Date:      Mon, 22 Jan 2018 00:14:28 +0000 (UTC)
From:      Richard Gallamore <ultima@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r459632 - in head/sysutils: . google-compute-engine-oslogin google-compute-engine-oslogin/files
Message-ID:  <201801220014.w0M0ESgt020564@repo.freebsd.org>

Author: ultima
Date: Mon Jan 22 00:14:28 2018
New Revision: 459632
URL: https://svnweb.freebsd.org/changeset/ports/459632

Log:
  This package enables Google Cloud OS Login features on Google Compute Engine
  instances.
  The OS Login package has the following components:
  
  - Authorized Keys Command to fetch SSH keys from the user's OS Login profile and
  make them available to sshd.
  - NSS Module provides support for making OS Login user and group information
  available to the system, using NSS (Name Service Switch) functionality.
  - PAM Module provides authorization and authentication support, allowing the
  system to use data stored in Google Cloud IAM permissions to control both the
  ability to log into an instance and the ability to perform operations as root (sudo).
  - Utils provides common code to support the components listed above.
  
  In addition to the main components, there are also utilities for packaging and
  installing these components:
  
  - bin contains a shell script for (de)activating the package components.
  
  WWW: https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google_compute_engine_oslogin
  
  PR:		225014
  Submitted by:	Helen Koike (maintainer)
  Reviewed by:	mat
  Differential Revision:	https://reviews.freebsd.org/D13811

Added:
  head/sysutils/google-compute-engine-oslogin/
  head/sysutils/google-compute-engine-oslogin/Makefile   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/distinfo   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/files/
  head/sysutils/google-compute-engine-oslogin/files/patch-Makefile   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/pkg-descr   (contents, props changed)
  head/sysutils/google-compute-engine-oslogin/pkg-plist   (contents, props changed)
Modified:
  head/sysutils/Makefile

Modified: head/sysutils/Makefile
==============================================================================
--- head/sysutils/Makefile	Sun Jan 21 22:50:56 2018	(r459631)
+++ head/sysutils/Makefile	Mon Jan 22 00:14:28 2018	(r459632)
@@ -419,6 +419,7 @@
     SUBDIR += gnome-system-monitor
     SUBDIR += gnome_subr
     SUBDIR += goaccess
+    SUBDIR += google-compute-engine-oslogin
     SUBDIR += goss
     SUBDIR += gpart
     SUBDIR += gpte

Added: head/sysutils/google-compute-engine-oslogin/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/Makefile	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,46 @@
+# $FreeBSD$
+
+PORTNAME=	google-compute-engine-oslogin
+DISTVERSION=	1.1.2
+CATEGORIES=	sysutils
+
+MAINTAINER=	helen.koike@collabora.com
+COMMENT=	OS Login Guest Environment for Google Compute Engine
+
+LICENSE=	APACHE20
+LICENSE_FILE=	${WRKSRC}/../LICENSE
+
+LIB_DEPENDS=	libcurl.so:ftp/curl \
+		libjson-c.so:devel/json-c
+RUN_DEPENDS=	gsed:textproc/gsed \
+		${LOCALBASE}/lib/pam_mkhomedir.so:security/pam_mkhomedir
+
+USES=		gmake
+USE_LDCONFIG=	yes
+USE_GCC=	any
+USE_GITHUB=	yes
+GH_ACCOUNT=	GoogleCloudPlatform
+GH_PROJECT=	compute-image-packages
+GH_TAGNAME=	20171213
+MAKE_ARGS=	JSON_INCLUDE_PATH=${LOCALBASE}/include/json-c \
+		BIN_INSTALL_PATH=/bin \
+		PAM_INSTALL_PATH=/lib \
+		AUTHKEYS_INSTALL_PATH=/bin \
+		NSS_LIBRARY_SONAME=nss_oslogin.so.1
+
+WRKSRC_SUBDIR=	google_compute_engine_oslogin
+
+PLIST_SUB=	DISTVERSION=${DISTVERSION}
+
+post-patch:
+	@${REINPLACE_CMD} -e 's|/etc/sudoers.d|${PREFIX}/etc/sudoers.d|g ; \
+		s|/usr/bin|${PREFIX}/bin|g' ${WRKSRC}/bin/google_oslogin_control
+
+post-install:
+	${LN} -sf libnss_${PORTNAME}-${DISTVERSION}.so ${STAGEDIR}${PREFIX}/lib/nss_oslogin.so.1
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/google_authorized_keys \
+		${STAGEDIR}${PREFIX}/lib/libnss_google-compute-engine-oslogin-${DISTVERSION}.so \
+		${STAGEDIR}${PREFIX}/lib/pam_oslogin_admin.so \
+		${STAGEDIR}${PREFIX}/lib/pam_oslogin_login.so
+
+.include <bsd.port.mk>
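Review bot: The `post-patch` expression `s|/usr/bin|${PREFIX}/bin|g` is unanchored, so it rewrites every `/usr/bin` occurrence in `bin/google_oslogin_control`, not only the path of the helper this port installs. That script edits the sshd, NSS and PAM configuration (see its patch in this commit), so any base-system path it references would silently be redirected to `${PREFIX}/bin`. The full script is not visible here, so this should be checked against the upstream file. Narrowing the expression to `s|/usr/bin/google_authorized_keys|${PREFIX}/bin/google_authorized_keys|g` limits the rewrite to the one binary listed in pkg-plist.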

Added: head/sysutils/google-compute-engine-oslogin/distinfo
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/distinfo	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,3 @@
+TIMESTAMP = 1514471176
+SHA256 (GoogleCloudPlatform-compute-image-packages-1.1.2-20171213_GH0.tar.gz) = 483d97c6d64cd7d9002247db63af8cb591e526a09ce52fd8d545c66da3ebb181
+SIZE (GoogleCloudPlatform-compute-image-packages-1.1.2-20171213_GH0.tar.gz) = 131055

Added: head/sysutils/google-compute-engine-oslogin/files/patch-Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/files/patch-Makefile	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,11 @@
+--- Makefile.orig	2017-12-13 23:47:59 UTC
++++ Makefile
+@@ -15,7 +15,7 @@ AUTHKEYS_INSTALL_PATH = /usr/bin
+ JSON_INCLUDE_PATH = /usr/include/json-c
+ INCLUDE_FLAGS = -I$(JSON_INCLUDE_PATH)
+ 
+-CXX = g++
++CXX ?= g++
+ CXXFLAGS += -fPIC# -Wall
+ PAMFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared
+ NSSFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared -Wl,-soname,$(NSS_LIBRARY_SONAME)

Added: head/sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,51 @@
+--- bin/google_oslogin_control.orig	2017-12-13 23:47:59 UTC
++++ bin/google_oslogin_control
+@@ -65,29 +65,31 @@ overwrite_file() {
+ 
+ remove_from_config() {
+   config=$1
+-  sed -i "/${added_comment}/,+1d" ${config}.new
++  gsed -i "/${added_comment}/,+1d" ${config}.new
+ }
+ 
+ remove_from_nss_config() {
+-  sed -i '/^passwd:/ s/ oslogin//' ${nss_config}.new
++  gsed -i '/^passwd:/ s/ oslogin//' ${nss_config}.new
+ }
+ 
+ add_to_sshd_config() {
+   remove_from_config ${sshd_config}
+-  sed -i "\$a${added_comment}\n${sshd_command}" ${sshd_config}.new
+-  sed -i "\$a${added_comment}\n${sshd_user}" ${sshd_config}.new
++  gsed -i "\$a${added_comment}\n${sshd_command}" ${sshd_config}.new
++  gsed -i "\$a${added_comment}\n${sshd_user}" ${sshd_config}.new
+ }
+ 
+ add_to_nss_config() {
+   remove_from_nss_config
+-  sed -i '/^passwd:/ s/$/ oslogin/' ${nss_config}.new
++  gsed -i '/^passwd:/ s/$/ oslogin/' ${nss_config}.new
++  # Replace compat by files (as compat cannot be used with other sources)
++  gsed -i '/^passwd:/ s/compat/files/' ${nss_config}.new
+ }
+ 
+ add_to_pam_config() {
+   remove_from_config ${pam_config}
+-  sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new
+-  sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new
+-  sed -i "/pam_loginuid.so/ a${added_comment}\n${pam_homedir}" ${pam_config}.new
++  gsed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new
++  gsed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new
++  gsed -i "/session.*pam_permit.so/ a${added_comment}\n${pam_homedir}" ${pam_config}.new
+ }
+ 
+ restart_service() {
+@@ -100,7 +102,7 @@ restart_service() {
+     fi
+   fi
+   if which service > /dev/null 2>&1; then
+-    if service --status-all | grep -Fq ${service}; then
++    if service -e | grep -Fq ${service}; then
+       echo "Restarting ${service}."
+       service ${service} restart
+       return $?
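Review bot: `add_to_nss_config` now rewrites `compat` to `files` on the `passwd:` line, but `remove_from_nss_config` a few lines above only strips ` oslogin`, so deactivating OS Login leaves nsswitch.conf changed. A host that relied on compat-mode password entries would presumably stop honouring them without any notice. The expression `s/compat/files/` is also not word-anchored; `gsed -i '/^passwd:/ s/\<compat\>/files/' ${nss_config}.new` is tighter. At minimum, extend the comment to `# Replace compat by files (compat cannot be used with other sources); NOT reverted by remove_from_nss_config` so an administrator auditing the account-lookup configuration knows the change is one-way.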

Added: head/sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,38 @@
+--- nss_module/nss_oslogin.cc.orig	2017-12-13 23:47:59 UTC
++++ nss_module/nss_oslogin.cc
+@@ -16,6 +16,7 @@
+ #include <errno.h>
+ #include <grp.h>
+ #include <nss.h>
++#include <nsswitch.h>
+ #include <pthread.h>
+ #include <pwd.h>
+ #include <sys/types.h>
+@@ -150,4 +151,27 @@ int _nss_oslogin_getpwent_r(struct passw
+   }
+   return NSS_STATUS_SUCCESS;
+ }
++
++NSS_METHOD_PROTOTYPE(__nss_compat_getpwnam_r);
++NSS_METHOD_PROTOTYPE(__nss_compat_getpwuid_r);
++NSS_METHOD_PROTOTYPE(__nss_compat_getpwent_r);
++NSS_METHOD_PROTOTYPE(__nss_compat_setpwent);
++NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);
++
++static ns_mtab methods[] = {
++    { NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, (void*)_nss_oslogin_getpwnam_r },
++    { NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, (void*)_nss_oslogin_getpwuid_r },
++    { NSDB_PASSWD, "getpwent_r", __nss_compat_getpwent_r, (void*)_nss_oslogin_getpwent_r },
++    { NSDB_PASSWD, "endpwent",   __nss_compat_endpwent,   (void*)_nss_oslogin_endpwent },
++    { NSDB_PASSWD, "setpwent",   __nss_compat_setpwent,   (void*)_nss_oslogin_setpwent },
++};
++
++ns_mtab *
++nss_module_register (const char *name, unsigned int *size,
++                     nss_module_unregister_fn *unregister)
++{
++    *size = sizeof (methods) / sizeof (methods[0]);
++    *unregister = NULL;
++    return (methods);
++}
+ }  // extern "C"
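Review bot: The added `methods[]` table and `nss_module_register` carry no comment, so a reader familiar only with the glibc entry points cannot tell why they exist. A line above `methods[]` such as `// FreeBSD: expose the glibc-style _nss_oslogin_* functions to nsdispatch(3) through the __nss_compat_* wrappers` would cover it. The table registers only `NSDB_PASSWD` methods, while the commit log describes the module as providing user and group information; if group lookups are intentionally absent, state that in the same comment. The enclosing `extern "C"` block starts outside the hunk.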

Added: head/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,28 @@
+--- pam_module/pam_oslogin_admin.cc.orig	2017-12-13 23:47:59 UTC
++++ pam_module/pam_oslogin_admin.cc
+@@ -14,7 +14,6 @@
+ 
+ #define PAM_SM_ACCOUNT
+ #include <security/pam_appl.h>
+-#include <security/pam_ext.h>
+ #include <security/pam_modules.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+@@ -47,7 +46,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+   int pam_result = PAM_SUCCESS;
+   const char *user_name;
+   if ((pam_result = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) {
+-    pam_syslog(pamh, LOG_INFO, "Could not get pam user.");
++    syslog(LOG_INFO, "Could not get pam user.");
+     return pam_result;
+   }
+   string str_user_name(user_name);
+@@ -77,7 +76,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+   if (HttpGet(url.str(), &response, &http_code) && http_code == 200 &&
+       ParseJsonToAuthorizeResponse(response)) {
+     if (!file_exists) {
+-      pam_syslog(pamh, LOG_INFO,
++      syslog(LOG_INFO,
+                  "Granting sudo permissions to organization user %s.",
+                  user_name);
+       std::ofstream sudoers_file;
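Review bot: Replacing `pam_syslog(pamh, ...)` with bare `syslog(LOG_INFO, ...)` drops the PAM service context. Unless the calling process has already opened the log with an auth facility, the "Granting sudo permissions" message is filed under the default facility instead of alongside other authentication events. For an audit-relevant message, `syslog(LOG_AUTHPRIV | LOG_INFO, "Granting sudo permissions to organization user %s.", user_name);` keeps it in the auth stream, and OpenPAM's `openpam_log()` is the native alternative. The hunk removes `<security/pam_ext.h>` without showing an include of `<syslog.h>`, so confirm the declaration is still pulled in. The same applies to the three `syslog` replacements in patch-pam__module_pam__oslogin__login.cc; `pam_sm_acct_mgmt` starts and ends outside these hunks.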

Added: head/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,37 @@
+--- pam_module/pam_oslogin_login.cc.orig	2017-12-13 23:47:59 UTC
++++ pam_module/pam_oslogin_login.cc
+@@ -14,7 +14,6 @@
+ 
+ #define PAM_SM_ACCOUNT
+ #include <security/pam_appl.h>
+-#include <security/pam_ext.h>
+ #include <security/pam_modules.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+@@ -45,7 +44,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+   int pam_result = PAM_PERM_DENIED;
+   const char *user_name;
+   if ((pam_result = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) {
+-    pam_syslog(pamh, LOG_INFO, "Could not get pam user.");
++    syslog(LOG_INFO, "Could not get pam user.");
+     return pam_result;
+   }
+   string str_user_name(user_name);
+@@ -88,7 +87,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+       chown(users_filename.c_str(), 0, 0);
+       chmod(users_filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP);
+     }
+-    pam_syslog(pamh, LOG_INFO,
++    syslog(LOG_INFO,
+                "Granting login permission for organization user %s.",
+                user_name);
+     pam_result = PAM_SUCCESS;
+@@ -96,7 +95,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand
+     if (file_exists) {
+       remove(users_filename.c_str());
+     }
+-    pam_syslog(pamh, LOG_INFO,
++    syslog(LOG_INFO,
+                "Denying login permission for organization user %s.", user_name);
+ 
+     pam_result = PAM_PERM_DENIED;

Added: head/sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,18 @@
+--- utils/oslogin_utils.cc.orig	2017-12-13 23:47:59 UTC
++++ utils/oslogin_utils.cc
+@@ -218,7 +218,14 @@ bool ValidatePasswd(struct passwd* resul
+     }
+   }
+   if (strlen(result->pw_shell) == 0) {
+-    if (!buf->AppendString("/bin/bash", &result->pw_shell, errnop)) {
++    if (!buf->AppendString("/bin/sh", &result->pw_shell, errnop)) {
++      return false;
++    }
++  }
++
++  // If shell is set to /bin/bash, fallback to /bin/sh
++  if (strcmp(result->pw_shell, "/bin/bash") == 0 ) {
++    if (!buf->AppendString("/bin/sh", &result->pw_shell, errnop)) {
+       return false;
+     }
+   }
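Review bot: The new fallback matches only the literal string `/bin/bash`, so a profile whose shell is some other path that does not exist on the host is still returned unchanged, while a host that does provide `/bin/bash` has it overridden anyway. Testing the path itself, e.g. `if (access(result->pw_shell, X_OK) != 0) {`, would cover both cases; it needs `<unistd.h>`, which may already be included outside the hunk. The comment would then read `// If the profile's shell is not executable on this host, fall back to /bin/sh`. `ValidatePasswd` continues outside the hunk.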

Added: head/sysutils/google-compute-engine-oslogin/pkg-descr
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/pkg-descr	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,19 @@
+This package enables Google Cloud OS Login features on Google Compute Engine
+instances.
+The OS Login package has the following components:
+
+- Authorized Keys Command to fetch SSH keys from the user's OS Login profile and
+make them available to sshd.
+- NSS Module provides support for making OS Login user and group information
+available to the system, using NSS (Name Service Switch) functionality.
+- PAM Module provides authorization and authentication support allowing the
+system to use data stored in Google Cloud IAM permissions to control both, the
+ability to log into an instance, and to perform operations as root (sudo).
+- Utils provides common code to support the components listed above.
+
+In addition to the main components, there are also utilities for packaging and
+installing these components:
+
+- bin contains a shell script for (de)activating the package components.
+
+WWW: https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google_compute_engine_oslogin

Added: head/sysutils/google-compute-engine-oslogin/pkg-plist
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/google-compute-engine-oslogin/pkg-plist	Mon Jan 22 00:14:28 2018	(r459632)
@@ -0,0 +1,6 @@
+bin/google_authorized_keys
+bin/google_oslogin_control
+lib/libnss_google-compute-engine-oslogin-%%DISTVERSION%%.so
+lib/nss_oslogin.so.1
+lib/pam_oslogin_admin.so
+lib/pam_oslogin_login.so


