|
|
|
#
|
|
|
|
# Add users expected by tests. Assumes passwordless sudo to root.
|
|
|
|
#
|
|
|
|
# WARNING: this creates non-privilged accounts with pre-set passwords!
|
|
|
|
#
|
|
|
|
|
|
|
|
- import_playbook: ../ansible/setup/report_controller.yml
|
|
|
|
|
|
|
|
- hosts: all
|
|
|
|
gather_facts: true
|
|
|
|
strategy: mitogen_free
|
|
|
|
become: true
|
|
|
|
vars:
|
|
|
|
distro: "{{ansible_distribution}}"
|
|
|
|
special_users:
|
|
|
|
- has_sudo
|
|
|
|
- has_sudo_nopw
|
|
|
|
- has_sudo_pubkey
|
|
|
|
- pw_required
|
|
|
|
- readonly_homedir
|
|
|
|
- require_tty
|
|
|
|
- require_tty_pw_required
|
|
|
|
- permdenied
|
|
|
|
- slow_user
|
|
|
|
- webapp
|
|
|
|
- sudo1
|
|
|
|
- sudo2
|
|
|
|
- sudo3
|
|
|
|
- sudo4
|
|
|
|
|
|
|
|
user_groups:
|
|
|
|
has_sudo: ['mitogen__group', '{{sudo_group[distro]}}']
|
|
|
|
has_sudo_pubkey: ['mitogen__group', '{{sudo_group[distro]}}']
|
|
|
|
has_sudo_nopw: ['mitogen__group', 'mitogen__sudo_nopw']
|
|
|
|
sudo1: ['mitogen__group', 'mitogen__sudo_nopw']
|
|
|
|
sudo2: ['mitogen__group', '{{sudo_group[distro]}}']
|
|
|
|
sudo3: ['mitogen__group', '{{sudo_group[distro]}}']
|
|
|
|
sudo4: ['mitogen__group', '{{sudo_group[distro]}}']
|
|
|
|
|
|
|
|
normal_users: "{{
|
|
|
|
lookup('sequence', 'start=1 end=5 format=user%d', wantlist=True)
|
|
|
|
}}"
|
|
|
|
|
|
|
|
all_users: "{{
|
|
|
|
special_users +
|
|
|
|
normal_users
|
|
|
|
}}"
|
|
|
|
tasks:
|
|
|
|
- name: Disable non-localhost SSH for Mitogen users
|
|
|
|
when: false
|
|
|
|
blockinfile:
|
|
|
|
path: /etc/ssh/sshd_config
|
|
|
|
block: |
|
|
|
|
Match User mitogen__* Address !127.0.0.1
|
|
|
|
DenyUsers *
|
|
|
|
|
|
|
|
- name: Create Mitogen test groups
|
|
|
|
group:
|
|
|
|
name: "mitogen__{{item}}"
|
|
|
|
with_items:
|
|
|
|
- group
|
|
|
|
- sudo_nopw
|
|
|
|
|
|
|
|
- name: Create user accounts
|
|
|
|
block:
|
|
|
|
- user:
|
|
|
|
name: "mitogen__{{item}}"
|
|
|
|
shell: /bin/bash
|
|
|
|
groups: "{{user_groups[item]|default(['mitogen__group'])}}"
|
|
|
|
password: "{{ (item + '_password') | password_hash('sha256') }}"
|
|
|
|
with_items: "{{all_users}}"
|
|
|
|
when: ansible_system != 'Darwin'
|
|
|
|
- user:
|
|
|
|
name: "mitogen__{{item}}"
|
|
|
|
shell: /bin/bash
|
|
|
|
groups: |
|
|
|
|
{{
|
|
|
|
['com.apple.access_ssh'] +
|
|
|
|
(user_groups[item] | default(['mitogen__group']))
|
|
|
|
}}
|
|
|
|
password: "{{item}}_password"
|
|
|
|
with_items: "{{all_users}}"
|
|
|
|
when: ansible_system == 'Darwin'
|
|
|
|
|
|
|
|
- name: Hide users from login window (Darwin).
|
|
|
|
when: ansible_system == 'Darwin'
|
|
|
|
with_items: "{{all_users}}"
|
|
|
|
osx_defaults:
|
|
|
|
array_add: true
|
|
|
|
domain: /Library/Preferences/com.apple.loginwindow
|
|
|
|
type: array
|
|
|
|
key: HiddenUsersList
|
|
|
|
value: ['mitogen_{{item}}']
|
|
|
|
|
|
|
|
- name: Check if AccountsService is used
|
|
|
|
stat:
|
|
|
|
path: /var/lib/AccountsService/users
|
|
|
|
register: out
|
|
|
|
|
|
|
|
- name: Hide users from login window (Linux).
|
|
|
|
when: ansible_system == 'Linux' and out.stat.exists
|
|
|
|
with_items: "{{all_users}}"
|
|
|
|
copy:
|
|
|
|
dest: /var/lib/AccountsService/users/mitogen__{{item}}
|
|
|
|
mode: u=rw,go=
|
|
|
|
content: |
|
|
|
|
[User]
|
|
|
|
SystemAccount=true
|
|
|
|
|
|
|
|
- name: Restart AccountsService (Linux).
|
|
|
|
when: ansible_system == 'Linux' and out.stat.exists
|
|
|
|
service:
|
|
|
|
name: accounts-daemon
|
|
|
|
state: restarted
|
|
|
|
|
|
|
|
- name: Readonly homedir for one account
|
|
|
|
shell: "chown -R root: ~mitogen__readonly_homedir"
|
|
|
|
|
|
|
|
- name: Slow bash profile for one account
|
|
|
|
copy:
|
|
|
|
dest: ~mitogen__slow_user/.{{item}}
|
|
|
|
src: ../data/docker/mitogen__slow_user.profile
|
|
|
|
owner: mitogen__slow_user
|
|
|
|
group: mitogen__group
|
|
|
|
mode: u=rw,go=r
|
|
|
|
with_items:
|
|
|
|
- bashrc
|
|
|
|
- profile
|
|
|
|
|
|
|
|
- name: "Login throws permission denied errors (issue #271)"
|
|
|
|
copy:
|
|
|
|
dest: ~mitogen__permdenied/.{{item}}
|
|
|
|
src: ../data/docker/mitogen__permdenied.profile
|
|
|
|
owner: mitogen__permdenied
|
|
|
|
group: mitogen__group
|
|
|
|
mode: u=rw,go=r
|
|
|
|
with_items:
|
|
|
|
- bashrc
|
|
|
|
- profile
|
|
|
|
|
|
|
|
- name: Install pubkey for mitogen__has_sudo_pubkey
|
|
|
|
block:
|
|
|
|
- file:
|
|
|
|
path: ~mitogen__has_sudo_pubkey/.ssh
|
|
|
|
state: directory
|
|
|
|
mode: go=
|
|
|
|
owner: mitogen__has_sudo_pubkey
|
|
|
|
group: mitogen__group
|
|
|
|
- copy:
|
|
|
|
dest: ~mitogen__has_sudo_pubkey/.ssh/authorized_keys
|
|
|
|
src: ../data/docker/mitogen__has_sudo_pubkey.key.pub
|
|
|
|
mode: go=
|
|
|
|
owner: mitogen__has_sudo_pubkey
|
|
|
|
group: mitogen__group
|
|
|
|
|
|
|
|
- name: Require a TTY for two accounts
|
|
|
|
lineinfile:
|
|
|
|
path: /etc/sudoers
|
|
|
|
line: "{{item}}"
|
|
|
|
with_items:
|
|
|
|
- Defaults>mitogen__pw_required targetpw
|
|
|
|
- Defaults>mitogen__require_tty requiretty
|
|
|
|
- Defaults>mitogen__require_tty_pw_required requiretty,targetpw
|
|
|
|
|
|
|
|
- name: Require password for two accounts
|
|
|
|
lineinfile:
|
|
|
|
path: /etc/sudoers
|
|
|
|
line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}:ALL) ALL"
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
|
|
|
with_items:
|
|
|
|
- mitogen__pw_required
|
|
|
|
- mitogen__require_tty_pw_required
|
|
|
|
when:
|
|
|
|
- ansible_virtualization_type != "docker"
|
|
|
|
|
|
|
|
- name: Allow passwordless sudo for require_tty/readonly_homedir
|
|
|
|
lineinfile:
|
|
|
|
path: /etc/sudoers
|
|
|
|
line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}:ALL) NOPASSWD:ALL"
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
|
|
|
with_items:
|
|
|
|
- mitogen__require_tty
|
|
|
|
- mitogen__readonly_homedir
|
|
|
|
when:
|
|
|
|
- ansible_virtualization_type != "docker"
|
|
|
|
|
|
|
|
- name: Allow passwordless for many accounts
|
|
|
|
lineinfile:
|
|
|
|
path: /etc/sudoers
|
|
|
|
line: "{{lookup('pipe', 'whoami')}} ALL = (mitogen__{{item}}:ALL) NOPASSWD:ALL"
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
|
|
|
with_items: "{{normal_users}}"
|
|
|
|
when:
|
|
|
|
- ansible_virtualization_type != "docker"
|