From 0cef711699b267353b032ddca3a79f8fbc0060df Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Thu, 9 Jul 2020 10:21:54 +0200
Subject: [PATCH 1/5] install.sh: Add function to install a symlink
---
 install.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/install.sh b/install.sh
index 1543cc8..feb9240 100755
--- a/install.sh
+++ b/install.sh
@@ -76,6 +76,13 @@ function install_cron()
 install_if "$1" "$2" $INSTALL_CRON
 }
+function install_symlink()
+{
+ if [ "$(readlink "$2")" != "$1" ]; then
+ ln -sfv "$1" "$2"
+ fi
+}
+
 umask 022;
 mkdir -p "$DESTDIR$usr_bindir"
From de028ee597b72f1eba8e25f3483120b5b415324a Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Tue, 7 Jul 2020 13:09:31 +0200
Subject: [PATCH 2/5] clusterd: Add trustcheck service
Add a very simple tcp service on port 236 to clusterd which can be used by other hosts to query, if they are still trusted. clusterd replies with either "I trust you\n" or "I don't trust you\n" depending on whether the connecting host has the amd hostconfig flag or not. After sending the message, clusterd will hang up.
---
 clusterd/clusterd | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/clusterd/clusterd b/clusterd/clusterd
index 96741a8..f6c7dc2 100755
--- a/clusterd/clusterd
+++ b/clusterd/clusterd
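Review bot: install_symlink in the install.sh hunk runs `ln -sfv "$1" "$2"` without `-n`, so when `$2` already exists as a directory, or as a symlink to a directory with a different target (the readlink test is empty for a plain directory and non-matching for the symlink, so the guard passes in both cases), ln creates the new link inside that directory instead of replacing `$2`, and the guard stays true on every later run. Use `ln -sfnv "$1" "$2"` so an existing symlink at `$2` is replaced in place. A one-line header comment would also help readers of install.sh: `# install_symlink TARGET LINK: make LINK -> TARGET unless it already points there`.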
@@ -1794,6 +1794,31 @@ sub cmd_push {
 #------------------------------------------------------------
+our $TRUSTCHECK_PORT=236;
+our $trustcheck_listen_socket;
+
+sub trustcheck_init {
+ $trustcheck_listen_socket=new IO::Socket::INET(LocalPort=>$TRUSTCHECK_PORT,Proto=>'tcp',Listen=>10,ReuseAddr=>1);
+ defined $trustcheck_listen_socket or die "$!\n";
+ My::Select::reader($trustcheck_listen_socket,\&trustcheck_connect_request);
+}
+
+sub trustcheck_connect_request {
+ My::Select::reader_requeue();
+ my $socket=$trustcheck_listen_socket->accept();
+ $socket->blocking(0);
+ my $hostname = gethostbyaddr(inet_aton($socket->peerhost()), AF_INET);
+ system 'hostconfig','--host',$hostname,'amd';
+ if ($? == 0) {
+ $socket->send("I trust you\n", 0);
+ } elsif ($? == 256) {
+ $socket->send("I don't trust you\n", 0);
+ }
+ close($socket);
+}
+
+#------------------------------------------------------------
+
 use constant USAGE => <<'__EOF__';
 usage: $0 [options]
@@ -1901,6 +1926,7 @@ if (defined $options{'push'}) {
 init_area();
 mgmt_init();
 clp_init();
+ trustcheck_init();
 sync_cluster_pw() or warn "$CLUSTER_PW_FILE: $!\n";
From cebbd07700d45a74cf6cdbe48d22bf6319177d12 Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Thu, 9 Jul 2020 11:25:56 +0200
Subject: [PATCH 3/5] checktrust: Add /usr/sbin/checktrust command
Add a script to determine whether the system has lost the trust of other systems. Query a few remote systems which are supposed to be online most of the time. Note, that this script has a tristate result (trusted, not trusted, unknown) so we don't communicate the result via exit status, but output "trusted", "not trusted" or nothing.
---
 checktrust/checktrust | 12 ++++++++++++
 install.sh | 1 +
 2 files changed, 13 insertions(+)
 create mode 100755 checktrust/checktrust
diff --git a/checktrust/checktrust b/checktrust/checktrust
new file mode 100755
index 0000000..ba55e28
--- /dev/null
+++ b/checktrust/checktrust
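Review bot: In trustcheck_connect_request the verdict is keyed only on the peer's reverse-DNS name from gethostbyaddr(), so this is not an authentication of the asking host: whoever controls the PTR record for a source address (or a peer whose address happens to resolve to another node's name) gets that name's answer, and when the PTR lookup fails `$hostname` is undef and hostconfig is invoked with an empty `--host`. Since the reply is only advisory on the other side, that is probably acceptable, but it should be written down, e.g. `# Verdict is keyed on the peer's PTR name only; advisory, not an auth check.`, and the undef case should hang up instead of calling hostconfig: `defined $hostname or do { close($socket); return };`. Also `accept()` can return undef (peer reset before accept, spurious wakeup), which would die on `->blocking`, and `system` runs hostconfig synchronously inside the select loop, so any unauthenticated peer can stall clusterd for the duration of that call by connecting repeatedly — worth a `my $socket = ...->accept() or return;` guard and a comment about the blocking call. Exit statuses other than 0 and 1 from hostconfig fall through and the socket is closed without a reply; that matches the tristate described in the checktrust commit but is not documented here.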
@@ -0,0 +1,12 @@
+#! /usr/bin/bash
+
+for host in wtf afk pummelfee; do
+ reply="$(netcat -w 1 $host 236
Date: Mon, 6 Jul 2020 17:01:09 +0200
Subject: [PATCH 4/5] checktrust: Alert user on greeter if workstation lost trust
Install three new files into the system: - /etc/xdg/lightdm/lightdm.conf.d/50-use-wrapper.conf - /usr/libexec/lightdm-greeter-wrapper - /usr/libexec/lightdm-show-trust-warning The first file adds a configuration option to lightdm to invoke the greeter via a wrapper. The second file is the wrapper script, which forks of the third script before exec-ing into the greeter. The third script uses /usr/sbin/trustcheck to find out whether we lost trust of the other nodes. If it gets a negative verdict, it shows a dialog on top of the login screen to alert the user about the condition. If it doesn't get a verdict, it keeps asking (e.g. when the network is not plugged in). xdotool is used to raise the dialog above the (full screen) login window. This has to be done in a loop, because we don't know how long the login windows needs to appear and pop up in front of the dialog.
---
 checktrust/lightdm-greeter-wrapper | 3 +++
 checktrust/lightdm-show-trust-warning | 28 +++++++++++++++++++++++++++
 checktrust/lightdm-use-wrapper.conf | 2 ++
 install.sh | 4 ++++
 4 files changed, 37 insertions(+)
 create mode 100755 checktrust/lightdm-greeter-wrapper
 create mode 100755 checktrust/lightdm-show-trust-warning
 create mode 100644 checktrust/lightdm-use-wrapper.conf
diff --git a/checktrust/lightdm-greeter-wrapper b/checktrust/lightdm-greeter-wrapper
new file mode 100755
index 0000000..1e47ada
--- /dev/null
+++ b/checktrust/lightdm-greeter-wrapper
@@ -0,0 +1,3 @@
+#! /bin/bash
+(/usr/libexec/lightdm-show-trust-warning &)
+exec "$@"
diff --git a/checktrust/lightdm-show-trust-warning b/checktrust/lightdm-show-trust-warning
new file mode 100755
index 0000000..ed738c0
--- /dev/null
+++ b/checktrust/lightdm-show-trust-warning
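Review bot: The wrapper in the lightdm-greeter-wrapper hunk starts the warning loop as `( … &)`, which detaches it from the greeter's process tree before `exec "$@"`, so it may well outlive the greeter it was started for (after a login or a greeter restart) and keep polling until it gets a verdict of its own; whether lightdm's greeter cleanup reaches it is not visible here. If that is intended, say so: `# detached on purpose: the check must not die with the greeter`; otherwise background it as a plain child (`/usr/libexec/lightdm-show-trust-warning &`) so it shares the greeter's fate. `exec "$@"` with no arguments would also fail with a bash error rather than a clear message, so a `[ $# -gt 0 ] || exit 1` line documents the contract with lightdm.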
@@ -0,0 +1,28 @@
+#! /usr/bin/bash
+
+while true; do
+ reply="$(/usr/sbin/checktrust)"
+ if [ "$reply" = "trusted" ]; then
+ break
+ elif [ "$reply" = "not trusted" ]; then
+ if [ -z "$XDOPID" ]; then
+ (while true; do xdotool search --sync --name bla windowraise; sleep 1; done) &
+ XDOPID=$!
+ fi
+ xdotool search --sync --name bla windowraise &
+ zenity --width 400 --error --title bla --text \
+"Loss of trust detected!
+
+Looks like your machine lost the trust of our network. Maybe it was offline for too long.
+
+You won't be able to log in.
+
+Please contact IT Helpdesk
+
+helpdesk@molgen.mpg.de
+phone: -1708"
+ continue
+ fi
+ sleep 5
+done
+test -n "$XDOPID" && kill $XDOPID
diff --git a/checktrust/lightdm-use-wrapper.conf b/checktrust/lightdm-use-wrapper.conf
new file mode 100644
index 0000000..80af383
--- /dev/null
+++ b/checktrust/lightdm-use-wrapper.conf
@@ -0,0 +1,2 @@
+[Seat:*]
+greeter-wrapper=/usr/libexec/lightdm-greeter-wrapper
diff --git a/install.sh b/install.sh
index 5887a97..11475d2 100755
--- a/install.sh
+++ b/install.sh
@@ -167,4 +167,8 @@ install_data crashkernel/crashkernel.service "$DESTDIR$systemdunitd
 install_exec crashkernel/crash-recovery.sh "$DESTDIR$root_sbindir/crash-recovery.sh"
 install_data misc_systemd_units/admin-sshd.service "$DESTDIR$systemdunitdir/admin-sshd.service"
 install_exec checktrust/checktrust "$DESTDIR$usr_sbindir/checktrust"
+mkdir -p "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d"
+install_data checktrust/lightdm-use-wrapper.conf "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d/50-use-wrapper.conf"
+install_exec checktrust/lightdm-greeter-wrapper "$DESTDIR$usr_exec_prefix/libexec/lightdm-greeter-wrapper"
+install_exec checktrust/lightdm-show-trust-warning "$DESTDIR$usr_exec_prefix/libexec/lightdm-show-trust-warning"
 exit
From a018d40fc7fefd26a5214cf5b6faac4c7011132c Mon Sep 17 00:00:00 2001
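Review bot: In lightdm-show-trust-warning the dialog is located with `xdotool search --sync --name bla`, and xdotool treats `--name` as a regex matched against any window on the display, so the raise loop grabs every window whose title contains "bla" rather than just this zenity dialog; give it a distinctive title and anchor the pattern, e.g. `zenity … --title "Mariux64 trust warning"` and `xdotool search --sync --name '^Mariux64 trust warning$' windowraise`. The final `kill $XDOPID` only terminates the subshell: an `xdotool search --sync` child still blocked waiting for a window is orphaned and keeps running, so kill its children first, `pkill -TERM -P "$XDOPID"; kill "$XDOPID"`. The message tells the user "You won't be able to log in" but nothing in this script prevents a login attempt; if login really is blocked elsewhere (the amd flag, presumably), a comment pointing to that mechanism would keep the next reader from assuming this dialog is the enforcement.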
From: Donald Buczek
Date: Thu, 9 Jul 2020 10:23:29 +0200
Subject: [PATCH 5/5] checktrust: Let getty display a warning if trust is lost
Create a service "checktrust" which is run before getty is started. If this service detects that the system has lost trust, a warning message is dropped into /node/issue.d/notrust.issue. Create a symlink for agetty in /etc/issue.d to the (only possibly existing) file in the /node path. agetty shows this message before the login prompt. checktrust-for-getty: Use checktrust command
---
 checktrust/getty-checktrust | 14 ++++++++++++++
 checktrust/getty-checktrust.service | 11 +++++++++++
 install.sh | 4 ++++
 3 files changed, 29 insertions(+)
 create mode 100755 checktrust/getty-checktrust
 create mode 100644 checktrust/getty-checktrust.service
diff --git a/checktrust/getty-checktrust b/checktrust/getty-checktrust
new file mode 100755
index 0000000..5e7dfc4
--- /dev/null
+++ b/checktrust/getty-checktrust
@@ -0,0 +1,14 @@
+#! /usr/bin/bash
+
+if [ "$(/usr/sbin/checktrust)" = "not trusted" ]; then
+ mkdir -p /node/issue.d
+ cat > /node/issue.d/notrust.issue <, phone: -1708 **
+
+EOF
+else
+ rm -f /node/issue.d/notrust.issue
+fi
diff --git a/checktrust/getty-checktrust.service b/checktrust/getty-checktrust.service
new file mode 100644
index 0000000..2d301e3
--- /dev/null
+++ b/checktrust/getty-checktrust.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Check Mariux64 trust for getty
+Before=getty@.service
+
+[Install]
+WantedBy=getty@.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/getty-checktrust
+RemainAfterExit=yes
diff --git a/install.sh b/install.sh
index 11475d2..44c8e89 100755
--- a/install.sh
+++ b/install.sh
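Review bot: getty-checktrust takes the `else` branch — and removes /node/issue.d/notrust.issue — both when checktrust answers `trusted` and when it answers nothing (no host reachable, the normal state early in boot), so a warning written on a previous boot is silently cleared the moment the nodes cannot be reached and the getty banner then says nothing about the lost trust. If that is the intended failure mode it deserves a comment; otherwise capture the reply once and only clear on an explicit verdict: `reply="$(/usr/sbin/checktrust)"`, `if [ "$reply" = "not trusted" ]; then … elif [ "$reply" = "trusted" ]; then rm -f /node/issue.d/notrust.issue; fi`. The heredoc body is garbled in this copy of the patch, so its content could not be reviewed; the script presumably runs as root from the unit and writes the banner with the service's default umask, which is fine for an issue file but worth stating in a header comment.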
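Review bot: getty-checktrust.service orders itself only `Before=getty@.service` and has no ordering against the network, so at boot ExecStart typically runs before any interface is configured; checktrust's 1-second probes then all fail and the result is the `unknown` tristate, which the script does not distinguish from `trusted`. Adding `After=network-online.target` and `Wants=network-online.target` under [Unit] gives the probes a chance, at the price of delaying the console gettys on a disconnected machine until the network-online timeout expires, so that trade-off should be decided and documented in the unit. `WantedBy=getty@.service` on a template unit relies on systemd applying `getty@.service.wants/` to every instance, and `RemainAfterExit=yes` means the check runs once per boot rather than per getty; a comment stating both would help the next reader.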
@@ -171,4 +171,8 @@ mkdir -p "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d"
 install_data checktrust/lightdm-use-wrapper.conf "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d/50-use-wrapper.conf"
 install_exec checktrust/lightdm-greeter-wrapper "$DESTDIR$usr_exec_prefix/libexec/lightdm-greeter-wrapper"
 install_exec checktrust/lightdm-show-trust-warning "$DESTDIR$usr_exec_prefix/libexec/lightdm-show-trust-warning"
+mkdir -p "$DESTDIR$sysconfdir/issue.d/"
+install_symlink /node/issue.d/notrust.issue "$DESTDIR$sysconfdir/issue.d/notrust.issue"
+install_data checktrust/getty-checktrust.service "$DESTDIR$systemdunitdir/getty-checktrust.service"
+install_exec checktrust/getty-checktrust "$DESTDIR$usr_exec_prefix/libexec/getty-checktrust"
 exit
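Review bot: The symlink installed by `install_symlink /node/issue.d/notrust.issue "$DESTDIR$sysconfdir/issue.d/notrust.issue"` is dangling whenever the node is trusted, since getty-checktrust only creates the target on a negative verdict; that is the design, but a reader of install.sh cannot tell it from an installation mistake. Add a comment above the line: `# deliberately dangling: /node/issue.d/notrust.issue only exists while trust is lost (see getty-checktrust)`. How agetty treats a dangling entry in /etc/issue.d is not visible here and should be confirmed rather than assumed to be silent.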