+# -*- coding: utf-8 -*-
+#
# Copyright 2012 GRNET S.A. All rights reserved.
#
# Redistribution and use in source and binary forms, with or
# interpreted as representing official policies, either expressed
# or implied, of GRNET S.A.
-import re
-import sys
+"""This module hosts OS-specific code common to all Unix-like OSs."""
from image_creator.os_type import OSBase, sysprep
class Unix(OSBase):
-
+ """OS class for Unix"""
sensitive_userdata = [
+ '.history',
'.bash_history',
'.gnupg',
'.ssh',
- '.mozilla',
- '.thunderbird'
+ '.kamakirc',
+ '.kamaki.history'
]
- def __init__(self, rootdev, ghandler, output):
- super(Unix, self).__init__(rootdev, ghandler, output)
-
- self.meta["USERS"] = " ".join(self._get_passworded_users())
- # Delete the USERS metadata if empty
- if not len(self.meta['USERS']):
- self.out.warn("No passworded users found!")
- del self.meta['USERS']
-
-
- def _get_passworded_users(self):
- users = []
- regexp = re.compile('(\S+):((?:!\S+)|(?:[^!*]\S+)|):(?:\S*:){6}')
-
- for line in self.g.cat('/etc/shadow').splitlines():
- match = regexp.match(line)
- if not match:
- continue
-
- user, passwd = match.groups()
- if len(passwd) > 0 and passwd[0] == '!':
- self.out.warn("Ignoring locked %s account." % user)
- else:
- users.append(user)
-
- return users
-
- @sysprep(enabled=False)
- def remove_user_accounts(self, print_header=True):
- """Remove all user accounts with id greater than 1000"""
-
- if print_header:
- self.out.output("Removing all user accounts with id greater than "
- "1000")
-
- if 'USERS' not in self.meta:
- return
-
- # Remove users from /etc/passwd
- passwd = []
- removed_users = {}
- metadata_users = self.meta['USERS'].split()
- for line in self.g.cat('/etc/passwd').splitlines():
- fields = line.split(':')
- if int(fields[2]) > 1000:
- removed_users[fields[0]] = fields
- # remove it from the USERS metadata too
- if fields[0] in metadata_users:
- metadata_users.remove(fields[0])
+ def _mountpoints(self):
+ """Return mountpoints in the correct order.
+ / should be mounted before /boot or /usr, /usr befor /usr/bin ...
+ """
+ mps = self.image.g.inspect_get_mountpoints(self.root)
+
+ def compare(a, b):
+ if len(a[0]) > len(b[0]):
+ return 1
+ elif len(a[0]) == len(b[0]):
+ return 0
else:
- passwd.append(':'.join(fields))
-
- self.meta['USERS'] = " ".join(metadata_users)
-
- # Delete the USERS metadata if empty
- if not len(self.meta['USERS']):
- del self.meta['USERS']
+ return -1
+ mps.sort(compare)
- self.g.write('/etc/passwd', '\n'.join(passwd) + '\n')
+ for mp in mps:
+ yield mp
- # Remove the corresponding /etc/shadow entries
- shadow = []
- for line in self.g.cat('/etc/shadow').splitlines():
- fields = line.split(':')
- if fields[0] not in removed_users:
- shadow.append(':'.join(fields))
+ def _do_mount(self, readonly):
+ """Mount partitions in the correct order"""
- self.g.write('/etc/shadow', "\n".join(shadow) + '\n')
+ critical_mpoints = ('/', '/etc', '/root', '/home', '/var')
- # Remove the corresponding /etc/group entries
- group = []
- for line in self.g.cat('/etc/group').splitlines():
- fields = line.split(':')
- # Remove groups tha have the same name as the removed users
- if fields[0] not in removed_users:
- group.append(':'.join(fields))
+ mopts = 'ro' if readonly else 'rw'
+ for mp, dev in self._mountpoints():
+ try:
+ self.image.g.mount_options(mopts, dev, mp)
+ except RuntimeError as msg:
+ if mp in critical_mpoints:
+ self.out.warn('unable to mount %s. Reason: %s' % (mp, msg))
+ return False
+ else:
+ self.out.warn('%s (ignored)' % msg)
- self.g.write('/etc/group', '\n'.join(group) + '\n')
+ return True
- # Remove home directories
- for home in [field[5] for field in removed_users.values()]:
- if self.g.is_dir(home) and home.startswith('/home/'):
- self.g.rm_rf(home)
-
- @sysprep()
- def cleanup_passwords(self, print_header=True):
- """Remove all passwords and lock all user accounts"""
-
- if print_header:
- self.out.output("Cleaning up passwords & locking all user "
- "accounts")
-
- shadow = []
-
- for line in self.g.cat('/etc/shadow').splitlines():
- fields = line.split(':')
- if fields[1] not in ('*', '!'):
- fields[1] = '!'
-
- shadow.append(":".join(fields))
-
- self.g.write('/etc/shadow', "\n".join(shadow) + '\n')
-
- @sysprep()
- def cleanup_cache(self, print_header=True):
+ @sysprep('Removing files under /var/cache')
+ def cleanup_cache(self):
"""Remove all regular files under /var/cache"""
- if print_header:
- self.out.output('Removing files under /var/cache')
-
- self.foreach_file('/var/cache', self.g.rm, ftype='r')
+ self._foreach_file('/var/cache', self.image.g.rm, ftype='r')
- @sysprep()
- def cleanup_tmp(self, print_header=True):
+ @sysprep('Removing files under /tmp and /var/tmp')
+ def cleanup_tmp(self):
"""Remove all files under /tmp and /var/tmp"""
- if print_header:
- self.out.output('Removing files under /tmp and /var/tmp')
+ self._foreach_file('/tmp', self.image.g.rm_rf, maxdepth=1)
+ self._foreach_file('/var/tmp', self.image.g.rm_rf, maxdepth=1)
- self.foreach_file('/tmp', self.g.rm_rf, maxdepth=1)
- self.foreach_file('/var/tmp', self.g.rm_rf, maxdepth=1)
-
- @sysprep()
- def cleanup_log(self, print_header=True):
+ @sysprep('Emptying all files under /var/log')
+ def cleanup_log(self):
"""Empty all files under /var/log"""
- if print_header:
- self.out.output('Emptying all files under /var/log')
-
- self.foreach_file('/var/log', self.g.truncate, ftype='r')
+ self._foreach_file('/var/log', self.image.g.truncate, ftype='r')
- @sysprep(enabled=False)
- def cleanup_mail(self, print_header=True):
+ @sysprep('Removing files under /var/mail & /var/spool/mail', enabled=False)
+ def cleanup_mail(self):
"""Remove all files under /var/mail and /var/spool/mail"""
- if print_header:
- self.out.output('Removing files under /var/mail & /var/spool/mail')
+ if self.image.g.is_dir('/var/spool/mail'):
+ self._foreach_file('/var/spool/mail', self.image.g.rm_rf,
+ maxdepth=1)
- self.foreach_file('/var/spool/mail', self.g.rm_rf, maxdepth=1)
- self.foreach_file('/var/mail', self.g.rm_rf, maxdepth=1)
+ self._foreach_file('/var/mail', self.image.g.rm_rf, maxdepth=1)
- @sysprep()
- def cleanup_userdata(self, print_header=True):
+ @sysprep('Removing sensitive user data')
+ def cleanup_userdata(self):
"""Delete sensitive userdata"""
- homedirs = ['/root'] + self.ls('/home/')
+ homedirs = ['/root']
+ if self.image.g.is_dir('/home/'):
+ homedirs += self._ls('/home/')
- if print_header:
- self.out.output("Removing sensitive user data under %s" %
- " ".join(homedirs))
+ action = self.image.g.rm_rf
+ if self._scrub_support:
+ action = self.image.g.scrub_file
+ else:
+ self.out.warn("Sensitive data won't be scrubbed (not supported)")
for homedir in homedirs:
for data in self.sensitive_userdata:
fname = "%s/%s" % (homedir, data)
- if self.g.is_file(fname):
- self.g.scrub_file(fname)
+ if self.image.g.is_file(fname):
+ action(fname)
+ elif self.image.g.is_dir(fname):
+ self._foreach_file(fname, action, ftype='r')
# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :
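Review bot: The "ignored" branch of `_do_mount` drops the identity of the filesystem it skipped, because the warning at the `else` after the `critical_mpoints` check formats only the exception text; an operator reading the log cannot tell which mountpoint or device was left unmounted. A failed non-critical mount is also not harmless for the later sysprep tasks: if a separate /var/log, /tmp or /var/mail filesystem fails to mount, `cleanup_log`, `cleanup_tmp` and `cleanup_mail` appear to run against the empty directory on the root filesystem and the data on the unmounted partition stays in the image. I would at least name the skipped filesystem, `self.out.warn('unable to mount %s on %s: %s (ignored)' % (dev, mp, msg))`, and add a comment above the `critical_mpoints` tuple saying that a mount failure outside this set is only warned about and that cleanup tasks for that path will then operate on the underlying directory instead. On the critical path the function returns `False` with the earlier mounts still in place; presumably the caller unmounts on failure, which is worth stating in the docstring.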