Swap usernames for uids

Author: aw

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 1.18.0 (2017-12-02)
+
+  * Ensure directories are created with uids instead of usernames
+  * Ensure chown and chgrp permissions are assigned to uids
+  * Ensure sudo commands use the uid
+
 ## 1.17.1 (2017-11-02)
 
   * Fix regression in ansible role creation of backup script template

group_vars/images

@@ -5,4 +5,4 @@ admin_type: LIVE IMAGE
 admin_type_lowcase: live image
 ssh_path: /usr/local/etc/ssh
 
-jidoteki_admin_version: 1.17.1
+jidoteki_admin_version: 1.18.0

roles/admin/tasks/main.yml

@@ -1,11 +1,13 @@
 # Jidoteki Admin tasks
+#
+# user/group 998 = sftpadmin, 997 = admin, 50 = staff, 0 = root
 
 - name: Create admin home directories
   file: >
     state=directory
     path={{ prefix }}{{ item }}
-    owner=admin
-    group=admin
+    owner=997
+    group=997
     mode=1750
     recurse=no
   with_items:
@@ -18,8 +20,8 @@
   file: >
     state=directory
     path={{ prefix }}{{ item }}
-    owner=root
-    group=root
+    owner=0
+    group=0
     mode=0755
   with_items:
     - "{{ admin_path }}/bin"
@@ -32,8 +34,8 @@
   file: >
     state=directory
     path={{ prefix }}{{ item }}
-    owner=sftpadmin
-    group=admin
+    owner=998
+    group=997
     mode=0770
     recurse=no
   with_items:
@@ -45,8 +47,8 @@
   file: >
     state=directory
     path={{ prefix }}{{ item }}
-    owner=root
-    group=admin
+    owner=0
+    group=997
     mode=1775
   with_items:
     - "{{ admin_path }}/log"
@@ -58,8 +60,8 @@
   template: >
     src={{ item }}.j2
     dest="{{ prefix }}{{ admin_path }}/bin/{{ item }}"
-    owner=root
-    group=root
+    owner=0
+    group=0
     mode=0755
   with_items:
     - update_backup.sh
@@ -80,8 +82,8 @@
   template: >
     src=wrapper.sh.j2
     dest="{{ prefix }}{{ admin_path }}/bin/wrapper.sh"
-    owner=root
-    group=admin
+    owner=0
+    group=997
     mode=0750
   tags:
     - admin

roles/admin/templates/update_backup.sh.j2

@@ -89,7 +89,7 @@ stop_backup() {
 restore_backup() {
   echo "[`date +%s`][{{ admin_type }}] Restoring backup archive to $restore_path" | log_output
 
-  sudo -u admin /bin/tar -C "$restore_path" -xf "$backup_archive" || fail_and_exit
+  sudo -u '#997' /bin/tar -C "$restore_path" -xf "$backup_archive" || fail_and_exit
   rm -f "$backup_archive"
 
   echo "[`date +%s`][{{ admin_type }}] Restore complete" | log_output
@@ -101,7 +101,7 @@ trap fail_and_exit INT SIGINT SIGTERM
 
 if [ "$backup_action" = "START" ]; then
   echo -n "{\"status\":\"running\"}" > "$backup_json"
-  chgrp admin "$backup_json"
+  chgrp 997 "$backup_json"
 
   start_backup  || fail_and_exit
 elif [ "$backup_action" = "RESTORE" ]; then

roles/admin/templates/update_certs.sh.j2

@@ -106,8 +106,8 @@ generate_chained_cert() {
 
 replace_old_certs() {
   chmod 0640 enterprise.key enterprise.crt enterprise.pem
-  chown root:staff enterprise.key enterprise.crt
-  chown root:admin enterprise.pem
+  chown 0:50 enterprise.key enterprise.crt
+  chown 0:997 enterprise.pem
 
   mkdir -p /usr/local/etc/pki/tls/private /usr/local/etc/pki/tls/certs /usr/local/etc/pki/tls/cacerts
 
@@ -119,7 +119,7 @@ replace_old_certs() {
 
   if [ -f "enterprise-ca.crt" ]; then
     chmod 0640 enterprise-ca.crt
-    chown root:staff enterprise-ca.crt
+    chown 0:50 enterprise-ca.crt
     mv -f enterprise-ca.crt /usr/local/etc/pki/tls/cacerts/
     [ -f "ca-bundle.crt" ] && mv -f ca-bundle.crt /usr/local/etc/pki/tls/
   fi

roles/admin/templates/update_debug.sh.j2

@@ -66,7 +66,7 @@ compress_debug_files() {
   [ -f "${admin_dir}/home/sftp/uploads/${log_file}" ] && { openssl enc -aes-256-cbc -salt -in $log_file -out ${log_file}.enc -pass file:./debug.key || return 1; }
 
   tar -cvf debug-bundle.tar *.enc && \
-  chmod 640 debug-bundle.tar ; chown root:admin debug-bundle.tar && \
+  chmod 640 debug-bundle.tar ; chown 0:997 debug-bundle.tar && \
   mv -f debug-bundle.tar ${admin_dir}/home/sftp/uploads/ || return 1
 }
 

roles/admin/templates/update_license.sh.j2

@@ -34,7 +34,7 @@ move_license_file() {
 
   echo "[`date +%s`][{{ admin_type }}] Updating license. Please wait.." 2>&1 | tee -a "${admin_dir}/log/update_license.log"
   mv -f license.asc ${admin_dir}/etc/
-  chmod 640 "${admin_dir}/etc/license.asc" ; chown root:admin "${admin_dir}/etc/license.asc"
+  chmod 640 "${admin_dir}/etc/license.asc" ; chown 0:997 "${admin_dir}/etc/license.asc"
   echo "[`date +%s`][{{ admin_type }}] Updating license successful" 2>&1 | tee -a "${admin_dir}/log/update_license.log"
 }
 

roles/admin/templates/update_logs.sh.j2

@@ -33,7 +33,7 @@ fail_and_exit() {
 compress_log_files() {
   echo "[`date +%s`][{{ admin_type }}] Generating compressed logs.tar.gz. Please wait.." 2>&1
   tar --ignore-failed-read -zcf $log_file ${log_dirs}
-  chmod 640 $log_file ; chown root:admin $log_file
+  chmod 640 $log_file ; chown 0:997 $log_file
   mv -f $log_file ${admin_dir}/home/sftp/uploads/
   echo "[`date +%s`][{{ admin_type }}] Generated logs successful" 2>&1
 }

roles/admin/templates/update_replication.sh.j2

@@ -34,12 +34,12 @@ move_settings_files() {
 
   if [ -f "replication.json" ]; then
     mv -f replication.json ${admin_dir}/etc/
-    chmod 640 "${admin_dir}/etc/replication.json" ; chown root:admin "${admin_dir}/etc/replication.json"
+    chmod 640 "${admin_dir}/etc/replication.json" ; chown 0:997 "${admin_dir}/etc/replication.json"
   fi
 
   if [ -f "replication.conf" ]; then
     mv -f replication.conf /usr/local/etc/
-    chmod 640 "/usr/local/etc/replication.conf" ; chown root:admin "/usr/local/etc/replication.conf"
+    chmod 640 "/usr/local/etc/replication.conf" ; chown 0:997 "/usr/local/etc/replication.conf"
   fi
 }
 

roles/admin/templates/update_settings.sh.j2

@@ -35,17 +35,17 @@ move_settings_files() {
 
   if [ -f "app.json" ]; then
     mv -f app.json ${admin_dir}/etc/
-    chmod 640 "${admin_dir}/etc/app.json" ; chown root:admin "${admin_dir}/etc/app.json"
+    chmod 640 "${admin_dir}/etc/app.json" ; chown 0:997 "${admin_dir}/etc/app.json"
   fi
 
   if [ -f "network.json" ]; then
     mv -f network.json ${admin_dir}/etc/
-    chmod 640 "${admin_dir}/etc/network.json" ; chown root:admin "${admin_dir}/etc/network.json"
+    chmod 640 "${admin_dir}/etc/network.json" ; chown 0:997 "${admin_dir}/etc/network.json"
   fi
 
   if [ -f "network.conf" ]; then
     mv -f network.conf /usr/local/etc/
-    chmod 640 "/usr/local/etc/network.conf" ; chown root:admin "/usr/local/etc/network.conf"
+    chmod 640 "/usr/local/etc/network.conf" ; chown 0:997 "/usr/local/etc/network.conf"
   fi
 }