Don't use winexe anymore but a new rsync.cmd wrapper through ssh

WAPT/control

@@ -1,5 +1,5 @@
 package           : fws-backuppc-agent
-version           : 1.3.4-1
+version           : 1.3.4-3
 architecture      : all
 section           : base
 priority          : optional

rsync.cmd

@@ -0,0 +1,14 @@
+@echo off
+
+REM Ensure there's no rsync already running
+tasklist /FI "IMAGENAME eq rsync.exe" 2>NUL | find /I /N "rsync.exe">NUL
+if "%ERRORLEVEL%"=="0" exit 255
+tasklist /FI "IMAGENAME eq vshadow.exe" 2>NUL | find /I /N "vshadow.exe">NUL
+if "%ERRORLEVEL%"=="0" exit 255
+cd \backuppc
+
+cscript pre-cmd.vbs > NULL
+
+rsync.exe %*
+
+echo '1' > wake.up

setup.py

@@ -8,7 +8,8 @@ uninstallkey = []
 
 variables = {
     'backup_servers': [ '192.168.100.31' ],
-    'backup_rsync_pass': 's3cretp@ssw0rd'
+    'backup_rsync_pass': 's3cretp@ssw0rd',
+    'backup_ssh_keys': []
 }
 
 # Read local variables file if available
@@ -17,7 +18,7 @@ if isfile(makepath(programfiles32,'wapt','private','symetric.txt')) and isfile(m
     f = Fernet(open(makepath(programfiles32,'wapt','private','symetric.txt'),'r').read())
     variables.update(json.loads(f.decrypt(open(makepath(programfiles32,'wapt','private','variables.txt'),'r').read())))
 
-overrides = ['rsyncd.conf', 'pre-exec.cmd', 'vsrsync.cmd', 'cygiconv-2.dll', 'cygwin1.dll', 'cygz.dll', 'rsync.exe']
+overrides = ['rsyncd.conf', 'rsync.cmd', 'pre-exec.cmd', 'vsrsync.cmd', 'cygiconv-2.dll', 'cygwin1.dll', 'cygz.dll', 'rsync.exe']
 
 def install():
     print('Installing BackupPC Agent')
@@ -37,51 +38,35 @@ def install():
     open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsyncd.secrets'),'w').write('backup:%s' % variables['backup_rsync_pass'])
 
     # The default behaviour is to add a firewall rule allowing local network. We'll remove this rule to create a more restrictive one
-    print('Adding firewall rules')
+    print('Removing uneeded firewall rules')
     run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1])
-    run('netsh advfirewall firewall add rule name="Agent BackupPC" dir=in action=allow program="%s" enable=yes remoteip=%s' % (makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsync.exe'),','.join(variables['backup_servers'])))
-    # Port 445 is needed for winexe
-    run('netsh advfirewall firewall add rule name="remote admin" dir=in action=allow protocol=TCP localport=445 enable=yes remoteip=%s' % ','.join(variables['backup_servers']))
 
     # Create the backup account
     print('Create a local account and add it to the admin group')
     run('net user lbkp /add', accept_returncodes=[0,2])
-    if 'backup_pass' in variables:
+    if 'backup_pass' in variables :
         run('net user lbkp %s' % variables['backup_pass'])
     run('net localgroup Administrateurs lbkp /add', accept_returncodes=[0,2])
-
-    # For vista and newer, UAC prevents admin shares, we need to enable it
-    print('Enabling remote access to admin shares')
-    if windows_version() > Version('6'):
-        reg_key = reg_openkey_noredir(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',sam=KEY_WRITE,create_if_missing=True)
-        reg_setvalue(reg_key, 'LocalAccountTokenFilterPolicy', 1, REG_DWORD)
+    print('Writing SSH Keys for the backup account')
+    mkdirs(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh'))
+    open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'),'w').write("\n".join(variables['backup_ssh_keys']))
+    run(r'icacls.exe "%s" /inheritance:d' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'))
+    run(r'icacls.exe "%s" /remove:g "*S-1-5-32-545" /t /c /q' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'))
+    run(r'icacls.exe "%s" /remove:g "*S-1-5-11" /t /c /q' %  makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'))
+    run(r'icacls.exe "%s" /grant "NT SERVICE\sshd":(R)' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'))
 
 
 def uninstall():
     print('Removing BackupPC Agent')
-    print('Removing firewall rules')
-    run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1])
-    run('netsh advfirewall firewall del rule name="remote admin"', accept_returncodes=[0,1])
     print('Removing lbkp from Admin group')
     run('net localgroup Administrateurs lbkp /delete', accept_returncodes=[0,2])
-    print('Disabling remote access to admin shares')
-    if windows_version() > Version('6'):
-        reg_key = reg_openkey_noredir(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',sam=KEY_WRITE)
-        reg_delvalue(reg_key, 'LocalAccountTokenFilterPolicy')
     print('Removing files')
     for file in overrides:
-        path =makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)
+        path = makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)
         if isfile(path):
             os.unlink(path)
 
 def audit():
-    filter_policy = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system','LocalAccountTokenFilterPolicy')
-    if not filter_policy :
-        print(r"key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy doesn't exist")
-        return "ERROR"
-    elif int(filter_policy) != 1 :
-        print("Wrong value for LocalAccountTokenFilterPolicy")
-        return "ERROR"
     for file in overrides + ['rsyncd.secrets','part.cmd' ]:
         if not isfile(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)):
             print('%s is missing' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file))