Index: sysutils/google-compute-engine-oslogin/Makefile =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/Makefile @@ -0,0 +1,46 @@ +# $FreeBSD$ + +PORTNAME= google-compute-engine-oslogin +DISTVERSION= 1.1.2 +CATEGORIES= sysutils + +MAINTAINER= helen.koike@collabora.com +COMMENT= OS Login Guest Environment for Google Compute Engine + +LICENSE= APACHE20 +LICENSE_FILE= ${WRKSRC}/../LICENSE + +LIB_DEPENDS= libcurl.so:ftp/curl \ + libjson-c.so:devel/json-c +RUN_DEPENDS= gsed:textproc/gsed \ + ${LOCALBASE}/lib/pam_mkhomedir.so:security/pam_mkhomedir + +USES= gmake +USE_LDCONFIG= yes +USE_GCC= any +USE_GITHUB= yes +GH_ACCOUNT= GoogleCloudPlatform +GH_PROJECT= compute-image-packages +GH_TAGNAME= 20171213 +MAKE_ARGS= JSON_INCLUDE_PATH=${LOCALBASE}/include/json-c \ + BIN_INSTALL_PATH=/bin \ + PAM_INSTALL_PATH=/lib \ + AUTHKEYS_INSTALL_PATH=/bin \ + NSS_LIBRARY_SONAME=nss_oslogin.so.1 + +WRKSRC_SUBDIR= google_compute_engine_oslogin + +PLIST_SUB= DISTVERSION=${DISTVERSION} + +post-patch: + @${REINPLACE_CMD} -e 's|/etc/sudoers.d|${PREFIX}/etc/sudoers.d|g ; \ + s|/usr/bin|${PREFIX}/bin|g' ${WRKSRC}/bin/google_oslogin_control + +post-install: + ${LN} -sf libnss_${PORTNAME}-${DISTVERSION}.so ${STAGEDIR}${PREFIX}/lib/nss_oslogin.so.1 + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/google_authorized_keys \ + ${STAGEDIR}${PREFIX}/lib/libnss_google-compute-engine-oslogin-${DISTVERSION}.so \ + ${STAGEDIR}${PREFIX}/lib/pam_oslogin_admin.so \ + ${STAGEDIR}${PREFIX}/lib/pam_oslogin_login.so + +.include Index: sysutils/google-compute-engine-oslogin/distinfo =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1514471176 +SHA256 (GoogleCloudPlatform-compute-image-packages-1.1.2-20171213_GH0.tar.gz) = 483d97c6d64cd7d9002247db63af8cb591e526a09ce52fd8d545c66da3ebb181 +SIZE (GoogleCloudPlatform-compute-image-packages-1.1.2-20171213_GH0.tar.gz) = 131055 Index: sysutils/google-compute-engine-oslogin/files/patch-Makefile =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/files/patch-Makefile @@ -0,0 +1,11 @@ +--- Makefile.orig 2017-12-13 23:47:59 UTC ++++ Makefile +@@ -15,7 +15,7 @@ AUTHKEYS_INSTALL_PATH = /usr/bin + JSON_INCLUDE_PATH = /usr/include/json-c + INCLUDE_FLAGS = -I$(JSON_INCLUDE_PATH) + +-CXX = g++ ++CXX ?= g++ + CXXFLAGS += -fPIC# -Wall + PAMFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared + NSSFLAGS = $(LDFLAGS) $(INCLUDE_FLAGS) -shared -Wl,-soname,$(NSS_LIBRARY_SONAME) Index: sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/files/patch-bin_google__oslogin__control @@ -0,0 +1,51 @@ +--- bin/google_oslogin_control.orig 2017-12-13 23:47:59 UTC ++++ bin/google_oslogin_control +@@ -65,29 +65,31 @@ overwrite_file() { + + remove_from_config() { + config=$1 +- sed -i "/${added_comment}/,+1d" ${config}.new ++ gsed -i "/${added_comment}/,+1d" ${config}.new + } + + remove_from_nss_config() { +- sed -i '/^passwd:/ s/ oslogin//' ${nss_config}.new ++ gsed -i '/^passwd:/ s/ oslogin//' ${nss_config}.new + } + + add_to_sshd_config() { + remove_from_config ${sshd_config} +- sed -i "\$a${added_comment}\n${sshd_command}" ${sshd_config}.new +- sed -i "\$a${added_comment}\n${sshd_user}" ${sshd_config}.new ++ gsed -i "\$a${added_comment}\n${sshd_command}" ${sshd_config}.new ++ gsed -i "\$a${added_comment}\n${sshd_user}" ${sshd_config}.new + } + + add_to_nss_config() { + remove_from_nss_config +- sed -i '/^passwd:/ s/$/ oslogin/' ${nss_config}.new ++ gsed -i '/^passwd:/ s/$/ oslogin/' ${nss_config}.new ++ # Replace compat by files (as compat cannot be used with other sources) ++ gsed -i '/^passwd:/ s/compat/files/' ${nss_config}.new + } + + add_to_pam_config() { + remove_from_config ${pam_config} +- sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new +- sed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new +- sed -i "/pam_loginuid.so/ a${added_comment}\n${pam_homedir}" ${pam_config}.new ++ gsed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new ++ gsed -i "/account.*pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new ++ gsed -i "/session.*pam_permit.so/ a${added_comment}\n${pam_homedir}" ${pam_config}.new + } + + restart_service() { +@@ -100,7 +102,7 @@ restart_service() { + fi + fi + if which service > /dev/null 2>&1; then +- if service --status-all | grep -Fq ${service}; then ++ if service -e | grep -Fq ${service}; then + echo "Restarting ${service}." + service ${service} restart + return $? Index: sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/files/patch-nss__module_nss__oslogin.cc @@ -0,0 +1,38 @@ +--- nss_module/nss_oslogin.cc.orig 2017-12-13 23:47:59 UTC ++++ nss_module/nss_oslogin.cc +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -150,4 +151,27 @@ int _nss_oslogin_getpwent_r(struct passw + } + return NSS_STATUS_SUCCESS; + } ++ ++NSS_METHOD_PROTOTYPE(__nss_compat_getpwnam_r); ++NSS_METHOD_PROTOTYPE(__nss_compat_getpwuid_r); ++NSS_METHOD_PROTOTYPE(__nss_compat_getpwent_r); ++NSS_METHOD_PROTOTYPE(__nss_compat_setpwent); ++NSS_METHOD_PROTOTYPE(__nss_compat_endpwent); ++ ++static ns_mtab methods[] = { ++ { NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, (void*)_nss_oslogin_getpwnam_r }, ++ { NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, (void*)_nss_oslogin_getpwuid_r }, ++ { NSDB_PASSWD, "getpwent_r", __nss_compat_getpwent_r, (void*)_nss_oslogin_getpwent_r }, ++ { NSDB_PASSWD, "endpwent", __nss_compat_endpwent, (void*)_nss_oslogin_endpwent }, ++ { NSDB_PASSWD, "setpwent", __nss_compat_setpwent, (void*)_nss_oslogin_setpwent }, ++}; ++ ++ns_mtab * ++nss_module_register (const char *name, unsigned int *size, ++ nss_module_unregister_fn *unregister) ++{ ++ *size = sizeof (methods) / sizeof (methods[0]); ++ *unregister = NULL; ++ return (methods); ++} + } // extern "C" Index: sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__admin.cc @@ -0,0 +1,28 @@ +--- pam_module/pam_oslogin_admin.cc.orig 2017-12-13 23:47:59 UTC ++++ pam_module/pam_oslogin_admin.cc +@@ -14,7 +14,6 @@ + + #define PAM_SM_ACCOUNT + #include +-#include + #include + #include + #include +@@ -47,7 +46,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand + int pam_result = PAM_SUCCESS; + const char *user_name; + if ((pam_result = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) { +- pam_syslog(pamh, LOG_INFO, "Could not get pam user."); ++ syslog(LOG_INFO, "Could not get pam user."); + return pam_result; + } + string str_user_name(user_name); +@@ -77,7 +76,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand + if (HttpGet(url.str(), &response, &http_code) && http_code == 200 && + ParseJsonToAuthorizeResponse(response)) { + if (!file_exists) { +- pam_syslog(pamh, LOG_INFO, ++ syslog(LOG_INFO, + "Granting sudo permissions to organization user %s.", + user_name); + std::ofstream sudoers_file; Index: sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/files/patch-pam__module_pam__oslogin__login.cc @@ -0,0 +1,37 @@ +--- pam_module/pam_oslogin_login.cc.orig 2017-12-13 23:47:59 UTC ++++ pam_module/pam_oslogin_login.cc +@@ -14,7 +14,6 @@ + + #define PAM_SM_ACCOUNT + #include +-#include + #include + #include + #include +@@ -45,7 +44,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand + int pam_result = PAM_PERM_DENIED; + const char *user_name; + if ((pam_result = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) { +- pam_syslog(pamh, LOG_INFO, "Could not get pam user."); ++ syslog(LOG_INFO, "Could not get pam user."); + return pam_result; + } + string str_user_name(user_name); +@@ -88,7 +87,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand + chown(users_filename.c_str(), 0, 0); + chmod(users_filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP); + } +- pam_syslog(pamh, LOG_INFO, ++ syslog(LOG_INFO, + "Granting login permission for organization user %s.", + user_name); + pam_result = PAM_SUCCESS; +@@ -96,7 +95,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_hand + if (file_exists) { + remove(users_filename.c_str()); + } +- pam_syslog(pamh, LOG_INFO, ++ syslog(LOG_INFO, + "Denying login permission for organization user %s.", user_name); + + pam_result = PAM_PERM_DENIED; Index: sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/files/patch-utils_oslogin__utils.cc @@ -0,0 +1,18 @@ +--- utils/oslogin_utils.cc.orig 2017-12-13 23:47:59 UTC ++++ utils/oslogin_utils.cc +@@ -218,7 +218,14 @@ bool ValidatePasswd(struct passwd* resul + } + } + if (strlen(result->pw_shell) == 0) { +- if (!buf->AppendString("/bin/bash", &result->pw_shell, errnop)) { ++ if (!buf->AppendString("/bin/sh", &result->pw_shell, errnop)) { ++ return false; ++ } ++ } ++ ++ // If shell is set to /bin/bash, fallback to /bin/sh ++ if (strcmp(result->pw_shell, "/bin/bash") == 0 ) { ++ if (!buf->AppendString("/bin/sh", &result->pw_shell, errnop)) { + return false; + } + } Index: sysutils/google-compute-engine-oslogin/pkg-descr =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/pkg-descr @@ -0,0 +1,19 @@ +This package enables Google Cloud OS Login features on Google Compute Engine +instances. +The OS Login package has the following components: + +- Authorized Keys Command to fetch SSH keys from the user's OS Login profile and +make them available to sshd. +- NSS Module provides support for making OS Login user and group information +available to the system, using NSS (Name Service Switch) functionality. +- PAM Module provides authorization and authentication support allowing the +system to use data stored in Google Cloud IAM permissions to control both, the +ability to log into an instance, and to perform operations as root (sudo). +- Utils provides common code to support the components listed above. + +In addition to the main components, there are also utilities for packaging and +installing these components: + +- bin contains a shell script for (de)activating the package components. + +WWW: https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google_compute_engine_oslogin Index: sysutils/google-compute-engine-oslogin/pkg-plist =================================================================== --- /dev/null +++ sysutils/google-compute-engine-oslogin/pkg-plist @@ -0,0 +1,6 @@ +bin/google_authorized_keys +bin/google_oslogin_control +lib/libnss_google-compute-engine-oslogin-%%DISTVERSION%%.so +lib/nss_oslogin.so.1 +lib/pam_oslogin_admin.so +lib/pam_oslogin_login.so