OXIESEC PANEL

Name	Size	Modified	Perms
📁 ..	-	05/09/2024 07:15:07 AM	rwxr-xr-x
📄 __init__.py	14 bytes	04/20/2023 09:31:09 PM	rw-r--r--
📁 __pycache__	-	05/09/2024 07:15:08 AM	rwxr-xr-x
📄 cc_ansible.py	8.37 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_apk_configure.py	5.75 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_apt_configure.py	32.46 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_apt_pipelining.py	2.82 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_bootcmd.py	2.87 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_byobu.py	3.67 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_ca_certs.py	8.06 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_chef.py	13.79 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_disable_ec2_metadata.py	2.04 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_disk_setup.py	32.34 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_fan.py	3.11 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_final_message.py	3.41 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_growpart.py	19.42 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_grub_dpkg.py	5.49 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_install_hotplug.py	3.81 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_keyboard.py	2.08 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_keys_to_console.py	3.63 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_landscape.py	4.86 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_locale.py	1.88 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_lxd.py	17.96 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_mcollective.py	6.2 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_migrator.py	3.51 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_mounts.py	19.03 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_ntp.py	19.7 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_package_update_upgrade_install.py	4.42 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_phone_home.py	5.5 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_power_state_change.py	7.65 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_puppet.py	13.74 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_refresh_rmc_and_interface.py	5.48 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_reset_rmc.py	4.53 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_resizefs.py	10.56 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_resolv_conf.py	5.01 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_rh_subscription.py	17.05 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_rightscale_userdata.py	4.3 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_rsyslog.py	9.77 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_runcmd.py	2.92 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_salt_minion.py	5.54 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_scripts_per_boot.py	1.68 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_scripts_per_instance.py	1.83 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_scripts_per_once.py	1.78 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_scripts_user.py	1.87 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_scripts_vendor.py	2.31 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_seed_random.py	4.81 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_set_hostname.py	4.89 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_set_passwords.py	11.05 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_snap.py	6.39 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_spacewalk.py	3.52 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_ssh.py	14.03 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_ssh_authkey_fingerprints.py	4.24 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_ssh_import_id.py	5.82 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_timezone.py	1.44 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_ubuntu_advantage.py	16.88 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_ubuntu_autoinstall.py	4.56 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_ubuntu_drivers.py	4.63 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_update_etc_hosts.py	5.11 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_update_hostname.py	3.63 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_users_groups.py	7.6 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_wireguard.py	9.28 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_write_files.py	6.75 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_write_files_deferred.py	1.68 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_yum_add_repo.py	7.47 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 cc_zypper_add_repo.py	6.68 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 modules.py	11.43 KB	04/20/2023 09:31:09 PM	rw-r--r--
📄 schema.py	43.14 KB	04/20/2023 09:31:09 PM	rw-r--r--
📁 schemas	-	05/09/2024 07:15:08 AM	rwxr-xr-x

Editing: cc_users_groups.py

# Copyright (C) 2012 Canonical Ltd.
#
# Author: Ben Howard <ben.howard@canonical.com>
#
# This file is part of cloud-init. See LICENSE file for license information.

"Users and Groups: Configure users and groups"

from logging import Logger
from textwrap import dedent

from cloudinit import log as logging
from cloudinit.cloud import Cloud

# Ensure this is aliased to a name not 'distros'
# since the module attribute 'distros'
# is a list of distros that are supported, not a sub-module
from cloudinit.config import Config
from cloudinit.config.schema import MetaSchema, get_meta_doc
from cloudinit.distros import ug_util
from cloudinit.settings import PER_INSTANCE

MODULE_DESCRIPTION = """\
This module configures users and groups. For more detailed information on user
options, see the :ref:`Including users and groups<yaml_examples>` config
example.

Groups to add to the system can be specified under the ``groups`` key as
a string of comma-separated groups to create, or a list. Each item in
the list should either contain a string of a single group to create,
or a dictionary with the group name as the key and string of a single user as
a member of that group or a list of users who should be members of the group.

.. note::
   Groups are added before users, so any users in a group list must
   already exist on the system.

Users to add can be specified as a string or list under the ``users`` key.
Each entry in the list should either be a string or a dictionary. If a string
is specified, that string can be comma-separated usernames to create or the
reserved string ``default`` which represents the primary admin user used to
access the system. The ``default`` user varies per distribution and is
generally configured in ``/etc/cloud/cloud.cfg`` by the ``default_user`` key.

Each ``users`` dictionary item must contain either a ``name`` or ``snapuser``
key, otherwise it will be ignored. Omission of ``default`` as the first item
in the ``users`` list skips creation the default user. If no ``users`` key is
provided the default behavior is to create the default user via this config::

users:
 - default

.. note::
    Specifying a hash of a user's password with ``passwd`` is a security risk
    if the cloud-config can be intercepted. SSH authentication is preferred.

.. note::
    If specifying a sudo rule for a user, ensure that the syntax for the rule
    is valid, as it is not checked by cloud-init.

.. note::
    Most of these configuration options will not be honored if the user
    already exists. The following options are the exceptions; they are applied
    to already-existing users: ``plain_text_passwd``, ``hashed_passwd``,
    ``lock_passwd``, ``sudo``, ``ssh_authorized_keys``, ``ssh_redirect_user``.

The ``user`` key can be used to override the ``default_user`` configuration
defined in ``/etc/cloud/cloud.cfg``. The ``user`` value should be a dictionary
which supports the same config keys as the ``users`` dictionary items.
"""

meta: MetaSchema = {
    "id": "cc_users_groups",
    "name": "Users and Groups",
    "title": "Configure users and groups",
    "description": MODULE_DESCRIPTION,
    "distros": ["all"],
    "examples": [
        dedent(
            """\
        # Add the ``default_user`` from /etc/cloud/cloud.cfg.
        # This is also the default behavior of cloud-init when no `users` key
        # is provided.
        users:
        - default
        """
        ),
        dedent(
            """\
        # Add the 'admingroup' with members 'root' and 'sys' and an empty
        # group cloud-users.
        groups:
        - admingroup: [root,sys]
        - cloud-users
        """
        ),
        dedent(
            """\
        # Skip creation of the <default> user and only create newsuper.
        # Password-based login is rejected, but the github user TheRealFalcon
        # and the launchpad user falcojr can SSH as newsuper. The default
        # shell for newsuper is bash instead of system default.
        users:
        - name: newsuper
          gecos: Big Stuff
          groups: users, admin
          sudo: ALL=(ALL) NOPASSWD:ALL
          shell: /bin/bash
          lock_passwd: true
          ssh_import_id:
            - lp:falcojr
            - gh:TheRealFalcon
        """
        ),
        dedent(
            """\
        # On a system with SELinux enabled, add youruser and set the
        # SELinux user to 'staff_u'. When omitted on SELinux, the system will
        # select the configured default SELinux user.
        users:
        - default
        - name: youruser
          selinux_user: staff_u
        """
        ),
        dedent(
            """\
        # To redirect a legacy username to the <default> user for a
        # distribution, ssh_redirect_user will accept an SSH connection and
        # emit a message telling the client to ssh as the <default> user.
        # SSH clients will get the message:
        users:
        - default
        - name: nosshlogins
          ssh_redirect_user: true
        """
        ),
        dedent(
            """\
        # Override any ``default_user`` config in /etc/cloud/cloud.cfg with
        # supplemental config options.
        # This config will make the default user to mynewdefault and change
        # the user to not have sudo rights.
        ssh_import_id: [chad.smith]
        user:
          name: mynewdefault
          sudo: null
        """
        ),
    ],
    "frequency": PER_INSTANCE,
    "activate_by_schema_keys": [],
}

__doc__ = get_meta_doc(meta)

LOG = logging.getLogger(__name__)

# NO_HOME and NEED_HOME are mutually exclusive options
NO_HOME = ("no_create_home", "system")
NEED_HOME = ("ssh_authorized_keys", "ssh_import_id", "ssh_redirect_user")

def handle(
    name: str, cfg: Config, cloud: Cloud, log: Logger, args: list
) -> None:
    (users, groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
    (default_user, _user_config) = ug_util.extract_default(users)
    cloud_keys = cloud.get_public_ssh_keys() or []

for (name, members) in groups.items():
        cloud.distro.create_group(name, members)

for (user, config) in users.items():

no_home = [key for key in NO_HOME if config.get(key)]
        need_home = [key for key in NEED_HOME if config.get(key)]
        if no_home and need_home:
            raise ValueError(
                f"Not creating user {user}. Key(s) {', '.join(need_home)}"
                f" cannot be provided with {', '.join(no_home)}"
            )

ssh_redirect_user = config.pop("ssh_redirect_user", False)
        if ssh_redirect_user:
            if "ssh_authorized_keys" in config or "ssh_import_id" in config:
                raise ValueError(
                    "Not creating user %s. ssh_redirect_user cannot be"
                    " provided with ssh_import_id or ssh_authorized_keys"
                    % user
                )
            if ssh_redirect_user not in (True, "default"):
                raise ValueError(
                    "Not creating user %s. Invalid value of"
                    " ssh_redirect_user: %s. Expected values: true, default"
                    " or false." % (user, ssh_redirect_user)
                )
            if default_user is None:
                LOG.warning(
                    "Ignoring ssh_redirect_user: %s for %s."
                    " No default_user defined."
                    " Perhaps missing cloud configuration users: "
                    " [default, ..].",
                    ssh_redirect_user,
                    user,
                )
            else:
                config["ssh_redirect_user"] = default_user
                config["cloud_public_ssh_keys"] = cloud_keys

cloud.distro.create_user(user, **config)

# vi: ts=4 expandtab