From ad386a5f5a088cf7b500ac26fb36ba5791237294 Mon Sep 17 00:00:00 2001
From: Marco van Wieringen <marco.van.wieringen@bareos.com>
Date: Wed, 27 Feb 2013 10:44:06 +0100
Subject: [PATCH 1/2] add daemon user to required groups

bareos storage daemon user must be in groups tape and/or disk
to be able to access tape devices.
Due to different behavior of different distributions
(install order is not always the same),
every package that requires a specific group/user sets this up on its own.

preinstall:
  bareos-common: setup default daemon group bareos and user bareos
  bareos-filedaemon: setup fd group (bareos) and user (root)
  bareos-storage: setup sd group (bareos) and user (bareos)
  bareos-director: setup dir group (bareos) and user (bareos)

postinstall:
  bareos-storage:
    call bareos-config setup_sd_user, which
    checks if sd group and user exists, otherwise it creates them,
    and add the sd user (bareos) to the groups tape and disk, if they exists.

Tested on: Debian 6, Ubuntu 12.04 (32bit), SLES11SP2, Centos5

Fixes #99: user bareos unable to operate tape changer due to wrong permissions
---
 autoconf/configure.in               |    4 ++
 debian/bareos-common.preinst        |   66 -----------------------------
 debian/bareos-common.preinst.in     |   63 ++++++++++++++++++++++++++++
 debian/bareos-director.preinst      |   71 -------------------------------
 debian/bareos-director.preinst.in   |   63 ++++++++++++++++++++++++++++
 debian/bareos-filedaemon.preinst    |   71 -------------------------------
 debian/bareos-filedaemon.preinst.in |   63 ++++++++++++++++++++++++++++
 debian/bareos-storage.postinst      |    1 +
 debian/bareos-storage.preinst       |   71 -------------------------------
 debian/bareos-storage.preinst.in    |   63 ++++++++++++++++++++++++++++
 platforms/rpms/bareos.spec          |   78 +++++++++--------------------------
 scripts/bareos-config.in            |   76 +++++++++++++++++++++++++++++++---
 12 Dateien geändert, 347 Zeilen hinzugefügt(+), 343 Zeilen entfernt(-)
 delete mode 100644 debian/bareos-common.preinst
 create mode 100644 debian/bareos-common.preinst.in
 delete mode 100644 debian/bareos-director.preinst
 create mode 100644 debian/bareos-director.preinst.in
 delete mode 100644 debian/bareos-filedaemon.preinst
 create mode 100644 debian/bareos-filedaemon.preinst.in
 delete mode 100644 debian/bareos-storage.preinst
 create mode 100644 debian/bareos-storage.preinst.in

diff --git a/autoconf/configure.in b/autoconf/configure.in
index d82dc8c..0332473 100644
--- a/autoconf/configure.in
+++ b/autoconf/configure.in
@@ -3633,6 +3633,10 @@ fi
 AC_OUTPUT([autoconf/Make.common \
 	   Makefile \
 	   manpages/Makefile \
+	   debian/bareos-common.preinst \
+	   debian/bareos-filedaemon.preinst \
+	   debian/bareos-director.preinst \
+	   debian/bareos-storage.preinst \
 	   scripts/bareos-config \
 	   scripts/btraceback \
 	   scripts/bconsole \
diff --git a/debian/bareos-common.preinst b/debian/bareos-common.preinst
deleted file mode 100644
index 98c8b4f..0000000
--- a/debian/bareos-common.preinst
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/sh
-# preinst script for bareos
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <new-preinst> `install'
-#        * <new-preinst> `install' <old-version>
-#        * <new-preinst> `upgrade' <old-version>
-#        * <old-preinst> `abort-upgrade' <new-version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-daemon_user=bareos
-daemon_group=bareos
-
-working_dir=/var/lib/bareos
-
-create_group()
-{
-  # creating group if he isn't already there
-  if ! getent group $daemon_group >/dev/null; then
-        # Adding system group
-        addgroup --system $daemon_group >/dev/null
-  fi
-}
-
-create_user()
-{
-  # creating user if he isn't already there
-  if ! getent passwd $daemon_user >/dev/null; then
-        # Adding system user
-        adduser \
-          --system \
-          --disabled-login \
-          --ingroup $daemon_group \
-          --home $working_dir \
-          --gecos "Bareos" \
-          --shell /bin/false \
-          $daemon_user  >/dev/null
-  fi
-}
-
-case "$1" in
-    install|upgrade)
-      create_group
-      create_user
-    ;;
-
-    abort-upgrade)
-    ;;
-
-    *)
-        echo "preinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/bareos-common.preinst.in b/debian/bareos-common.preinst.in
new file mode 100644
index 0000000..7518a82
--- /dev/null
+++ b/debian/bareos-common.preinst.in
@@ -0,0 +1,63 @@
+#!/bin/sh
+# preinst script for bareos
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+daemon_user=bareos
+daemon_group=bareos
+
+WORKING_DIR="@working_dir@"
+
+
+create_group()
+{
+    [ -z "$1" ] && return
+    # creating group if he isn't already there.
+    # use addgroup instead of groupadd,
+    # because "addgroup" uses the next available number,
+    # while "groupadd" uses uses GID_MIN -1 (999)
+    getent group $1 > /dev/null || addgroup -q --system $1
+}
+
+create_user()
+{
+    [ -z "$1" ] && return
+    # creating user if he isn't already there.
+    # use adduser instead of useradd,
+    # because "adduser" uses the next available number,
+    # while "useradd" uses uses UID_MIN -1 (999)
+    getent passwd $1 > /dev/null || adduser -q --system --ingroup $daemon_group --home "$WORKING_DIR" --no-create-home --gecos "$1" $1
+}
+
+
+case "$1" in
+    install|upgrade)
+      create_group $daemon_group
+      create_user  $daemon_user
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
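Review bot: The new `create_user` drops the explicit `--disabled-login` and `--shell /bin/false` that the removed preinst passed, so the account's non-login status now rests on the defaults of `adduser --system`, while the RPM `create_user` macro in this same patch still sets `--shell /bin/false` explicitly. I would keep both flags and quote the expansions: `getent passwd "$1" > /dev/null || adduser -q --system --disabled-login --ingroup "$daemon_group" --home "$WORKING_DIR" --no-create-home --gecos "$1" --shell /bin/false "$1"`. When the account already exists, nothing checks its shell or primary group, so a pre-existing `bareos` login account is reused as is; a comment stating that this is intended would help. The same line appears in bareos-director.preinst.in, bareos-filedaemon.preinst.in and bareos-storage.preinst.in.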
diff --git a/debian/bareos-director.preinst b/debian/bareos-director.preinst
deleted file mode 100644
index 5b3558e..0000000
--- a/debian/bareos-director.preinst
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-# preinst script for bareos
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <new-preinst> `install'
-#        * <new-preinst> `install' <old-version>
-#        * <new-preinst> `upgrade' <old-version>
-#        * <old-preinst> `abort-upgrade' <new-version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-daemon_user=bareos
-daemon_group=bareos
-
-director_daemon_user=$daemon_user
-#storage_daemon_user=$daemon_user
-#file_daemon_user=root
-#storage_daemon_group=$daemon_group
-
-working_dir=/var/lib/bareos
-
-create_group()
-{
-  # creating group if he isn't already there
-  if ! getent group $daemon_group >/dev/null; then
-        # Adding system group
-        addgroup --system $daemon_group >/dev/null
-  fi
-}
-
-create_user()
-{
-  # creating user if he isn't already there
-  if ! getent passwd $director_daemon_user >/dev/null; then
-        # Adding system user
-        adduser \
-          --system \
-          --disabled-login \
-          --ingroup $daemon_group \
-          --home $working_dir \
-          --gecos "Bareos" \
-          --shell /bin/false \
-          $director_daemon_user  >/dev/null
-fi
-}
-
-case "$1" in
-    install|upgrade)
-      create_group
-      create_user
-    ;;
-
-    abort-upgrade)
-    ;;
-
-    *)
-        echo "preinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/bareos-director.preinst.in b/debian/bareos-director.preinst.in
new file mode 100644
index 0000000..f788800
--- /dev/null
+++ b/debian/bareos-director.preinst.in
@@ -0,0 +1,63 @@
+#!/bin/sh
+# preinst script for bareos
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+daemon_group=@dir_group@
+daemon_user=@dir_user@
+
+WORKING_DIR="@working_dir@"
+
+
+create_group()
+{
+    [ -z "$1" ] && return
+    # creating group if he isn't already there.
+    # use addgroup instead of groupadd,
+    # because "addgroup" uses the next available number,
+    # while "groupadd" uses uses GID_MIN -1 (999)
+    getent group $1 > /dev/null || addgroup -q --system $1
+}
+
+create_user()
+{
+    [ -z "$1" ] && return
+    # creating user if he isn't already there.
+    # use adduser instead of useradd,
+    # because "adduser" uses the next available number,
+    # while "useradd" uses uses UID_MIN -1 (999)
+    getent passwd $1 > /dev/null || adduser -q --system --ingroup $daemon_group --home "$WORKING_DIR" --no-create-home --gecos "$1" $1
+}
+
+
+case "$1" in
+    install|upgrade)
+      create_group ${daemon_group}
+      create_user  ${daemon_user}
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/bareos-filedaemon.preinst b/debian/bareos-filedaemon.preinst
deleted file mode 100644
index c3b7aba..0000000
--- a/debian/bareos-filedaemon.preinst
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-# preinst script for bareos
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <new-preinst> `install'
-#        * <new-preinst> `install' <old-version>
-#        * <new-preinst> `upgrade' <old-version>
-#        * <old-preinst> `abort-upgrade' <new-version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-daemon_user=bareos
-daemon_group=bareos
-
-#director_daemon_user=$daemon_user
-#storage_daemon_user=$daemon_user
-#file_daemon_user=root
-#storage_daemon_group=$daemon_group
-
-working_dir=/var/lib/bareos
-
-create_group()
-{
-  # creating group if he isn't already there
-  if ! getent group $daemon_group >/dev/null; then
-        # Adding system group
-        addgroup --system $daemon_group >/dev/null
-  fi
-}
-
-create_user()
-{
-  # creating user if he isn't already there
-  if ! getent passwd $director_daemon_use >/dev/null; then
-        # Adding system user
-        adduser \
-          --system \
-          --disabled-login \
-          --ingroup $daemon_group \
-          --home $working_dir \
-          --gecos "Bareos" \
-          --shell /bin/false \
-          $director_daemon_user  >/dev/null
-fi
-}
-
-case "$1" in
-    install|upgrade)
-      create_group
-      #create_user
-    ;;
-
-    abort-upgrade)
-    ;;
-
-    *)
-        echo "preinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/bareos-filedaemon.preinst.in b/debian/bareos-filedaemon.preinst.in
new file mode 100644
index 0000000..f788800
--- /dev/null
+++ b/debian/bareos-filedaemon.preinst.in
@@ -0,0 +1,63 @@
+#!/bin/sh
+# preinst script for bareos
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+daemon_group=@dir_group@
+daemon_user=@dir_user@
+
+WORKING_DIR="@working_dir@"
+
+
+create_group()
+{
+    [ -z "$1" ] && return
+    # creating group if he isn't already there.
+    # use addgroup instead of groupadd,
+    # because "addgroup" uses the next available number,
+    # while "groupadd" uses uses GID_MIN -1 (999)
+    getent group $1 > /dev/null || addgroup -q --system $1
+}
+
+create_user()
+{
+    [ -z "$1" ] && return
+    # creating user if he isn't already there.
+    # use adduser instead of useradd,
+    # because "adduser" uses the next available number,
+    # while "useradd" uses uses UID_MIN -1 (999)
+    getent passwd $1 > /dev/null || adduser -q --system --ingroup $daemon_group --home "$WORKING_DIR" --no-create-home --gecos "$1" $1
+}
+
+
+case "$1" in
+    install|upgrade)
+      create_group ${daemon_group}
+      create_user  ${daemon_user}
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
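Review bot: `daemon_group=@dir_group@` and `daemon_user=@dir_user@` are the director's substitutions, yet this is the file daemon's preinst and the commit message says it sets up the fd group and user (root); the blob id (f788800) is the same as for bareos-director.preinst.in, so this looks like an unmodified copy. Use `daemon_group=@fd_group@` and `daemon_user=@fd_user@`, which scripts/bareos-config.in already substitutes. bareos-storage.preinst.in has the same problem and should use `@sd_group@` and `@sd_user@`. As written, installing only the file daemon package creates whatever account the director is configured to run as, if it does not exist yet.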
diff --git a/debian/bareos-storage.postinst b/debian/bareos-storage.postinst
index 71eac88..252d105 100644
--- a/debian/bareos-storage.postinst
+++ b/debian/bareos-storage.postinst
@@ -40,6 +40,7 @@ enable_rc_scripts()
 case "$1" in
     configure)
         permissions
+        /usr/lib/bareos/scripts/bareos-config setup_sd_user
         /usr/lib/bareos/scripts/bareos-config initialize_local_hostname
         /usr/lib/bareos/scripts/bareos-config initialize_passwords
         enable_rc_scripts
diff --git a/debian/bareos-storage.preinst b/debian/bareos-storage.preinst
deleted file mode 100644
index d8c898a..0000000
--- a/debian/bareos-storage.preinst
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-# preinst script for bareos
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <new-preinst> `install'
-#        * <new-preinst> `install' <old-version>
-#        * <new-preinst> `upgrade' <old-version>
-#        * <old-preinst> `abort-upgrade' <new-version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-daemon_user=bareos
-daemon_group=bareos
-
-#director_daemon_user=$daemon_user
-storage_daemon_user=$daemon_user
-#file_daemon_user=root
-storage_daemon_group=$daemon_group
-
-working_dir=/var/lib/bareos
-
-create_group()
-{
-  # creating group if he isn't already there
-  if ! getent group $daemon_group >/dev/null; then
-        # Adding system group
-        addgroup --system $daemon_group >/dev/null
-  fi
-}
-
-create_user()
-{
-  # creating user if he isn't already there
-  if ! getent passwd $storage_daemon_user >/dev/null; then
-        # Adding system user
-        adduser \
-          --system \
-          --disabled-login \
-          --ingroup $storage_daemon_group \
-          --home $working_dir \
-          --gecos "Bareos" \
-          --shell /bin/false \
-          $storage_daemon_user  >/dev/null
-  fi
-}
-
-case "$1" in
-    install|upgrade)
-      create_group
-      create_user
-    ;;
-
-    abort-upgrade)
-    ;;
-
-    *)
-        echo "preinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/bareos-storage.preinst.in b/debian/bareos-storage.preinst.in
new file mode 100644
index 0000000..f788800
--- /dev/null
+++ b/debian/bareos-storage.preinst.in
@@ -0,0 +1,63 @@
+#!/bin/sh
+# preinst script for bareos
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+daemon_group=@dir_group@
+daemon_user=@dir_user@
+
+WORKING_DIR="@working_dir@"
+
+
+create_group()
+{
+    [ -z "$1" ] && return
+    # creating group if he isn't already there.
+    # use addgroup instead of groupadd,
+    # because "addgroup" uses the next available number,
+    # while "groupadd" uses uses GID_MIN -1 (999)
+    getent group $1 > /dev/null || addgroup -q --system $1
+}
+
+create_user()
+{
+    [ -z "$1" ] && return
+    # creating user if he isn't already there.
+    # use adduser instead of useradd,
+    # because "adduser" uses the next available number,
+    # while "useradd" uses uses UID_MIN -1 (999)
+    getent passwd $1 > /dev/null || adduser -q --system --ingroup $daemon_group --home "$WORKING_DIR" --no-create-home --gecos "$1" $1
+}
+
+
+case "$1" in
+    install|upgrade)
+      create_group ${daemon_group}
+      create_user  ${daemon_user}
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/platforms/rpms/bareos.spec b/platforms/rpms/bareos.spec
index d99dde1..78dcbe9 100644
--- a/platforms/rpms/bareos.spec
+++ b/platforms/rpms/bareos.spec
@@ -824,6 +824,15 @@ echo "This is a meta package to install a full bareos system" > %{buildroot}%{_d
 %nil
 %endif
 
+%define create_group() \
+getent group %1 > /dev/null || groupadd -r %1 \
+%nil
+
+# shell: use /bin/false, because nologin has different paths on different distributions
+%define create_user() \
+getent passwd %1 > /dev/null || useradd -r --comment "%1" --home %{working_dir} -g %{daemon_group} --shell /bin/false %1 \
+%nil
+
 %post director
 %{script_dir}/bareos-config initialize_local_hostname
 %{script_dir}/bareos-config initialize_passwords
@@ -831,6 +840,9 @@ echo "This is a meta package to install a full bareos system" > %{buildroot}%{_d
 %add_service_start bareos-dir
 
 %post storage
+# pre script has already generated the storage daemon user,
+# but here we add the user to additional groups
+%{script_dir}/bareos-config setup_sd_user
 %{script_dir}/bareos-config initialize_local_hostname
 %{script_dir}/bareos-config initialize_passwords
 %add_service_start bareos-sd
@@ -889,73 +901,23 @@ echo "This is a meta package to install a full bareos system" > %{buildroot}%{_d
 %endif
 
 %pre director
-if [ "%{director_daemon_user}" != "root" -a "%{director_daemon_user}" != "%{daemon_user}" ]; then
-   getent passwd %{director_daemon_user} > /dev/null || useradd -r -c "Bareos" -d %{working_dir} -g %{daemon_group} -M -s /sbin/nologin %{director_daemon_user}
-fi
+%create_group %{daemon_group}
+%create_user  %{director_daemon_user}
 exit 0
 
 %pre storage
-#
-# See what secondary groups exist for the sd user to be added to.
-#
-SEC_GROUPS="tape disk"
-ADD_GROUPS=""
-for sec_group in ${SEC_GROUPS}
-do
-   cnt=`getent group ${sec_group} | wc -l`
-   if [ ${cnt} -gt 0 ]; then
-      [ -z ${ADD_GROUPS} ] && ADD_GROUPS="${sec_group}" || ADD_GROUPS="${ADD_GROUPS},${sec_group}"
-   fi
-done
-
-if [ "%{storage_daemon_group}" != "%{daemon_group}" ]; then
-   getent group %{storage_daemon_group} > /dev/null || groupadd -r %{storage_daemon_group}
-fi
-
-#
-# If the user doesn't exist create a new one otherwise modify it to have
-# the wanted secondary groups.
-#
-if [ "%{storage_daemon_user}" != "root" -a "%{storage_daemon_user}" != "%{daemon_user}" ]; then
-   getent passwd %{storage_daemon_user} > /dev/null
-   if [ $? = 0 ]; then
-      #
-      # Make sure the correct primary group is set otherwise fix it.
-      #
-      if [ `id -gn %{storage_daemon_user}` != %{storage_daemon_group} ]; then
-         usermod -g %{storage_daemon_group} %{storage_daemon_user}
-      fi
-      #
-      # Make sure storage_daemon_user is part of the wanted secondary groups
-      #
-      usermod -G ${ADD_GROUPS} %{storage_daemon_user}
-   else
-      #
-      # Create a new storage_daemon_user
-      #
-      useradd -r -c "Bareos" -d %{working_dir} -g %{storage_daemon_group} -M -s /sbin/nologin %{storage_daemon_user}
-      #
-      # Make sure storage_daemon_user is part of the wanted secondary groups
-      #
-      usermod -G ${ADD_GROUPS} %{storage_daemon_user}
-   fi
-else
-   #
-   # Make sure storage_daemon_user is part of the wanted secondary groups
-   #
-   usermod -G ${ADD_GROUPS} %{storage_daemon_user}
-fi
+%create_group %{daemon_group}
+%create_user  %{storage_daemon_user}
 exit 0
 
 %pre filedaemon
-if [ "%{file_daemon_user}" != "root" -a "%{file_daemon_user}" != "%{daemon_user}" ]; then
-   getent passwd %{file_daemon_user} > /dev/null || useradd -r -c "Bareos" -d %{working_dir} -g %{daemon_group} -M -s /sbin/nologin %{file_daemon_user}
-fi
+%create_group %{daemon_group}
+%create_user  %{storage_daemon_user}
 exit 0
 
 %pre common
-getent group %{daemon_group} > /dev/null || groupadd -r %{daemon_group}
-getent passwd %{daemon_user} > /dev/null || useradd -r -c "Bareos" -d %{working_dir} -g %{daemon_group} -M -s /sbin/nologin %{daemon_user}
+%create_group %{daemon_group}
+%create_user  %{daemon_user}
 exit 0
 
 %preun director
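Review bot: `%pre filedaemon` calls `%create_user  %{storage_daemon_user}`, which looks like a copy from `%pre storage`; the removed lines used `%{file_daemon_user}`, so this should be `%create_user  %{file_daemon_user}`. As written, installing the file daemon package creates the storage daemon's account on the client if it does not already exist. Separately, `%pre storage` now creates only `%{daemon_group}` and the `create_user` macro always passes `-g %{daemon_group}`, so a distinct `%{storage_daemon_group}` is handled only later by `bareos-config setup_sd_user` in `%post storage`; a short comment saying so would help.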
diff --git a/scripts/bareos-config.in b/scripts/bareos-config.in
index e410837..0d20d8f 100644
--- a/scripts/bareos-config.in
+++ b/scripts/bareos-config.in
@@ -4,6 +4,16 @@ DIR_CFG=@sysconfdir@
 CFG_DIR=${DIR_CFG}/bareos-dir.conf
 DIR_SCRIPTS=@scriptdir@
 
+SEC_GROUPS="tape disk"
+
+WORKING_DIR="@working_dir@"
+FILE_DAEMON_USER="@fd_user@"
+FILE_DAEMON_GROUP="@fd_group@"
+STORAGE_DAEMON_USER="@sd_user@"
+STORAGE_DAEMON_GROUP="@sd_group@"
+DIRECTOR_DAEMON_USER="@dir_user@"
+DIRECTOR_DAEMON_GROUP="@dir_group@"
+
 PASSWORD_SUBST="\
 XXX_REPLACE_WITH_DIRECTOR_PASSWORD_XXX \
 XXX_REPLACE_WITH_CLIENT_PASSWORD_XXX \
@@ -13,6 +23,8 @@ XXX_REPLACE_WITH_CLIENT_MONITOR_PASSWORD_XXX \
 XXX_REPLACE_WITH_STORAGE_MONITOR_PASSWORD_XXX \
 "
 
+os_type=`uname -s`
+
 usage()
 {
 cat <<-EOT
@@ -48,32 +60,84 @@ is_function()
 
 get_user_fd()
 {
-    echo "@fd_user@"
+    echo "${FILE_DAEMON_USER}"
 }
 
 get_group_fd()
 {
-    echo "@fd_group@"
+    echo "${FILE_DAEMON_GROUP}"
 }
 
 get_user_sd()
 {
-    echo "@sd_user@"
+    echo "${STORAGE_DAEMON_USER}"
 }
 
 get_group_sd()
 {
-    echo "@sd_group@"
+    echo "${STORAGE_DAEMON_GROUP}"
 }
 
 get_user_dir()
 {
-    echo "@dir_user@"
+    echo "${DIRECTOR_DAEMON_USER}"
 }
 
 get_group_dir()
 {
-    echo "@dir_group@"
+    echo "${DIRECTOR_DAEMON_GROUP}"
+}
+
+[ ${os_type} = Linux ] && \
+setup_sd_user()
+{
+    #
+    # guaranties that storage-daemon user and group exists
+    # and storage-daemon user belongs to the required groups.
+    #
+    # normally, storage-daemon user
+    # is already installed by the package preinstall script.
+    #
+
+    #
+    # See what secondary groups exist for the sd user to be added to.
+    #
+    ADD_GROUPS=""
+    for sec_group in ${SEC_GROUPS}; do
+        cnt=`getent group ${sec_group} | wc -l`
+        if [ ${cnt} -gt 0 ]; then
+            [ -z "${ADD_GROUPS}" ] && ADD_GROUPS="-G ${sec_group}" || ADD_GROUPS="${ADD_GROUPS},${sec_group}"
+        fi
+    done
+
+    getent group ${STORAGE_DAEMON_GROUP} > /dev/null || groupadd -r ${STORAGE_DAEMON_GROUP}
+
+    #
+    # If the user doesn't exist create a new one otherwise modify it to have the wanted secondary groups.
+    #
+    if [ "${STORAGE_DAEMON_USER}" != "root" ]; then
+        getent passwd ${STORAGE_DAEMON_USER} > /dev/null
+        if [ $? -ne 0 ]; then
+            # create a new storage_daemon_user
+            useradd -r --comment "bareos" --home ${WORKING_DIR} -g ${STORAGE_DAEMON_GROUP} ${ADD_GROUPS} --shell /bin/false ${STORAGE_DAEMON_USER}
+        fi
+
+        # if the user has already created before,
+        # make sure the correct primary group is set otherwise fix it.
+        if [ "`id -gn ${STORAGE_DAEMON_USER}`" != "${STORAGE_DAEMON_GROUP}" ]; then
+            usermod -g ${STORAGE_DAEMON_GROUP} ${STORAGE_DAEMON_USER}
+        fi
+
+        # add the storage_daemon_user to additional groups (if defined)
+        [ "${ADD_GROUPS}" ] && usermod ${ADD_GROUPS} ${STORAGE_DAEMON_USER}
+    fi
+}
+
+[ ${os_type} != Linux ] && \
+setup_sd_user()
+{
+   echo "setup_sd_user() is not supported on this platform"
+   exit 1
 }
 
 get_database_driver()
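Review bot: `setup_sd_user` ends with `[ "${ADD_GROUPS}" ] && usermod ${ADD_GROUPS} ${STORAGE_DAEMON_USER}`, so on a host with neither `tape` nor `disk` the function returns non-zero. If bareos-config passes that status on and the calling postinst runs under `set -e` (neither is visible in this patch), package configuration fails there. Use `if [ -n "${ADD_GROUPS}" ]; then usermod ${ADD_GROUPS} "${STORAGE_DAEMON_USER}"; fi` instead. Also, `usermod -G` without the append option replaces the user's supplementary groups, so each run drops any group an administrator added to the account; appending is safer where the platform's usermod supports it.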
-- 
1.7.10.4

