From 56266febf9657f470480a1367f7ac8f8262deb20 Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Mon, 6 Jul 2020 17:01:09 +0200
Subject: [PATCH] checktrust: Alert user on greeter if workstation lost trust Install three new files into the system: - /etc/xdg/lightdm/lightdm.conf.d/50-use-wrapper.conf - /usr/libexec/lightdm-greeter-wrapper - /usr/libexec/lightdm-show-trust-warning The first file adds a configuration option to lightdm to invoke the greeter via a wrapper. The second file is the wrapper script, which forks of the third script before exec-ing into the greeter. The third script uses /usr/sbin/trustcheck to find out whether we lost trust of the other nodes. If it gets a negative verdict, it shows a dialog on top of the login screen to alert the user about the condition. If it doesn't get a verdict, it keeps asking (e.g. when the network is not plugged in). xdotool is used to raise the dialog above the (full screen) login window. This has to be done in a loop, because we don't know how long the login windows needs to appear and pop up in front of the dialog.
---
 checktrust/lightdm-greeter-wrapper | 3 +++
 checktrust/lightdm-show-trust-warning | 28 +++++++++++++++++++++++++++
 checktrust/lightdm-use-wrapper.conf | 2 ++
 install.sh | 4 ++++
 4 files changed, 37 insertions(+)
 create mode 100755 checktrust/lightdm-greeter-wrapper
 create mode 100755 checktrust/lightdm-show-trust-warning
 create mode 100644 checktrust/lightdm-use-wrapper.conf
diff --git a/checktrust/lightdm-greeter-wrapper b/checktrust/lightdm-greeter-wrapper
new file mode 100755
index 0000000..1e47ada
--- /dev/null
+++ b/checktrust/lightdm-greeter-wrapper
@@ -0,0 +1,3 @@
+#! /bin/bash
+(/usr/libexec/lightdm-show-trust-warning &)
+exec "$@"
diff --git a/checktrust/lightdm-show-trust-warning b/checktrust/lightdm-show-trust-warning
new file mode 100755
index 0000000..ed738c0
--- /dev/null
+++ b/checktrust/lightdm-show-trust-warning
@@ -0,0 +1,28 @@
+#! /usr/bin/bash
+
+while true; do
+ reply="$(/usr/sbin/checktrust)"
+ if [ "$reply" = "trusted" ]; then
+ break
+ elif [ "$reply" = "not trusted" ]; then
+ if [ -z "$XDOPID" ]; then
+ (while true; do xdotool search --sync --name bla windowraise; sleep 1; done) &
+ XDOPID=$!
+ fi
+ xdotool search --sync --name bla windowraise &
+ zenity --width 400 --error --title bla --text \
+"Loss of trust detected!
+
+Looks like your machine lost the trust of our network. Maybe it was offline for too long.
+
+You won't be able to log in.
+
+Please contact IT Helpdesk
+
+helpdesk@molgen.mpg.de
+phone: -1708"
+ continue
+ fi
+ sleep 5
+done
+test -n "$XDOPID" && kill $XDOPID
diff --git a/checktrust/lightdm-use-wrapper.conf b/checktrust/lightdm-use-wrapper.conf
new file mode 100644
index 0000000..80af383
--- /dev/null
+++ b/checktrust/lightdm-use-wrapper.conf
@@ -0,0 +1,2 @@
+[Seat:*]
+greeter-wrapper=/usr/libexec/lightdm-greeter-wrapper
diff --git a/install.sh b/install.sh
index 5887a97..11475d2 100755
--- a/install.sh
+++ b/install.sh
@@ -167,4 +167,8 @@ install_data crashkernel/crashkernel.service "$DESTDIR$systemdunitd
 install_exec crashkernel/crash-recovery.sh "$DESTDIR$root_sbindir/crash-recovery.sh"
 install_data misc_systemd_units/admin-sshd.service "$DESTDIR$systemdunitdir/admin-sshd.service"
 install_exec checktrust/checktrust "$DESTDIR$usr_sbindir/checktrust"
+mkdir -p "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d"
+install_data checktrust/lightdm-use-wrapper.conf "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d/50-use-wrapper.conf"
+install_exec checktrust/lightdm-greeter-wrapper "$DESTDIR$usr_exec_prefix/libexec/lightdm-greeter-wrapper"
+install_exec checktrust/lightdm-show-trust-warning "$DESTDIR$usr_exec_prefix/libexec/lightdm-show-trust-warning"
 exit
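Review bot: In checktrust/lightdm-show-trust-warning the `continue` at the end of the "not trusted" branch skips the `sleep 5`, so whenever `zenity` returns at once the loop calls /usr/sbin/checktrust again with no delay. That seems reachable when the display is unavailable, because lightdm-greeter-wrapper starts this script detached with `(... &)` and nothing visible stops it when the greeter exits; dropping the `continue`, or writing `sleep 5; continue`, bounds the retry rate. `XDOPID` is also read before it is ever assigned, so a value inherited from the environment would suppress the raise loop and later be handed to `kill $XDOPID`; initialise it with `XDOPID=` before the outer loop and quote the final call as `kill "$XDOPID"`.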
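Review bot: The two scripts are installed under `$DESTDIR$usr_exec_prefix/libexec` in install.sh, but lightdm-use-wrapper.conf and lightdm-greeter-wrapper refer to them by the fixed path `/usr/libexec/...`. `usr_exec_prefix` is defined outside this hunk; if it can be anything other than `/usr`, lightdm would be pointed at a wrapper that is not there and the greeter would likely fail to start. A comment above the new lines such as `# NOTE: /usr/libexec paths are hard-coded in checktrust/lightdm-use-wrapper.conf and checktrust/lightdm-greeter-wrapper` would record the coupling. Unlike the conf directory, no `mkdir -p` is issued for the libexec directory, so confirm that `install_exec` creates it.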