Packaging updates supporting the use of immutable scripts, includes and config

Author: netlore

docs/WISHLIST.txt renamed to PLANNING.md

@@ -1,12 +1,21 @@
-*Blocking For 1.0 Release*
+**Blocking For 1.0 Release**
 
 * Code review, fix up input validation and graceful error handling/logging.
 
 * Fix rolefile interpreter bug
 
 
+**Planned Post 1.0 Enhancements**
 
-*Possible Future Enhancements*
+* Migrate server to systemd
+
+* IN PROGRESS - Migrate functions (including data) into a libexec folder to allow alternate data stores.
+
+* Merge multiple matching permissions.
+
+
+
+**Possible Future Enhancements (Suggestions)**
 
 * Write reason for authentication failure into the session record.
 
@@ -24,18 +33,12 @@
   host, and/or to determine why they were not permitted access,
   (require SYSTEM (or lower?) rights so it's not publically available).
 
-* Move audit name/command list into a configuration file.  
-
-* Merge multiple matching permissions.
+* Move audit name/command list into a configuration file.
 
 * for static keys, put comment in logs to show which key it is.
 
-* STARTED - Migrate data functions into a libexec folder to allow alternate data stores.
-
-
-
 
-*Archive/Completed Fixes & Changes
+**Archive/Completed Fixes & Changes**
 
 * DONE - Default role definition assigned to a host with no other role config.
 

QUICKSTART.txt

@@ -1,25 +1,31 @@
+**Building Packages**
 
-*Building Packages*
+NOTE: Building the packages is for advanced users/testers only, you can
+obtain packages in the normal way from OS repos by looking here:-
+
+https://netlore.github.io/OpenAKC/download/
 
 
 _Debian/Ubuntu_
 
 To create ".deb" packages for Debian/Ubuntu, simply download the repo using
 whatever method you prefer, then, as the "root" user, cd into the folder, and
 run "./makedebs.sh".  Watch for unexpected errors, and assuming there are no
-issues you will find that the required 3 .deb packages appear in the same
-folder as the "makedebs.sh" script.
+issues you will find that the required 4 .deb packages appear in the same
+folder as the "makedebs.sh" script.  Be sure to move them aside as they may
+interfere with some of the "contrib" tools.
 
 
 _Redhat_
 
 Collect the zip for "master", or for a release version, place it in the SOURCES
-folder of a working "rpmbuild" environment, Eg:-
+folder of a working "rpmbuild" environment (Configuring an RPM build
+environment is not covered here), Eg:-
 
 cd ~/rpmbuild/SOURCES
 wget https://github.com/netlore/OpenAKC/archive/master.zip
 
-Then extract the zip so that the associated "openakc.spec" file is available,
+Then extract the zip so that the associated "openakc-rhel.spec" file is available,
 and run rpmbuild to create the packages Eg:-
 
 unzip master.zip
@@ -28,15 +34,19 @@ rpmbuild -ba OpenAKC-master/openakc.spec
 If nothing goes wrong, the RPM's will appear in the build environments "RPMS"
 folder.
 
+_SuSE_
+
+As for RedHat, except if you build as root, it will already have a
+preconfigured RPM build environment in /usr/src
 
 
-*Quickstart Guide*
+**Quickstart Guide**
 
 
 _Server Installation_
 
-If installing from packages's rather than a repo, you may first need to ensure
-that some dependencies are installed.  At the time of writing, a standard
+If installing from compiledpackages's rather than a repo, you may first need to
+ensure that some dependencies are installed.  At the time of writing, a standard
 minimal "CentOS container" requires several packages to be installed
 in addition to the default:-
 
@@ -59,6 +69,9 @@ updates.
 register their keys, and administrators to upload static keys and configure
 permissions.
 
+3) "openakc-shared" which contains functions shared between all openakc
+components.
+
 To verify that the server is working, simply type "openakc ping" after
 installing the server packages.  This should force the server to write out
 a default configuration and reply with "OK: Pong!"
@@ -77,7 +90,7 @@ yum install e2fsprogs openssh-clients openssh-server openssl which
 For a minimal Ubuntu, installing extra dependencies is currently not
 required on the client host.
 
-Once any dependencies are met, simply install package "openakc"
+Once any dependencies are met, install packages "openakc" & "openakc-shared"
 
 To set up the client, ensure that the host(s) listed in the client config
 (/etc/openakc/openakc.conf) (which can be either name or IP) are configured
@@ -86,6 +99,11 @@ to refer to the appropriate server.  The configuration is pre-populated with
 configured in DNS, or in the /etc/hosts on the client for testing, or alter
 them as you prefer.
 
+NOTE: Before attempting to edit this file, you are advised to read the
+assocated "readme" - /etc/openakc/openakc.conf.readme, since the OpenAKC
+client installation marks its configuration "immutable" to avoid casual
+editing of those files by users you may need to grant root access.
+
 To verify that the client is configured, and can contact the server, after
 installation, you can run "openakc-plugin ping".  The plugin only has very
 minimal command line functions, but if for any reason you rebuild the
@@ -137,15 +155,16 @@ guide however, we will not discuss distributed systems.
 This user will now be able to run call the role management functions in the
 api tool Eg:-
 
-"openakc editrole root@test-client"
+"openakc editrole root@DEFAULT" (Default rolefile is applied to hosts not
+yet configured explicitly, so it is a useful way to get started).
 
 Examine the comments, and example role "block" shown, and create one
 defining access for a user or group.
 
 The role data can also be uploaded or downloaded using the "getrole" or
 "setrole" commands with a filename as an extra parameter Eg:-
 
-"openakc getrole root@test-client /tmp/role.txt"
+"openakc getrole root@DEFAULT /tmp/role.txt"
 
 This will get the role and write it to the file /tmp/role.txt... you can then
 edit it and upload it.  "setrole" could be used to upload roles without first
@@ -164,13 +183,19 @@ You can examine the logs on each host to see what was logged, as well as check
 the keystroke log written to /var/lib/openakc/keylogs on the server, as well as
 the configuration audit data in /var/lib/openakc/audit on the server.
 
-For further details please see the full documentation.
+For further details please see the full documentation which can be found at
+the web site:-
 
+https://netlore.github.io/OpenAKC/
 
+Note: At the time of writing, the documentation is incomplete, feel free to
+assist with this, or make suggestions at the GitHub site.
 
 *Related software*
 
 OpenAKC makes use of hpenc, by Vsevolod Stakhov and libsodium by Frank Denis,
-these tools are included unmodified, in the source package for OpenAKC and
-specific licence terms for these tools are included in separate LICENCE-* files
-and in the documentation directory deployed by OpenAKC packages.
+these tools are included with minor modifications (in the case of hpenc) to
+ensure successful compilation on newer versions of GCC, in the source package
+for OpenAKC and specific licence terms for these tools are included in
+separate LICENCE-* files and in the documentation directory deployed by
+OpenAKC packages.

contrib/debian-lxc-build+demo.sh

@@ -296,6 +296,16 @@ if [ ${REBUILD} -eq 1 ]; then
   echo
  fi
 #
+ if [ "x${MODE}" == "xunprivilaged" ]; then
+  LXCROOT="${HOME}/.local/share/lxc"
+ else
+  LXCROOT="/var/lib/lxc"
+  chattr -R -i /var/lib/lxc/openakc-combined 2> /dev/null
+  chattr -R -i /var/lib/lxc/openakc-client 2> /dev/null
+  chattr -R -a /var/lib/lxc/openakc-combined 2> /dev/null
+  chattr -R -a /var/lib/lxc/openakc-client 2> /dev/null
+ fi
+ #
  echo "Destroying old containers..."
  echo
  printf "${WHITE}"
@@ -332,12 +342,6 @@ fi
 #
 # OK, lets get our containers ready to use, and build our packages
 #
-if [ "x${MODE}" == "xunprivilaged" ]; then
- LXCROOT="${HOME}/.local/share/lxc"
-else
- LXCROOT="/var/lib/lxc"
-fi
-#
 if [ ${DNSFIX} -eq 1 ]; then
  printf "${CYAN}Applying DNS fix to containers${WHITE}\n"
  echo

makedeb.sh

@@ -5,7 +5,7 @@
 #
 source /etc/os-release
 VERSION="1.0.0~alpha14"
-BUILD="1"
+BUILD="4"
 
 #
 # Package requirements for build
@@ -204,6 +204,7 @@ cp bin/openakc-hpenc "${PDIR}/usr/bin/openakc-hpenc"
 cp bin/openakc-server.x "${PDIR}/usr/sbin/openakc-server"
 cp resources/deb_postinst-server "${PDIR}/DEBIAN/postinst"
 cp resources/deb_postrm-server "${PDIR}/DEBIAN/postrm"
+cp resources/deb_preinst-server "${PDIR}/DEBIAN/preinst"
 cp resources/openakc-sudoers "${PDIR}/etc/sudoers.d/openakc"
 cp resources/openakc-xinetd "${PDIR}/etc/xinetd.d/openakc"
 cp docs/OpenAKC_Admin_Guide.pdf "${PDIR}/usr/share/doc/openakc-server/"
@@ -238,22 +239,25 @@ PDIR="openakc-shared_${RELEASE}_amd64"
 #
 mkdir -p "${PDIR}/DEBIAN"
 mkdir -p "${PDIR}/var/lib/openakc/libexec"
-##mkdir -p "${PDIR}/usr/bin"
 mkdir -p "${PDIR}/usr/share/doc/openakc-shared"
 mkdir -p "${PDIR}/etc/rsyslog.d"
 #
 cp bin/openakc-functions "${PDIR}/var/lib/openakc/libexec/functions-${RELEASE}"
 cp resources/openakc-rsyslog "${PDIR}/etc/rsyslog.d/99-openakc.conf"
+cp resources/deb_preinst-shared "${PDIR}/DEBIAN/preinst"
+sed -e "s,%RELEASE%,$RELEASE,g" resources/deb_postinst-shared > "${PDIR}/DEBIAN/postinst"
 sed -e "s,%RELEASE%,$RELEASE,g" resources/deb_prerm-shared > "${PDIR}/DEBIAN/prerm"
-##cp resources/openakc-rsyslog "${PDIR}/etc/rsyslog.d/99-openakc.conf"
+cp resources/deb_postrm-shared "${PDIR}/DEBIAN/postrm"
 cp LICENSE "${PDIR}/usr/share/doc/openakc-shared/"
-##cp QUICKSTART.txt "${PDIR}/usr/share/doc/openakc-tools/"
 #
 ##chmod 755 "${PDIR}/usr/bin/openakc"
 chmod 640 "${PDIR}/etc/rsyslog.d/99-openakc.conf"
 chmod 644 "${PDIR}/var/lib/openakc/libexec/functions-${RELEASE}"
 chmod 755 "${PDIR}/var/lib/openakc/libexec"
+chmod 755 "${PDIR}/DEBIAN/preinst"
+chmod 755 "${PDIR}/DEBIAN/postinst"
 chmod 755 "${PDIR}/DEBIAN/prerm"
+chmod 755 "${PDIR}/DEBIAN/postrm"
 
 #
 echo "Package: openakc-shared" > "${PDIR}/DEBIAN/control"

openakc-rhel.spec

@@ -1,6 +1,6 @@
 Name:           openakc
 Version:        1.0.0~alpha14
-Release:        1%{?dist}
+Release:        4%{?dist}
 Summary:	This OpenAKC "client" package contains the client ssh plugin which queries the API for authentication information.
 Group:          Applications/System
 License:        GPLv2.0
@@ -183,6 +183,14 @@ passwd -u openakc 2> /dev/null 1> /dev/null
 [ -f /usr/sbin/openakc-plugin ]&&chattr -i /usr/sbin/openakc-plugin
 exit 0
 
+%pre server
+[ -d /var/lib/openakc ]&&chattr -a /var/lib/openakc
+exit 0
+
+%pre shared
+[ -d /var/lib/openakc/libexec ]&&chattr -i /var/lib/openakc/libexec
+exit 0
+
 %post
 #echo "Postroll = $*"
 setcap CAP_SETPCAP+ep /usr/bin/openakc-cap
@@ -197,8 +205,6 @@ chattr +i /usr/bin/openakc-cap
 chattr +i /usr/bin/openakc-hpenc
 chattr +i /usr/bin/openakc-session
 chattr +i /usr/sbin/openakc-plugin
-chattr +i /var/lib/openakc/libexec/functions-%{version}-%{release}
-chattr +i /var/lib/openakc/libexec
 chattr +a /var/lib/openakc
 #chattr +a /etc/ssh
 #chattr +i /etc/ssh/sshd_config
@@ -215,6 +221,11 @@ echo "openakc              889/tcp      # OpenAKC Authentication Protocol" >> /e
 /sbin/service xinetd restart > /dev/null 2>&1 || :
 exit 0
 
+%post shared
+chattr +i /var/lib/openakc/libexec
+chattr +i /var/lib/openakc/libexec/functions-%{version}-%{release}
+exit 0
+
 %preun
 [ -d /etc/openakc ]&&chattr -i /etc/openakc
 [ -d /var/lib/openakc ]&&chattr -a /var/lib/openakc
@@ -266,6 +277,9 @@ case "$*" in
 esac
 exit 0
 
+%postun shared
+[ -d /var/lib/openakc ]&&chattr +a /var/lib/openakc
+exit 0
 
 %files
 %defattr(-,root,root,-)

openakc-suse.spec

@@ -1,6 +1,6 @@
 Name:           openakc
 Version:        1.0.0~alpha14
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:	This OpenAKC "client" package contains the client ssh plugin which queries the API for authentication information.
 Group:          Applications/System
 License:        GPLv2.0
@@ -183,6 +183,14 @@ passwd -u openakc 2> /dev/null 1> /dev/null
 [ -f /usr/sbin/openakc-plugin ]&&chattr -i /usr/sbin/openakc-plugin
 exit 0
 
+%pre server
+[ -d /var/lib/openakc ]&&chattr -a /var/lib/openakc
+exit 0
+
+%pre shared
+[ -d /var/lib/openakc/libexec ]&&chattr -i /var/lib/openakc/libexec
+exit 0
+
 %post
 #echo "Postroll = $*"
 setcap CAP_SETPCAP+ep /usr/bin/openakc-cap
@@ -197,8 +205,6 @@ chattr +i /usr/bin/openakc-cap
 chattr +i /usr/bin/openakc-hpenc
 chattr +i /usr/bin/openakc-session
 chattr +i /usr/sbin/openakc-plugin
-chattr +i /var/lib/openakc/libexec/functions-%{version}-%{release}
-chattr +i /var/lib/openakc/libexec
 chattr +a /var/lib/openakc
 #chattr +a /etc/ssh
 #chattr +i /etc/ssh/sshd_config
@@ -215,6 +221,11 @@ echo "openakc              889/tcp      # OpenAKC Authentication Protocol" >> /e
 /sbin/service xinetd restart > /dev/null 2>&1 || :
 exit 0
 
+%post shared
+chattr +i /var/lib/openakc/libexec
+chattr +i /var/lib/openakc/libexec/functions-%{version}-%{release}
+exit 0
+
 %preun
 [ -d /etc/openakc ]&&chattr -i /etc/openakc
 [ -d /var/lib/openakc ]&&chattr -a /var/lib/openakc
@@ -266,6 +277,9 @@ case "$*" in
 esac
 exit 0
 
+%postun shared
+[ -d /var/lib/openakc ]&&chattr +a /var/lib/openakc
+exit 0
 
 %files
 %defattr(-,root,root,-)

resources/deb_postinst

@@ -8,7 +8,8 @@ case "$1" in
         sed -i "s,^#AuthorizedKeysCommandUser .*$,AuthorizedKeysCommandUser openakc,g" /etc/ssh/sshd_config
         service sshd restart > /dev/null 2>&1 || :
         chown -R root:openakc /etc/openakc
-        chown -R openakc:root /var/lib/openakc
+        chattr -a /var/lib/openakc
+        chown openakc:root /var/lib/openakc
         ;;
     upgrade|abort-upgrade)
         exit 0
@@ -26,8 +27,6 @@ chattr +i /usr/bin/openakc-cap
 chattr +i /usr/bin/openakc-hpenc
 chattr +i /usr/bin/openakc-session
 chattr +i /usr/sbin/openakc-plugin
-chattr +i /var/lib/openakc/libexec/functions-%RELEASE%
-chattr +i /var/lib/openakc/libexec
 chattr +a /var/lib/openakc
 #chattr +a /etc/ssh
 #chattr +i /etc/ssh/sshd_config

resources/deb_postinst-shared

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+chattr +i /var/lib/openakc/libexec
+chattr +i /var/lib/openakc/libexec/functions-%RELEASE%
+
+#DEBHELPER#
+
+exit 0

resources/deb_postrm-shared

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+[ -d /var/lib/openakc ]&&chattr +a /var/lib/openakc
+
+#DEBHELPER#
+
+exit 0