chore: install: remove obsolete upgrading sections

These portions of code were only useful to upgrade bastions from
versions older than v3.00.00, which was the first public release.

There has been no remaining pre-v3.x version in production internally
for some time now, so there is no use keeping that code.
pull/282/head
Stéphane Lesimple 4 years ago committed by Stéphane Lesimple
parent 37842c29d3
commit 7f28cce490

@ -49,7 +49,6 @@ set_default_options()
opt[overwrite-cron]=1
opt[syslog-ng]=1
opt[overwrite-syslog-ng]=1
opt[migration-grant-aclkeeper-to-gatekeepers]=0
opt[check-ttyrec]=1
opt[install-fake-ttyrec]=0
}
@ -98,6 +97,7 @@ while [ -n "$1" ]; do
set_default_options
else
# "--[no]-wait" is no longer used, but to keep compatibility, we keep it here (ignored)
# same for --migration-grant-aclkeeper-to-gatekeepers
foundoption=0
for allowedopt in modify-banner modify-sshd-config modify-ssh-config modify-motd modify-umask \
modify-pam-lastlog remove-weak-moduli regen-hostkeys overwrite-logrotate overwrite-cron \
@ -197,13 +197,6 @@ Usage:
--[no-]install-fake-ttyrec install a fake ttyrec binary if ttyrec is not present; useful mainly for tests,
or if you *really* don't want to use the real ttyrec
ONE-SHOT MIGRATION OPTIONS:
--migration-grant-aclkeeper-to-gatekeepers
Only useful when you're migrating from a version that doesn't implement the notion of aclkeeper (<2.21.00)
to a version that does (>=2.21.00): this option grants the aclkeeper right to all preexisting gatekeepers,
this helps ensuring a smooth transition from the users perspective
EOF
exit 1
fi
@ -355,68 +348,6 @@ if [ "$nothing" = 0 ]; then
action_na
fi
# remove obsolete logrotate files if needed
if [ "${opt[logrotate]}" = 1 ]; then
action_doing "Remove obsolete logrotate files..."
at_least_one_changed=0
for obsolete in osh-proxy-http osh-update-active-users
do
if [ -e "$ETC_DIR/logrotate.d/$obsolete" ]; then
at_least_one_changed=1
rm -f "$ETC_DIR/logrotate.d/$obsolete"
fi
done
fi
if [ "$at_least_one_changed" = 1 ]; then
action_done
else
action_na
fi
# remove obsolete cron files if needed
if [ "${opt[cron]}" = 1 ]; then
action_doing "Remove obsolete cron files..."
at_least_one_changed=0
for obsolete in osh-backupAclKeys osh-compressOldSqlite osh-encryptRsyncTtyrec \
osh-lingeringSessionsReaper osh-orphanedHomedir osh-pivGraceReaper \
osh-protectLogs osh-rotateTtyrec osh-activeUsers
do
if [ -e "$CRON_DIR/$obsolete" ]; then
at_least_one_changed=1
rm -f "$CRON_DIR/$obsolete"
fi
done
fi
if [ "$at_least_one_changed" = 1 ]; then
action_done
else
action_na
fi
action_doing "Move $BASTION_ETC_DIR/proxy-http.conf if needed"
if [ -f $BASTION_ETC_DIR/proxy-http.conf ] && ! [ -e $BASTION_ETC_DIR/osh-http-proxy.conf ]; then
mv $BASTION_ETC_DIR/proxy-http.conf $BASTION_ETC_DIR/osh-http-proxy.conf
action_done
else
action_na
fi
action_doing "Move $BASTION_ETC_DIR/sync-watcher-rsync.filter if needed"
if [ -f $BASTION_ETC_DIR/sync-watcher-rsync.filter ] && ! [ -e $BASTION_ETC_DIR/osh-sync-watcher.rsyncfilter ]; then
mv $BASTION_ETC_DIR/sync-watcher-rsync.filter $BASTION_ETC_DIR/osh-sync-watcher.rsyncfilter
action_done
else
action_na
fi
action_doing "Move $BASTION_ETC_DIR/sync-watcher.sh if needed"
if [ -f $BASTION_ETC_DIR/sync-watcher.sh ] && ! [ -e $BASTION_ETC_DIR/osh-sync-watcher.sh ]; then
mv $BASTION_ETC_DIR/sync-watcher.sh $BASTION_ETC_DIR/osh-sync-watcher.sh
action_done
else
action_na
fi
list="bastion"
[ "${opt[logrotate]}" = 1 ] && list="$list logrotate"
[ "${opt[cron]}" = 1 ] && list="$list cron"
@ -624,45 +555,6 @@ if [ "$nothing" = 0 ]; then
fi
chmod 0755 /home/passkeeper
# rename potential old groups to new names
action_doing "Rename legacy group to new names"
at_least_one_changed=0
for i in accountListBastionKeys:accountListEgressKeys \
selfAddPrivateAccess:selfAddPersonalAccess \
selfDelPrivateAccess:selfDelPersonalAccess \
accountAddPrivateAccess:accountAddPersonalAccess \
accountDelPrivateAccess:accountDelPersonalAccess \
accountListKeys:accountListIngressKeys \
accountResetKeys:accountResetIngressKeys
do
old=osh-$(echo "$i" | cut -d: -f1)
new=osh-$(echo "$i" | cut -d: -f2)
if getent group "$old" >/dev/null ; then
at_least_one_changed=1
# old group exists, does the new one exist too?
action_detail "Old group $old found"
if getent group "$new" >/dev/null ; then
# weird, both groups exist, just delete the old one
if groupdel "$old" ; then
action_detail "New group $new already existed, just deleted $old"
else
action_error "Error while attempting to delete $old"
fi
else
if group_rename_compat "$old" "$new"; then
action_detail "Renamed $old to $new"
else
action_error "Error while attempting to rename $old to $new"
fi
fi
fi
done
if [ "$at_least_one_changed" = 1 ]; then
action_done
else
action_na
fi
# add groups for specific modules
action_doing "Create needed system groups"
at_least_one_changed=0
@ -684,22 +576,6 @@ if [ "$nothing" = 0 ]; then
action_na
fi
# fix bad authorized_keys2 contents created in some cases before v2.30.00
action_doing "Fixing potential buggy keys in $AK_FILE contents"
at_least_one_changed=0
for account in $(getent passwd | grep ":$basedir/bin/shell/osh.pl$" | cut -d: -f1); do
test -f "/home/$account/$AK_FILE" || continue
grep -Eq '^from="[^ ]+"(ssh-|ecdsa-)' "/home/$account/$AK_FILE" || continue
at_least_one_changed=1
action_detail "... $account"
sed_compat 's/^(from="[^ ]+")(ssh-|ecdsa-)/\1 \2/g' "/home/$account/$AK_FILE"
done
if [ "$at_least_one_changed" = 1 ]; then
action_done
else
action_na
fi
# lastoshuser
# ensures that users created without specifying IDs will be created
# with higher IDs than the lastoshuser UID
@ -804,46 +680,6 @@ if [ "$nothing" = 0 ]; then
chmod 0710 /var/log/bastion
action_done
# move old "always_active" flags to the new way
action_doing "Convert oldschool always_active flags if any"
at_least_one_changed=0
while IFS= read -r -d '' i
do
at_least_one_changed=1
account=$(echo "$i" | cut -d/ -f3 | cut -d. -f2)
if [ -z "$account" ] || ! [ -d "/home/$account" ] ; then
action_detail "unrecognized file, or account '$account' no longer existing, removing"
else
filename="/home/allowkeeper/$account/config.always_active"
echo yes > "$filename"
chmod 0644 "$filename"
chown allowkeeper:allowkeeper "$filename"
action_detail "converted $account"
fi
rm -v "$i"
done < <(find /home/ -mindepth 1 -maxdepth 1 -type f -name ".*.always_active" -print0)
if [ "$at_least_one_changed" = 1 ]; then
action_done
else
action_na
fi
# migration auto: ensure all groups have their corresponding aclkeeper group
action_doing "Creating missing aclkeeper groups where needed"
at_least_one_changed=0
for grp in $(getent group | cut -d: -f1 | grep -- '-gatekeeper$' | sed -e 's/-gatekeeper$//'); do
if ! getent group "$grp-aclkeeper" >/dev/null ; then
action_detail "... creating $grp-aclkeeper"
groupadd_compat "$grp-aclkeeper" HIGH
at_least_one_changed=1
fi
done
if [ "$at_least_one_changed" = 1 ]; then
action_done
else
action_na
fi
# ensuring proper ACLs on group homes
action_doing "Ensuring proper ACLs on group homes and allowed.ip"
for grp in $(getent group | cut -d: -f1 | grep -- '-gatekeeper$' | sed -e 's/-gatekeeper$//'); do
@ -1074,14 +910,6 @@ if [ "$nothing" = 0 ]; then
action_done
fi
action_doing "Removing potentially bogus directories"
if [ -d /nonexistent ]; then
rmdir /nonexistent 2>/dev/null || true
action_done
else
action_na
fi
action_doing "Replacing legacy o+w by bastion-users/g+w"
at_least_one_changed=0
for file in \
@ -1388,7 +1216,7 @@ fi
if [ "${opt[remove-weak-moduli]}" = 1 ]; then
# remove low moduli
action_doing "Remove weak moduli"
action_doing "Remove weak moduli (less than 4K)"
if [ -e $SSH_DIR/moduli ] ; then
tmpmod=$(mktemp)
awk '$5 >= 4095' $SSH_DIR/moduli > "$tmpmod"
@ -1402,22 +1230,6 @@ if [ "${opt[remove-weak-moduli]}" = 1 ]; then
fi
fi
# optional migration: grant aclkeeper to gatekeepers
if [ "${opt[migration-grant-aclkeeper-to-gatekeepers]}" = 1 ] ; then
action_doing "Migration: giving the aclkeeper right to all gatekeepers"
for grp in $(getent group | cut -d: -f1 | grep -- '-gatekeeper$' | sed -e 's/-gatekeeper$//'); do
action_detail "... checking group $grp"
for gatek in $(getent group "$grp-gatekeeper" | cut -d: -f4 | tr "," "\\n"); do
action_detail "... $grp: granting $gatek as aclkeeper"
add_user_to_group_compat "$gatek" "$grp-aclkeeper"; ret=$?
if [ $ret -ne 0 ]; then
action_warn "Error while adding $gatek to $grp-aclkeeper!"
fi
done
done
action_done
fi
# lastly, check for ttyrec version and yell if it's not the proper one
if [ "${opt[check-ttyrec]}" = 1 ] ; then
action_doing "Checking ttyrec version"
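Review bot: The comment added above `foundoption=0` in the option-parsing hunk keeps `--migration-grant-aclkeeper-to-gatekeepers` as an accepted-but-ignored option, yet nothing in the new code tells the operator that the flag no longer does anything; before this change it performed a privilege grant (every gatekeeper became an aclkeeper), so an admin running an old install playbook would expect that grant to happen and gets no signal that it was skipped. The parsing loop continues outside the hunk, so the exact line is not visible, but where the option name is matched a one-liner such as `action_warn "--migration-grant-aclkeeper-to-gatekeepers is obsolete and ignored"` would make the no-op explicit (action_warn is already used elsewhere in this file). The usage hunk that drops the ONE-SHOT MIGRATION OPTIONS block could likewise keep a single line marking the option as deprecated so that `--help` and the parser agree on what is still accepted.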
