diff --git a/ublinux/default b/ublinux/default
index 556b6e3..444685c 100644
--- a/ublinux/default
+++ b/ublinux/default
@@ -220,7 +220,11 @@ MKSQFS_OPTS="-b 32K -comp gzip"
 SAMBA_USERSHARE=enable
-AUTHPAM[minimal]=with-faillock,with-time,with-systemd-homed
+AUTHPAM[minimal]="with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple,with-pamaccess"
+AUTHPAM[nis]="with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple,with-pamaccess"
+AUTHPAM[winbind]="with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple,with-pamaccess"
+AUTHPAM[sssd]="with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple,with-pamaccess,with-sudo,with-mdns4,with-mdns6,with-files-domain"
+AUTHPAM=minimal
 JOURNALD[Storage]=persistent
 JOURNALD[Compress]=yes
diff --git a/ublinux/functions b/ublinux/functions
index 1cd7c8a..7fb79ea 100755
--- a/ublinux/functions
+++ b/ublinux/functions
@@ -825,6 +825,8 @@ ubconfig_exec_system(){
 ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/20-services exec_services_enabledisable "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
 ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/20-services exec_services_startstop_live "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
 ;;
+ AUTHPAM) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/40-authpam "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}" ;;
+ AUTHPAM\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/40-authpam "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}" ;;
 *) NO_FIND_EXCUTE=1 ;;
 esac
 ;;
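Review bot: The new `AUTHPAM[minimal]=`…`AUTHPAM[sssd]=` entries followed by `AUTHPAM=minimal` only keep their keys if AUTHPAM is already an associative array at the moment this file is sourced; otherwise bash treats `AUTHPAM[minimal]` as an arithmetic subscript (an unset name evaluates to 0), all four assignments land on index 0 and the final `AUTHPAM=minimal` overwrites them. The consumer in 40-authpam reads `${AUTHPAM[0]}` and `${AUTHPAM[${AUTHPAM[0]}]}`, so it depends on a `declare -A AUTHPAM` preceding every `. ${SOURCE}` that loads this file, which this diff does not show. A comment above the block would make the contract explicit: `# AUTHPAM must be 'declare -A' before this file is sourced; the bare AUTHPAM= selects the active profile (stored under key 0)`.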
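Review bot: The two new arms `AUTHPAM)` and `AUTHPAM\[*\])` run the identical command and can be one arm so they cannot drift apart later: `AUTHPAM|AUTHPAM\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/40-authpam "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}" ;;`. These arms forward `"${NAME_VAR}=${VALUE_VAR}"`, while the `DOMAIN)` arm changed in the next hunk of this file passes only the mode; if that asymmetry is deliberate it deserves a one-line comment. ubconfig_exec_system starts and ends outside the hunk.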
@@ -912,7 +914,7 @@ ubconfig_exec_system(){
 ;;
 "[${SYSCONF}/network]"|"[network]")
 case "${NAME_VAR}" in
- DOMAIN) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd domain_live "${COMMAND_MODE_VAR}" ;;
+ DOMAIN) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd exec_domain "${COMMAND_MODE_VAR}" ;;
 DOMAIN\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd domain_configure_live "${COMMAND_MODE_VAR}" ;;
 REALM_SSSD\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd domain_configure_live "${COMMAND_MODE_VAR}" ;;
 REALM_PERMIT_USER) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd domain_configure_live "${COMMAND_MODE_VAR}" ;;
diff --git a/ublinux/rc.preinit.d/23-realmd b/ublinux/rc.preinit.d/23-realmd
index f61087d..79b51e6 100755
--- a/ublinux/rc.preinit.d/23-realmd
+++ b/ublinux/rc.preinit.d/23-realmd
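Review bot: The `DOMAIN)` arm now dispatches to `exec_domain` with only `"${COMMAND_MODE_VAR}"`, and `exec_domain` (23-realmd, later in this diff) applies a `NAME=VALUE` argument through its `PARAM` branch but otherwise acts on whatever `${SYSCONF}/network` held when the script sourced it. If ubconfig has not yet persisted the new value when this arm runs, the join/unjoin is performed against the previous DOMAIN; I cannot tell the write order from this diff, so please confirm. The replaced `domain_live` also carried an explicit initrd guard (`[[ -z ${ROOTFS} ]] || return 0`) that `exec_domain` no longer has; if this arm can be reached with ROOTFS set, that is a behaviour change worth a comment here. ubconfig_exec_system starts and ends outside the hunk.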
@@ -39,35 +39,29 @@ SOURCE=${SYSCONF}/network; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
 #fi
 exec_domain(){
- if [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_sssd" ]]; then
- ${CMD_CHROOT} /usr/bin/ubdomain-client --quiet configure
- if [[ -f ${ROOTFS}/etc/krb5.keytab ]]; then
- #[[ -f ${ROOTFS}/etc/krb5.conf && -f ${ROOTFS}/etc/sssd/sssd.conf ]] || ${CMD_CHROOT} /usr/bin/ubdomain-client --quite configure 2>/dev/null
- [[ -f ${ROOTFS}/usr/lib/systemd/system/sssd.service ]] && ln -sf /usr/lib/systemd/system/sssd.service ${ROOTFS}/etc/systemd/system/multi-user.target.wants/sssd.service
- fi
- elif [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_winbind" ]]; then
- true
- elif [[ -n ${DOMAIN} && ${DOMAIN[client]} == "samba" ]]; then
- true
- fi
-}
-
-domain_live(){
-# Если выполнение в initrd, то выход
- [[ -z ${ROOTFS} ]] || return 0
 [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && COMMAND=$1 && shift
 [[ -n ${COMMAND} ]] || COMMAND="set="
 local PARAM="$@"
+ [[ $(declare -p DOMAIN 2>/dev/null) =~ "declare -A" ]] || declare -A DOMAIN
 if [[ -n ${PARAM} ]]; then
 unset DOMAIN
 declare -A DOMAIN
 [[ ${PARAM%%=*} =~ [!\$%\&()*+,./:\;\<\=\>?\@\^\{|\}~-] ]] || eval "${PARAM%%=*}=\${PARAM#*=}"
 fi
 if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then
- [[ -z ${DOMAIN} ]] && return 0
- ${ROOTFS}/usr/bin/ubdomain-client configure
+ if [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_sssd" ]]; then
+ if [[ -f ${ROOTFS}/etc/krb5.keytab ]]; then
+ ${CMD_CHROOT} /usr/bin/ubdomain-client --quiet configure
+ #[[ -f ${ROOTFS}/etc/krb5.conf && -f ${ROOTFS}/etc/sssd/sssd.conf ]] || ${CMD_CHROOT} /usr/bin/ubdomain-client --quite configure #2>/dev/null
+ [[ -f ${ROOTFS}/usr/lib/systemd/system/sssd.service ]] && ln -sf /usr/lib/systemd/system/sssd.service ${ROOTFS}/etc/systemd/system/multi-user.target.wants/sssd.service
+ fi
+ elif [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_winbind" ]]; then
+ true
+ elif [[ -n ${DOMAIN} && ${DOMAIN[client]} == "samba" ]]; then
+ true
+ fi
 elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then
- ${ROOTFS}/usr/bin/ubdomain-client unconfigure
+ ${CMD_CHROOT} /usr/bin/ubdomain-client unconfigure
 fi
 }
@@ -80,9 +74,11 @@ domain_configure_live(){
 if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then
 [[ -z ${DOMAIN} ]] && return 0
 ${ROOTFS}/usr/bin/ubdomain-client configure
+ systemctl restart sssd.service
 elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then
 [[ -z ${DOMAIN} ]] && return 0
 ${ROOTFS}/usr/bin/ubdomain-client configure
+ systemctl restart sssd.service
 fi
 }
diff --git a/ublinux/rc.preinit.d/30-network-hostname b/ublinux/rc.preinit.d/30-network-hostname
index 4e173ed..52d8d27 100755
--- a/ublinux/rc.preinit.d/30-network-hostname
+++ b/ublinux/rc.preinit.d/30-network-hostname
@@ -63,11 +63,10 @@ set_hostname_live(){
 hostnamectl set-hostname "${SET_HOSTNAME}"
 ## Если меняется имя хоста в запущенных X, то новое имя добавляем в xauth
 who | grep "(:[0-9.]*)$" | cut -d' ' -f1 | xargs -ri su {} -c "xauth list | sed 's|^.*/|su {} -c \\\\\"xauth add ${SET_HOSTNAME}/|;s|$|\\\\\"|'" | xargs -ri sh -c '{}'
- # Если указан задан домен в имени хоста и не соответствует DOMAIN, то задаём переменную DOMAIN=
- [[ ${DOMAIN} != ${SET_DOMAIN} ]] && ubconfig set network DOMAIN="${SET_DOMAIN}"
+ #[[ ${DOMAIN} != ${SET_DOMAIN} ]] && ubconfig --noexecute set network DOMAIN="${SET_DOMAIN}"
 # При условии, что в имене хоста домен указан отличный от DOMAIN
- [[ ${HOSTNAME} != ${SET_HOSTNAME} ]] && ubconfig --target global [system] HOSTNAME="${SET_HOSTNAME}"
+ [[ ${HOSTNAME} == ${SET_HOSTNAME} ]] || ubconfig --target global [system] HOSTNAME="${SET_HOSTNAME}"
 }
 exec_hostname(){
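Review bot: The added `[[ $(declare -p DOMAIN 2>/dev/null) =~ "declare -A" ]] || declare -A DOMAIN` runs inside exec_domain, where `declare` without `-g` creates a function-local variable: whenever DOMAIN is not already associative after the `. ${SOURCE}` at the top of the script, the sourced value is shadowed by an empty local and every `${DOMAIN[client]}` test below is false. The robust fix is `declare -A DOMAIN` before the file is sourced (outside this hunk), so `DOMAIN[client]=` in the config lands on a real key; an in-function `declare -gA` would still fail if the sourcing already produced an indexed array. Separately, `ubdomain-client --quiet configure` is now run only when `${ROOTFS}/etc/krb5.keytab` already exists, whereas the removed version ran it unconditionally and used the keytab only to decide on the sssd.service link; if configure is the step that obtains the keytab, a first join never happens, so please confirm the ordering and comment it, e.g. `# configure only once the host keytab is present (keytab is provisioned by …)`.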
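Review bot: `systemctl restart sssd.service` is added after both `ubdomain-client configure` calls in domain_configure_live without checking `${DOMAIN[client]}` or the exit status of configure, so a winbind/samba configuration (per the client values exec_domain tests) restarts an sssd unit that may not be installed, and a failed configure is followed by restarting the service on stale config. Suggest gating it and doing it once after the if/elif rather than in both branches: `[[ ${DOMAIN[client]} == "realmd_sssd" ]] && systemctl try-restart sssd.service` (`try-restart` is a no-op when the unit is not running). The restart also uses the host's systemctl directly while configure is prefixed with `${ROOTFS}`; if this function is only reached live (ROOTFS empty) that is fine, but a comment saying so would help. domain_configure_live starts outside the hunk.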
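Review bot: Commenting out the `ubconfig ... DOMAIN=` line leaves the surviving comment `# При условии, что в имене хоста домен указан отличный от DOMAIN` describing a condition that the following HOSTNAME line never checked, and leaves dead code in set_hostname_live. If syncing DOMAIN from the host name is dropped on purpose, delete the commented line and reword the comment for the write that remains, e.g. `# Persist the host name globally only when it actually changed`; if it is a temporary disable, a `# TODO:` with the reason is better than a bare commented line. Unrelated to this change but visible in the context above: the `who | ... | xargs -ri sh -c '{}'` pipeline executes as root text derived from each logged-in user's own `xauth list` output, i.e. user-controlled data reaching `sh -c`, which deserves a follow-up. set_hostname_live starts outside the hunk.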
@@ -83,7 +82,7 @@ exec_hostname(){
 # Если в имени хоста указан домен, то зададим на сеанс DOMAIN
 [[ ${HOSTNAME} != ${HOSTNAME#*.} ]] && SET_DOMAIN="${HOSTNAME#*.}"
 fi
- set_hostname "${SET_HOSTNAME}" "${SET_DOMAIN}"
+# set_hostname "${SET_HOSTNAME}" "${SET_DOMAIN}"
 # Если выполнение в initrd, то пропустить
 [[ -n ${ROOTFS} ]] || set_hostname_live "${SET_HOSTNAME}" "${SET_DOMAIN}"
 }
diff --git a/ublinux/rc.preinit.d/40-authpam b/ublinux/rc.preinit.d/40-authpam
index bf0176d..759cea1 100755
--- a/ublinux/rc.preinit.d/40-authpam
+++ b/ublinux/rc.preinit.d/40-authpam
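Review bot: With `set_hostname "${SET_HOSTNAME}" "${SET_DOMAIN}"` commented out, the only remaining call in exec_hostname is `set_hostname_live`, which the next line skips whenever `${ROOTFS}` is set, so on the initrd path nothing here applies the host name any more. If another step now does that, replace the dead line with a comment naming it, e.g. `# initrd: host name is written by <step> — see …`; if not, the call needs to come back. exec_hostname starts outside the hunk.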
@@ -20,30 +20,30 @@ SYSCONF="${ROOTFS}${SYSCONF}"
 SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
 SOURCE=${SYSCONF}/system; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
- [[ -n $1 && -n $2 ]] && AUTHPAM[$1]="$2"
- if [[ -n ${AUTHPAM[@]} && ${AUTHPAM[@],,} != @(disable|no|none|off) ]]; then
-# TODO: Сделать отработку по параметру загруженному, убрать парсинг
- AUTHPAM_PROFILE=$(grep -h '^AUTHPAM\[' ${ROOTFS}/usr/lib/ublinux/default ${ROOTFS}/etc/ublinux/system | tail -1 | sed -E 's/AUTHPAM\[([a-z]*)\].*/\1/') #'
- PROFILE_FEATURE=$(tr ',;' " " <<< ${AUTHPAM[${AUTHPAM_PROFILE}]})
- ${CMD_CHROOT} /usr/bin/authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE} --force --nobackup --quiet
- fi
-
-# if [[ -n ${AUTHPAM[@]} && ${AUTHPAM[@],,} != "disable" && ${AUTHPAM} != "-" && ${AUTHPAM,} != "no" && ${AUTHPAM,,} != "off" && ${SYSTEMBOOT_STATEMODE,,} =~ ^"sandbox" ]]; then
-# [[ ${#AUTHPAM[@]} -gt 1 ]] && unset AUTHPAM[minimal]
-# for AUTHPAM_PROFILE in "${!AUTHPAM[@]}"; do
-# AUTHPAM_CURRENT_PROFILE=$(authselect current --raw)
-# [[ $? != 0 ]] && unset AUTHPAM_CURRENT_PROFILE
-# read -a AUTHPAM_CURRENT_PROFILE <<< ${AUTHPAM_CURRENT_PROFILE}
-# PROFILE_FEATURE=$(tr ',;' " " <<< ${AUTHPAM[${AUTHPAM_PROFILE}]})
-# if [[ -z ${AUTHPAM_CURRENT_PROFILE} ]]; then
-# authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE} --force --nobackup --quiet
-# else
-# if [[ ${AUTHPAM_PROFILE} == ${AUTHPAM_CURRENT_PROFILE[0]} ]]; then
-# authselect enable-feature ${PROFILE_FEATURE} --force --nobackup --quiet
-# else
-# authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE} --force --nobackup --quiet
-# fi
-#
-# fi
-# done
-# fi
+exec_authpam(){
+ [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && COMMAND=$1 && shift
+ [[ -n ${COMMAND} ]] || COMMAND="set="
+ [[ $(declare -p AUTHPAM 2>/dev/null) =~ "declare -A" ]] || declare -A AUTHPAM
+ local PARAM="$@"
+ AUTHSELECT_LIST_ALL=$(${CMD_CHROOT} /usr/bin/authselect list)
+ AUTHPAM_FEATURE=${AUTHPAM[${AUTHPAM[0]}]//,/ }; AUTHPAM_FEATURE=${AUTHPAM_FEATURE//;/ }
+ if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then
+ if [[ ${AUTHPAM[0]} != @(""|disable|no|none|off) ]] \
+ && [[ ${AUTHSELECT_LIST_ALL} =~ (^|$'\n')([^$'\n'$])+[[:blank:]]+${AUTHPAM[0]}[[:blank:]]+([^$'\n'$])+($'\n'|$) ]] \
+ && [[ ${PARAM} =~ '['${AUTHPAM[0]}']=' || ${PARAM} =~ ^'AUTHPAM='${AUTHPAM[0]}$ ]]; then
+ ${CMD_CHROOT} /usr/bin/authselect select ${AUTHPAM[0]} ${AUTHPAM_FEATURE} --force --nobackup --quiet
+ fi
+ elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then
+ if [[ ${AUTHPAM[0]} != @(""|disable|no|none|off) ]]; then
+ ${CMD_CHROOT} /usr/bin/authselect select ${AUTHPAM[0]} ${AUTHPAM_FEATURE} --force --nobackup --quiet
+ fi
+ fi
+
+}
+
+ ################
+##### MAIN #####
+################
+
+ exec_authpam $@
diff --git a/ublinux/templates/ublinux-data.ini b/ublinux/templates/ublinux-data.ini
index 329afdf..ffb3dc7 100644
--- a/ublinux/templates/ublinux-data.ini
+++ b/ublinux/templates/ublinux-data.ini
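Review bot: `declare -A AUTHPAM` in exec_authpam executes inside a function, so whenever the `declare -p` test fails it creates a function-local empty array that shadows whatever the two `. ${SOURCE}` lines at the top of the hunk loaded, and `${AUTHPAM[0]}` is then always empty; if those files produced an indexed array (no prior `-A`), the `minimal`/`sssd` keys were already collapsed to index 0 before this point. Put `declare -A AUTHPAM` before the two `. ${SOURCE}` lines and drop the in-function declare. `AUTHPAM_FEATURE=${AUTHPAM[${AUTHPAM[0]}]//,/ }` is also computed before the `!= @(""|disable|no|none|off)` guard, so a disabled or unset profile indexes the array with `disable` or an empty key (bash rejects an empty associative subscript in at least some versions); compute it inside the two guarded branches instead. The call at the bottom should be `exec_authpam "$@"` so the mode and `NAME=VALUE` arguments passed by ubconfig_exec_system are not re-split on whitespace.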
@@ -108,7 +108,7 @@ SERVICES_ENABLE=dbus-broker,NetworkManager,sshd,systemd-swap,cups,cockpit.socket
 #ENVIROMENT[profile:VAR_PROFILE]="my value for all users"
 #ENVIROMENT[superadmin:VAR_USER]="my value for select user"
-## Профиль конфигурации PAM авторизации, authselect. Профили /usr/share/authselect/default
+## Настройки профиля конфигурации PAM авторизации, authselect. Профили /usr/share/authselect/default
 ## AUTHPAM[]=|disable|no|off
 ## # Профиль
 ## *minimal # Local users only for minimal installations, default
@@ -124,7 +124,18 @@ SERVICES_ENABLE=dbus-broker,NetworkManager,sshd,systemd-swap,cups,cockpit.socket
 ## Информация о профиле: authselect show sssd
 #AUTHPAM[minimal]=with-faillock,with-time,with-systemd-homed
 #AUTHPAM[sssd]=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple
-#AUTHPAM=disable
+
+## Тип используемого профиля конфигурации PAM авторизации, authselect. Профили /usr/share/authselect/default
+## AUTHPAM=|disable|no|off
+## # Профиль
+## *minimal # Local users only for minimal installations, default
+## nis # Enable NIS for system authentication
+## sssd # Enable SSSD for system authentication (also for local users only)
+## winbind # Enable winbind for system authentication
+## AUTHPAM=minimal
+## AUTHPAM=disable
+#AUTHPAM=sssd
+
 ## Алгоритм сжатия модулей по умолчанию
 #MKSQFS_OPTS="-b 512K -comp xz -Xbcj x86"