Setup install file

config_example.ini

@@ -4,4 +4,5 @@ yubikey_serial = 12345678
 
 [HOSTCONFIG]
 logfile = log.log
-remove_sudo_timestamp_when_locking = true
+loglevel = 10
+remove_sudo_timestamp_when_locking = true

debian/91-usbftdi.rules

@@ -0,0 +1 @@
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", GROUP="yubilock" MODE="0664"

debian/yubilock.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Yubikey activated xscreensaver locker/unlocker
+After=syslog.target multi-user.target lightdm.service
+Requires=lightdm.service
+#Requires=syslog.socket
+#Documentation=man:rsyslogd(8)
+#Documentation=https://www.rsyslog.com/doc/
+
+[Service]
+#Type=simple
+ExecStart=/opt/yublilock/venv/bin/python /opt/yubilock/xscreensaver_yubilock.py -v
+User=yubilock
+#StandardOutput=null
+#Restart=on-failure
+
+# Increase the default a bit in order to allow many simultaneous
+# files to be monitored, we might need a lot of fds.
+#LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target

install.sh

@@ -0,0 +1,72 @@
+#! /bin/bash
+
+install_dir='/opt/yubilock/'
+logging_dir='/var/log/yubilock/'
+
+script_dir="$(dirname $(readlink -f $0))"
+# exit when any command fails
+set -e
+
+# Make sure running as root
+if [ `id -u` -ne 0 ]; then
+   echo 'Please run as root'
+   exit 1
+fi
+
+echo "Create yubilock user"
+adduser --system --home "$install_dir" --shell "/usr/sbin/nologin" --group --gecos "xscreensaver yubilock daemon" -q 'yubilock' 
+
+echo "Making sure python3 and virtualenv are installed"
+python3 --version || apt-get install python3
+python3 -m venv -h >/dev/null 2>&1 || apt-get install python3-venv
+
+
+echo "Create virualenv"
+[ -f "$install_dir/venv/bin/activate" ] || python3 -m venv "$install_dir/venv"
+. "$install_dir/venv/bin/activate"
+pip install setuptools wheel
+pip install -r "$script_dir/requirements.txt"
+
+
+echo "Copy over application files"
+cp "$script_dir/xscreensaver_yubilock.py" "$install_dir"
+cp "$script_dir/uninstall.sh" "$install_dir"
+cp "$script_dir/config_example.ini" "$install_dir/config.ini"
+
+# Remove first line from config
+sed -i '1d' "$install_dir/config.ini"
+
+chown -R yubilock:yubilock "$install_dir"
+chown root:yubilock "$install_dir"
+chmod 775 "$install_dir"
+
+
+echo "Create logging directory"
+mkdir -p "$logging_dir"
+chown --from=root:root root:yubilock "$logging_dir"
+chmod 775 "$logging_dir"
+sed -i "s+^logfile\ =.*+logfile\ =\ ${logging_dir}daemon.log+g" "$install_dir/config.ini"
+
+
+echo "Allow yubilock user access to X host"
+touch "$install_dir/.Xauthority"
+chown yubilock:yubilock "$install_dir/.Xauthority"
+hexkey=`sudo -u link xauth list | cut -d ' ' -f 5`
+export XAUTHORITY="/opt/yubilock/.Xauthority"
+echo sudo -u yubilock xauth add \":0\" . "$hexkey"
+sudo -u yubilock xauth add ":0" . "$hexkey"
+
+
+echo "Fix udev usb rights for yubilock"
+cp "$script_dir/debian/91-usbftdi.rules" '/etc/udev/rules.d/'
+chown root:root '/etc/udev/rules.d/91-usbftdi.rules'
+udevadm control --reload-rules
+
+
+echo "Enable as systemd service"
+cp "$script_dir/debian/yubilock.service" "/etc/systemd/system"
+sed -i "s+^ExecStart=.*+ExecStart=${install_dir}venv/bin/python ${install_dir}xscreensaver_yubilock.py+g" '/etc/systemd/system/yubilock.service'
+systemctl enable yubilock.service
+
+
+#(Uninstall script)

xscreensaver_yubilock.py

@@ -3,6 +3,7 @@
 #TODO:
 # - resolve exploit where key is plugged in and out quickly, resulting in an unlocked state
 
+import os
 import sys
 import subprocess
 import argparse
@@ -16,8 +17,10 @@ import logzero
 from logzero import logger
 from usb.core import USBError
 
+script_dir = os.path.dirname(os.path.realpath(__file__))
+
 config = ConfigParser()
-config.read("config.ini")
+config.read(f"{script_dir}/config.ini")
 
 yubikey_serials = config["USERCONFIG"]["yubikey_serial"].split(',')
 # Convert stringlist to intlist