
Fix install script, add screensaver graphic program killer

master
Burathar 4 years ago
parent
commit
1ec9d54caf
  1. 6
      bin/config_system.ini
  2. 3
      bin/config_user.ini
  3. 157
      bin/install.sh
  4. 41
      bin/kill_screensaver_graphic_program.sh
  5. 0
      bin/uninstall.sh
  6. 7
      bin/xscreensaver_yubilock.py
  7. 2
      config_example.ini
  8. 16
      debian/yubilock.service
  9. 91
      install.sh

6
bin/config_system.ini

@ -0,0 +1,6 @@
[USERCONFIG]
remove_sudo_timestamp_when_locking = true
[HOSTCONFIG]
logfile = log.log
loglevel = 10

3
bin/config_user.ini

@ -0,0 +1,3 @@
[USERCONFIG]
yubikey_serial = 12345678
remove_sudo_timestamp_when_locking = true

157
bin/install.sh

@ -0,0 +1,157 @@
#! /bin/bash
install_dir='/opt/yubilock/'
logging_dir='/var/log/yubilock/'
script_dir="$(dirname $(readlink -f $0))"
# exit when any command fails
set -e
# Make sure running as root
if [ `id -u` -ne 0 ]; then
echo 'Please run as root'
exit 1
fi
# Ask for user parameters
echo "This installer is meant to install the yubilock service for one user. Please specifiy for wich user you want to install xscreensaver-yubilock"
read -p 'Username: ' username
userid=`id -u "$username" 2>/dev/null` || ( echo "$username is not a user on this system" && exit 1 )
[ "$userid" -lt 1000 ] && echo "User $username seems to be a systemuser (uid: $userid). Please specify a normal user." && exit 1
echo "Allowed yubikey serials can be set systemwide in ${install_dir}config.ini, or per user in \$HOME/.yubilock. Do you wish to add one or more for $username now?"
read -p "Add Yubikey serial? (Y/n) " add_serial
[ -z "$add_serial" ] && add_serial='yes' # if no input, assume yes
case ${add_serial:0:1} in
y|Y|1 )
add_serial='yes';;
* )
add_serial='no';;
esac
if [ "$add_serial" = 'yes' ]; then
if ! ykman -v >/dev/null 2>&1 ; then
echo "yubikey-manager doesn't seem to be installed. Do you want to install it? ('no' means you'll have to add your yubikey serial manually later)"
read -p "Install yubikey-manager? (Y/n) " install_ykman
[ -z "$install_ykman" ] && install_ykman='yes' # if no input, assume yes
case ${install_ykman:0:1} in
y|Y|1 )
apt-get install -y yubikey-manager;;
* )
break 3;;
esac
fi
echo "Please make sure your yubikey(s) are plugged in. Then press any key to continue"
read -n 1 -s -r
serials=`ykman list | sed -e 's#.*:\ \(\)#\1#' | tr '\n' ','` # List all keys, get the serials, and comma separate them
serials="${serials%?}" # Remove trailing comma
echo "The following serial(s) will be added to your config file: $serials"
fi
echo "Do you want the daemon to be started by systemd? (you'll have to start it manually every login session if you choose no)"
read -p "Use Systemd? (Y/n) " use_systemd
[ -z "$use_systemd" ] && use_systemd='yes' # if no input, assume yes
case ${use_systemd:0:1} in
y|Y|1 )
use_systemd='yes';;
* )
use_systemd='no';;
esac
echo "== Making sure python3 and virtualenv are installed =="
python3 --version || apt-get install -y python3
python3 -m venv -h >/dev/null 2>&1 || apt-get install -y python3-venv
echo "== Create yubilock group =="
addgroup --system yubilock
echo "== Add $username to yubilock group =="
usermod -a -G yubilock "$username"
echo "== Create virualenv =="
[ -f "$install_dir/venv/bin/activate" ] || python3 -m venv "$install_dir/venv"
. "$install_dir/venv/bin/activate"
pip install setuptools wheel
pip install -r "$script_dir/requirements.txt"
echo "== Copy over application files =="
cp "$script_dir/bin/xscreensaver_yubilock.py" "$install_dir"
cp "$script_dir/bin/uninstall.sh" "$install_dir"
cp "$script_dir/bin/kill_screensaver_graphic_program.sh" "$install_dir"
cp "$script_dir/bin/config_system.ini" "$install_dir/config.ini"
chown -R root:yubilock "$install_dir"
chmod 771 "$install_dir"
# Add yubikey serials to config
if [ -n "$serials" ]; then
homedir=`eval echo ~"$username"`
echo "Homedir: $homedir"
[ -f "$homedir/.yubilock" ] || ( cp "$script_dir/bin/config_user.ini" "$homedir/.yubilock" && chown "$username:$username" "$homedir/.yubilock")
sed -i "s+^yubikey_serial.*+yubikey_serial\ =\ $serials+g" "$homedir/.yubilock"
echo "Add yubikey serial(s) to $homedir/.yubilock"
fi
echo "== Create logging directory =="
mkdir -p "$logging_dir"
chown --from=root:root root:yubilock "$logging_dir"
chmod 775 "$logging_dir"
sed -i "s+^logfile\ =.*+logfile\ =\ ${logging_dir}daemon.log+g" "$install_dir/config.ini"
echo "== Fix udev usb rights for yubilock group =="
cp "$script_dir/debian/91-usbftdi.rules" '/etc/udev/rules.d/'
chown root:root '/etc/udev/rules.d/91-usbftdi.rules'
udevadm control --reload-rules
if [ "$use_systemd" = 'yes' ]; then
echo "== Enable as systemd service =="
mkdir -p "/home/$username/.config/systemd/user"
cp "$script_dir/debian/yubilock.service" "/home/$username/.config/systemd/user"
sed -i "s+^ExecStart=.*+ExecStart=${install_dir}venv/bin/python ${install_dir}xscreensaver_yubilock.py -v+g" "/home/$username/.config/systemd/user/yubilock.service"
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user daemon-reload'
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user enable yubilock.service'
# su is used for systemctl user units because systemctl matches executing uid to unit owner uid. See:
# https://unix.stackexchange.com/questions/483948/inspect-unit-status-for-user-units-with-systemctl-as-root/485063#485063
else
# Make sure service is removed if previously installed
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user stop yubilock.service >/dev/null 2>&1'
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user disable yubilock.service >/dev/null 2>&1'
rm "/home/$username/.config/systemd/user/yubilock.service" >/dev/null 2>&1
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user daemon-reload'
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user reset-failed'
fi
echo "== xscreensaver-yubilock is installed! =="
echo "== to enable yubilock, please restart your device ==
exit 0
# Due to loginctl not updating user groups, the user has to restart before the service can be started.
if [ "$use_systemd" = 'yes' ]; then
echo "Do you wish to start the daemon now? WARNING: If the specified yubikey is not plugged in, your machine will lock. Alternatively, you can start the service using 'sudo systemctl start yubilock.service' or wait for next login."
read -p "Start daemon? (y/N) " start_daemon
[ -z "$start_daemon" ] && start_daemon='no' # if no input, assume no
case ${start_daemon:0:1} in
n|N|0 )
;;
* )
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user start yubilock.service';;
esac
fi
exit 0
#(Uninstall script)
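Review bot: The `echo "== to enable yubilock, please restart your device ==` line has no closing double-quote, so bash reads the following `exit 0`, the comment and the start of the `if [ "$use_systemd"` test as part of the string and the installer dies with a syntax error right after printing the "installed!" message instead of exiting cleanly; the fix is `echo "== to enable yubilock, please restart your device =="`. In the `else` branch, `rm "/home/$username/.config/systemd/user/yubilock.service"` and the two `su … systemctl --user stop/disable` calls run under the `set -e` declared at the top, so a first-time install that answers "no" to systemd aborts as soon as the unit file or unit is absent; use `rm -f …` and append `|| true` to the two `su` lines. `homedir=\`eval echo ~"$username"\`` evaluates root-run shell code built from the interactively typed username (the earlier `id -u` check restricts this to existing accounts, which narrows but does not remove the risk); `homedir=$(getent passwd "$username" | cut -d: -f6)` yields the same value without `eval`, and the systemd branch should use it instead of hardcoding `/home/$username`. The final prompt still tells the user to run `sudo systemctl start yubilock.service`, but the unit is now a per-user unit, so that text should read `systemctl --user start yubilock.service`.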

41
bin/kill_screensaver_graphic_program.sh

@ -0,0 +1,41 @@
#! /bin/bash
function help () {
echo "Usage: $0 [OPTIONS] <file>"
echo "Cleans up xscreensaver graphic programs left behind after killing xscreensaver itself."
echo " -u specify a username for which to kill xscreensaver artifacts"
echo " -h display this output"
exit 1
}
while getopts ':u:' opt ; do
case "$opt" in
u)
username="${OPTARG}"
userid=`id -u "$username" 2>/dev/null` || { echo "$username is not a user on this system" && exit 1 ;}
[ "$userid" -lt 1000 ] && echo "User $username seems to be a systemuser (uid: $userid). Please specify a normal user." && exit 1
;;
h) help ;;
:)
echo "$0: Must supply an argument to -$OPTARG." >&2
exit 1
;;
?)
echo "Invalid option: -${OPTARG}."
exit 2
;;
esac
done
username="${username:-$USER}"
homedir=`eval echo "~$username"`
selected_graphic_nr=`grep selected "$homedir/.xscreensaver" | cut -f 2`
regex='/\\n\\/'
graphic_process_name=`cat "$homedir/.xscreensaver" | awk "$regex && ++n == "$selected_graphic_nr" {getline; print; exit}" | cut -f 5 | cut -d ' ' -f 1 `
echo "graphic_process_name: $graphic_process_name"
[ -z "$graphic_process_name" ] && { echo Could not find selected graphic application && exit 1; }
graphic_processes=`ps -U "$username" | grep "$graphic_process_name" | awk '{$1=$1};1' | cut -d ' ' -f 1 | tr '\n' ' ' ` || { echo "No screensaver graphic processes were found for $username" && exit 0; }
echo "graphic_processes: $graphic_processes"
[ -z "$graphic_processes" ] && { echo "No xscreensaver graphic processes seem to be running for $username" && exit 0; }
process_count=`echo $graphic_processes | wc -w`
kill $graphic_processes && echo "killed $process_count screensaver graphic processes for $username"
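Review bot: `awk "$regex && ++n == "$selected_graphic_nr" {getline; print; exit}"` splices a value read from `$homedir/.xscreensaver` (`grep selected … | cut -f 2`) directly into the awk program text, so whoever controls that file controls what awk executes; since `-u` exists precisely so another account (presumably root, given the uid check) can run this for a user, a crafted `selected:` line in the target user's `.xscreensaver` would run code as the caller. Pass it as data instead: `awk -v n="$selected_graphic_nr" "$regex"' && ++m == n {getline; print; exit}'`. Likewise `ps -U "$username" | grep "$graphic_process_name"` treats the program name from the same file as an unanchored regex and then `kill`s every match; `pgrep -u "$username" -x -- "$graphic_process_name"` matches the exact process name and also makes the `|| { … exit 0; }` on that line meaningful, which today effectively never fires because the pipeline's status is that of the trailing `tr`. `homedir=\`eval echo "~$username"\`` should become `homedir=$(getent passwd "$username" | cut -d: -f6)` for the same reason, and the usage text advertises a `<file>` argument the script never reads.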

0
uninstall.sh → bin/uninstall.sh

7
xscreensaver_yubilock.py → bin/xscreensaver_yubilock.py

@ -18,9 +18,10 @@ from logzero import logger
from usb.core import USBError from usb.core import USBError
script_dir = os.path.dirname(os.path.realpath(__file__)) script_dir = os.path.dirname(os.path.realpath(__file__))
home_dir = os.path.expanduser("~")
config = ConfigParser() config = ConfigParser()
config.read(f"{script_dir}/config.ini") config.read([f"{script_dir}/config.ini", f"{home_dir}/.yubilock"])
yubikey_serials = config["USERCONFIG"]["yubikey_serial"].split(',') yubikey_serials = config["USERCONFIG"]["yubikey_serial"].split(',')
# Convert stringlist to intlist # Convert stringlist to intlist
@ -50,7 +51,7 @@ def execute(command: str, shell_on: bool = False, background: bool = False):
def lock_screen(): def lock_screen():
if args.dummy : if args.dummy :
return return
if config.getboolean('HOSTCONFIG', 'remove_sudo_timestamp_when_locking', fallback=True): if config.getboolean('USERCONFIG', 'remove_sudo_timestamp_when_locking', fallback=True):
execute('sudo -K', shell_on=True) execute('sudo -K', shell_on=True)
execute('DISPLAY=:0 xscreensaver-command -lock', shell_on=True) execute('DISPLAY=:0 xscreensaver-command -lock', shell_on=True)
return return
@ -64,6 +65,7 @@ def unlock_screen():
if xscreensaver_pid != 'null': if xscreensaver_pid != 'null':
execute('kill %s' % xscreensaver_pid, shell_on=True) execute('kill %s' % xscreensaver_pid, shell_on=True)
execute(f"{script_dir}/kill_screensaver_graphic_program.sh", shell_on=True)
# restart xscreensaver process # restart xscreensaver process
execute('DISPLAY=:0 xscreensaver -no-splash&', shell_on=True, background = True) execute('DISPLAY=:0 xscreensaver -no-splash&', shell_on=True, background = True)
@ -149,6 +151,7 @@ def get_hid_event_monitor():
if __name__ == "__main__": if __name__ == "__main__":
args = get_args() args = get_args()
execute('id > /tmp/id.txt &', shell_on=True, background = True)
setup_logger(config.get("HOSTCONFIG", "logfile", setup_logger(config.get("HOSTCONFIG", "logfile",
fallback="log.log")) fallback="log.log"))
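Review bot: `execute('id > /tmp/id.txt &', shell_on=True, background = True)` under `if __name__ == "__main__":` looks like a debugging leftover: it writes the daemon's identity to a fixed, predictable path in the shared `/tmp` on every start, which is both noise and a classic symlink / pre-created-file target for other local accounts; drop the line, or if the output is needed, log it through the `setup_logger` path set up right below it. With `config.read([f"{script_dir}/config.ini", f"{home_dir}/.yubilock"])` the serial may now live only in the per-user file, but `config["USERCONFIG"]["yubikey_serial"]` on the next line still raises `KeyError` when neither file defines it — which is exactly the state the new `config_system.ini` ships in for a user who declined to add a serial during install; use `config.get('USERCONFIG', 'yubikey_serial', fallback='')` and exit with a clear message when it is empty. The `remove_sudo_timestamp_when_locking` lookup moved from `[HOSTCONFIG]` to `[USERCONFIG]` with `fallback=True`, so a pre-existing `config.ini` that set it to `false` under `[HOSTCONFIG]` now silently reverts to clearing the sudo timestamp — fail-safe, but worth a line in the changelog. The `__main__` block continues past the end of the hunk.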

2
config_example.ini

@ -1,8 +1,8 @@
# Make a copy of this file, rename it to config.ini, and replace the yubikey serial # Make a copy of this file, rename it to config.ini, and replace the yubikey serial
[USERCONFIG] [USERCONFIG]
yubikey_serial = 12345678 yubikey_serial = 12345678
remove_sudo_timestamp_when_locking = true
[HOSTCONFIG] [HOSTCONFIG]
logfile = log.log logfile = log.log
loglevel = 10 loglevel = 10
remove_sudo_timestamp_when_locking = true

16
debian/yubilock.service vendored

@ -1,21 +1,13 @@
[Unit] [Unit]
Description=Yubikey activated xscreensaver locker/unlocker Description=Yubikey activated xscreensaver locker/unlocker
After=syslog.target multi-user.target lightdm.service
Requires=lightdm.service
#Requires=syslog.socket #Requires=syslog.socket
#Documentation=man:rsyslogd(8) Documentation=https://git.sciuro.org/Burathar/xscreensaver-yubilock
#Documentation=https://www.rsyslog.com/doc/
[Service] [Service]
#Type=simple Type=simple
ExecStart=/opt/yublilock/venv/bin/python /opt/yubilock/xscreensaver_yubilock.py -v ExecStart=/opt/yublilock/venv/bin/python /opt/yubilock/xscreensaver_yubilock.py -v
User=yubilock
#StandardOutput=null #StandardOutput=null
#Restart=on-failure Restart=on-failure
# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
#LimitNOFILE=16384
[Install] [Install]
WantedBy=multi-user.target WantedBy=default.target

91
install.sh

@ -19,7 +19,7 @@ read -p 'Username: ' username
userid=`id -u "$username" 2>/dev/null` || ( echo "$username is not a user on this system" && exit 1 ) userid=`id -u "$username" 2>/dev/null` || ( echo "$username is not a user on this system" && exit 1 )
[ "$userid" -lt 1000 ] && echo "User $username seems to be a systemuser (uid: $userid). Please specify a normal user." && exit 1 [ "$userid" -lt 1000 ] && echo "User $username seems to be a systemuser (uid: $userid). Please specify a normal user." && exit 1
echo "Allowed yubikey serials can be set in {$install_dir}config.ini. Do you wish to add one or more automaticaly now?" echo "Allowed yubikey serials can be set systemwide in ${install_dir}config.ini, or per user in \$HOME/.yubilock. Do you wish to add one or more for $username now?"
read -p "Add Yubikey serial? (Y/n) " add_serial read -p "Add Yubikey serial? (Y/n) " add_serial
[ -z "$add_serial" ] && add_serial='yes' # if no input, assume yes [ -z "$add_serial" ] && add_serial='yes' # if no input, assume yes
case ${add_serial:0:1} in case ${add_serial:0:1} in
@ -30,7 +30,7 @@ case ${add_serial:0:1} in
esac esac
if [ "$add_serial" = 'yes' ]; then if [ "$add_serial" = 'yes' ]; then
if ! ykman -v >/dev/null 2>&1 ; then if ! ykman -v >/dev/null 2>&1 ; then
echo "yubikey-manager doesn't seem to be installed. Do you want to install it? ('no' means you'll have to add your yubikey serial manually later" echo "yubikey-manager doesn't seem to be installed. Do you want to install it? ('no' means you'll have to add your yubikey serial manually later)"
read -p "Install yubikey-manager? (Y/n) " install_ykman read -p "Install yubikey-manager? (Y/n) " install_ykman
[ -z "$install_ykman" ] && install_ykman='yes' # if no input, assume yes [ -z "$install_ykman" ] && install_ykman='yes' # if no input, assume yes
case ${install_ykman:0:1} in case ${install_ykman:0:1} in
@ -61,77 +61,86 @@ esac
echo "Create yubilock user" echo "== Making sure python3 and virtualenv are installed =="
adduser --system --home "$install_dir" --shell "/usr/sbin/nologin" --group --gecos "xscreensaver yubilock daemon" -q 'yubilock'
echo "Making sure python3 and virtualenv are installed"
python3 --version || apt-get install -y python3 python3 --version || apt-get install -y python3
python3 -m venv -h >/dev/null 2>&1 || apt-get install -y python3-venv python3 -m venv -h >/dev/null 2>&1 || apt-get install -y python3-venv
echo "Create virualenv"
echo "== Create yubilock group =="
addgroup --system yubilock
echo "== Add $username to yubilock group =="
usermod -a -G yubilock "$username"
echo "== Create virualenv =="
[ -f "$install_dir/venv/bin/activate" ] || python3 -m venv "$install_dir/venv" [ -f "$install_dir/venv/bin/activate" ] || python3 -m venv "$install_dir/venv"
. "$install_dir/venv/bin/activate" . "$install_dir/venv/bin/activate"
pip install setuptools wheel pip install setuptools wheel
pip install -r "$script_dir/requirements.txt" pip install -r "$script_dir/requirements.txt"
echo "Copy over application files"
cp "$script_dir/xscreensaver_yubilock.py" "$install_dir"
cp "$script_dir/uninstall.sh" "$install_dir"
cp "$script_dir/config_example.ini" "$install_dir/config.ini"
# Remove first line from config echo "== Copy over application files =="
sed -i '1d' "$install_dir/config.ini" cp "$script_dir/bin/xscreensaver_yubilock.py" "$install_dir"
cp "$script_dir/bin/uninstall.sh" "$install_dir"
cp "$script_dir/bin/kill_screensaver_graphic_program.sh" "$install_dir"
cp "$script_dir/bin/config_system.ini" "$install_dir/config.ini"
chown -R root:yubilock "$install_dir"
chmod 771 "$install_dir"
# Add yubikey serials to config # Add yubikey serials to config
[ -n "$serials" ] && sed -i "s+^yubikey_serial\ =.*+yubikey_serial\ =\ $serials+g" "$install_dir/config.ini" if [ -n "$serials" ]; then
homedir=`eval echo ~"$username"`
echo "Homedir: $homedir"
[ -f "$homedir/.yubilock" ] || ( cp "$script_dir/bin/config_user.ini" "$homedir/.yubilock" && chown "$username:$username" "$homedir/.yubilock")
sed -i "s+^yubikey_serial.*+yubikey_serial\ =\ $serials+g" "$homedir/.yubilock"
echo "Add yubikey serial(s) to $homedir/.yubilock"
fi
chown -R yubilock:yubilock "$install_dir"
chown root:yubilock "$install_dir"
chmod 775 "$install_dir"
echo "Create logging directory" echo "== Create logging directory =="
mkdir -p "$logging_dir" mkdir -p "$logging_dir"
chown --from=root:root root:yubilock "$logging_dir" chown --from=root:root root:yubilock "$logging_dir"
chmod 775 "$logging_dir" chmod 775 "$logging_dir"
sed -i "s+^logfile\ =.*+logfile\ =\ ${logging_dir}daemon.log+g" "$install_dir/config.ini" sed -i "s+^logfile\ =.*+logfile\ =\ ${logging_dir}daemon.log+g" "$install_dir/config.ini"
echo "Allow yubilock user access to X host"
touch "$install_dir/.Xauthority"
chown yubilock:yubilock "$install_dir/.Xauthority"
hexkey=`sudo -u $username xauth list | cut -d ' ' -f 5`
export XAUTHORITY="/opt/yubilock/.Xauthority"
echo sudo -u yubilock xauth add \":0\" . "$hexkey"
sudo -u yubilock xauth add ":0" . "$hexkey"
echo "Fix udev usb rights for yubilock" echo "== Fix udev usb rights for yubilock group =="
cp "$script_dir/debian/91-usbftdi.rules" '/etc/udev/rules.d/' cp "$script_dir/debian/91-usbftdi.rules" '/etc/udev/rules.d/'
chown root:root '/etc/udev/rules.d/91-usbftdi.rules' chown root:root '/etc/udev/rules.d/91-usbftdi.rules'
udevadm control --reload-rules udevadm control --reload-rules
if [ "$use_systemd" = 'yes' ]; then if [ "$use_systemd" = 'yes' ]; then
echo "Enable as systemd service" echo "== Enable as systemd service =="
cp "$script_dir/debian/yubilock.service" "/etc/systemd/system" mkdir -p "/home/$username/.config/systemd/user"
sed -i "s+^ExecStart=.*+ExecStart=${install_dir}venv/bin/python ${install_dir}xscreensaver_yubilock.py+g" '/etc/systemd/system/yubilock.service' cp "$script_dir/debian/yubilock.service" "/home/$username/.config/systemd/user"
systemctl enable yubilock.service sed -i "s+^ExecStart=.*+ExecStart=${install_dir}venv/bin/python ${install_dir}xscreensaver_yubilock.py -v+g" "/home/$username/.config/systemd/user/yubilock.service"
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user daemon-reload'
su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user enable yubilock.service'
# su is used for systemctl user units because systemctl matches executing uid to unit owner uid. See:
# https://unix.stackexchange.com/questions/483948/inspect-unit-status-for-user-units-with-systemctl-as-root/485063#485063
else else
# Make sure service is not previously installed # Make sure service is removed if previously installed
systemctl stop yubilock.service >/dev/null 2>&1 su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user stop yubilock.service >/dev/null 2>&1'
systemctl disable yubilock.service >/dev/null 2>&1 su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user disable yubilock.service >/dev/null 2>&1'
rm '/etc/systemd/system/yubilock.service' >/dev/null 2>&1 rm "/home/$username/.config/systemd/user/yubilock.service" >/dev/null 2>&1
rm '/usr/lib/systemd/system/yubilock.service' >/dev/null 2>&1 su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user daemon-reload'
systemctl daemon-reload su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user reset-failed'
systemctl reset-failed
fi fi
echo "xscreensaver-yubilock is installed!" echo "== xscreensaver-yubilock is installed! =="
echo "== to enable yubilock, please restart your device ==
exit 0
# Due to loginctl not updating user groups, the user has to restart before the service can be started.
if [ "$use_systemd" = 'yes' ]; then if [ "$use_systemd" = 'yes' ]; then
echo "Do you wish to start the daemon now? WARNING: If the specified yubikey is not plugged in, your machine will lock. Alternatively, you can start the service using 'sudo systemctl start yubilock.service' or wait for next login." echo "Do you wish to start the daemon now? WARNING: If the specified yubikey is not plugged in, your machine will lock. Alternatively, you can start the service using 'sudo systemctl start yubilock.service' or wait for next login."
read -p "Start daemon? (y/N) " start_daemon read -p "Start daemon? (y/N) " start_daemon
@ -140,7 +149,7 @@ if [ "$use_systemd" = 'yes' ]; then
n|N|0 ) n|N|0 )
;; ;;
* ) * )
systemctl start yubilock.service;; su "$username" -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user start yubilock.service';;
esac esac
fi fi
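Review bot: The new `echo "== to enable yubilock, please restart your device ==` line is missing its closing quote, so bash swallows the following `exit 0`, the comment and the start of `if [ "` into the string and the installer stops with a syntax error right after printing the "installed!" message instead of exiting cleanly; add the `"` at the end of that line. In the new `else` branch, `rm "/home/$username/.config/systemd/user/yubilock.service"` (no `-f`) and the `su … systemctl --user stop/disable` commands fail on a machine where the unit was never installed, and if the `set -e` near the top of the file (outside this hunk) is still in place that aborts the run; use `rm -f` and `|| true` on the two `su` lines. The systemd branch hardcodes `/home/$username` while the serial step resolves `$homedir` via `eval echo ~"$username"` — hoist that lookup out of the `if [ -n "$serials" ]` block, compute it without `eval` (`getent passwd "$username" | cut -d: -f6`) and reuse it; the start prompt also still advises `sudo systemctl start yubilock.service` although the unit is now per-user (`systemctl --user start yubilock.service`). This file is now an almost line-for-line copy of the newly added `bin/install.sh`; if both are meant to stay, it is worth stating which one is canonical, since fixes will otherwise have to be applied twice.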
