
+_DEFAULTSHADOWMAX="90" +_DEFAULTSHADOWMAX="90"
+_DEFAULTSHADOWWARNING="2" +_DEFAULTSHADOWWARNING="2"


@ -30,7 +30,7 @@ Index: keyring-5.3/keyring/backends/file.py
+ if oct(stat.S_IMODE(os.stat(lockdir + "/" + lockfile).st_mode)) != '0770': + if oct(stat.S_IMODE(os.stat(lockdir + "/" + lockfile).st_mode)) != '0770':
+ # Must have the lock file with the correct group and permissisions g+rw + # Must have the lock file with the correct group and permissisions g+rw
+ os.chmod(lockdir + "/" + lockfile, stat.S_IRWXG | stat.S_IRWXU) + os.chmod(lockdir + "/" + lockfile, stat.S_IRWXG | stat.S_IRWXU)
+ groupinfo = grp.getgrnam('wrs_protected') + groupinfo = grp.getgrnam('sys_protected')
+ os.chown(lockdir + "/" + lockfile,-1,groupinfo.gr_gid) + os.chown(lockdir + "/" + lockfile,-1,groupinfo.gr_gid)
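Review bot: `grp.getgrnam('sys_protected')` raises `KeyError` when the group is absent, so on a host where the group has not been created yet, or is still named `wrs_protected`, the lock-file setup aborts after the `os.chmod` has already run and before the `os.chown`. Resolving the group before the `chmod`, and wrapping the lookup in `try: ... except KeyError:` with a clear error message, would make that failure explicit instead of leaving a half-configured lock file. The later keyring hunks that set `nonrootuser = "sysadmin"` presumably depend on the account in the same way through `getpwnam`. The enclosing function starts and ends outside the hunk.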


@ -82,7 +82,7 @@ Index: keyring-5.3/keyring/backends/file.py
- if os.geteuid() == 0 and (not os.path.exists(lockfile)): - if os.geteuid() == 0 and (not os.path.exists(lockfile)):
- from pwd import getpwnam - from pwd import getpwnam
- import stat - import stat
- nonrootuser = "wrsroot" - nonrootuser = "sysadmin"
- with open(lockfile, 'w'): - with open(lockfile, 'w'):
- pass - pass
- # must have the lock file with the correct group permissisions g+rw - # must have the lock file with the correct group permissisions g+rw


@ -180,7 +180,7 @@ Index: keyring-5.3/keyring/backends/file.py
+ if os.geteuid() == 0 and (not os.path.exists(lockfile)): + if os.geteuid() == 0 and (not os.path.exists(lockfile)):
+ from pwd import getpwnam + from pwd import getpwnam
+ import stat + import stat
+ nonrootuser = "wrsroot" + nonrootuser = "sysadmin"
+ with open(lockfile, 'w'): + with open(lockfile, 'w'):
+ pass + pass
+ # must have the lock file with the correct group permissisions g+rw + # must have the lock file with the correct group permissisions g+rw


@ -28,7 +28,7 @@
# Generally, individual commands that display output have that output # Generally, individual commands that display output have that output
# redirected to the appropriate info file in /scratch/var/extra # redirected to the appropriate info file in /scratch/var/extra
# #
# wrsroot@controller-0:/scratch# sudo collect # sysadmin@controller-0:/scratch# sudo collect
# nodetype : controller # nodetype : controller
# Collector: /scratch # Collector: /scratch
# Extra Dir: /scratch/var/extra # Extra Dir: /scratch/var/extra
@ -76,7 +76,7 @@ TOOL_NAME=collect
TOOL_VER=2 TOOL_VER=2
TOOL_REV=0 TOOL_REV=0
# collect must be run as wrsroot # collect must be run as sysadmin
if [ ${UID} -eq 0 ]; then if [ ${UID} -eq 0 ]; then
echo "Error: Cannot run collect as 'root' user" echo "Error: Cannot run collect as 'root' user"
exit 1 exit 1
@ -149,8 +149,8 @@ function print_help()
echo "" echo ""
echo "Optionally specify a --name prefix of the collected tar file." echo "Optionally specify a --name prefix of the collected tar file."
echo "" echo ""
echo "With the command set specified, simply run collect as wrsroot and when" echo "With the command set specified, simply run collect as sysadmin and when"
echo "prompted provide the wrsroot sudo password and let collect handle the rest." echo "prompted provide the sysadmin sudo password and let collect handle the rest."
echo "" echo ""
echo "Scope Options:" echo "Scope Options:"
echo "" echo ""
@ -563,7 +563,7 @@ function clean_scratch_dir_remote()
spawn bash -i spawn bash -i
expect -re $ expect -re $
set timeout 60 set timeout 60
send "${SSH_CMD} wrsroot@${this_hostname}\n" send "${SSH_CMD} sysadmin@${this_hostname}\n"
expect { expect {
"assword:" { "assword:" {
send "${pw}\r" send "${pw}\r"
@ -621,7 +621,7 @@ function delete_remote_dir_or_file()
spawn bash -i spawn bash -i
expect -re $ expect -re $
set timeout 60 set timeout 60
send "${SSH_CMD} wrsroot@${this_hostname}\n" send "${SSH_CMD} sysadmin@${this_hostname}\n"
expect { expect {
"assword:" { "assword:" {
send "${pw}\r" send "${pw}\r"
@ -683,7 +683,7 @@ function get_file_from_host()
spawn bash -i spawn bash -i
set timeout ${SCP_TIMEOUT} set timeout ${SCP_TIMEOUT}
expect -re $ expect -re $
send "${SCP_CMD} wrsroot@${this_hostname}:${remote_src} ${local_dest} 2>>${HOST_COLLECT_ERROR_LOG}\n" send "${SCP_CMD} sysadmin@${this_hostname}:${remote_src} ${local_dest} 2>>${HOST_COLLECT_ERROR_LOG}\n"
expect { expect {
"assword:" { "assword:" {
send "${pw}\r" send "${pw}\r"
@ -1083,7 +1083,7 @@ EOF
spawn bash -i spawn bash -i
set timeout 30 set timeout 30
expect -re $ expect -re $
send "${SSH_CMD} wrsroot@${host}\n" send "${SSH_CMD} sysadmin@${host}\n"
expect { expect {
"assword:" { "assword:" {
send "${pw}\r" send "${pw}\r"
@ -1131,7 +1131,7 @@ EOF
exit ${FAIL_UNREACHABLE} exit ${FAIL_UNREACHABLE}
} }
"Host key verification failed" { "Host key verification failed" {
send "rm -f /home/wrsroot/.ssh/known_hosts\n" send "rm -f /home/sysadmin/.ssh/known_hosts\n"
exit ${FAIL} exit ${FAIL}
} }
timeout { exit ${FAIL_TIMEOUT} } timeout { exit ${FAIL_TIMEOUT} }
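Review bot: In the last hunk, the `"Host key verification failed"` branch responds by sending `rm -f /home/sysadmin/.ssh/known_hosts`, which discards every pinned host key as soon as one host presents an unexpected key. The next run then accepts whatever key is offered, and the warning that signals a possible man-in-the-middle is lost. Removing only the affected entry, `send "ssh-keygen -R ${host}\n"` (assuming `${host}` is still in scope as in the previous hunk), and telling the operator why the connection was refused would keep the other pins. The path is also hard-coded to `/home/sysadmin` rather than derived from the account's home directory, and the expect block begins and ends outside the hunk.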


@ -332,8 +332,8 @@ function collect_extra()
echo "${hostname}: Bash History ......: ${LOGFILE}" echo "${hostname}: Bash History ......: ${LOGFILE}"
# history # history
delimiter ${LOGFILE} "cat /home/wrsroot/.bash_history" delimiter ${LOGFILE} "cat /home/sysadmin/.bash_history"
cat /home/wrsroot/.bash_history >> ${LOGFILE} 2>>${COLLECT_ERROR_LOG} cat /home/sysadmin/.bash_history >> ${LOGFILE} 2>>${COLLECT_ERROR_LOG}
LOGFILE="${EXTRA_DIR}/interrupt.info" LOGFILE="${EXTRA_DIR}/interrupt.info"
echo "${hostname}: Interrupt Info ....: ${LOGFILE}" echo "${hostname}: Interrupt Info ....: ${LOGFILE}"
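Review bot: `cat /home/sysadmin/.bash_history >> ${LOGFILE}` copies the administrator's shell history into the collect bundle, and history files often contain passwords or tokens typed on a command line. A comment above the line such as `# NOTE: shell history may contain credentials; handle the bundle as confidential` would document that for whoever ships the archive. The hard-coded `/home/sysadmin` could instead be the home directory looked up with `getent passwd sysadmin`. collect_extra continues outside the hunk.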


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
username="wrsroot" username="sysadmin"
password="Li69nux*" password="Li69nux*"
test_duration="30" test_duration="30"
wait_duration="5" wait_duration="5"
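Review bot: The `password=` line keeps a literal account password in the script next to the renamed `username="sysadmin"`, so the credential is published with the repository and travels with every copy of the tool. Reading it from the environment, for example `password="${SYSADMIN_PASSWORD:?export SYSADMIN_PASSWORD first}"`, or prompting with `read -rs password`, keeps it out of source control. If the value is a product default, it should be changed on any system that still accepts it.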


@ -32,7 +32,7 @@ fi
sudo mkdir -p ${DEST} sudo mkdir -p ${DEST}
# rsync options # rsync options
USER=wrsroot USER=sysadmin
RSYNC_OPT="-r -l --safe-links -h -P --stats --exclude=*.pyc" RSYNC_OPT="-r -l --safe-links -h -P --stats --exclude=*.pyc"
# Rsync data from multiple locations # Rsync data from multiple locations
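Review bot: `USER=sysadmin` reassigns the shell's standard `USER` variable, which is normally exported, so child processes started after this line see `sysadmin` as the invoking user regardless of who runs the script. A dedicated name such as `REMOTE_USER=sysadmin` avoids the collision; the variable's uses are outside the hunk and would need the same rename. The context line `sudo mkdir -p ${DEST}` should also quote its argument as `"${DEST}"`.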


@ -21,11 +21,11 @@ fi
source ./lab.conf source ./lab.conf
rsync -azvh wrsroot@${CONTROLLER0_IP}:/scratch/syseng_data/* . rsync -azvh sysadmin@${CONTROLLER0_IP}:/scratch/syseng_data/* .
rsync -azvh wrsroot@${CONTROLLER1_IP}:/scratch/syseng_data/* . rsync -azvh sysadmin@${CONTROLLER1_IP}:/scratch/syseng_data/* .
rsync -azvh wrsroot@${CONTROLLER0_IP}:/opt/backups/tmp/syseng-data/* . rsync -azvh sysadmin@${CONTROLLER0_IP}:/opt/backups/tmp/syseng-data/* .
rsync -azvh wrsroot@${CONTROLLER1_IP}:/opt/backups/tmp/syseng-data/* . rsync -azvh sysadmin@${CONTROLLER1_IP}:/opt/backups/tmp/syseng-data/* .
# Compress the newly download data files if they have not been compressed # Compress the newly download data files if they have not been compressed
CURDIR=$(pwd) CURDIR=$(pwd)