cadey
/
propellor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ssh user perm fixes 

* Ssh.authorizedKey: Make the authorized_keys file and .ssh directory
  be owned by the user, not root.
* Ssh.knownHost: Make the .ssh directory be owned by the user, not root.
This commit is contained in:
Joey Hess 2015-02-12 12:35:15 -04:00
parent 0743e2223e
commit da77276378
4 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config-joey.hs
View File

@ -127,7 +127,7 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64"
-- with propellor. -- with propellor.
kite :: Host kite :: Host
kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64"
[ "Welcome to the new kitenet.net server!" ] [ "Welcome to kite!" ]
& ipv4 "66.228.36.95" & ipv4 "66.228.36.95"
& ipv6 "2600:3c03::f03c:91ff:fe73:b0d2" & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
& alias "kitenet.net" & alias "kitenet.net"

3
debian/changelog vendored
View File

@ -5,6 +5,9 @@ propellor (2.1.0) UNRELEASED; urgency=medium
* New Cron.Times data type, which allows Cron.job to install * New Cron.Times data type, which allows Cron.job to install
daily/monthly/weekly jobs that anacron can run. (API change) daily/monthly/weekly jobs that anacron can run. (API change)
* Fix Git.daemonRunning to restart inetd after enabling the git server. * Fix Git.daemonRunning to restart inetd after enabling the git server.
* Ssh.authorizedKey: Make the authorized_keys file and .ssh directory
be owned by the user, not root.
* Ssh.knownHost: Make the .ssh directory be owned by the user, not root.
-- Joey Hess <id@joeyh.name> Thu, 29 Jan 2015 01:41:07 -0400 -- Joey Hess <id@joeyh.name> Thu, 29 Jan 2015 01:41:07 -0400

1
src/Propellor/Property/SiteSpecific/JoeySites.hs
View File

@ -330,7 +330,6 @@ twitRss = combineProperties "twitter rss" $ props
] ]
-- Work around for expired ssl cert. -- Work around for expired ssl cert.
-- (no longer expired, TODO remove this and change urls)
pumpRss :: Property NoInfo pumpRss :: Property NoInfo
pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") "joey" "/srv/web/tmp.kitenet.net/" pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") "joey" "/srv/web/tmp.kitenet.net/"
"wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom --no-check-certificate 2>/dev/null" "wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom --no-check-certificate 2>/dev/null"

12
src/Propellor/Property/Ssh.hs
View File

@ -207,6 +207,7 @@ knownHost hosts hn user = property desc $
, f `File.containsLines` , f `File.containsLines`
(map (\k -> hn ++ " " ++ k) (M.elems m)) (map (\k -> hn ++ " " ++ k) (M.elems m))
, File.ownerGroup f user user , File.ownerGroup f user user
, File.ownerGroup (takeDirectory f) user user
] ]
go _ = do go _ = do
warningMessage $ "no configred pubKey for " ++ hn warningMessage $ "no configred pubKey for " ++ hn
@ -230,12 +231,17 @@ authorizedKeys user context = withPrivData (SshAuthorizedKeys user) context $ \g
-- | Ensures that a user's authorized_keys contains a line. -- | Ensures that a user's authorized_keys contains a line.
-- Any other lines in the file are preserved as-is. -- Any other lines in the file are preserved as-is.
authorizedKey :: UserName -> String -> Property NoInfo authorizedKey :: UserName -> String -> Property NoInfo
authorizedKey user l = property (user ++ " has autorized_keys line " ++ l) $ do authorizedKey user l = property desc $ do
f <- liftIO $ dotFile "authorized_keys" user f <- liftIO $ dotFile "authorized_keys" user
ensureProperty $ ensureProperty $ combineProperties desc
f `File.containsLine` l [ f `File.containsLine` l
`requires` File.dirExists (takeDirectory f) `requires` File.dirExists (takeDirectory f)
`onChange` File.mode f (combineModes [ownerWriteMode, ownerReadMode]) `onChange` File.mode f (combineModes [ownerWriteMode, ownerReadMode])
, File.ownerGroup f user user
, File.ownerGroup (takeDirectory f) user user
]
where
desc = user ++ " has autorized_keys line " ++ l
-- | Makes the ssh server listen on a given port, in addition to any other -- | Makes the ssh server listen on a given port, in addition to any other
-- ports it is configured to listen on. -- ports it is configured to listen on.