Diffstat (limited to 'server')
-rwxr-xr-x | server/bin/checkperms | 4 | ||||
-rwxr-xr-x | server/bin/getRepoIface | 9 | ||||
-rwxr-xr-x | server/bin/oglivecli | 23 | ||||
-rwxr-xr-x | server/bin/setclientmode | 90 | ||||
-rwxr-xr-x | server/bin/setserveraddr | 1 | ||||
-rwxr-xr-x | server/bin/setsmbpass | 2 | ||||
-rwxr-xr-x | server/bin/setsslkey | 127 | ||||
-rwxr-xr-x | server/bin/settoken | 83 | ||||
-rwxr-xr-x | server/lib/ogfunctions.sh | 31 | ||||
-rwxr-xr-x | server/lib/security-config | 40 | ||||
-rw-r--r-- | server/tftpboot/grub/default | 65 | ||||
-rw-r--r-- | server/tftpboot/grub/grub.cfg | 9 | ||||
-rw-r--r-- | server/tftpboot/grub/templates/00unknown | 30 | ||||
-rw-r--r-- | server/tftpboot/grub/templates/10 | 6 | ||||
-rw-r--r-- | server/tftpboot/grub/templates/11 | 4 | ||||
-rw-r--r-- | server/tftpboot/grub/templates/12 | 4 | ||||
-rw-r--r-- | server/tftpboot/grub/templates/19pxeADMIN | 22 | ||||
-rw-r--r-- | server/tftpboot/grub/templates/21UEFIpxe | 7 | ||||
-rw-r--r-- | server/tftpboot/grub/templates/pxe | 37 | ||||
-rw-r--r-- | server/tftpboot/menu.lst/templates/10 (renamed from server/tftpboot/menu.lst/templates/01) | 2 | ||||
-rw-r--r-- | server/tftpboot/menu.lst/templates/11 | 4 | ||||
-rw-r--r-- | server/tftpboot/menu.lst/templates/12 | 4 |
22 files changed, 535 insertions, 69 deletions
diff --git a/server/bin/checkperms b/server/bin/checkperms
index 5c558c45..3f79e2d3 100755
--- a/server/bin/checkperms
+++ b/server/bin/checkperms
@@ -44,6 +44,8 @@ find $OPENGNSYS_DIR/images -maxdepth 1 -exec chown :$OPENGNSYS_USER {} \;
 find $OPENGNSYS_DIR/images -maxdepth 1 -type d -exec chmod 775 {} \;
 find $OPENGNSYS_DIR/images -maxdepth 1 -type f -exec chmod 664 {} \;
 find $OPENGNSYS_DIR/client/{interfaceAdm,scripts} ! -name "*.txt" -exec chmod +x {} \;
+chown -R $OPENGNSYS_USER:$OPENGNSYS_USER $OPENGNSYS_DIR/client/etc/ssl/private
+chmod -R go-rwx $OPENGNSYS_DIR/client/etc/ssl/private
 chown $OPENGNSYS_USER:$OPENGNSYS_USER $OPENGNSYS_DIR/client/interfaceAdm/CambiarAcceso
 chmod 700 $OPENGNSYS_DIR/client/interfaceAdm/CambiarAcceso
 chown root:root $OPENGNSYS_DIR/etc/{ogAdmServer,ogAdmAgent}*.cfg
@@ -53,7 +55,7 @@ chmod 640 $OPENGNSYS_DIR/{www/controlacceso*.php,etc/ogAdmRepo*.cfg}
 chown -R $APACHE_USER:$APACHE_GROUP $OPENGNSYS_DIR/www/images/{fotos,iconos}
 mkdir -p $OPENGNSYS_DIR/www/{api,tmp}
 chown -R $APACHE_USER:$APACHE_GROUP $OPENGNSYS_DIR/www/{api,tmp}
-chown -R $APACHE_USER:$APACHE_GROUP $OPENGNSYS_DIR/tftpboot/menu.lst
+chown -R $APACHE_USER:$APACHE_GROUP $OPENGNSYS_DIR/tftpboot/{menu.lst,grub}
 chown -R :$OPENGNSYS_USER $OPENGNSYS_DIR/tftpboot/ogLive*
 find -L $OPENGNSYS_DIR/tftpboot -type d -exec chmod 755 {} \;
 find -L $OPENGNSYS_DIR/tftpboot -type f -exec chmod 644 {} \;
diff --git a/server/bin/getRepoIface b/server/bin/getRepoIface
new file mode 100755
index 00000000..2ce208be
--- /dev/null
+++ b/server/bin/getRepoIface
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# This script takes the IPlocal variable of the repository
+# and returns the system interface
+# Alfredo Luque <aluque@soleta.eu>
+
+source /opt/opengnsys/etc/ogAdmRepo.cfg
+
+ip addr show | grep $IPlocal | cut -f2 | awk '{ print $NF }'
diff --git a/server/bin/oglivecli b/server/bin/oglivecli
index 451c3c12..ca8ac0f9 100755
--- a/server/bin/oglivecli
+++ b/server/bin/oglivecli
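Review bot: The lookup on the last line of getRepoIface passes `$IPlocal` to grep unquoted and as a regular expression, so the dots match any character and a prefix such as 10.0.0.1 also matches 10.0.0.10, returning the wrong or several interfaces; `ip addr show | grep -F -w -- "$IPlocal" | awk '{ print $NF }'` matches the literal address as a whole word. The `cut -f2` stage in between is a no-op, because `ip addr` output is space-separated and cut splits on tabs by default. If the sourced config does not define `IPlocal`, grep is given an empty pattern and prints every line; a guard such as `[ -n "$IPlocal" ] || exit 1` after the `source` line would make that an explicit failure.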
@@ -14,13 +14,14 @@
 # Global constants definition.
-PROG=$(basename "$(realpath "$0")")
-OPENGNSYS=/opt/opengnsys
-DOWNLOADDIR=$OPENGNSYS/lib
-DOWNLOADURL="https://opengnsys.es/trac/downloads"
-TFTPDIR=$OPENGNSYS/tftpboot
-DEFOGLIVE="ogLive"
-INFOFILE=$OPENGNSYS/etc/ogliveinfo.json
+PROG=$(basename "$(realpath "$0")") # Program name.
+OPENGNSYS=/opt/opengnsys # OpenGnsys main directory.
+DOWNLOADDIR=$OPENGNSYS/lib # Directory to store ogLive images.
+DOWNLOADURL="https://opengnsys.es/trac/downloads" # Download URL.
+TFTPDIR=$OPENGNSYS/tftpboot # TFTP directory.
+DEFOGLIVE="ogLive" # Default ogLive directory.
+MINREL=20190601 # Mininum ogLive compatibility release.
+INFOFILE=$OPENGNSYS/etc/ogliveinfo.json # Configuration file.
 # Auxiliar functions.
@@ -154,6 +155,7 @@ ogLive download URL: $DOWNLOADURL
 ogLive download directory: $DOWNLOADDIR
 ogLive installation directory: $TFTPDIR
 Default ogLive name: $DEFOGLIVE
+Mainimum compatibility release: r$MINREL
 EOT
 ;;
 1) # Show specified parameter.
@@ -163,6 +165,7 @@ EOT
 download-dir) echo "$DOWNLOADDIR" ;;
 install-dir) echo "$TFTPDIR" ;;
 default-name) echo "$DEFOGLIVE" ;;
+ min-release) echo "r$MINREL" ;;
 *) raiseError notfound "$1" ;;
 esac
 ;;
@@ -208,6 +211,8 @@ function check() {
 [ $DOWNLOADDIR/$DEF -nt $TFTPDIR/$INST ] && echo "$DEF"
 done)
 [ -n "$AUX" ] && echo "Some ISOs are downloaded after installation: ${AUX//$'\n'/, }" && let ERR++
+ AUX=$(jq -r '.oglive[] as $og | if ($og.revision[1:9] | tonumber) < '$MINREL' then $og.directory else "" end' $INFOFILE 2>/dev/null)
+ [ -n "$AUX" ] && echo "Some installed ogLive aren't fully compatible: ${AUX//$'\n'/, }" && let ERR++
 # Print result.
 [ $ERR -eq 0 ] && echo "OK!" || echo "Problems detected: $ERR"
 return $ERR
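Review bot: The user-facing line added in the `@@ -154` hunk, `+Mainimum compatibility release: r$MINREL`, misspells "Minimum", and the comment on the new `MINREL=20190601` line in the first hunk has the same slip ("Mininum"); `Minimum compatibility release: r$MINREL` and `# Minimum ogLive compatibility release.` fix both. In the `check()` hunk the filter `$og.revision[1:9] | tonumber` presumably assumes every revision string has the form `rYYYYMMDD`; an entry that does not fit makes jq exit non-zero, and the `2>/dev/null` then hides that, so the compatibility check silently reports nothing for the whole file. A comment on the `AUX=$(jq ...)` line stating the expected revision format, or dropping the stderr redirect, would make that failure visible. check() starts before the hunk.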
@@ -253,7 +258,7 @@ function search() {
 # Show a menu to select and download an ogLive ISO image from the OpenGnsys website.
 function download() {
 local OGLIVE NISOS i SOURCELENGTH TARGETFILE
- local ISOREL MINREL=5000 # Mininum compatibility release.
+ local ISOREL
 [ $# -gt 1 ] && raiseError usage
 [ ! -d $DOWNLOADDIR ] && raiseError notfound "Download directory"
 [ ! -w $DOWNLOADDIR ] && raiseError access "Download directory"
@@ -268,7 +273,7 @@ function download() {
 echo "Available downloads (+ = installed, * = full compatibility):"
 for i in $(seq 1 $NISOS); do
 [ -e $DOWNLOADDIR/${OGLIVE[i-1]} ] && OGLIVE[i-1]="(+) ${OGLIVE[i-1]}"
- ISOREL=${OGLIVE[i-1]##*-r}; ISOREL=${ISOREL%.*}
+ ISOREL=${OGLIVE[i-1]##*-r}; ISOREL=${ISOREL%%.*}
 [ $ISOREL -ge $MINREL ] && OGLIVE[i-1]="(*) ${OGLIVE[i-1]}"
 done
 select opt in "${OGLIVE[@]}"; do
diff --git a/server/bin/setclientmode b/server/bin/setclientmode
index 855ae4a6..4004e932 100755
--- a/server/bin/setclientmode
+++ b/server/bin/setclientmode
@@ -22,41 +22,58 @@
 #@version 1.1.0a - El server siempre es el servidor PXE. El segundo parámetro de la IP es el SERVER. La asignación del ogLive siempre es el server. (ticket #859).
 #@author Antonio J. Doblas Viso, Universidad de Malaga
 #@date 2018-07-11
+#@version 1.1.1 - Crea configuración PXE para BIOS y UEFI. Permite pasar los datos acceso a la base de datos por variables de entorno. (ticket #802)
+#@author Irina Gomez, ETSII Universidad de Sevilla
+#@date 2019-02-13
 #*/ ##
-
 # Variables.
 PROG=$(basename $0)
 OPENGNSYS=${OPENGNSYS:-"/opt/opengnsys"}
 SERVERCONF=$OPENGNSYS/etc/ogAdmServer.cfg
-PXEDIR=$OPENGNSYS/tftpboot/menu.lst
+PXEDIR[0]=$OPENGNSYS/tftpboot/menu.lst
+PXEDIR[1]=$OPENGNSYS/tftpboot/grub
 LOGFILE=$OPENGNSYS/log/opengnsys.log
 MYCNF=/tmp/.my.cnf.$$
+
 # Control básico de errores.
 if [ $# -ne 3 ]; then
 echo "$PROG: Error de ejecución"
 echo "Formato: $PROG PLANTILLA [NOMBRE_PC|NOMBRE_AULA] MODO"
 exit 1
 fi
-if [ ! -r $SERVERCONF ]; then
- echo "$PROG: Sin acceso a fichero de configuración"
- exit 2
+
+# Comprobar si el usuario es "root" o el del servicio web.
+WEBUSER=$(ps axho user,comm|awk '!/root/ && /httpd|apache/ {print $1; exit;}')
+if [ "$USER" != "root" -a "$USER" != "$WEBUSER" ]; then
+ echo "$PROG: Need to be root. (The console can also call the script)." >&2
+ exit 1
+fi
+
+# El acceso a mysql por las variables pasadas o por el fichero de configuarción.
+if [ -z "$USUARIO" ] || [ -z "$PASSWORD" ] || [ -z "$CATALOG" ]; then
+ if [ -r "$SERVERCONF" ]; then
+ source $SERVERCONF
+ else
+ echo "$PROG: Sin acceso a fichero de configuración"
+ exit 2
+ fi
 fi
-TEMPLATE=$(grep -l "^#.* $1 *$" $PXEDIR/templates/*)
-if [ -z "$TEMPLATE" ]; then
+TEMPLATE[0]=$(grep -l "^#.* $1 *$" ${PXEDIR[0]}/templates/*)
+TEMPLATE[1]=$(grep -l "^#.* $1 *$" ${PXEDIR[1]}/templates/*)
+if [ -z "${TEMPLATE[0]}" -a -z "${TEMPLATE[1]}" ]; then
 echo "No existe archivo platilla: $1"
 exit
 fi
-case "$3" in
+
+case "${3^^}" in
 0|TEMP) MODE="TEMP" ;;
 1|PERM) MODE="PERM" ;;
 *) echo "$PROG: Modo desconodido: 0, TEMP (temporal), 1, PERM (permanente)"
 exit 1 ;;
 esac
-# Obtener datos de acceso a la Base de datos.
-source $SERVERCONF
 # Sustituir caracteres ' por \' para evitar inyección SQL.
 BOOTMODE="${1//\'/\'}"
 RESOURCE="${2//\'/\'}"
@@ -87,9 +104,9 @@ NPC=0
 for MAC in $ETHERNET; do
 date +"%b %d %T $PROG: Detectada ethernet \"$MAC\" en \"$2\"" | tee -a $LOGFILE
 MACFILE="${MAC^^}"
- PXEFILE=$PXEDIR/01-${MACFILE:0:2}-${MACFILE:2:2}-${MACFILE:4:2}-${MACFILE:6:2}-${MACFILE:8:2}-${MACFILE:10:2}
- # Renombra el fichero PXE original
- [ -e $PXEFILE ] && mv $PXEFILE $PXEFILE.netboot
+ PXEFILE[0]=01-${MACFILE:0:2}-${MACFILE:2:2}-${MACFILE:4:2}-${MACFILE:6:2}-${MACFILE:8:2}-${MACFILE:10:2}
+ MACFILE="${MAC,,}"
+ PXEFILE[1]=01-${MACFILE:0:2}:${MACFILE:2:2}:${MACFILE:4:2}:${MACFILE:6:2}:${MACFILE:8:2}:${MACFILE:10:2}
 if [ "$1" != "default" ]; then
 # Si no está definida la variable LANG, usar idioma inglés por defecto.
 [ -z "$LANG" -o "$LANG" == "C" ] && LANG="en"
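Review bot: The new privilege check in the first hunk compares `$USER`, which is inherited from the environment rather than taken from the process credentials, so the outcome depends on what the caller exported instead of on who actually runs the script; `[ "$(id -un)" != "root" -a "$(id -un)" != "$WEBUSER" ]` tests the real identity. When no httpd/apache process is running, `WEBUSER` is empty and the second comparison only rejects a non-empty `$USER`, which deserves a comment on the `WEBUSER=$(ps ...)` line. The environment-credentials path sources `$SERVERCONF` only when one of `USUARIO`, `PASSWORD` or `CATALOG` is missing, so a partially exported set is accepted and the later mysql call in the third hunk runs with a mix of caller-supplied and file-supplied values; a check such as `: "${USUARIO:?}" "${PASSWORD:?}" "${CATALOG:?}"` after the `fi` would reject that. The `grep -l "^#.* $1 *$"` template lookup still interpolates the first argument into a regular expression, as the previous version did.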
@@ -130,30 +147,49 @@ for MAC in $ETHERNET; do
 [[ "$DATOS" =~ (vga|video) ]] || DATOS="$DATOS vga=788"
 # Obtener directorio ogLive a partir de los datos.
 OGLIVEDIR=$(echo "$DATOS" | awk -F= 'BEGIN {RS=" "} $1=="oglivedir" {print $2}')
- # Comprobar si existe "oglivedir" en la plantilla para evitar duplicados.
- if grep -q "oglivedir=" $TEMPLATE 2>/dev/null; then
- DATOS="${DATOS/oglivedir=$OGLIVEDIR/}"
- fi
- # Crear fichero PXE a partir de la plantilla con los datos obtenidos en la BD.
- sed -e "s,vga=[0-9]*,,g; s,INFOHOST,${DATOS//,/\\,},g; s,set ISODIR=.*,set ISODIR=$OGLIVEDIR,g" $TEMPLATE >$PXEFILE
- # Ponemos como propietario al usuario y grupo de Apache para que se pueda cambiar desde la consola web.
- PERMS=$(ps axho user,group,comm|awk '!/root/ && /httpd|apache/ {u=$1; g=$2} END {if (g) printf "%s:%s",u,g}')
- [ -n "$PERMS" ] && chown $PERMS $PXEFILE
+
+ # Pondremos como propietario al usuario y grupo de Apache para que se pueda cambiar desde la consola web.
+ WEBGROUP=$(ps axho group,comm|awk '!/root/ && /httpd|apache/ {print $1; exit;}')
+ for BOOTTYPE in 0 1; do
+ # Si no existe la plantilla borramos el archivo PXE anterior continuamos
+ if [ -z "${TEMPLATE[$BOOTTYPE]}" ]; then
+ rm ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}
+ continue
+ fi
+ # Comprobar si existe "oglivedir" en la plantilla para evitar duplicados.
+ if grep -q "oglivedir=" ${TEMPLATE[$BOOTTYPE]} 2>/dev/null; then
+ DATOSAUX="${DATOS/oglivedir=$OGLIVEDIR/}"
+ fi
+ # Renombra el fichero PXE original
+ [ -e ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]} ] && mv ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]} ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}.netboot
+
+ # Crear fichero PXE a partir de la plantilla con los datos obtenidos en la BD.
+ sed -e "s,vga=[0-9]*,,g; s,INFOHOST,${DATOSAUX//,/\\,},g; s,set ISODIR=.*,set ISODIR=$OGLIVEDIR,g" ${TEMPLATE[$BOOTTYPE]} >${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}
+ [ -n "$WEBUSER" ] && chown $WEBUSER:$WEBGROUP ${PXEDIR[$BOOTTYPE]}/${PXEFILEE[$BOOTTYPE]}
+ done
+
+ # Si el modo de trabajo es temporal (0) mete un retardo, restaura el fichero PXE a su estado original y no toca la base de datos
 if [ "$MODE" == "TEMP" ]; then
 sleep 60
- rm $PXEFILE
- [ -e $PXEFILE.netboot ] && mv $PXEFILE.netboot $PXEFILE
+ for BOOTTYPE in 0 1; do
+ [ -e ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]} ] && rm ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}
+ [ -e ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}.netboot ] && mv ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}.netboot ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}
+ done
 fi
+ # Si el modo de trabajo es permanente (1) borra el fichero PXE.netboot si existe y graba los datos en la base de datos
 if [ "$MODE" == "PERM" ]; then
- [ -e $PXEFILE.netboot ] && rm $PXEFILE.netboot
+ [ -e ${PXEDIR[0]}/${PXEFILE[0]}.netboot ] && rm ${PXEDIR[0]}/${PXEFILE[0]}.netboot
+ [ -e ${PXEDIR[1]}/${PXEFILE[1]}.netboot ] && rm ${PXEDIR[1]}/${PXEFILE[1]}.netboot
+ # Si no existe la plantilla de tipo BIOS tomo el nombre de la UEFI
+ [ -z "${TEMPLATE[0]}" ] && TEMPLATE[0]=${TEMPLATE[1]}
+
 mysql --defaults-extra-file=$MYCNF -D "$CATALOG" -e \
- "UPDATE ordenadores SET arranque='$(basename $TEMPLATE)' WHERE mac='$MAC';"
+ "UPDATE ordenadores SET arranque='$(basename ${TEMPLATE[0]})' WHERE mac='$MAC';"
 fi
 fi
 let NPC=NPC+1
 done
 date +"%b %d %T $PROG: $NPC equipo(s) configurado(s)" | tee -a $LOGFILE
-
diff --git a/server/bin/setserveraddr b/server/bin/setserveraddr
index eb52d64d..cca279b8 100755
--- a/server/bin/setserveraddr
+++ b/server/bin/setserveraddr
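Review bot: The chown in the BOOTTYPE loop references `${PXEFILEE[$BOOTTYPE]}`, a variable that is never assigned, so the path collapses to `${PXEDIR[$BOOTTYPE]}/` and the ownership change is applied to the PXE directory instead of the file just generated, which stays owned by the caller and cannot be edited from the web console; the line should read `[ -n "$WEBUSER" ] && chown $WEBUSER:$WEBGROUP ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}`. `DATOSAUX` is only assigned inside the `if grep -q "oglivedir="` branch, so for a template without that string (and on the first iteration) the sed substitutes INFOHOST with an empty or stale value from the previous boot type; initialise it with `DATOSAUX="$DATOS"` immediately before that `if`. The `rm ${PXEDIR[$BOOTTYPE]}/${PXEFILE[$BOOTTYPE]}` in the no-template branch has neither `-f` nor an existence test, so it prints an error for every host that had no previous file of that type. The enclosing `for MAC in $ETHERNET` loop starts before the hunk.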
@@ -120,6 +120,7 @@ if [ -n "$SERVERIP" ]; then
 if [ "$RUN_OGADMREPO" == "yes" ]; then
 REPOKEY=$(php -r 'echo md5(uniqid(rand(), true));')
 sed -i -e "s/ApiToken=.*/ApiToken=$REPOKEY/" $OPENGNSYS/etc/ogAdmRepo.cfg
+ sed -i -e "s/APITOKEN=.*/APITOKEN=$REPOKEY/" $OPENGNSYS/etc/ogAdmServer.cfg
 fi
 # If OpenGnsys Server is active, updating the database.
 if [ "$RUN_OGADMSERVER" == "yes" ]; then
diff --git a/server/bin/setsmbpass b/server/bin/setsmbpass
index 2162b3be..efd90eec 100755
--- a/server/bin/setsmbpass
+++ b/server/bin/setsmbpass
@@ -105,7 +105,7 @@ for OGLIVE in $LIST; do
 done
 if [[ $CHANGES != 0 ]]; then
 # Ticket 565, preparar acceso Rsync servidor.
- echo "$SAMBAUSER:$SAMBAPASS" > /etc/rsyncd.secrets
+ [ -e /etc/rsyncd.secrets ] && sed -i -n -e "/^$SAMBAUSER:/!p" -e "$ a$SAMBAUSER:$SAMBAPASS" /etc/rsyncd.secrets || echo "$SAMBAUSER:$SAMBAPASS" > /etc/rsyncd.secrets
 chown root.root /etc/rsyncd.secrets
 chmod 600 /etc/rsyncd.secrets
 # Cambiar clave Samba.
diff --git a/server/bin/setsslkey b/server/bin/setsslkey
new file mode 100755
index 00000000..9652f006
--- /dev/null
+++ b/server/bin/setsslkey
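Review bot: The added sed line copies `$REPOKEY` into ogAdmServer.cfg as `APITOKEN`, but the value is still produced two lines above by `php -r 'echo md5(uniqid(rand(), true));'`, which derives from the clock and `rand()` rather than from a cryptographically secure source, so a token that now authenticates both services is far weaker than its 32 hex characters suggest; `php -r 'echo bin2hex(random_bytes(16));'` keeps the same format and fixes the randomness. The new settoken script in this commit builds `APIKEY` with the same expression and should be changed together with this line. The `if [ "$RUN_OGADMREPO" ...` block starts before the hunk.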
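Review bot: The new rsyncd.secrets line uses `A && B || C`, so when the file exists but sed fails, the fallback `echo ... >` truncates the file to this single user, and when the file exists but is empty the `$ a` command has no last line to append to and nothing is written at all. A two-step form covers both cases: `[ -e /etc/rsyncd.secrets ] && sed -i -e "/^$SAMBAUSER:/d" /etc/rsyncd.secrets` followed by `echo "$SAMBAUSER:$SAMBAPASS" >> /etc/rsyncd.secrets`. That also keeps `$SAMBAPASS` out of the sed script, where a backslash or newline in the password would currently be interpreted as sed syntax. The `if [[ $CHANGES != 0 ]]` block continues past the hunk.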
@@ -0,0 +1,127 @@
+#!/bin/bash
+
+#/**
+# setsslkey
+#@file setsslkey [NEW] [ogLive]
+#@brief Configura las claves públicas en los ogLive para que puedan autenticarse entre ellos.
+#@param $1 crear_key [NEW] (opcional). Crear la pareja de claves ssl. Por defecto toma la del oglive por defecto.
+#@param $2 ogLive (opcional). ogLive al que se le incluyen las claves públicas, por defecto a todos.
+#@warning Se modifica el Initrd del cliente.
+#@version 1.1.2 - Versión inicial - Basado en setserveraddr
+#@author Irina Gómez - ETSII Universidad Sevilla
+#@date 2019-09-25
+#*/ ##
+
+
+# Variables.
+PROG=$(basename "$0")
+PATH=$PATH:$(dirname "$(realpath "$0")")
+OPENGNSYS=${OPENGNSYS:-"/opt/opengnsys"}
+TFTPDIR=$OPENGNSYS/tftpboot
+INITRD=oginitrd.img
+TMPDIR=/tmp/oglive$$
+let CHANGES=0
+
+# Control básico de errores.
+if [ "$USER" != "root" ]; then
+ echo "$PROG: Error: solo ejecutable por root" >&2
+ exit 1
+fi
+
+# Regenerar las claves públicas aunque existan
+[ "${1^^}" == "NEW" ] && NEWKEY="NEW" && shift
+
+case $# in
+ 0) # Cambios en todos los clientes ogLive instalados.
+ if which oglivecli &>/dev/null; then
+ LIST=$(oglivecli list | awk '{print $2}')
+ else
+ LIST="ogclient"
+ fi ;;
+ 1) # Cambios en único ogLive (AVISO: puede crear inconsistencias con otros ogLive).
+ LIST="$1" ;;
+ *) # Error de formato.
+ echo "$PROG: Error de ejecución" >&2
+ echo "Formato: $PROG ogLive"
+ exit 1 ;;
+esac
+
+# Si me salgo con error borro el directorio temporal
+trap "rm -rf $TMPDIR 2>/dev/null" 1 2 3 6 9 15
+
+# ogLive por defecto
+OGLIVEDEFAULT=$(oglivecli list |awk -v NUM=$(oglivecli get-default) '{if ($1 == NUM) print $2}')
+
+if [ "$NEWKEY" != "NEW" ]; then
+ # Comprobamos si el ogLive por defecto contiene la clave
+ CLIENTINITRD="$TFTPDIR/$OGLIVEDEFAULT/$INITRD"
+ if [ -r "$CLIENTINITRD" ]; then
+ mkdir -p $TMPDIR
+ cd $TMPDIR || exit 3
+ gzip -dc "$CLIENTINITRD" | cpio -im
+ if [ -r scripts/ssl/id_rsa ]; then
+ PRIVKEY=$(cat scripts/ssl/id_rsa |grep -v '\-\-\-')
+ PUBLICKEY=$(cat scripts/ssl/id_rsa.pub)
+ else
+ NEWKEY="NEW"
+ fi
+ rm -fr $TMPDIR
+ else
+ NEWKEY="NEW"
+ fi
+fi
+
+# Genero nueva clave
+if [ "$NEWKEY" == "NEW" ]; then
+ [ -d $TMPDIR ] && rm -rf $TMPDIR
+ mkdir $TMPDIR
+ ssh-keygen -N "" -f $TMPDIR/id_rsa
+ PRIVKEY=$(cat $TMPDIR/id_rsa |grep -v "\-\-\-")
+ PUBLICKEY=$(cat $TMPDIR/id_rsa.pub)
+ rm -rf $TMPDIR
+fi
+
+# Buscar todos los clients ogLive instalados.
+for OGLIVE in $LIST; do
+ # Si no hay generar nueva clave ssl no hay que modificar el ogLive por defecto
+ [ "$NEWKEY" != "NEW" ] && [ "$OGLIVE" == "$OGLIVEDEFAULT" ] && continue
+
+ # Crear clave para usuario de acceso a los recursos.
+ CLIENTINITRD="$TFTPDIR/$OGLIVE/$INITRD"
+ if [ -r "$CLIENTINITRD" ]; then
+ # Editar la parte de acceso del cliente:
+ # descomprimir Initrd, sustituir clave y recomprimir Initrd).
+ echo "Configurando cliente \"$OGLIVE\" ..."
+ mkdir -p $TMPDIR
+ cd $TMPDIR || exit 3
+ gzip -dc "$CLIENTINITRD" | cpio -im
+
+ # Genero archivos de claves
+ [ -d $TMPDIR/scripts/ssl ] || mkdir -p $TMPDIR/scripts/ssl
+
+ echo "-----BEGIN RSA PRIVATE KEY-----" > $TMPDIR/scripts/ssl/id_rsa
+ echo $PRIVKEY |sed s/" "/\\n/g >> $TMPDIR/scripts/ssl/id_rsa
+ echo "-----END RSA PRIVATE KEY-----" >> $TMPDIR/scripts/ssl/id_rsa
+
+ echo $PUBLICKEY > $TMPDIR/scripts/ssl/id_rsa.pub
+ echo $PUBLICKEY > $TMPDIR/scripts/ssl/authorized_keys
+
+ chmod 400 $TMPDIR/scripts/ssl/id_rsa
+ chmod 400 $TMPDIR/scripts/ssl/authorized_keys
+
+ # Generar Initrd del cliente.
+ find . | cpio -H newc -oa | gzip -9c > "$CLIENTINITRD"
+
+ rm -fr $TMPDIR
+ # Calcular suma de comprobación.
+ md5sum "$CLIENTINITRD" | cut -f1 -d" " > "$CLIENTINITRD.sum"
+ let CHANGES++
+ else
+ echo "$PROG: Cliente \"$OGLIVE\" no accesible."
+ fi
+done
+if [[ $CHANGES != 0 ]]; then
+ echo "$PROG: Se ha modificado la pareja de claves ssl en $CHANGES clientes."
+else
+ echo "$PROG: Aviso: no se ha modificado la clave de ningún cliente."
+fi
diff --git a/server/bin/settoken b/server/bin/settoken
new file mode 100755
index 00000000..dd98f06a
--- /dev/null
+++ b/server/bin/settoken
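Review bot: `TMPDIR=/tmp/oglive$$` is a predictable path that the script then populates as root through `mkdir -p` and `cd`, so a directory or symlink already present under that name is silently reused for the cpio extraction and the key files; `TMPDIR=$(mktemp -d) || exit 3` gives a private directory, and because `TMPDIR` is also the environment variable that mktemp and other tools honour, a name such as `OGTMPDIR` avoids changing their behaviour as a side effect. The private key is rebuilt under a hard-coded `-----BEGIN RSA PRIVATE KEY-----` header, but ssh-keygen 7.8 and later writes the OpenSSH key format by default, whose body is not a PEM RSA key, so the reconstructed file is unusable on current systems; pass `-m PEM` to the `ssh-keygen -N "" -f` call, or copy the generated file verbatim instead of stripping and re-adding its header lines. `find . | cpio -H newc -oa | gzip -9c > "$CLIENTINITRD"` overwrites the initrd in place, so a failure in any stage leaves a truncated image that every client will try to boot; write to `"$CLIENTINITRD.tmp"` and `mv` it over the original only after the pipeline succeeds. Since the initrd lives in the TFTP tree, which checkperms in this same commit makes world-readable, the header block should state that the embedded key pair only identifies ogLive clients to each other and is not confidential from the network.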
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+#/**
+#@file settoken
+#@brief Generate a new security token for the specified service.
+#@usage settoken [-f] [Service]
+#@param -f: force server restart without prompting (ask by default)
+#@param Service: may be "server", "repo" or "both" (by default)
+#@warning This script uses "php" command.
+#@version 1.1.2 - Initial version.
+#@author Ramón M. Gómez - ETSII Univ. Sevilla
+#@date 2019-09-25
+#*/ ##
+
+# Global constants definition.
+PROG=$(basename "$(realpath "$0")") # Program name.
+OPENGNSYS=/opt/opengnsys # OpenGnsys main directory.
+SERVERCFG=$OPENGNSYS/etc/ogAdmServer.cfg # Configuration files.
+REPOCFG=$OPENGNSYS/etc/ogAdmRepo.cfg
+
+# Functions.
+source $OPENGNSYS/lib/ogfunctions.sh
+
+# Error control.
+[ "$USER" != "root" ] && raiseError access "Need to by root"
+if [ "$1" == "-f" ]; then
+ FORCE=1
+ shift
+fi
+[ $# -gt 1 ] && raiseError usage
+case "${1,,}" in
+ help)
+ help ;;
+ server)
+ SERVER=1 ;;
+ repo)
+ REPO=1 ;;
+ ""|both)
+ SERVER=1; REPO=1 ;;
+ *)
+ raiseError notfound "Unknown service"
+esac
+[ -w $SERVERCFG ] || raiseError access "Server configuration file"
+
+# Update server token.
+if [ "$SERVER" ]; then
+ # Confirm action (server will be restarted).
+ if [ ! "$FORCE" ]; then
+ read -rp "It will be necessary to restart ogAdmServer service. Continue? [y/N]: " ANSWER
+ [ "${ANSWER,,}" != "y" ] && raiseError cancel "API tokens not updated"
+ fi
+ APIKEY=$(php -r 'echo md5(uniqid(rand(), true));')
+ sed -i "s/^APITOKEN=.*/APITOKEN=$APIKEY/" $SERVERCFG || raiseError access "Cannot update server file"
+fi
+
+# Update repository token.
+if [ "$REPO" ]; then
+ [ -w $REPOCFG ] || raiseError access "Repository configuration file"
+ APIKEY=$(php -r 'echo md5(uniqid(rand(), true));')
+ sed -i "s/^ApiToken=.*/ApiToken=$APIKEY/" $REPOCFG || raiseError access "Cannot update repository file"
+ # If database is local, update it.
+ source $SERVERCFG
+ source $REPOCFG
+ if [ "$ServidorAdm" == "$IPlocal" ]; then
+ MYCNF=$(mktemp)
+ trap "rm -f $MYCNF" 0 1 2 3 6 9 15
+ chmod 600 $MYCNF
+ cat << EOT > $MYCNF
+[client]
+user=$USUARIO
+password=$PASSWORD
+host=$datasource
+EOT
+ mysql --defaults-extra-file="$MYCNF" --default-character-set=utf8 -D "$CATALOG" -e \
+ "UPDATE repositorios SET apikey='$APIKEY' WHERE ip='$IPlocal';" || raiseError access "Database error"
+ fi
+fi
+
+# Restart server, if needed.
+if [ "$SERVER" ]; then
+ restart opengnsys
+fi
+
diff --git a/server/lib/ogfunctions.sh b/server/lib/ogfunctions.sh
index 51de6b77..34b2ab7b 100755
--- a/server/lib/ogfunctions.sh
+++ b/server/lib/ogfunctions.sh
@@ -23,6 +23,9 @@ function raiseError() {
 download)
 echo "$PROG: Download error: $2" >&2
 exit 4 ;;
+ cancel)
+ echo "$PROG: Operation cancelled: $2" >&2
+ exit 5 ;;
 *)
 echo "$PROG: Unknown error" >&2
 exit 1 ;;
@@ -54,6 +57,20 @@ function help() {
 exit 0
 }
+# Functions to manage a service.
+function restart() {
+ _service restart "$1"
+}
+function start() {
+ _service start "$1"
+}
+function stop() {
+ _service stop "$1"
+}
+
+
+### Meta-functions and private functions.
+
 # Metafunction to check if JSON result exists.
 JQ=$(which jq 2>/dev/null) || raiseError notfound "Need to install \"jq\"."
 function jq() {
@@ -63,3 +80,17 @@ function jq() {
 echo "$OUTPUT"
 }
+# Private function to acts on a service (do not use directly).
+function _service() {
+ local ACTION="$1"
+ local SERVICE="$2"
+ if which systemctl 2>/dev/null; then
+ systemctl "$ACTION" "$SERVICE"
+ elif which service 2>/dev/null; then
+ service "$SERVICE" "$ACTION"
+ elif [ -x /etc/init.d/"$SERVICE" ]; then
+ /etc/init.d/"$SERVICE" "$ACTION"
+ else
+ raiseError notfound "Service $SERVICE"
+ fi
+}
diff --git a/server/lib/security-config b/server/lib/security-config
index 11961758..6d53d198 100755
--- a/server/lib/security-config
+++ b/server/lib/security-config
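Review bot: Both `sed -i "s/^APITOKEN=.*/APITOKEN=$APIKEY/" $SERVERCFG` and the `^ApiToken=` equivalent for the repository exit 0 even when no line matches, so a configuration file that lacks the key reports success, the service is restarted and the database is updated with a token that was never written to the file; guard each with `grep -q '^APITOKEN=' $SERVERCFG || raiseError notfound "APITOKEN in $SERVERCFG"` (and `'^ApiToken='` for `$REPOCFG`) before the sed. `[ "$USER" != "root" ]` tests an environment variable rather than the effective uid; `[ "$(id -un)" != "root" ]` is the reliable form. The SQL update interpolates `$APIKEY` and `$IPlocal`; the key is hex and `IPlocal` comes from the sourced repo config, which is fine as long as the header comment records that both config files are trusted input to this script.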
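Review bot: In the new `_service` helper, `if which systemctl 2>/dev/null; then` only silences stderr, so the path printed by `which` lands on the caller's stdout every time a service is started or stopped, and `which` is not guaranteed to be present; `if command -v systemctl >/dev/null 2>&1; then` (and likewise for `service`) is the portable, silent form. The `restart`/`start`/`stop` wrappers forward `$1` unchecked, so `restart` with no argument runs `systemctl restart ""`; a `[ -n "$SERVICE" ] || raiseError usage` after the two `local` lines would catch that before anything is invoked. The comment `# Private function to acts on a service (do not use directly).` should read `# Private function that acts on a service (do not use directly).`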
@@ -23,16 +23,16 @@ if which ufw &>/dev/null; then
 echo "Configuring UFW."
 # Adding active services.
 ufw allow "Apache Secure"
+ ufw allow from 127.0.0.1/8 to any port mysql proto tcp # MySQL from the loopback
 ufw allow OpenSSH
 ufw allow Samba
- ufw allow mysql
 ufw allow rsync
 ufw allow tftp
 ufw allow 67,68/udp # DHCP
- ufw allow 2008/tcp # OpenGnsys service
+ ufw allow 2008,2009,2011/tcp # OpenGnsys services
 ufw allow 6881:6999/udp # BitTorrent
 ufw allow 9000/tcp # PHP-FPM
- ufw allow 9000:9051/udp # Multicast
+ ufw allow 9000:9101/udp # Multicast
 # Applying configuration.
 ufw enable
 # FirewallD configuration.
@@ -42,9 +42,9 @@ elif which firewall-cmd &>/dev/null; then
 python -c "
 import firewall.core.io.service as ios
 s=ios.Service()
-s.short = 'OpenGnsys Server'
-s.name = 'ogAdmServer'
-s.ports = [('2008', 'tcp')]
+s.short = 'OpenGnsys Services'
+s.name = 'opengnsys'
+s.ports = [('2008', 'tcp'), ('2009', 'tcp'), ('2011', 'tcp')]
 ios.service_writer(s, '/etc/firewalld/services')
 s.name = 'php-fpm'
 s.ports = [('9000', 'tcp')]
@@ -52,9 +52,9 @@ ios.service_writer(s, '/etc/firewalld/services')"
 # Adding active services.
 firewall-cmd --permanent --add-service=dhcp
 firewall-cmd --permanent --add-service=https
- firewall-cmd --permanent --add-service=php-fpm
 firewall-cmd --permanent --add-service=mysql --zone internal
- firewall-cmd --permanent --add-service=ogAdmServer
+ firewall-cmd --permanent --add-service=opengnsys
+ firewall-cmd --permanent --add-service=php-fpm
 # Ubuntu 14.04 does not define "rsyncd" service.
 firewall-cmd --permanent --add-service=rsyncd || \
 firewall-cmd --permanent --add-port=873/tcp
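Review bot: The new MySQL rule restricts the service to the loopback, but the adjacent `ufw allow 9000/tcp # PHP-FPM` in the same block still admits any source even though the FastCGI listener is presumably contacted only by the local Apache; to match this change it could become `ufw allow from 127.0.0.1/8 to any port 9000 proto tcp # PHP-FPM from the loopback`. The loopback network is conventionally written `127.0.0.0/8`; ufw accepts the host-bits form, but the canonical spelling saves the next reader a double-take. In the firewalld branch the new `opengnsys` service goes into the default zone while mysql stays in `internal`, which looks intentional but is worth a one-line comment on the `--add-service=opengnsys` line so the asymmetry is not "fixed" later.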
@@ -73,16 +73,20 @@ fi
 # SELinux configuration.
 if which setsebool &>/dev/null; then
- echo "Configuring SELinux."
- # Configuring Apache.
- setsebool -P httpd_can_connect_ldap on
- semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
- # Configuring Samba.
- setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
- semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
- semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
- # Applying configuration.
- restorecon -R $OPENGNSYS
+ if selinuxenabled; then
+ echo "Configuring SELinux."
+ # Configuring Apache.
+ setsebool -P httpd_can_connect_ldap on
+ semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
+ # Configuring Samba.
+ setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
+ semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
+ semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
+ # Applying configuration.
+ restorecon -R $OPENGNSYS
+ else
+ echo "$PROG: Warning: SELinux is disabled, it won't be configured."
+ fi
 else
 echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
 fi
diff --git a/server/tftpboot/grub/default b/server/tftpboot/grub/default
new file mode 100644
index 00000000..6c505de6
--- /dev/null
+++ b/server/tftpboot/grub/default
@@ -0,0 +1,65 @@
+# Busca cargadores existentes por orden de prioridad e
+# inicia el primero que encuentra.
+# Si no existe ningún cargador de arranque muestre mensaje de error.
+set timeout=5
+
+set detectado='no'
+# Compruebo si existen distintos cargadores.
+echo "Searching rEFInd"
+search --file --set rootRefind /EFI/refind/shimx64.efi.signed
+if [ "$rootRefind" != "" ]; then
+ set detectado='si'
+ menuentry "rEFInd" {
+ root="$rootRefind"
+ chainloader /EFI/refind/shimx64.efi.signed
+}
+fi
+
+echo "Searching Part-01-02"
+search --file --set rootP2 /EFI/Part-01-02/Boot/ogloader.efi
+if [ "$rootP2" != "" ]; then
+ set detectado='si'
+ menuentry "Part-01-02" {
+ root="$rootP2"
+ chainloader /EFI/Part-01-02/Boot/ogloader.efi
+ }
+fi
+
+echo "Searching Part-01-03"
+search --file --set rootP3 /EFI/Part-01-03/Boot/ogloader.efi
+if [ "$rootP3" != "" ]; then
+ set detectado='si'
+ menuentry "Part-01-03" {
+ root="$rootP3"
+ chainloader /EFI/Part-01-03/Boot/ogloader.efi
+ }
+fi
+
+echo "Searching Microsoft"
+search --file --set rootMS /EFI/Microsoft/Boot/bootmgfw.efi
+if [ "$rootMS" != "" ]; then
+ set detectado='si'
+ menuentry "Microsoft" {
+ root="$rootMS"
+ chainloader /EFI/Microsoft/Boot/bootmgfw.efi
+ }
+fi
+
+echo "Searching Ubuntu"
+search --file --set rootUb /EFI/ubuntu/grubx64.efi
+if [ "$rootUb" != "" ]; then
+ set detectado='si'
+ menuentry "Ubuntu"
+ root="$rootUb"
+ chainloader /EFI/ubuntu/grubx64.efi
+ }
+fi
+
+
+# Si no hay ningún sistam operativo muestro mensaje.
+if [ $detectado == 'no' ]; then
+ menuentry "OpenGnsys no ha detectado ningún sistema operativo" {
+ # para evitar mensajes de error.
+ set root="(hd0,gpt1)"
+ }
+fi
diff --git a/server/tftpboot/grub/grub.cfg b/server/tftpboot/grub/grub.cfg
index 53db4d84..56f19639 100644
--- a/server/tftpboot/grub/grub.cfg
+++ b/server/tftpboot/grub/grub.cfg
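Review bot: The Ubuntu block is missing its opening brace: `menuentry "Ubuntu"` is followed directly by `root="$rootUb"` and then closed by `}`, which GRUB rejects as a syntax error, so the whole `default` file fails to parse and none of the detected loaders are offered; the line should be `menuentry "Ubuntu" {`. The closing `}` of the rEFInd entry sits at column 0 while every other entry indents it, which is cosmetic but makes the brace mismatch above harder to spot. The final test `if [ $detectado == 'no' ]` leaves `$detectado` unquoted; `"$detectado"` matches the quoting used for the `$root*` checks above.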
@@ -1,2 +1,9 @@
-source "$prefix/$net_default_mac"
+# Cargo configuración PC
+configfile=$prefix/01-$net_default_mac
+source "$configfile"
+# Si no existe anterior cargo configuracion por defecto
+# Lo compruebo buscando variables más usuales
+if [ "$timeout" == "" -a "$default" == "" ]; then
+ source "$prefix/default"
+fi
diff --git a/server/tftpboot/grub/templates/00unknown b/server/tftpboot/grub/templates/00unknown
new file mode 100644
index 00000000..3352a965
--- /dev/null
+++ b/server/tftpboot/grub/templates/00unknown
@@ -0,0 +1,30 @@
+##NO-TOCAR-ESTA-LINEA Sin-designar
+set default="0"
+set timeout="30"
+
+menuentry 'ogLive' {
+set ISODIR=ogLive
+linux (tftp)/$ISODIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=false ogdebug=false ogtmpfs=15 oglivedir=$ISODIR INFOHOST
+initrd (tftp)/$ISODIR/oginitrd.img
+boot
+}
+menuentry 'ReFind' {
+ root='hd0,gpt1'
+ chainloader /EFI/refind/shimx64.efi
+ boot
+}
+menuentry 'Part-01-02' {
+ root='hd0,gpt1'
+ chainloader /EFI/Part-01-02/Boot/ogloader.efi
+ boot
+}
+menuentry 'Windows' {
+ root='hd0,gpt1'
+ chainloader /EFI/Microsoft/Boot/bootmgfw.efi
+ boot
+}
+menuentry 'Ubuntu' {
+ root='hd0,gpt1'
+ chainloader /EFI/ubuntu/grubx64.efi
+ boot
+}
diff --git a/server/tftpboot/grub/templates/10 b/server/tftpboot/grub/templates/10
new file mode 100644
index 00000000..82c44464
--- /dev/null
+++ b/server/tftpboot/grub/templates/10
@@ -0,0 +1,6 @@
+##NO-TOCAR-ESTA-LINEA 1hd
+echo "rEFInd"
+
+root='hd0,gpt1'
+chainloader /EFI/refind/shimx64.efi.signed
+boot
diff --git a/server/tftpboot/grub/templates/11 b/server/tftpboot/grub/templates/11
new file mode 100644
index 00000000..06b34088
--- /dev/null
+++ b/server/tftpboot/grub/templates/11
@@ -0,0 +1,4 @@
+##NO-TOCAR-ESTA-LINEA 1hd-1os
+root='hd0,gpt1'
+chainloader /EFI/Part-01-02/Boot/ogloader.efi
+boot
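Review bot: `configfile` is also the name of a GRUB command, so `configfile=$prefix/01-$net_default_mac` followed by `source "$configfile"` works but reads like a typo for that command; a variable name such as `hostcfg` makes the per-host lookup unambiguous. The fallback test `[ "$timeout" == "" -a "$default" == "" ]` only recognises a per-host file that sets one of those two variables, and the templates `10`, `11` and `12` added in this commit set neither, so when their `chainloader`/`boot` fails GRUB continues and also sources `default`; that may well be the intended second chance, but a comment on the `if` line stating it would stop someone adding `set timeout` to those templates and silently losing the fallback.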
diff --git a/server/tftpboot/grub/templates/12 b/server/tftpboot/grub/templates/12
new file mode 100644
index 00000000..6f22fc30
--- /dev/null
+++ b/server/tftpboot/grub/templates/12
@@ -0,0 +1,4 @@
+##NO-TOCAR-ESTA-LINEA 1hd-2os
+root='hd0,gpt1'
+chainloader /EFI/Part-01-03/Boot/ogloader.efi
+boot
diff --git a/server/tftpboot/grub/templates/19pxeADMIN b/server/tftpboot/grub/templates/19pxeADMIN
new file mode 100644
index 00000000..211a543b
--- /dev/null
+++ b/server/tftpboot/grub/templates/19pxeADMIN
@@ -0,0 +1,22 @@
+##NO-TOCAR-ESTA-LINEA ogLiveAdmin
+set timeout=0
+set timeout_style=hidden
+
+set ISODIR=ogLive
+set default=0;
+
+echo "OgLive $ISODIR"
+menuentry "OgLive $ISODIR" {
+ # Si no existe el ogLive de ISODIR en la red, inicio ogLive por defecto
+ for DIR in $ISODIR ogLive; do
+ if linux (tftp)/$DIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=true ogdebug=true ogtmpfs=15 oglivedir=$ISODIR INFOHOST ; then
+ set DIR=$DIR
+ break
+ else
+ echo "OgLive default"
+ fi
+ done
+
+ initrd (tftp)/$DIR/oginitrd.img
+ boot
+}
diff --git a/server/tftpboot/grub/templates/21UEFIpxe b/server/tftpboot/grub/templates/21UEFIpxe
deleted file mode 100644
index 7892a495..00000000
--- a/server/tftpboot/grub/templates/21UEFIpxe
+++ /dev/null
@@ -1,7 +0,0 @@
-##NO-TOCAR-ESTA-LINEA UEFI-pxe
-set ISODIR=ogLive
-linux (tftp)/$ISODIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=false ogdebug=false ogtmpfs=15 oglivedir=$ISODIR INFOHOST
-initrd (tftp)/$OGLIVE/oginitrd.img
-boot
-
-
diff --git a/server/tftpboot/grub/templates/pxe b/server/tftpboot/grub/templates/pxe
new file mode 100644
index 00000000..1a67fc25
--- /dev/null
+++ b/server/tftpboot/grub/templates/pxe
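Review bot: In the 19pxeADMIN `menuentry`, the fallback loop loads the kernel from `(tftp)/$DIR/ogvmlinuz` but still passes `oglivedir=$ISODIR` on the command line, so when `$ISODIR` is absent and the loop falls back to `ogLive` the initrd is presumably pointed at the directory that was just found missing; if that parameter must name the directory actually booted, use `oglivedir=$DIR`, and the same applies to the `pxe` template that follows. `set DIR=$DIR` inside the `if` branch assigns a variable to itself and can be dropped. This template boots with `ogactiveadmin=true ogdebug=true`, which the header `##NO-TOCAR-ESTA-LINEA ogLiveAdmin` marks as the administrative profile; a short comment stating which hosts are expected to be assigned it would help operators keep it off ordinary clients.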
@@ -0,0 +1,37 @@
+##NO-TOCAR-ESTA-LINEA ogLive
+set timeout=0
+set timeout_style=hidden
+
+set ISODIR=ogLive
+
+# Si existe ogLive en CACHE lo inicio, si no el de la red
+set root=''
+echo "OgLive CACHE"
+search --file --set root /boot/$ISODIR/ogvmlinuz
+if [ "$root" == "" ]; then
+ echo "OgLive $ISODIR"
+ set default=1;
+else
+ set default=0;
+fi
+
+menuentry "OgLive CACHE" {
+ linux /boot/$ISODIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=false ogdebug=false ogupdateinitrd=true ogtmpfs=15 oglivedir=$ISODIR INFOHOST
+ initrd /boot/$ISODIR/oginitrd.img
+ boot
+}
+
+menuentry "OgLive $ISODIR" {
+ # Si no existe el ogLive de ISODIR en la red, inicio ogLive por defecto
+ for DIR in $ISODIR ogLive; do
+ if linux (tftp)/$DIR/ogvmlinuz ro boot=oginit quiet splash vga=788 irqpoll acpi=on og2nd=sqfs ogprotocol=smb ogactiveadmin=false ogdebug=false ogtmpfs=15 oglivedir=$ISODIR INFOHOST ; then
+ set DIR=$DIR
+ break
+ else
+ echo "OgLive default"
+ fi
+ done
+
+ initrd (tftp)/$DIR/oginitrd.img
+ boot
+}
diff --git a/server/tftpboot/menu.lst/templates/01 b/server/tftpboot/menu.lst/templates/10
index db7a3ee7..96d0f500 100644
--- a/server/tftpboot/menu.lst/templates/01
+++ b/server/tftpboot/menu.lst/templates/10
@@ -1,4 +1,4 @@
-##NO-TOCAR-ESTA-LINEA MBR
+##NO-TOCAR-ESTA-LINEA 1hd
 timeout 1
 title MBR
 chainloader (hd0)+1
diff --git a/server/tftpboot/menu.lst/templates/11 b/server/tftpboot/menu.lst/templates/11
index 6ff6b10b..c1492b57 100644
--- a/server/tftpboot/menu.lst/templates/11
+++ b/server/tftpboot/menu.lst/templates/11
@@ -1,6 +1,6 @@
-##NO-TOCAR-ESTA-LINEA 1hd-1partition
+##NO-TOCAR-ESTA-LINEA 1hd-1os
 timeout 1
-title FirstHardDisk-FirstPartition
+title FirstDisk-FirstOperatingSystem
 root (hd0,0)
 chainloader (hd0,0)+1
 boot
diff --git a/server/tftpboot/menu.lst/templates/12 b/server/tftpboot/menu.lst/templates/12
index 0843c3b1..0db966b7 100644
--- a/server/tftpboot/menu.lst/templates/12
+++ b/server/tftpboot/menu.lst/templates/12
@@ -1,6 +1,6 @@
-##NO-TOCAR-ESTA-LINEA 1hd-2partition
+##NO-TOCAR-ESTA-LINEA 1hd-2os
 timeout 1
-title FirstHardDisk-SecondPartition
+title FirstHardDisk-SecondOperatingSystem
 root (hd0,1)
 chainloader (hd0,1)+1
 boot |