From 29929e2a9ac6eb192be9a31978b56e51d895b5e9 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 12 Dec 2018 11:53:19 +0100 Subject: [PATCH] Don't use winexe anymore but a new rsync.cmd wrapper through ssh --- WAPT/control | 2 +- rsync.cmd | 14 ++++++++++++++ setup.py | 41 +++++++++++++---------------------------- 3 files changed, 28 insertions(+), 29 deletions(-) create mode 100644 rsync.cmd diff --git a/WAPT/control b/WAPT/control index 81a6d65..c5b1a61 100644 --- a/WAPT/control +++ b/WAPT/control @@ -1,5 +1,5 @@ package : fws-backuppc-agent -version : 1.3.4-1 +version : 1.3.4-3 architecture : all section : base priority : optional diff --git a/rsync.cmd b/rsync.cmd new file mode 100644 index 0000000..f0cca88 --- /dev/null +++ b/rsync.cmd @@ -0,0 +1,14 @@ +@echo off + +REM Ensure there's no rsync already running +tasklist /FI "IMAGENAME eq rsync.exe" 2>NUL | find /I /N "rsync.exe">NUL +if "%ERRORLEVEL%"=="0" exit 255 +tasklist /FI "IMAGENAME eq vshadow.exe" 2>NUL | find /I /N "vshadow.exe">NUL +if "%ERRORLEVEL%"=="0" exit 255 +cd \backuppc + +cscript pre-cmd.vbs > NULL + +rsync.exe %* + +echo '1' > wake.up \ No newline at end of file diff --git a/setup.py b/setup.py index bc6a81d..aa0e611 100644 --- a/setup.py +++ b/setup.py @@ -8,7 +8,8 @@ uninstallkey = [] variables = { 'backup_servers': [ '192.168.100.31' ], - 'backup_rsync_pass': 's3cretp@ssw0rd' + 'backup_rsync_pass': 's3cretp@ssw0rd', + 'backup_ssh_keys': [] } # Read local variables file if available @@ -17,7 +18,7 @@ if isfile(makepath(programfiles32,'wapt','private','symetric.txt')) and isfile(m f = Fernet(open(makepath(programfiles32,'wapt','private','symetric.txt'),'r').read()) variables.update(json.loads(f.decrypt(open(makepath(programfiles32,'wapt','private','variables.txt'),'r').read()))) -overrides = ['rsyncd.conf', 'pre-exec.cmd', 'vsrsync.cmd', 'cygiconv-2.dll', 'cygwin1.dll', 'cygz.dll', 'rsync.exe'] +overrides = ['rsyncd.conf', 'rsync.cmd', 'pre-exec.cmd', 'vsrsync.cmd', 'cygiconv-2.dll', 'cygwin1.dll', 'cygz.dll', 'rsync.exe'] def install(): print('Installing BackupPC Agent') @@ -37,51 +38,35 @@ def install(): open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsyncd.secrets'),'w').write('backup:%s' % variables['backup_rsync_pass']) # The default behaviour is to add a firewall rule allowing local network. We'll remove this rule to create a more restrictive one - print('Adding firewall rules') + print('Removing uneeded firewall rules') run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1]) - run('netsh advfirewall firewall add rule name="Agent BackupPC" dir=in action=allow program="%s" enable=yes remoteip=%s' % (makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsync.exe'),','.join(variables['backup_servers']))) - # Port 445 is needed for winexe - run('netsh advfirewall firewall add rule name="remote admin" dir=in action=allow protocol=TCP localport=445 enable=yes remoteip=%s' % ','.join(variables['backup_servers'])) # Create the backup account print('Create a local account and add it to the admin group') run('net user lbkp /add', accept_returncodes=[0,2]) - if 'backup_pass' in variables: + if 'backup_pass' in variables : run('net user lbkp %s' % variables['backup_pass']) run('net localgroup Administrateurs lbkp /add', accept_returncodes=[0,2]) - - # For vista and newer, UAC prevents admin shares, we need to enable it - print('Enabling remote access to admin shares') - if windows_version() > Version('6'): - reg_key = reg_openkey_noredir(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',sam=KEY_WRITE,create_if_missing=True) - reg_setvalue(reg_key, 'LocalAccountTokenFilterPolicy', 1, REG_DWORD) + print('Writing SSH Keys for the backup account') + mkdirs(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh')) + open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'),'w').write("\n".join(variables['backup_ssh_keys'])) + run(r'icacls.exe "%s" /inheritance:d' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys')) + run(r'icacls.exe "%s" /remove:g "*S-1-5-32-545" /t /c /q' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys')) + run(r'icacls.exe "%s" /remove:g "*S-1-5-11" /t /c /q' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys')) + run(r'icacls.exe "%s" /grant "NT SERVICE\sshd":(R)' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys')) def uninstall(): print('Removing BackupPC Agent') - print('Removing firewall rules') - run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1]) - run('netsh advfirewall firewall del rule name="remote admin"', accept_returncodes=[0,1]) print('Removing lbkp from Admin group') run('net localgroup Administrateurs lbkp /delete', accept_returncodes=[0,2]) - print('Disabling remote access to admin shares') - if windows_version() > Version('6'): - reg_key = reg_openkey_noredir(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',sam=KEY_WRITE) - reg_delvalue(reg_key, 'LocalAccountTokenFilterPolicy') print('Removing files') for file in overrides: - path =makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file) + path = makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file) if isfile(path): os.unlink(path) def audit(): - filter_policy = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system','LocalAccountTokenFilterPolicy') - if not filter_policy : - print(r"key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy doesn't exist") - return "ERROR" - elif int(filter_policy) != 1 : - print("Wrong value for LocalAccountTokenFilterPolicy") - return "ERROR" for file in overrides + ['rsyncd.secrets','part.cmd' ]: if not isfile(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)): print('%s is missing' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file))