diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f75794a..997a02c 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -20,7 +20,7 @@ jobs: name: Full strategy: matrix: - platform: [centos7, centos8, debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004] + platform: ['centos7@centos:7.7.1908', 'centos7@centos:7.8.2003', 'centos7@centos:7.9.2009', 'centos8@centos:8.1.1911', 'centos8@centos:8.2.2004', 'centos8@centos:8.3.2011', debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004] runs-on: ubuntu-latest if: contains(github.event.pull_request.labels.*.name, 'tests:full') steps: diff --git a/README.md b/README.md index 518d65a..19744c5 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ Also don't forget to customize your `bastion.conf` file, which can be found in ` Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS: - Debian 10 (Buster), 9 (Stretch), 8 (Jessie) -- RHEL/CentOS 8, 7 +- RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908) - Ubuntu LTS 20.04, 18.04, 16.04, 14.04\* - OpenSUSE Leap 15.2\*, 15.1\*, 15.0\* diff --git a/bin/admin/packages-check.sh b/bin/admin/packages-check.sh index 3bdc70a..97cfa21 100755 --- a/bin/admin/packages-check.sh +++ b/bin/admin/packages-check.sh @@ -69,12 +69,12 @@ if echo "$DISTRO_LIKE" | grep -q -w debian; then install_cmd="apt-get install" elif echo "$DISTRO_LIKE" | grep -q -w rhel; then wanted_list="perl-JSON perl-Net-Netmask perl-Net-IP \ - perl-Net-DNS perl-DBD-SQLite perl-TermReadKey perl-DateTime \ - sudo fping xz sqlite binutils acl perl-TimeDate gnupg rsync \ + perl-Net-DNS perl-DBD-SQLite perl-TermReadKey \ + sudo fping xz sqlite binutils acl gnupg rsync \ perl-JSON-XS inotify-tools lsof curl perl-Term-ReadLine-Gnu \ perl-libwww-perl perl-Digest perl-Net-Server cryptsetup mosh \ expect openssh-server nc bash perl-CGI perl(Test::More) passwd \ - cracklib-dicts perl-Time-Piece perl-Time-HiRes which \ + cracklib-dicts perl-Time-Piece perl-Time-HiRes diffutils \ perl-Sys-Syslog pamtester google-authenticator qrencode-libs" if [ "$DISTRO_VERSION_MAJOR" = 7 ]; then wanted_list="$wanted_list fortune-mod coreutils" @@ -102,14 +102,14 @@ elif echo "$DISTRO_LIKE" | grep -q -w rhel; then install_cmd="yum install" elif echo "$DISTRO_LIKE" | grep -q -w suse; then wanted_list="perl-common-sense perl-JSON perl-Net-Netmask perl-Net-IP \ - perl-Net-DNS perl-DBD-SQLite perl-TermReadKey perl-DateTime \ + perl-Net-DNS perl-DBD-SQLite perl-TermReadKey \ fortune sudo fping \ - xz sqlite binutils acl perl-TimeDate gnupg rsync \ + xz sqlite binutils acl gnupg rsync \ perl-JSON-XS inotify-tools lsof curl perl-TermReadLine-Gnu \ perl-libwww-perl perl-Digest perl-IO-Socket-SSL \ perl-Net-Server cryptsetup mosh expect openssh \ coreutils netcat-openbsd bash perl-CGI iputils \ - perl-Time-HiRes which perl-Unix-Syslog hostname" + perl-Time-HiRes perl-Unix-Syslog hostname" wanted_list="$wanted_list google-authenticator-libpam" # perl-GnuPG [ "$opt_syslogng" = 1 ] && wanted_list="$wanted_list syslog-ng" diff --git a/bin/helper/osh-groupCreate b/bin/helper/osh-groupCreate index ef2b5a8..5b5bf20 100755 --- a/bin/helper/osh-groupCreate +++ b/bin/helper/osh-groupCreate @@ -175,6 +175,26 @@ $fnret->err eq 'OK' # Building /home/$group OVH::Bastion::touch_file("/home/$group/allowed.ip"); +osh_info("Adjusting permissions..."); +my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x'); +foreach my $command ( + ['chown', '-R', "$group:$group", "/home/$group"], + ['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"], + ['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"], + ['chmod', '0664', "/home/$group/allowed.ip"], + ) +{ + $fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1); + $fnret->err eq 'OK' + or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")"); +} +chmod 0751, "/home/$group" if !OVH::Bastion::has_acls(); + +foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") { + OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x") + or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir"); +} + osh_debug("Adding allowkeeper to group $group"); $fnret = OVH::Bastion::add_user_to_group(group => $group, user => 'allowkeeper', groupType => 'key'); $fnret or HEXIT($fnret); @@ -239,26 +259,6 @@ if (!$no_key) { $fnret or HEXIT($fnret); } -osh_info("Adjusting permissions..."); -my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x'); -foreach my $command ( - ['chown', '-R', "$group:$group", "/home/$group"], - ['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"], - ['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"], - ['chmod', '0664', "/home/$group/allowed.ip"], - ) -{ - $fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1); - $fnret->err eq 'OK' - or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")"); -} -chmod 0751, "/home/$group" if !OVH::Bastion::has_acls(); - -foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") { - OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x") - or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir"); -} - # allowed to sudo for the group osh_info("Configuring sudoers for this group"); $fnret = OVH::Bastion::execute(cmd => [$OVH::Bastion::BASEPATH . '/bin/sudogen/generate-sudoers.sh', 'create', 'group', $group], must_succeed => 1, noisy_stdout => 1); diff --git a/doc/sphinx/installation/basic.rst b/doc/sphinx/installation/basic.rst index f680e52..849cf42 100644 --- a/doc/sphinx/installation/basic.rst +++ b/doc/sphinx/installation/basic.rst @@ -27,7 +27,7 @@ We published a Puppet module to handle The Bastion configuration and prerequisit The following Linux distros are tested with each release, but as this is a security product, you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS: - Debian 10 (Buster), 9 (Stretch), 8 (Jessie) -- RHEL/CentOS 8, 7 +- RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908) - Ubuntu LTS 20.04, 18.04, 16.04, 14.04\* - OpenSUSE Leap 15.2\*, 15.1\*, 15.0\* diff --git a/docker/Dockerfile.centos7 b/docker/Dockerfile.centos7 index 14e8d44..71f2101 100644 --- a/docker/Dockerfile.centos7 +++ b/docker/Dockerfile.centos7 @@ -24,3 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] ENTRYPOINT /opt/bastion/docker/entrypoint.sh # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 +# TESTFROM centos:7.9.2009 centos:7.8.2003 centos:7.7.1908 diff --git a/docker/Dockerfile.centos8 b/docker/Dockerfile.centos8 index 3607961..85bb3ca 100644 --- a/docker/Dockerfile.centos8 +++ b/docker/Dockerfile.centos8 @@ -24,3 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] ENTRYPOINT /opt/bastion/docker/entrypoint.sh # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 +# TESTFROM centos:8.3.2011 centos:8.2.2004 centos:8.1.1911 diff --git a/tests/functional/docker/docker_build_and_run_tests.sh b/tests/functional/docker/docker_build_and_run_tests.sh index 2829e92..4d4de9d 100755 --- a/tests/functional/docker/docker_build_and_run_tests.sh +++ b/tests/functional/docker/docker_build_and_run_tests.sh @@ -11,22 +11,56 @@ namespace=the-bastion-test target="$1" test_script="$2" +get_supported_targets() { + local target targets subtarget + for dockerfile in "$(dirname "$0")"/../../../docker/Dockerfile.*; do + if grep -q '^# TESTENV ' "$dockerfile"; then + target=$(basename "$dockerfile") + target=${target/Dockerfile./} + # if the file has a TESTFROM entry, then it's actually multiple similar targets + if grep -q '^# TESTFROM ' "$dockerfile"; then + # shellcheck disable=SC2013 + for testfrom in $(grep '^# TESTFROM ' "$dockerfile" | cut -d' ' -f3-); do + subtarget="$target@$testfrom" + targets="$targets $subtarget" + done + fi + targets="$targets $target" + fi + done + # shellcheck disable=SC2086 + echo $targets +} + +print_supported_targets() { + local target + for target in $(get_supported_targets | tr " " "\n" | sort); do + echo "- $target" + done + echo +} + if [ -z "$target" ] || [ "$target" = "--list-targets" ]; then - targets=$(grep -l '^# TESTENV' "$(dirname "$0")"/../../../docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==') if [ -z "$target" ]; then echo "Usage: $0 " >&2 - echo -n "Supported targets are: " >&2 - grep -l '^# TESTENV' "$(dirname "$0")"/../../../docker/Dockerfile.* | sed -re 's=^.+/Dockerfile\.==' | tr '\n' " " >&2 - echo >&2 + echo "Supported targets are: " >&2 + print_supported_targets >&2 exit 1 else # shellcheck disable=SC2086 - echo $targets + print_supported_targets exit 0 fi fi -target_dockerfile="$(dirname "$0")"/../../../docker/Dockerfile."$target" +if echo "$target" | grep -q '@'; then + subtarget=$(echo "$target" | cut -d@ -f2) + target_dockerfile=$(echo "$target" | cut -d@ -f1) +else + subtarget='' + target_dockerfile="$target" +fi +target_dockerfile="$(dirname "$0")"/../../../docker/Dockerfile."$target_dockerfile" if [ ! -f "$target_dockerfile" ] ; then echo "Couldn't find a Dockerfile for $target ($target_dockerfile)" >&2 exit 1 @@ -37,10 +71,35 @@ echo "Building test environment" testenv_dockerfile="$(dirname "$0")/../../../docker/Dockerfile.tester" docker build -f "$testenv_dockerfile" -t "$namespace:tester" "$(dirname "$0")"/../../.. +# if we have a subtarget, we need to override the FROM of the target_dockerfile +# don't do this in place however, create a tempfile for this +if [ -n "$subtarget" ]; then + dockerfiletmp=$(mktemp) + trap 'rm -f $dockerfiletmp' EXIT + sed -re "s/^FROM .+/FROM $subtarget/" "$target_dockerfile" > "$dockerfiletmp" + target_dockerfile="$dockerfiletmp" +fi + # build target echo "Building target environment" +target=$(echo "$target" | sed -re 's/[^a-zA-Z0-9_-]/_/g') docker build -f "$target_dockerfile" -t "$namespace:$target" --build-arg "TEST_QUICK=$TEST_QUICK" "$(dirname "$0")"/../../.. +# get the target environment we want from the dockerfile +varstoadd='' +privileged='' +for var in $(grep '^# TESTENV' "$target_dockerfile" | tail -n1 | sed -re 's/^# TESTENV//') +do + echo "$var" | grep -Eq '^[A-Z0-9_]+=[01]$' && varstoadd="$varstoadd -e $var " + [ "$var" = "PRIVILEGED=1" ] && privileged='--privileged' +done + +# cleanup the dockerfile temp if applicable +if [ -n "$subtarget" ]; then + rm -f "$dockerfiletmp" + trap - EXIT +fi + # create temp key echo "Create user and root SSH keys" privdir=$(mktemp -d) @@ -54,14 +113,6 @@ ROOT_PUBKEY_B64=$(base64 -w0 < "$privdir"/rootkey.pub) rm -rf "$privdir" trap - EXIT -varstoadd='' -privileged='' -for var in $(grep '^# TESTENV' "$target_dockerfile" | tail -n1 | sed -re 's/^# TESTENV//') -do - echo "$var" | grep -Eq '^[A-Z0-9_]+=[01]$' && varstoadd="$varstoadd -e $var " - [ "$var" = "PRIVILEGED=1" ] && privileged='--privileged' -done - echo "Configuring network" docker rm -f "bastion_${target}_target" 2>/dev/null || true docker rm -f "bastion_${target}_tester" 2>/dev/null || true