commit bf1240b
Showing
10 changed files
with
322 additions
and
0 deletions.
@@ -0,0 +1,40 @@ | ||
*.tgz* | ||
# Created by https://www.gitignore.io/api/ruby | ||
|
||
### Ruby ### | ||
*.gem | ||
*.rbc | ||
/.config | ||
/coverage/ | ||
/InstalledFiles | ||
/pkg/ | ||
/spec/reports/ | ||
/spec/examples.txt | ||
/test/tmp/ | ||
/test/version_tmp/ | ||
/tmp/ | ||
|
||
## Specific to RubyMotion: | ||
.dat* | ||
.repl_history | ||
build/ | ||
|
||
## Documentation cache and generated files: | ||
/.yardoc/ | ||
/_yardoc/ | ||
/doc/ | ||
/rdoc/ | ||
|
||
## Environment normalisation: | ||
/.bundle/ | ||
/vendor/bundle | ||
/lib/bundler/man/ | ||
|
||
# for a library or gem, you might want to ignore these files since the code is | ||
# intended to run in multiple environments; otherwise, check them in: | ||
# Gemfile.lock | ||
# .ruby-version | ||
# .ruby-gemset | ||
|
||
# unless supporting rvm < 1.11.0 or doing something fancy, ignore this: | ||
.rvmrc |
@@ -0,0 +1 @@ | ||
2.3 |
@@ -0,0 +1,9 @@ | ||
source 'http://rubygems.org' | ||
|
||
ruby '2.3.0' | ||
|
||
group :development do | ||
gem 'guard' | ||
gem 'guard-shell', '>= 0.6' | ||
gem 'shlint' | ||
end |
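Review bot: The gem source on the first line of this file, `source 'http://rubygems.org'`, is plain HTTP, so the gem index and the downloaded development tooling (guard, guard-shell, shlint) are fetched without transport integrity; it should be `source 'https://rubygems.org'`. The commit's ten files do not appear to include a Gemfile.lock, so none of these tools are pinned to a resolved version, which is worth documenting as deliberate or fixing by committing the lock. Separately, `ruby '2.3.0'` here and `2.3` in the one-line version file next to it are the same series but stated at different granularity; aligning them avoids a version-manager mismatch.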
@@ -0,0 +1,36 @@ | ||
VERSION=0.0.1 | ||
ARCHIVE=manray-$(VERSION).tgz | ||
CHECKSUM=$(ARCHIVE).md5 | ||
|
||
all: $(CHECKSUM) | ||
|
||
$(CHECKSUM): $(ARCHIVE) | ||
md5sum $(ARCHIVE) >$(CHECKSUM) | ||
|
||
$(ARCHIVE): clean-archive opt/custom/smf/*.xml opt/custom/smf/manray-load opt/custom/smf/manray-persist | ||
tar cv opt | gzip -n >manray-$(VERSION).tgz | ||
|
||
lint: shfmt bashate shlint checkbashisms shellcheck | ||
|
||
shfmt: | ||
stank . | xargs shfmt -w -i 4 | ||
|
||
bashate: | ||
stank . | xargs bashate | ||
|
||
shlint: | ||
stank . | xargs shlint | ||
|
||
checkbashisms: | ||
stank . | xargs checkbashisms -n -p | ||
|
||
shellcheck: | ||
stank . | xargs shellcheck | ||
|
||
clean: clean-checksum clean-archive | ||
|
||
clean-checksum: | ||
-rm *.md5 | ||
|
||
clean-archive: | ||
-rm *.tgz |
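Review bot: The release checksum written by `md5sum $(ARCHIVE) >$(CHECKSUM)` is MD5, which no longer resists collisions, and the README in this same commit tells users to verify the downloaded tarball against exactly these published checksums; emitting a SHA-256 digest alongside or instead, e.g. `CHECKSUM=$(ARCHIVE).sha256` and `sha256sum $< >$@`, makes that verification step meaningful. None of `all`, `lint`, the five linter targets or the `clean*` targets are declared `.PHONY`, so a stray file with one of those names would silently skip them; `.PHONY: all lint shfmt bashate shlint checkbashisms shellcheck clean clean-checksum clean-archive` fixes that. Listing `clean-archive` as a normal prerequisite of `$(ARCHIVE)` also forces the tarball to be rebuilt on every invocation, and the recipe writes `manray-$(VERSION).tgz` rather than `$@`, so `tar cv opt | gzip -n >$@` would be the safer form. The `-rm *.md5` / `-rm *.tgz` globs delete more than the Makefile produced; `$(RM) $(CHECKSUM)` and `$(RM) $(ARCHIVE)` remove only the build's own outputs.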
@@ -0,0 +1,56 @@ | ||
# manray: RBAC persistence for SmartOS global zones | ||
|
||
# EXAMPLE | ||
|
||
```console | ||
$ svcadm disable -s manray-persist | ||
|
||
$ passwd | ||
New password: vagrant | ||
Re-enter new password: vagrant | ||
|
||
$ svcadm enable -s manray-persist | ||
``` | ||
|
||
# ABOUT | ||
|
||
manray enables modifiable, persistent UNIX user accounts and RBAC configuration for SmartOS global zones, by providing a pair of boot time services: `manray-load` and `manray-persist`, that assist administrators in loading and persisting custom account information. | ||
|
||
At boot, `manray-load` copies select configuration files from a `/usbkey` wallet to `/etc`, so that a user `patrick` may login, invoke RBAC privileges with `pfexec`, and so on. Once the `manray-load` service launches, `manray-persist` becomes enabled. | ||
|
||
While `manray-persist` is enabled, Patrick sees a read-only edition of `/etc` files. Administrators can disable `manray-persist`, which triggers writeable copies to be injected onto the system. Then, administrators can execute `passwd`, `usermod`, `groupadd`, and so on to modify UNIX user account and RBAC configuration. Finally, the administrator re-renables `manray-persist`, which backs up the configuration to `/usbkey`. | ||
|
||
Warning: Changes to UNIX accounts and RBAC configuration will be lost at next boot unless `manray-persist` is re-enabled beforehand. | ||
|
||
![Manray hands Patrick his Wallet](https://raw.githubusercontent.com/mcandre/manray/master/manray.png) | ||
|
||
# INSTALL | ||
|
||
```console | ||
$ curl -kLO https://github.com/mcandre/manray/releases/download/v0.0.1/manray-0.0.1.tgz | ||
$ tar xzvf manray-0.0.1.tgz -C / | ||
$ svccfg import /opt/custom/smf/manray-load.xml | ||
$ svccfg import /opt/custom/smf/manray-persist.xml | ||
``` | ||
|
||
Warning: As SSL certificates are disregarded, the tarball should be verified against official release checksums with the `digest` utility. | ||
|
||
# RUNTIME REQUIREMENTS | ||
|
||
* SmartOS global zone | ||
|
||
# BUILDTIME REQUIREMENTS | ||
|
||
* make, e.g. [GNU make](https://www.gnu.org/software/make/) | ||
* tar, md5sum from coreutils, e.g., [GNU coreutils](https://www.gnu.org/software/coreutils/coreutils.html) | ||
* a build environment that preserves UNIX file permissions | ||
* [shfmt](https://github.com/mvdan/sh) (e.g. `go get mvdan.cc/sh/cmd/shfmt`) | ||
* [bashate](https://pypi.python.org/pypi/bashate/0.5.1) | ||
* [shlint](https://rubygems.org/gems/shlint) | ||
* [checkbashisms](https://sourceforge.net/projects/checkbaskisms/) | ||
* [ShellCheck](https://hackage.haskell.org/package/ShellCheck) | ||
* [stank](https://github.com/mcandre/stank) (e.g. `go get github.com/mcandre/stank/...`) | ||
|
||
# CREDITS | ||
|
||
* [vagrant-smartos-packager](https://github.com/vagrant-smartos/vagrant-smartos-packager) - provides a working example of how to setup a virtual machine for SmartOS global zones with persistent, modifiable UNIX accounts |
@@ -0,0 +1,49 @@ | ||
#!/usr/bin/bash | ||
|
||
usage() { | ||
echo "Usage: $0 <start|stop>" | ||
exit 1 | ||
} | ||
|
||
PATRICK='/etc' | ||
WALLET='/usbkey' | ||
PERSISTENT_FILES=(/etc/passwd | ||
/etc/group | ||
/etc/shadow | ||
/etc/user_attr | ||
/etc/ouser_attr | ||
/etc/security/policy.conf | ||
/etc/security/auth_attr | ||
/etc/security/exec_attr | ||
/etc/security/prof_attr) | ||
|
||
if [ "$#" -ne 1 ]; then | ||
usage | ||
fi | ||
|
||
COMMAND="$1" | ||
|
||
case "$COMMAND" in | ||
start) | ||
bootparams | grep '^smartos=true' >/dev/null | ||
if [ "$?" -eq 0 ]; then | ||
for file in ${PERSISTENT_FILES[*]}; do | ||
file_wallet="${WALLET}/$(basename file)" | ||
|
||
if [ -e "$file_wallet" ]; then | ||
touch "$file_wallet" | ||
fi | ||
done | ||
|
||
# Workaround SmartOS misupdating /etc/user_attr at boot | ||
if [ -e "${WALLET}/user_attr" ]; then | ||
cp "${WALLET}/user_attr" "${PATRICK}/user_attr" | ||
fi | ||
fi | ||
;; | ||
stop) ;; | ||
|
||
*) | ||
usage | ||
;; | ||
esac |
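Review bot: The line `file_wallet="${WALLET}/$(basename file)"` in the `start` branch is missing the `$` before `file`, so every loop iteration computes the literal path `/usbkey/file` instead of the wallet copy of the current entry, and the `touch` that follows never reaches the intended files; it should read `file_wallet="${WALLET}/$(basename "$file")"`, which is the form the sibling manray-persist script uses. Because the body is guarded by `if [ -e "$file_wallet" ]`, the defect is silent rather than fatal, which is probably why it went unnoticed. As a point of style, `bootparams | grep '^smartos=true' >/dev/null` followed by `if [ "$?" -eq 0 ]` reads more directly as `if bootparams | grep -q '^smartos=true'; then`, and `"${PERSISTENT_FILES[@]}"` is the quoted array expansion that keeps each path intact even if a future entry contains whitespace.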
@@ -0,0 +1,28 @@ | ||
<?xml version='1.0'?> | ||
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> | ||
<service_bundle type='manifest' name='export'> | ||
<service name='site/manray-load' type='service' version='0'> | ||
<create_default_instance enabled='true'/> | ||
<single_instance/> | ||
<dependency name='fs-local' grouping='require_all' restart_on='error' type='service'> | ||
<service_fmri value='svc:/system/filesystem/local'/> | ||
</dependency> | ||
<dependency name='fs-root' grouping='require_all' restart_on='error' type='service'> | ||
<service_fmri value='svc:/system/filesystem/root'/> | ||
</dependency> | ||
<method_context/> | ||
<exec_method name='start' type='method' exec='/opt/custom/smf/manray-load start' timeout_seconds='60'/> | ||
<exec_method name='stop' type='method' exec=':true' timeout_seconds='60'/> | ||
<property_group name='startd' type='framework'> | ||
<propval name='duration' type='astring' value='transient'/> | ||
<propval name='ignore_error' type='astring' value='core,signal'/> | ||
</property_group> | ||
<property_group name='application' type='application'/> | ||
<stability value='Evolving'/> | ||
<template> | ||
<common_name> | ||
<loctext xml:lang='C'>Mount sensitive configuration files from /usbkey to /etc</loctext> | ||
</common_name> | ||
</template> | ||
</service> | ||
</service_bundle> |
@@ -0,0 +1,75 @@ | ||
#!/bin/bash | ||
|
||
usage() { | ||
echo "Usage: $0 <start|stop>" | ||
exit 1 | ||
} | ||
|
||
PATRICK='/etc' | ||
WALLET='/usbkey' | ||
PERSISTENT_FILES=(/etc/passwd | ||
/etc/group | ||
/etc/shadow | ||
/etc/user_attr | ||
/etc/ouser_attr | ||
/etc/security/policy.conf | ||
/etc/security/auth_attr | ||
/etc/security/exec_attr | ||
/etc/security/prof_attr) | ||
|
||
# Synchronize configuration files bidirectionally between a persisted manray wallet and read-only loopbacks. | ||
# | ||
# Usage: seal_wallet | ||
seal_wallet() { | ||
bootparams | grep '^smartos=true' >/dev/null | ||
if [ "$?" -eq 0 ]; then | ||
for file in ${PERSISTENT_FILES[*]}; do | ||
file_wallet="${WALLET}/$(basename $file)" | ||
|
||
mount -p | grep "$file" >/dev/null | ||
if [ "$?" -ne 0 ]; then | ||
if [[ "$file" -ot "$file_wallet" ]]; then | ||
cp "$file_wallet" "$file" | ||
else | ||
cp "$file" "$file_wallet" | ||
fi | ||
|
||
touch "$file" "$file_wallet" | ||
mount -F lofs "$file_wallet" "$file" | ||
fi | ||
done | ||
fi | ||
} | ||
|
||
# Retract the persisted wallet for a transiently writeable edition of configuration files. | ||
# Warning: Change will be lost a the next boot unless the wallet is explicitly sealed beforehand. | ||
# | ||
# Usage: unseal_wallet | ||
unseal_wallet() { | ||
for file in ${PERSISTENT_FILES[*]}; do | ||
file_wallet="${WALLET}/$(basename $file)" | ||
|
||
mount -p | grep "$file" >/dev/null | ||
if [ "$?" -eq 0 ]; then | ||
umount "$file" && touch "$file" | ||
fi | ||
done | ||
} | ||
|
||
if [ "$#" -ne 1 ]; then | ||
usage | ||
fi | ||
|
||
COMMAND="$1" | ||
|
||
case "$COMMAND" in | ||
start) | ||
seal_wallet | ||
;; | ||
stop) | ||
unseal_wallet | ||
;; | ||
*) | ||
usage | ||
;; | ||
esac |
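Review bot: The header comment on `seal_wallet` describes the wallet as being exposed through read-only loopbacks, but the `mount -F lofs "$file_wallet" "$file"` line mounts read-write, so a write to `/etc/shadow` or `/etc/passwd` while the service is enabled goes straight through to the `/usbkey` copy rather than being rejected; if read-only is the intended contract (the README in this commit describes it that way), the mount should be `mount -F lofs -o ro "$file_wallet" "$file"`, otherwise the comment should be corrected. The mount detection `mount -p | grep "$file"` in both `seal_wallet` and `unseal_wallet` is an unanchored substring match across the whole `mount -p` line, so it would also fire when `$file` is a prefix of some other mounted path; matching on the mount-point field (presumably whitespace-delimited in `mount -p` output — worth confirming on SmartOS) with `grep -q` is more robust. Minor: `$(basename $file)` should quote its argument as `$(basename "$file")`, consistent with the rest of the script's quoting.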
@@ -0,0 +1,28 @@ | ||
<?xml version='1.0'?> | ||
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> | ||
<service_bundle type='manifest' name='export'> | ||
<service name='site/manray-persist' type='service' version='0'> | ||
<create_default_instance enabled='true'/> | ||
<single_instance/> | ||
<dependency name='filesystem' grouping='require_all' restart_on='error' type='service'> | ||
<service_fmri value='svc:/system/filesystem/local'/> | ||
</dependency> | ||
<dependency name='userfiles' grouping='require_all' restart_on='error' type='service'> | ||
<service_fmri value='svc:/site/manray-load'/> | ||
</dependency> | ||
<method_context/> | ||
<exec_method name='start' type='method' exec='/opt/custom/smf/manray-persist start' timeout_seconds='60'/> | ||
<exec_method name='stop' type='method' exec='/opt/custom/smf/manray-persist stop' timeout_seconds='60'/> | ||
<property_group name='startd' type='framework'> | ||
<propval name='duration' type='astring' value='transient'/> | ||
<propval name='ignore_error' type='astring' value='core,signal'/> | ||
</property_group> | ||
<property_group name='application' type='application'/> | ||
<stability value='Evolving'/> | ||
<template> | ||
<common_name> | ||
<loctext xml:lang='C'>Bidirectionally synchronize sensitive configuration files between /usbkey and /etc</loctext> | ||
</common_name> | ||
</template> | ||
</service> | ||
</service_bundle> |