From 0b3f0ce80e1d27a59cbe166c9c3f1ee91ab7b14b Mon Sep 17 00:00:00 2001
From: fdupoux
Date: Thu, 30 Dec 2021 16:48:05 +0000
Subject: [PATCH 1/2] Convert sysrescue-initialize to python (#170)
---
 .../systemd/scripts/sysrescue-initialize.py | 123 ++++++++++++++++++
 .../system/sysrescue-initialize.service | 2 +-
 2 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100755 airootfs/etc/systemd/scripts/sysrescue-initialize.py
diff --git a/airootfs/etc/systemd/scripts/sysrescue-initialize.py b/airootfs/etc/systemd/scripts/sysrescue-initialize.py
new file mode 100755
index 0000000..f923acd
--- /dev/null
+++ b/airootfs/etc/systemd/scripts/sysrescue-initialize.py
@@ -0,0 +1,123 @@
+#! /usr/bin/env python3
+import subprocess
+import os
+import sys
+import re
+
+print(f"Script {sys.argv[0]} starting ...")
+errcnt = 0
+
+bootcmdline = open("/proc/cmdline","r").readline()
+bootopts = bootcmdline.split()
+
+for curopt in bootopts:
+
+ # Configure keyboard layout if requested in the boot command line
+ match = re.search(r"^setkmap=(\S+)$", curopt)
+ if match != None:
+ curval = match.group(1)
+ print(f"=> Found option '{curopt}' on the boot command line")
+ p = subprocess.run(["localectl", "set-keymap", curval], text=True)
+ if p.returncode == 0:
+ print (f"Have changed the keymap successfully")
+ else:
+ print (f"Failed to change keymap")
+ errcnt+=1
+
+ # Configure root login shell if requested in the boot command line
+ match = re.search(r"^rootshell=(\S+)$", curopt)
+ if match != None:
+ curval = match.group(1)
+ print(f"=> Found option '{curopt}' on the boot command line")
+ p = subprocess.run(["chsh", "--shell", curval, "root"], text=True)
+ if p.returncode == 0:
+ print (f"Have changed the root shell successfully")
+ else:
+ print (f"Failed to change the root shell")
+ errcnt+=1
+
+ # Set the system root password from a clear password
+ match = re.search(r"^rootpass=(\S+)$", curopt)
+ if match != None:
+ curval = match.group(1)
+ print(f"=> Found option 'rootpass=******' on the boot command line")
+ p = subprocess.run(["chpasswd", "--crypt-method", "SHA512"], text=True, input=f"root:{curval}")
+ if p.returncode == 0:
+ print (f"Have changed the root password successfully")
+ else:
+ print (f"Failed to change the root password")
+ errcnt+=1
+
+ # Set the system root password from an encrypted password
+ # A password can be encrypted using a one-line python3 command such as:
+ # python3 -c 'import crypt; print(crypt.crypt("MyPassWord123", crypt.mksalt(crypt.METHOD_SHA512)))'
+ match = re.search(r"^rootcryptpass=(\S+)$", curopt)
+ if match != None:
+ curval = match.group(1)
+ print(f"=> Found option 'rootcryptpass=******' on the boot command line")
+ p = subprocess.run(["chpasswd", "--encrypted"], text=True, input=f"root:{curval}")
+ if p.returncode == 0:
+ print (f"Have changed the root password successfully")
+ else:
+ print (f"Failed to change the root password")
+ errcnt+=1
+
+ # Disable the firewall
+ match = re.search(r"^nofirewall$", curopt)
+ if match != None:
+ print(f"=> Found option 'nofirewall' on the boot command line")
+ # The firewall service(s) must be in the Before-section of sysrescue-initialize.service
+ p = subprocess.run(["systemctl", "disable", "--now", "iptables.service", "ip6tables.service"], text=True)
+ if p.returncode == 0:
+ print (f"Have disabled the firewall successfully")
+ else:
+ print (f"Failed to disable the firewall")
+ errcnt+=1
+
+ # Auto-start the graphical environment (tty1 only), dovnc implies dostartx
+ match = re.search(r"^dostartx|dovnc$", curopt)
+ if match != None:
+ print(f"=> Found option '{match.group(0)}' on the boot command line")
+ str = '[[ ! $DISPLAY ]] && [[ ! $SSH_TTY ]] && [[ $XDG_VTNR == 1 ]] && startx'
+ if (os.path.exists("/root/.bash_profile") == False) or (open("/root/.bash_profile", 'r').read().find(str) == -1):
+ file1 = open("/root/.bash_profile", "a")
+ file1.write(f"{str}\n")
+ file1.close()
+ file2 = open("/root/.zlogin", "w")
+ file2.write(f"{str}\n")
+ file2.close()
+
+ # Require authenticated console access
+ match = re.search(r"^noautologin$", curopt)
+ if match != None:
+ print(f"=> Found option '{match.group(0)}' on the boot command line")
+ p = subprocess.run(["systemctl", "revert", "getty@.service", "serial-getty@.service"], text=True)
+ if p.returncode == 0:
+ print (f"Have enabled authenticated console access successfully")
+ else:
+ print (f"Failed to enable authenticated console access")
+ errcnt+=1
+
+ # Set the VNC password from a clear password
+ match = re.search(r"^vncpass=(\S+)$", curopt)
+ if match != None:
+ curval = match.group(1)
+ print(f"=> Found option 'vncpass=******' on the boot command line")
+ os.makedirs("/root/.vnc", exist_ok = True)
+ p = subprocess.run(["x11vnc", "-storepasswd", curval, "/root/.vnc/passwd"], text=True)
+ if p.returncode == 0:
+ print (f"Have changed the vnc password successfully")
+ else:
+ print (f"Failed to change the vnc password")
+ errcnt+=1
+
+ # Auto-start x11vnc with the graphical environment
+ match = re.search(r"^dovnc$", curopt)
+ if match != None:
+ # No need to print "Found option 'dovnc' on the boot command line" a second time
+ file = open("/root/.xprofile", "w")
+ file.write("""[ -f ~/.vnc/passwd ] && pwopt="-usepw" || pwopt="-nopw"\n""")
+ file.write("""x11vnc $pwopt -nevershared -forever -logfile /var/log/x11vnc.log &\n""")
+ file.close()
+
+sys.exit(errcnt)
diff --git a/airootfs/etc/systemd/system/sysrescue-initialize.service b/airootfs/etc/systemd/system/sysrescue-initialize.service
index 03ca7ca..6d95e47 100644
--- a/airootfs/etc/systemd/system/sysrescue-initialize.service
+++ b/airootfs/etc/systemd/system/sysrescue-initialize.service
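Review bot: The pattern on the dostartx/dovnc line, `re.search(r"^dostartx|dovnc$", curopt)`, is not anchored the way the comment intends: alternation binds looser than the anchors, so it matches any option that starts with `dostartx` or ends with `dovnc`, whereas the shell version matched the two exact words; write it as `match = re.search(r"^(dostartx|dovnc)$", curopt)`. Separately, every `subprocess.run([...])` in the loop raises `FileNotFoundError` when the tool is absent (e.g. `x11vnc` or `localectl` not installed), which aborts the script with a traceback and skips all remaining boot options, while the shell version logged the failure and moved on; wrapping each call in `try: ... except OSError:` and counting it in `errcnt` keeps the per-option error handling the unit relies on. The `/proc/cmdline` and `/root/.bash_profile` reads leave their file objects unclosed; `with open(...) as f:` is the idiom, and `str = '[[ ! $DISPLAY ]] ...'` shadows the builtin and would read better as `startx_line`. Note for a follow-up that `x11vnc -storepasswd` receives the VNC password as a process argument (visible in the process list while it runs) whereas the two `chpasswd` calls pass the secret via `input=`; this is inherited from the shell version, and the kernel command line itself is world-readable via `/proc/cmdline` on most systems, so the masking in the log messages is the only protection these options have.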
@@ -5,7 +5,7 @@ Wants=getty-pre.target [Service] Type=oneshot -ExecStart=/etc/systemd/scripts/sysrescue-initialize +ExecStart=/etc/systemd/scripts/sysrescue-initialize.py RemainAfterExit=true [Install]
From b6f2c86c0c2763035f3223f03505b03b927bd27e Mon Sep 17 00:00:00 2001
From: fdupoux
Date: Thu, 30 Dec 2021 19:50:32 +0000
Subject: [PATCH 2/2] Remove the legacy shell version of sysrescue-initialize
---
 .../etc/systemd/scripts/sysrescue-initialize | 94 -------------------
 1 file changed, 94 deletions(-)
 delete mode 100755 airootfs/etc/systemd/scripts/sysrescue-initialize
diff --git a/airootfs/etc/systemd/scripts/sysrescue-initialize b/airootfs/etc/systemd/scripts/sysrescue-initialize
deleted file mode 100755
index 29cbd30..0000000
--- a/airootfs/etc/systemd/scripts/sysrescue-initialize
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/bin/bash
-echo "$0 Starting ..."
-errcnt=0
-
-# Process options passed on the boot command line
-for curopt in $(< /proc/cmdline)
-do
- case "${curopt}" in
- # Configure keyboard layout if requested in the boot command line
- setkmap=*)
- echo "Found option '${curopt}' on the boot command line"
- localectl set-keymap ${curopt#*=}
- ;;
-
- # Configure root login shell if requested in the boot command line
- rootshell=*)
- echo "Found option '${curopt}' on the boot command line"
- chsh --shell ${curopt#*=} root
- ;;
-
- # Set the system root password from a clear password
- rootpass=*)
- echo "Found option '${curopt%%=*}=******' on the boot command line"
- if echo "root:${curopt#*=}" | chpasswd --crypt-method SHA512
- then
- echo "Password successfully changed"
- else
- echo "Failed to change password"
- errcnt=$((errcnt + 1))
- fi
- ;;
-
- # Set the system root password from an encrypted password
- # A password can be encrypted using a one-line python3 command such as:
- # python3 -c 'import crypt; print(crypt.crypt("MyPassWord123", crypt.mksalt(crypt.METHOD_SHA512)))'
- rootcryptpass=*)
- echo "Found option '${curopt%%=*}=******' on the boot command line"
- if echo "root:${curopt#*=}" | chpasswd --encrypted
- then
- echo "Password successfully changed"
- else
- echo "Failed to change password"
- errcnt=$((errcnt + 1))
- fi
- ;;
-
- # Option to allow user to disable the firewall
- nofirewall)
- echo "Found option '${curopt}' on the boot command line"
- # The firewall service(s) must be in the Before-section of sysrescue-initialize.service
- systemctl disable --now iptables.service ip6tables.service
- ;;
-
- # Auto-start the graphical environment (tty1 only)
- # dovnc implies dostartx
- dostartx|dovnc)
- echo "Found option '${curopt}' on the boot command line"
- str='[[ ! $DISPLAY ]] && [[ ! $SSH_TTY ]] && [[ $XDG_VTNR == 1 ]] && startx'
- grep -qF "$str" /root/.bash_profile || echo "$str" >> /root/.bash_profile
- echo "$str" > /root/.zlogin
- # Must not break out of the case block because there is another dovnc pattern to match below
- ;;&
-
- # Require authenticated console access
- noautologin)
- echo "Found option '${curopt}' on the boot command line"
- systemctl revert getty@.service serial-getty@.service
- ;;
-
- # Set the VNC password from a clear password
- vncpass=*)
- echo "Found option '${curopt%%=*}=******' on the boot command line"
- mkdir -p /root/.vnc
- if x11vnc -storepasswd ${curopt#*=} /root/.vnc/passwd
- then
- echo "VNC password successfully changed"
- else
- echo "Failed to change VNC password"
- errcnt=$((errcnt + 1))
- fi
- ;;
-
- # Auto-start x11vnc with the graphical environment
- dovnc)
- # The "Found option..." message was already shown above in the dostartx pattern
- {
- echo '[ -f ~/.vnc/passwd ] && pwopt="-usepw" || pwopt="-nopw"'
- echo 'x11vnc $pwopt -nevershared -forever -logfile /var/log/x11vnc.log &'
- } > /root/.xprofile
- ;;
- esac
-done
-
-exit ${errcnt}