summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess2014-03-30 20:18:45 -0400
committerJoey Hess2014-03-30 20:18:45 -0400
commit614d49789566cdf119997bf12c0d7494e386d4dd (patch)
tree8a3d11703c38832edcf834a52f353a09e46616b8
parent385a1de0ce80427e3d7d87c291758bf20f03fcf2 (diff)
propellor spin
-rw-r--r--Propellor.hs8
-rw-r--r--Property/User.hs22
2 files changed, 21 insertions, 9 deletions
diff --git a/Propellor.hs b/Propellor.hs
index 71f552d6..2b7f978e 100644
--- a/Propellor.hs
+++ b/Propellor.hs
@@ -19,8 +19,6 @@ getProperties :: HostName -> [Property]
getProperties hostname@"clam.kitenet.net" =
[ cleanCloudAtCost hostname
, standardSystem Apt.Unstable
- , User.hasPassword "root"
- , User.hasPassword "joey"
-- Clam is a tor bridge.
, Tor.isBridge
, Apt.installed ["docker.io"]
@@ -44,19 +42,19 @@ standardSystem suite = propertyList "standard system"
, Apt.installed ["etckeeper"]
, Apt.installed ["ssh"]
, GitHome.installedFor "root"
+ , User.hasSomePassword "root"
-- Harden the system, but only once root's authorized_keys
-- is safely in place.
, check (Ssh.hasAuthorizedKeys "root") $
Ssh.passwordAuthentication False
- , check (Ssh.hasAuthorizedKeys "root") $
- User.lockedPassword "root"
- , Apt.installed ["vim"]
, User.sshAccountFor "joey"
, Apt.installed ["sudo"]
-- nopasswd because no password is set up for joey.
, "sudoer joey" ==>
"/etc/sudoers" `File.containsLine` "joey ALL=(ALL:ALL) NOPASSWD:ALL"
+ , User.hasSomePassword "joey"
, GitHome.installedFor "joey"
+ , Apt.installed ["vim", "screen"]
-- I use postfix, or no MTA.
, Apt.removed ["exim4"] `onChange` Apt.autoRemove
]
diff --git a/Property/User.hs b/Property/User.hs
index 661a6f8a..6bdff2ea 100644
--- a/Property/User.hs
+++ b/Property/User.hs
@@ -22,6 +22,12 @@ nuked user _ = check (isJust <$> homedir user) $ cmdProperty "userdel"
]
`describe` ("nuked user " ++ user)
+{- Only ensures that the user has some password set. It may or may
+ - not be the password from the PrivData. -}
+hasSomePassword :: UserName -> Property
+hasSomePassword user = check ((/= HasPassword) <$> getPasswordStatus user) $
+ hasPassword user
+
hasPassword :: UserName -> Property
hasPassword user = Property (user ++ " has password") $
withPrivData (Password user) $ \password -> makeChange $
@@ -37,11 +43,19 @@ lockedPassword user = check (not <$> isLockedPassword user) $ cmdProperty "passw
]
`describe` ("locked " ++ user ++ " password")
-isLockedPassword :: UserName -> IO Bool
-isLockedPassword user = parse . words <$> readProcess "passwd" ["-S", user]
+data PasswordStatus = NoPassword | LockedPassword | HasPassword
+ deriving (Eq)
+
+getPasswordStatus :: UserName -> IO PasswordStatus
+getPasswordStatus user = parse . words <$> readProcess "passwd" ["-S", user]
where
- parse (_:"L":_) = True
- parse _ = False
+ parse (_:"L":_) = LockedPassword
+ parse (_:"NP":_) = NoPassword
+ parse (_:"P":_) = HasPassword
+ parse _ = NoPassword
+
+isLockedPassword :: UserName -> IO Bool
+isLockedPassword user = (== LockedPassword) <$> getPasswordStatus user
homedir :: UserName -> IO (Maybe FilePath)
homedir user = catchMaybeIO $ homeDirectory <$> getUserEntryForName user