Support for systemd, SELinux, and SUSE (widdix#99)

KusabiSensei · michaelwittig · commit 73bd78ffa35c · 2017-12-07T17:52:06.000+01:00
* Support Multiple init daemons and service programs (#1) * Add test to determine init system for sshd restart In the install file, I've added a simple test to determine what init system is currently on the system, and to select the correct restart command for sshd that is required. This is tested on the following OSes in EC2: * Amazon Linux 2017.09 (using upstart) * Ubuntu 16.04.3 LTS (using systemd) * SUSE Enterprise Server 12 SP3 (using systemd) * RHEL 7.3 (using systemd) * Hush the stderr message when systemd doesn't exist This is to ensure that the output for a user is the same as it is when using the standard codebase. Message is successfully suppressed on Amazon Linux 2017.09 * Add useradd(1) arg to force user group creation By default on most distros, `USERGROUPS_ENAB` is set to `yes` which causes `useradd(1)` to create a group for a user that is added. There is an implicit dependency on line 179 of the `import_users.sh` script. I've altered the `useradd(1)` argument set to include `-U/--user-group` to force this on systems where `USERGROUPS_ENAB` is set to `no` This is needed to support SUSE Linux Enterprise Server on EC2. * Add check to not spam the sshd_config file The `install.sh` script currently checks if there is a line that reads `AuthorizedKeysCommand none` and then changes it. Old behaviour was to simply append the line on the end of the file is this line didn't exist. There is now a check to see if the correct line that we want already exists, so we don't spam the end of the configuration file. * Add SELinux support to install script If we have the `getenforce` command available to us, and we find that it returns the value `Enforcing` (meaning SELinux will block our access to AWS when called by `sshd`), we enable the `nis_enabled` boolean persistently in SELinux to inform SELinux that it should expect outbound access from sshd and other login programs (like PAM) to remote servers to get user account information. This allows `sshd` to call the script to get the user's public key from IAM. I also cleaned up the `systemd` conditional in the script to use the simpler way to check if commands exist. * Revert the supposedly clever way of command checks Chaining the command check with the return value failed miserably. Reverting this to be normal again. * Allow which(1) to exit and the script to continue We use `which(1)` to determine if a command is available to us. According to the man page, `which(1)` will return a return code `1` if the command is not found. Since the script is run with `-e` as an option in the shebang, this causes the script to exit prematurely. I've wrapped the `which(1)` calls in `set +e/set -e` wrappers so that the script continues gracefully. * Adjust which(1) pipelines to return valid exit codes On systems where `which(1)` doesn't find a given command, it will return exit code `1`. This will cause the script to abort under the `-e` option in the shebang. I've changed the pipeline to capture the return value of which on the other side of a logical OR, which does work correctly, and thus the pipeline gets a 0 return code (making `-e` happy), and I get the return value which tells me whether or not the command exists. Which makes me happy. * Adjust which(1) blocks to account for shortcircuit eval I forgot about shortcircuit evaluation. So I've added the success code in the variable before calling `which(1)`. This means that if the command is found, the 0 retval will get used in the test. The only time that it would change that to a non-zero status would be if something wasn't found. Like before, the whole command pipeline will return success, so `-e` stays happy as a clam.
diff --git a/import_users.sh b/import_users.sh
@@ -42,7 +42,7 @@ fi
 : ${USERADD_PROGRAM:="/usr/sbin/useradd"}
 
 # Possibility to provide custom useradd arguments
-: ${USERADD_ARGS:="--create-home --shell /bin/bash"}
+: ${USERADD_ARGS:="--user-group --create-home --shell /bin/bash"}
 
 # Initizalize INSTANCE variable
 INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
diff --git a/install.sh b/install.sh
@@ -124,13 +124,17 @@ fi
 if grep -q '#AuthorizedKeysCommand none' $SSHD_CONFIG_FILE; then
     sed -i "s:#AuthorizedKeysCommand none:AuthorizedKeysCommand ${AUTHORIZED_KEYS_COMMAND_FILE}:g" $SSHD_CONFIG_FILE
 else
-    echo "AuthorizedKeysCommand ${AUTHORIZED_KEYS_COMMAND_FILE}" >> $SSHD_CONFIG_FILE
+    if ! grep -q "AuthorizedKeysCommand ${AUTHORIZED_KEYS_COMMAND_FILE}" $SSHD_CONFIG_FILE; then
+        echo "AuthorizedKeysCommand ${AUTHORIZED_KEYS_COMMAND_FILE}" >> $SSHD_CONFIG_FILE
+    fi
 fi
 
 if grep -q '#AuthorizedKeysCommandUser nobody' $SSHD_CONFIG_FILE; then
     sed -i "s:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g" $SSHD_CONFIG_FILE
 else
-    echo "AuthorizedKeysCommandUser nobody" >> $SSHD_CONFIG_FILE
+    if ! grep -q 'AuthorizedKeysCommandUser nobody' $SSHD_CONFIG_FILE; then
+        echo "AuthorizedKeysCommandUser nobody" >> $SSHD_CONFIG_FILE
+    fi
 fi
 
 cat > /etc/cron.d/import_users << EOF
@@ -144,8 +148,53 @@ chmod 0644 /etc/cron.d/import_users
 
 $IMPORT_USERS_SCRIPT_FILE
 
-if [ -f "/etc/init.d/sshd" ]; then
-  service sshd restart
+# In order to support SELinux in Enforcing mode, we need to tell SELinux that it
+# should have the nis_enabled boolean turned on (so it should expect login services
+# like PAM and sshd to make calls to get public keys from a remote server)
+#
+# This is observed on CentOS 7 and RHEL 7
+
+# Capture the return code and use that to determine if we have the command available
+retval=0
+which getenforce > /dev/null 2>&1 || retval=$?
+
+if [[ "$retval" -eq "0" ]]; then
+  retval=0
+  selinuxenabled || retval=$?
+  if [[ "$retval" -eq "0" ]]; then
+    setsebool -P nis_enabled on
+  fi
+fi
+
+
+# Restart sshd using an appropriate method based on the currently running init daemon
+# Note that systemd can return "running" or "degraded" (If a systemd unit has failed)
+# This was observed on the RHEL 7.3 AMI, so it's added for completeness
+# systemd is also not standardized in the name of the ssh service, nor in the places
+# where the unit files are stored.
+
+# Capture the return code and use that to determine if we have the command available
+retval=0
+which systemctl > /dev/null 2>&1 || retval=$?
+
+if [[ "$retval" -eq "0" ]]; then
+  if [[ (`systemctl is-system-running` =~ running) || (`systemctl is-system-running` =~ degraded) ]]; then
+    if [ -f "/usr/lib/systemd/system/sshd.service" ] || [ -f "/lib/systemd/system/sshd.service" ]; then
+      systemctl restart sshd.service
+    else
+      systemctl restart ssh.service
+    fi
+  fi
+elif [[ `/sbin/init --version` =~ upstart ]]; then
+    if [ -f "/etc/init.d/sshd" ]; then
+      service sshd restart
+    else
+      service ssh restart
+    fi
 else
-  service ssh restart
+  if [ -f "/etc/init.d/sshd" ]; then
+    /etc/init.d/sshd restart
+  else
+    /etc/init.d/ssh restart
+  fi
 fi
