From ea459e3e5eea2a0015649fb987abda7d7e925c78 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Tue, 31 Jul 2012 03:37:41 -0400
Subject: [PATCH] Fix all domtool scripts for modern Debian and HCoop practices
* There is no longer any local `domtool' group, use `nogroup' instead and chmod files user readable only
* The init scripts assumed `/usr/local/[s]bin' were in `$PATH', which is not true on a default Debian install. Rather than require customization of system defaults, just use long paths. It would be nice if the Makefile supported relocatable installs, but I also want a pony for xmas.
* `domtool-admin-sudo' never worked properly. It seems to rely on the mistaken assumption that starting a `pagsh' gives you a new PAG... when `pagsh' has the unintuitive behavior of adopting the current PAG instead of creating a new one if one should exist. Things appeared to work since there was always a local domtool user, and some interaction between the init scripts acquiring tokens outside of a PAG and sudo led to use of the uid ticket cache. The solution is just to use `k5start' instead of `kinit && aklog'
---
 scripts/domtool-addcert | 4 ++--
 scripts/domtool-admin-sudo | 4 +---
 scripts/domtool-server | 25 +++++++++++++++++++------
 scripts/domtool-server-logged | 2 +-
 scripts/domtool-slave | 24 +++++++++++++++++++-----
 scripts/domtool-slave-logged | 2 +-
 6 files changed, 43 insertions(+), 18 deletions(-)
diff --git a/scripts/domtool-addcert b/scripts/domtool-addcert
index 8d9e295..6e58197 100755
--- a/scripts/domtool-addcert
+++ b/scripts/domtool-addcert
@@ -15,7 +15,7 @@ CERTFILE=/afs/hcoop.net/common/etc/domtool/certs/$USER.pem
 mkdir $KEYDIR || echo Key directory already exists.
 openssl genrsa -out $KEYFILE
-chown -R domtool.domtool $KEYDIR
+chown -R domtool.nogroup $KEYDIR
 fs sa $KEYDIR $USER read || echo This must be a server principal.
 echo "." >$KEYIN
 echo "." >>$KEYIN
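Review bot: The commit message says files were made user-readable only, but no `chmod` appears in this patch; the private key written by `openssl genrsa -out $KEYFILE` on the line above the changed `chown` keeps whatever mode the caller's umask allowed. The `fs sa $KEYDIR $USER read` line below suggests `$KEYDIR` lives in AFS, where group and other mode bits are not consulted and the directory ACL decides who can read the key, so the switch to `nogroup` is cosmetic there; where a local copy exists, `chmod 0600 -- "$KEYFILE"` (or `umask 077` at the top of the script, outside this hunk) is what actually enforces the message's claim. `user.group` is a backward-compatibility spelling while POSIX chown takes `user:group`, so `chown -R domtool:nogroup -- "$KEYDIR"` is portable and also quotes the path; the same spelling recurs in this file's second hunk.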
@@ -32,4 +32,4 @@ cat $NEWREQ $KEYFILE >$NEW
 rm $NEWREQ
 openssl ca -batch -config /etc/domtool/openssl.cnf -policy policy_anything -out $CERTFILE -infiles $NEW
 rm $NEW
-chown domtool.domtool $CERTFILE
+chown domtool.nogroup $CERTFILE
diff --git a/scripts/domtool-admin-sudo b/scripts/domtool-admin-sudo
index 13eaf19..bd4341f 100755
--- a/scripts/domtool-admin-sudo
+++ b/scripts/domtool-admin-sudo
@@ -1,5 +1,3 @@
 #!/usr/bin/pagsh.openafs
-kinit -k -t /etc/keytabs/domtool domtool
-aklog
-domtool-admin $* >/dev/null 2>/dev/null
+k5start -qtUf /etc/keytabs/domtool domtool-admin $* >/dev/null 2>/dev/null
diff --git a/scripts/domtool-server b/scripts/domtool-server
index 6078c60..d86f5ac 100755
--- a/scripts/domtool-server
+++ b/scripts/domtool-server
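Review bot: `$*` on the new `k5start` line re-splits every argument on whitespace before it reaches `domtool-admin`, so an argument containing a space or a glob character arrives mangled; use `"$@"`, i.e. `k5start -qtUf /etc/keytabs/domtool domtool-admin "$@" >/dev/null 2>/dev/null`. Discarding stderr as well makes a keytab or KDC failure inside k5start indistinguishable from a failed `ping` for the caller in domtool-server, which then treats the dispatcher as not running and attempts a start; keep k5start's stderr visible, or route it to the log, and let callers discard what they do not want. The only other line in this file is the `pagsh.openafs` shebang, so the whole script's behaviour rests on this one command.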
@@ -1,31 +1,44 @@
 #!/usr/bin/pagsh.openafs
+# -*- sh-mode -*-
 # This script should go in /etc/init.d/ on Debian Linux systems
 # running Domtool dispatchers.
+# This script is NOT lsb compliant by a long shot... need to fix that
+
+### BEGIN INIT INFO
+# Provides: domtool-server
+# Required-Start: $remote_fs $network $time openafs-client nscd
+# Required-Stop: $remote_fs $network openafs-client nscd
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Domtool Dispatcher
+# Description: Launches the domtool server
+### END INIT INFO
+
 SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
 PIDFILE="/var/run/domtool/k5start-server.pid"
-set -e
+. /lib/lsb/init-functions
 case $1 in
 start)
- echo -n "Starting Domtool dispatcher: domtool-server"
+ log_daemon_msg "Starting Domtool dispatcher" "domtool-server"
 if sudo -u domtool domtool-admin-sudo ping; then
 echo "...already running."
 else
 PIDDIR=$(dirname "$PIDFILE")
 if test ! -d "$PIDDIR"; then
- mkdir -m 0755 $PIDDIR
- chown domtool:domtool $PIDDIR
+ mkdir -m 0750 $PIDDIR
+ chown domtool:nogroup $PIDDIR
 fi
 start-stop-daemon --start --pidfile $PIDFILE \
- -c domtool:domtool \
+ -c domtool:nogroup \
 --exec /usr/bin/k5start -- -U -b \
 -f /etc/keytabs/domtool \
 -K 300 -t -p $PIDFILE \
- domtool-server-logged
+ /usr/local/bin/domtool-server-logged
 echo "."
 fi
 ;;
diff --git a/scripts/domtool-server-logged b/scripts/domtool-server-logged
index 9f8f285..a529acf 100755
--- a/scripts/domtool-server-logged
+++ b/scripts/domtool-server-logged
@@ -1 +1 @@
-domtool-server >>/var/log/domtool.log 2>>/var/log/domtool.log
+/usr/local/sbin/domtool-server >>/var/log/domtool.log 2>>/var/log/domtool.log
diff --git a/scripts/domtool-slave b/scripts/domtool-slave
index 5392bea..dabbb70 100755
--- a/scripts/domtool-slave
+++ b/scripts/domtool-slave
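Review bot: Dropping `set -e` in favour of `. /lib/lsb/init-functions` leaves `mkdir -m 0750 $PIDDIR` and `chown domtool:nogroup $PIDDIR` unchecked, so when either fails (for instance because `nogroup` does not exist on the host) the script still runs `start-stop-daemon` and the `k5start` child, running as `domtool`, cannot write its pidfile; chain them, e.g. `mkdir -m 0750 -- "$PIDDIR" && chown domtool:nogroup -- "$PIDDIR" || { log_end_msg 1; exit 1; }`. The same `set -e` removal and the same unchecked pair appear in both domtool-slave hunks. The commit gives `domtool-server-logged` a long path because `/usr/local/bin` is not on a default `$PATH`, yet `sudo -u domtool domtool-admin-sudo ping` still depends on sudo's `secure_path` finding that script; `/usr/local/bin/domtool-admin-sudo` would follow the stated rationale, assuming it is installed beside `domtool-server-logged`. Having introduced `log_daemon_msg`, the `echo "...already running."` and the closing `echo "."` should become `log_end_msg 0` so all start output goes through the same LSB functions.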
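Review bot: The rewritten line is the entire file (the hunk is `@@ -1 +1 @@`), so the script has no shebang and is executable only through the ENOEXEC fallback that runs such a file with `/bin/sh` (presumably via execvp in k5start, which domtool-server points at this path); add `#!/bin/sh` as the first line so the interpreter is explicit rather than implied. Opening `/var/log/domtool.log` twice for stdout and stderr works only because both use `>>`; `>>/var/log/domtool.log 2>&1` states the intent directly and keeps one file description. The same two points apply to domtool-slave-logged.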
@@ -1,12 +1,26 @@
 #!/usr/bin/pagsh.openafs
+# -*- sh -*-
 # This script should go in /etc/init.d/ on Debian Linux systems
 # running Domtool slaves.
+# This script is NOT lsb compliant by a long shot... need to fix that
+# We need nscd running to lookup afs users for whatever reason
+
+### BEGIN INIT INFO
+# Provides: domtool-slave
+# Required-Start: $remote_fs $network $time openafs-client nscd
+# Required-Stop: $remote_fs $network openafs-client nscd
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Domtool Slave
+# Description: Launches the domtool slave
+### END INIT INFO
+
 SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
 PIDFILE="/var/run/domtool/k5start-slave.pid"
-set -e
+. /lib/lsb/init-functions
 case $1 in
 start)
@@ -16,16 +30,16 @@ case $1 in
 else
 PIDDIR=$(dirname "$PIDFILE")
 if test ! -d "$PIDDIR"; then
- mkdir -m 0755 $PIDDIR
- chown domtool:domtool $PIDDIR
+ mkdir -m 0750 $PIDDIR
+ chown domtool:nogroup $PIDDIR
 fi
 start-stop-daemon --start --pidfile $PIDFILE \
- -c domtool:domtool \
+ -c domtool:nogroup \
 --exec /usr/bin/k5start -- -U -b \
 -f /etc/keytabs/domtool \
 -K 300 -t -p $PIDFILE \
- domtool-slave-logged
+ /usr/local/bin/domtool-slave-logged
 echo "."
 fi
 ;;
diff --git a/scripts/domtool-slave-logged b/scripts/domtool-slave-logged
index c892bdf..674f3a4 100755
--- a/scripts/domtool-slave-logged
+++ b/scripts/domtool-slave-logged
@@ -1 +1 @@
-domtool-slave >>/var/log/domtool.log 2>>/var/log/domtool.log
+/usr/local/sbin/domtool-slave >>/var/log/domtool.log 2>>/var/log/domtool.log
-- 
2.20.1
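Review bot: The modeline added here is `# -*- sh -*-` while domtool-server receives `# -*- sh-mode -*-`; pick one spelling for both init scripts. Within the visible hunks nothing in this file calls a function from the newly sourced `/lib/lsb/init-functions`, and the start message line that domtool-server converted to `log_daemon_msg` lies between this hunk and the next, so either convert it the same way or leave the source line out until it is needed. The comment `# We need nscd running to lookup afs users for whatever reason` should record what actually fails without nscd, if that is known, rather than leaving the dependency unexplained for the next maintainer.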
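Review bot: The pidfile `/var/run/domtool/k5start-slave.pid` is written by `k5start -p` running as `domtool` inside a directory this hunk now makes `domtool:nogroup` 0750, so its contents are under the control of the unprivileged service account; the stop branch is outside this hunk, but if it stops via `--pidfile` alone, add `--user domtool` (and `--exec /usr/bin/k5start`) so a stale or rewritten pid can only ever match the daemon's own processes. Quoting the expansions, `mkdir -m 0750 -- "$PIDDIR"` and `--pidfile "$PIDFILE"`, keeps the script robust should `PIDFILE` ever be parameterised. domtool-server's start branch has the identical layout and the same two points apply there.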