Commit e3bc525e authored by Christopher Huhn

Catch missing home dir write permissions in sys_ssh_authorize

parent edfd8049
......@@ -7,6 +7,7 @@
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
# Dennis Klein <d.klein@gsi.de>
# Matthias Pausch <m.pausch@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -234,11 +235,18 @@ suites:
log_level: alert
- name: sys_ssh
run_list:
- recipe[sys::accounts]
- recipe[sys::ssh]
attributes:
sys:
accounts:
mchammer:
home: /home/mchammer
ssh:
authorize:
mchammer:
keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+UAVz/kz0W/kTg0FGenwvJKZxxuBfLOKfg+VaKq9hB
root:
keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ7mI0iEdW2GmHZv+0OknkPDkQaBowEDzfaal2A+eRR
......
......@@ -2,11 +2,13 @@
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
### Changed
## [1.63.1] - 2022-02-28
## Changed
- Updated [documentation for `sys::pam`](documents/pam.md)
- Send chef-client output to logfile in systemd-timer mode (!39)
- Shorter PGP key for `apt-key` test - goodbye fefe (!41)
- Catch missing home dir write permissions in `sys_ssh_authorize`
## [1.63.0] - 2022-02-07
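Review bot: the heading under `## [1.63.1] - 2022-02-28` reads `## Changed`, a level-2 heading, while the `## Unreleased` block directly above uses `### Changed`; the Keep a Changelog layout this file references nests the change type one level below the version heading, so this should be `### Changed`. The `### Changed` left under `## Unreleased` is now empty and could be dropped until a new entry lands there.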
......
# Cookbook Name:: sys
# File:: definitions/sys_ssh_authorize.rb
#
# Copyright 2012-2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
# Copyright 2012-2022 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
......@@ -56,6 +56,10 @@ define :sys_ssh_authorize, :keys => Array.new, :managed => false do
raise "#{account} has no home dir"
end
unless File.writable?(File.dirname(dot_ssh))
raise "~#{account} is not writable (root_squash?)"
end
# Create the ~/.ssh directory if missing
if node.run_context.resource_collection.select{ |e| e.name == dot_ssh }.empty? # ~FC023
directory dot_ssh do
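Review bot: the new guard `raise "~#{account} is not writable (root_squash?)"` aborts the whole chef run, exactly like the existing `raise "#{account} has no home dir"` above it, whereas the spec added in this commit states that `sys_ssh_authorize` should catch the condition "without failing" and still expects `/root/.ssh/authorized_keys` to be written. Unless the caller rescues these exceptions (nothing in this hunk shows that), the kitchen run stops at the mchammer account before the root key is placed; logging a warning and skipping the account would match the stated intent. A caveat on the check itself: `File.writable?` is an access(2) probe, and when chef-client runs as root it only returns false where the kernel refuses regardless of mode bits, i.e. a read-only or root_squash mount or an immutable directory such as the `chattr +i` one the test sets up, so plain permission-bit problems on a local filesystem are not caught by it.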
......
# Cookbook Name:: sys
# Integration tests for recipe sys::ssh
#
# Copyright 2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
# Copyright 2020-2022 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
......@@ -20,7 +20,7 @@
#
#
# SSH is dificult to test as it is already configured and running inside vagrant VMs
# SSH is difficult to test as it is already configured and running inside vagrant VMs
#
require 'spec_helper'
......@@ -65,6 +65,12 @@ describe file('/root/.ssh') do
it { should be_mode('700') }
end
# the homedir should not be writable and sys_ssh_authorize should catch that
# without failing
describe file('/home/mchammer/.ssh/authorized_keys') do
it { should_not exist }
end
describe file('/root/.ssh/authorized_keys') do
it { should exist }
its(:content) do
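Review bot: `should_not exist` on `/home/mchammer/.ssh/authorized_keys` also passes if the mchammer account was never processed at all, so on its own it does not prove the new guard was what prevented the key from being written. A companion assertion that `/home/mchammer` exists and still carries the immutable flag set by the Vagrantfile (for example a `command('lsattr -d /home/mchammer')` matcher on its stdout) would tie the expectation to the condition under test.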
......
#
# Cookbook Name:: sys
# Vagrant setup for test-kitchen
#
# Copyright 2018-2022 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
Vagrant.configure(2) do |config|
# install the Debian-provided Chef package
# exim4-base is required as MTA for sudo test
......@@ -8,6 +30,9 @@ Vagrant.configure(2) do |config|
sudo DEBIAN_FRONTEND=noninteractive apt-get -qq -y install mailutils
sudo DEBIAN_FRONTEND=noninteractive apt-get -qq -y install shellcheck
sudo DEBIAN_FRONTEND=noninteractive apt-get -qq -y install snmp
# for sys_ssh_authorize test:
sudo mkdir /home/mchammer
sudo chattr +i /home/mchammer # can't touch this
sudo gem install chef-vault --version '< 4'
SHELL
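Review bot: `sudo mkdir /home/mchammer` has no `-p`, so re-running the provisioner against an existing VM fails on that line once the directory is there (and `chattr +i` then also blocks removing it by hand until `chattr -i` is run); `mkdir -p` keeps the step idempotent, as `chattr +i` already is. Worth a comment next to the `# can't touch this` line: the attribute requires a filesystem that supports it (ext4 and xfs do), and because the directory is created root-owned and immutable before `sys::accounts` runs, it can neither be chowned to mchammer nor written to, which is precisely what drives the new `sys_ssh_authorize` check in the integration test.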
......