Don't use winexe anymore but a new rsync.cmd wrapper through ssh

master
Daniel Berteaud 6 years ago
parent 48e1d20b4f
commit 29929e2a9a
  1. 2
      WAPT/control
  2. 14
      rsync.cmd
  3. 37
      setup.py

@ -1,5 +1,5 @@
package : fws-backuppc-agent package : fws-backuppc-agent
version : 1.3.4-1 version : 1.3.4-3
architecture : all architecture : all
section : base section : base
priority : optional priority : optional

@ -0,0 +1,14 @@
@echo off
REM Ensure there's no rsync already running
tasklist /FI "IMAGENAME eq rsync.exe" 2>NUL | find /I /N "rsync.exe">NUL
if "%ERRORLEVEL%"=="0" exit 255
tasklist /FI "IMAGENAME eq vshadow.exe" 2>NUL | find /I /N "vshadow.exe">NUL
if "%ERRORLEVEL%"=="0" exit 255
cd \backuppc
cscript pre-cmd.vbs > NULL
rsync.exe %*
echo '1' > wake.up

@ -8,7 +8,8 @@ uninstallkey = []
variables = { variables = {
'backup_servers': [ '192.168.100.31' ], 'backup_servers': [ '192.168.100.31' ],
'backup_rsync_pass': 's3cretp@ssw0rd' 'backup_rsync_pass': 's3cretp@ssw0rd',
'backup_ssh_keys': []
} }
# Read local variables file if available # Read local variables file if available
@ -17,7 +18,7 @@ if isfile(makepath(programfiles32,'wapt','private','symetric.txt')) and isfile(m
f = Fernet(open(makepath(programfiles32,'wapt','private','symetric.txt'),'r').read()) f = Fernet(open(makepath(programfiles32,'wapt','private','symetric.txt'),'r').read())
variables.update(json.loads(f.decrypt(open(makepath(programfiles32,'wapt','private','variables.txt'),'r').read()))) variables.update(json.loads(f.decrypt(open(makepath(programfiles32,'wapt','private','variables.txt'),'r').read())))
overrides = ['rsyncd.conf', 'pre-exec.cmd', 'vsrsync.cmd', 'cygiconv-2.dll', 'cygwin1.dll', 'cygz.dll', 'rsync.exe'] overrides = ['rsyncd.conf', 'rsync.cmd', 'pre-exec.cmd', 'vsrsync.cmd', 'cygiconv-2.dll', 'cygwin1.dll', 'cygz.dll', 'rsync.exe']
def install(): def install():
print('Installing BackupPC Agent') print('Installing BackupPC Agent')
@ -37,11 +38,8 @@ def install():
open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsyncd.secrets'),'w').write('backup:%s' % variables['backup_rsync_pass']) open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsyncd.secrets'),'w').write('backup:%s' % variables['backup_rsync_pass'])
# The default behaviour is to add a firewall rule allowing local network. We'll remove this rule to create a more restrictive one # The default behaviour is to add a firewall rule allowing local network. We'll remove this rule to create a more restrictive one
print('Adding firewall rules') print('Removing uneeded firewall rules')
run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1]) run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1])
run('netsh advfirewall firewall add rule name="Agent BackupPC" dir=in action=allow program="%s" enable=yes remoteip=%s' % (makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsync.exe'),','.join(variables['backup_servers'])))
# Port 445 is needed for winexe
run('netsh advfirewall firewall add rule name="remote admin" dir=in action=allow protocol=TCP localport=445 enable=yes remoteip=%s' % ','.join(variables['backup_servers']))
# Create the backup account # Create the backup account
print('Create a local account and add it to the admin group') print('Create a local account and add it to the admin group')
@ -49,25 +47,19 @@ def install():
if 'backup_pass' in variables : if 'backup_pass' in variables :
run('net user lbkp %s' % variables['backup_pass']) run('net user lbkp %s' % variables['backup_pass'])
run('net localgroup Administrateurs lbkp /add', accept_returncodes=[0,2]) run('net localgroup Administrateurs lbkp /add', accept_returncodes=[0,2])
print('Writing SSH Keys for the backup account')
# For vista and newer, UAC prevents admin shares, we need to enable it mkdirs(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh'))
print('Enabling remote access to admin shares') open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'),'w').write("\n".join(variables['backup_ssh_keys']))
if windows_version() > Version('6'): run(r'icacls.exe "%s" /inheritance:d' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'))
reg_key = reg_openkey_noredir(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',sam=KEY_WRITE,create_if_missing=True) run(r'icacls.exe "%s" /remove:g "*S-1-5-32-545" /t /c /q' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'))
reg_setvalue(reg_key, 'LocalAccountTokenFilterPolicy', 1, REG_DWORD) run(r'icacls.exe "%s" /remove:g "*S-1-5-11" /t /c /q' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'))
run(r'icacls.exe "%s" /grant "NT SERVICE\sshd":(R)' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'))
def uninstall(): def uninstall():
print('Removing BackupPC Agent') print('Removing BackupPC Agent')
print('Removing firewall rules')
run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1])
run('netsh advfirewall firewall del rule name="remote admin"', accept_returncodes=[0,1])
print('Removing lbkp from Admin group') print('Removing lbkp from Admin group')
run('net localgroup Administrateurs lbkp /delete', accept_returncodes=[0,2]) run('net localgroup Administrateurs lbkp /delete', accept_returncodes=[0,2])
print('Disabling remote access to admin shares')
if windows_version() > Version('6'):
reg_key = reg_openkey_noredir(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',sam=KEY_WRITE)
reg_delvalue(reg_key, 'LocalAccountTokenFilterPolicy')
print('Removing files') print('Removing files')
for file in overrides: for file in overrides:
path = makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file) path = makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)
@ -75,13 +67,6 @@ def uninstall():
os.unlink(path) os.unlink(path)
def audit(): def audit():
filter_policy = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system','LocalAccountTokenFilterPolicy')
if not filter_policy :
print(r"key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy doesn't exist")
return "ERROR"
elif int(filter_policy) != 1 :
print("Wrong value for LocalAccountTokenFilterPolicy")
return "ERROR"
for file in overrides + ['rsyncd.secrets','part.cmd' ]: for file in overrides + ['rsyncd.secrets','part.cmd' ]:
if not isfile(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)): if not isfile(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)):
print('%s is missing' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)) print('%s is missing' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file))

Loading…
Cancel
Save