Fix bugs

2 years ago · adbdb034c0
parent 468b47ff29
commit adbdb034c0
6 changed files with 66 additions and 54 deletions
--- a/ublinux/default
+++ b/ublinux/default
@ -220,7 +220,11 @@ MKSQFS_OPTS="-b 32K -comp gzip"

 SAMBA_USERSHARE=enable

-AUTHPAM[minimal]=with-faillock,with-time,with-systemd-homed
+AUTHPAM[minimal]="with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple,with-pamaccess"
+AUTHPAM[nis]="with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple,with-pamaccess"
+AUTHPAM[winbind]="with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple,with-pamaccess"
+AUTHPAM[sssd]="with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple,with-pamaccess,with-sudo,with-mdns4,with-mdns6,with-files-domain"
+AUTHPAM=minimal

 JOURNALD[Storage]=persistent
 JOURNALD[Compress]=yes
--- a/ublinux/functions
+++ b/ublinux/functions
@ -825,6 +825,8 @@ ubconfig_exec_system(){
 					${ROOTFS}/usr/lib/ublinux/rc.preinit.d/20-services exec_services_enabledisable "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
 					${ROOTFS}/usr/lib/ublinux/rc.preinit.d/20-services exec_services_startstop_live "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
 		;;
+		AUTHPAM)		${ROOTFS}/usr/lib/ublinux/rc.preinit.d/40-authpam "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}" ;;
+		AUTHPAM\[*\])		${ROOTFS}/usr/lib/ublinux/rc.preinit.d/40-authpam "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}" ;;
 	        *)			NO_FIND_EXCUTE=1 ;;
 	    esac
 	;;
@ -912,7 +914,7 @@ ubconfig_exec_system(){
 	;;
 	"[${SYSCONF}/network]"|"[network]")
    	    case "${NAME_VAR}" in
-		DOMAIN)		 	${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd domain_live "${COMMAND_MODE_VAR}" ;;
+		DOMAIN)		 	${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd exec_domain "${COMMAND_MODE_VAR}" ;;
 		DOMAIN\[*\]) 		${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd domain_configure_live "${COMMAND_MODE_VAR}" ;;
 		REALM_SSSD\[*\])	${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd domain_configure_live "${COMMAND_MODE_VAR}" ;;
 		REALM_PERMIT_USER)	${ROOTFS}/usr/lib/ublinux/rc.preinit.d/23-realmd domain_configure_live "${COMMAND_MODE_VAR}" ;;
--- a/ublinux/rc.preinit.d/23-realmd
+++ b/ublinux/rc.preinit.d/23-realmd
@ -39,35 +39,29 @@ SOURCE=${SYSCONF}/network; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
 #fi

 exec_domain(){
-    if [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_sssd" ]]; then
-	${CMD_CHROOT} /usr/bin/ubdomain-client --quiet configure 
-	if [[ -f ${ROOTFS}/etc/krb5.keytab ]]; then
-	    #[[ -f ${ROOTFS}/etc/krb5.conf && -f ${ROOTFS}/etc/sssd/sssd.conf ]] || ${CMD_CHROOT} /usr/bin/ubdomain-client --quite configure 2>/dev/null    
-	    [[ -f ${ROOTFS}/usr/lib/systemd/system/sssd.service ]] && ln -sf /usr/lib/systemd/system/sssd.service ${ROOTFS}/etc/systemd/system/multi-user.target.wants/sssd.service
-	fi
-    elif [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_winbind" ]]; then
-	true
-    elif [[ -n ${DOMAIN} && ${DOMAIN[client]} == "samba" ]]; then
-	true
-    fi
-}
-
-domain_live(){
-# Если выполнение в initrd, то выход
-    [[ -z ${ROOTFS} ]] || return 0
    [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && COMMAND=$1 && shift
    [[ -n ${COMMAND} ]] || COMMAND="set="
    local PARAM="$@"
+    [[ $(declare -p DOMAIN 2>/dev/null) =~ "declare -A" ]] || declare -A DOMAIN
    if [[ -n ${PARAM} ]]; then
 	unset DOMAIN
 	declare -A DOMAIN
 	[[ ${PARAM%%=*} =~ [!\$%\&()*+,./:\;\<\=\>?\@\^\{|\}~-] ]] || eval "${PARAM%%=*}=\${PARAM#*=}"
    fi
    if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then
-	[[ -z ${DOMAIN} ]] && return 0
-	${ROOTFS}/usr/bin/ubdomain-client configure
+	if [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_sssd" ]]; then
+	    if [[ -f ${ROOTFS}/etc/krb5.keytab ]]; then
+		${CMD_CHROOT} /usr/bin/ubdomain-client --quiet configure 
+		#[[ -f ${ROOTFS}/etc/krb5.conf && -f ${ROOTFS}/etc/sssd/sssd.conf ]] || ${CMD_CHROOT} /usr/bin/ubdomain-client --quite configure #2>/dev/null    
+		[[ -f ${ROOTFS}/usr/lib/systemd/system/sssd.service ]] && ln -sf /usr/lib/systemd/system/sssd.service ${ROOTFS}/etc/systemd/system/multi-user.target.wants/sssd.service
+	    fi
+	elif [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_winbind" ]]; then
+	    true
+	elif [[ -n ${DOMAIN} && ${DOMAIN[client]} == "samba" ]]; then
+	    true
+	fi
    elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then
-	${ROOTFS}/usr/bin/ubdomain-client unconfigure
+	${CMD_CHROOT} /usr/bin/ubdomain-client unconfigure	
    fi    
 }

@ -80,9 +74,11 @@ domain_configure_live(){
    if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then
 	[[ -z ${DOMAIN} ]] && return 0
 	${ROOTFS}/usr/bin/ubdomain-client configure
+	systemctl restart sssd.service
    elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then
 	[[ -z ${DOMAIN} ]] && return 0
 	${ROOTFS}/usr/bin/ubdomain-client configure
+	systemctl restart sssd.service
    fi    
 }

--- a/ublinux/rc.preinit.d/30-network-hostname
+++ b/ublinux/rc.preinit.d/30-network-hostname
@ -63,11 +63,10 @@ set_hostname_live(){
    hostnamectl set-hostname "${SET_HOSTNAME}"
    ## Если меняется имя хоста в запущенных X, то новое имя добавляем в xauth
    who | grep "(:[0-9.]*)$" | cut -d' ' -f1 | xargs -ri su {} -c "xauth list | sed 's|^.*/|su {} -c \\\\\"xauth add ${SET_HOSTNAME}/|;s|$|\\\\\"|'" | xargs -ri sh -c '{}'
-
    # Если указан задан домен в имени хоста и не соответствует DOMAIN, то задаём переменную DOMAIN=
-    [[ ${DOMAIN} != ${SET_DOMAIN} ]] && ubconfig set network DOMAIN="${SET_DOMAIN}"
+    #[[ ${DOMAIN} != ${SET_DOMAIN} ]] && ubconfig --noexecute set network DOMAIN="${SET_DOMAIN}"
    # При условии, что в имене хоста домен указан отличный от DOMAIN
-    [[ ${HOSTNAME} != ${SET_HOSTNAME} ]] && ubconfig --target global [system] HOSTNAME="${SET_HOSTNAME}"
+    [[ ${HOSTNAME} == ${SET_HOSTNAME} ]] || ubconfig --target global [system] HOSTNAME="${SET_HOSTNAME}"
 }

 exec_hostname(){
@ -83,7 +82,7 @@ exec_hostname(){
 	# Если в имени хоста указан домен, то зададим на сеанс DOMAIN
 	[[ ${HOSTNAME} != ${HOSTNAME#*.} ]] && SET_DOMAIN="${HOSTNAME#*.}"
    fi
-    set_hostname "${SET_HOSTNAME}" "${SET_DOMAIN}"
+#    set_hostname "${SET_HOSTNAME}" "${SET_DOMAIN}"
    # Если выполнение в initrd, то пропустить
    [[ -n ${ROOTFS} ]] || set_hostname_live "${SET_HOSTNAME}" "${SET_DOMAIN}"
 }
--- a/ublinux/rc.preinit.d/40-authpam
+++ b/ublinux/rc.preinit.d/40-authpam
@ -20,30 +20,30 @@ SYSCONF="${ROOTFS}${SYSCONF}"
 SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
 SOURCE=${SYSCONF}/system; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null

-    [[ -n $1 && -n $2 ]] && AUTHPAM[$1]="$2"
-    if [[ -n ${AUTHPAM[@]} && ${AUTHPAM[@],,} != @(disable|no|none|off) ]]; then
-# TODO: Сделать отработку по параметру загруженному, убрать парсинг
-	AUTHPAM_PROFILE=$(grep -h '^AUTHPAM\[' ${ROOTFS}/usr/lib/ublinux/default ${ROOTFS}/etc/ublinux/system | tail -1 | sed -E 's/AUTHPAM\[([a-z]*)\].*/\1/') #'
-	PROFILE_FEATURE=$(tr ',;' " " <<< ${AUTHPAM[${AUTHPAM_PROFILE}]})
-	${CMD_CHROOT} /usr/bin/authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE} --force --nobackup --quiet
-    fi
-
-#    if [[ -n ${AUTHPAM[@]} && ${AUTHPAM[@],,} != "disable" && ${AUTHPAM} != "-" && ${AUTHPAM,} != "no" && ${AUTHPAM,,} != "off" && ${SYSTEMBOOT_STATEMODE,,} =~ ^"sandbox" ]]; then
-#	[[ ${#AUTHPAM[@]} -gt 1 ]] && unset AUTHPAM[minimal]
-#	for AUTHPAM_PROFILE in "${!AUTHPAM[@]}"; do
-#	    AUTHPAM_CURRENT_PROFILE=$(authselect current --raw)
-#	    [[ $? != 0 ]] && unset AUTHPAM_CURRENT_PROFILE
-#	    read -a AUTHPAM_CURRENT_PROFILE <<< ${AUTHPAM_CURRENT_PROFILE}
-#	    PROFILE_FEATURE=$(tr ',;' " " <<< ${AUTHPAM[${AUTHPAM_PROFILE}]})
-#	    if [[ -z ${AUTHPAM_CURRENT_PROFILE} ]]; then
-#		authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE} --force --nobackup --quiet
-#	    else
-#		if [[ ${AUTHPAM_PROFILE} == ${AUTHPAM_CURRENT_PROFILE[0]} ]]; then
-#		    authselect enable-feature ${PROFILE_FEATURE} --force --nobackup --quiet
-#		else
-#		    authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE} --force --nobackup --quiet
-#		fi
-#		
-#	    fi
-#	done
-#    fi
+exec_authpam(){
+    [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && COMMAND=$1 && shift
+    [[ -n ${COMMAND} ]] || COMMAND="set="
+    [[ $(declare -p AUTHPAM 2>/dev/null) =~ "declare -A" ]] || declare -A AUTHPAM
+    local PARAM="$@"
+    AUTHSELECT_LIST_ALL=$(${CMD_CHROOT} /usr/bin/authselect list)
+    AUTHPAM_FEATURE=${AUTHPAM[${AUTHPAM[0]}]//,/ }; AUTHPAM_FEATURE=${AUTHPAM_FEATURE//;/ }
+    if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then
+	if [[ ${AUTHPAM[0]} != @(""|disable|no|none|off) ]] \
+	&& [[ ${AUTHSELECT_LIST_ALL} =~ (^|$'\n')([^$'\n'$])+[[:blank:]]+${AUTHPAM[0]}[[:blank:]]+([^$'\n'$])+($'\n'|$) ]] \
+	&& [[ ${PARAM} =~ '['${AUTHPAM[0]}']='  || ${PARAM} =~ ^'AUTHPAM='${AUTHPAM[0]}$ ]]; then
+	    ${CMD_CHROOT} /usr/bin/authselect select ${AUTHPAM[0]} ${AUTHPAM_FEATURE} --force --nobackup --quiet
+	fi
+    elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then
+	if [[ ${AUTHPAM[0]} != @(""|disable|no|none|off) ]]; then
+	    ${CMD_CHROOT} /usr/bin/authselect select ${AUTHPAM[0]} ${AUTHPAM_FEATURE} --force --nobackup --quiet	
+	fi
+    fi    
+
+}
+
+
+################
+##### MAIN #####
+################
+
+    exec_authpam $@
--- a/ublinux/templates/ublinux-data.ini
+++ b/ublinux/templates/ublinux-data.ini
@ -108,7 +108,7 @@ SERVICES_ENABLE=dbus-broker,NetworkManager,sshd,systemd-swap,cups,cockpit.socket
 #ENVIROMENT[profile:VAR_PROFILE]="my value for all users"
 #ENVIROMENT[superadmin:VAR_USER]="my value for select user"

-## Профиль конфигурации PAM авторизации, authselect. Профили /usr/share/authselect/default
+## Настройки профиля конфигурации PAM авторизации, authselect. Профили /usr/share/authselect/default
 ## AUTHPAM[<profile>]=<feature>|disable|no|off
 ##   <profile>		# Профиль
 ##    *minimal		# Local users only for minimal installations, default
@ -124,7 +124,18 @@ SERVICES_ENABLE=dbus-broker,NetworkManager,sshd,systemd-swap,cups,cockpit.socket
 ## Информация о профиле: authselect show sssd
 #AUTHPAM[minimal]=with-faillock,with-time,with-systemd-homed
 #AUTHPAM[sssd]=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple
-#AUTHPAM=disable
+
+## Тип используемого профиля конфигурации PAM авторизации, authselect. Профили /usr/share/authselect/default
+## AUTHPAM=<profile>|disable|no|off
+##   <profile>		# Профиль
+##    *minimal		# Local users only for minimal installations, default
+##     nis		# Enable NIS for system authentication
+##     sssd		# Enable SSSD for system authentication (also for local users only)
+##     winbind		# Enable winbind for system authentication
+## AUTHPAM=minimal
+## AUTHPAM=disable
+#AUTHPAM=sssd
+

 ## Алгоритм сжатия модулей по умолчанию
 #MKSQFS_OPTS="-b 512K -comp xz -Xbcj x86"