90 lines
3.0 KiB
Bash
90 lines
3.0 KiB
Bash
#!/bin/bash
|
|
#
|
|
# **inc/rootwrap** - Rootwrap functions
|
|
#
|
|
# Handle rootwrap's foibles
|
|
|
|
# Uses: ``STACK_USER``
|
|
# Defines: ``SUDO_SECURE_PATH_FILE``
|
|
|
|
# Save trace setting
|
|
INC_ROOT_TRACE=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
# Accumulate all additions to sudo's ``secure_path`` in one file read last
|
|
# so they all work in a venv configuration
|
|
SUDO_SECURE_PATH_FILE=${SUDO_SECURE_PATH_FILE:-/etc/sudoers.d/zz-secure-path}
|
|
|
|
# Add a directory to the common sudo ``secure_path``
|
|
# add_sudo_secure_path dir
|
|
function add_sudo_secure_path {
|
|
local dir=$1
|
|
local line
|
|
|
|
# This is pretty simplistic for now - assume only the first line is used
|
|
if [[ -r $SUDO_SECURE_PATH_FILE ]]; then
|
|
line=$(head -1 $SUDO_SECURE_PATH_FILE)
|
|
else
|
|
line="Defaults:$STACK_USER secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin"
|
|
fi
|
|
|
|
# Only add ``dir`` if it is not already present
|
|
if [[ ! $line =~ $dir ]]; then
|
|
echo "${line}:$dir" | sudo tee $SUDO_SECURE_PATH_FILE
|
|
sudo chmod 400 $SUDO_SECURE_PATH_FILE
|
|
sudo chown root:root $SUDO_SECURE_PATH_FILE
|
|
fi
|
|
}
|
|
|
|
# Configure rootwrap
|
|
# Make a load of assumptions otherwise we'll have 6 arguments
|
|
# configure_rootwrap project
|
|
function configure_rootwrap {
|
|
local project=$1
|
|
local project_uc
|
|
project_uc=$(echo $1|tr a-z A-Z)
|
|
local bin_dir="${project_uc}_BIN_DIR"
|
|
bin_dir="${!bin_dir}"
|
|
local project_dir="${project_uc}_DIR"
|
|
project_dir="${!project_dir}"
|
|
|
|
local rootwrap_conf_src_dir="${project_dir}/etc/${project}"
|
|
local rootwrap_bin="${bin_dir}/${project}-rootwrap"
|
|
|
|
# Start fresh with rootwrap filters
|
|
sudo rm -rf /etc/${project}/rootwrap.d
|
|
sudo install -d -o root -g root -m 755 /etc/${project}/rootwrap.d
|
|
sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.d/*.filters /etc/${project}/rootwrap.d
|
|
|
|
# Set up rootwrap.conf, pointing to /etc/*/rootwrap.d
|
|
sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.conf /etc/${project}/rootwrap.conf
|
|
sudo sed -e "s:^filters_path=.*$:filters_path=/etc/${project}/rootwrap.d:" -i /etc/${project}/rootwrap.conf
|
|
|
|
# Set up the rootwrap sudoers
|
|
local tempfile
|
|
tempfile=$(mktemp)
|
|
# Specify rootwrap.conf as first parameter to rootwrap
|
|
rootwrap_sudo_cmd="${rootwrap_bin} /etc/${project}/rootwrap.conf *"
|
|
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >$tempfile
|
|
if [ -f ${bin_dir}/${project}-rootwrap-daemon ]; then
|
|
# rootwrap daemon does not need any parameters
|
|
rootwrap_sudo_cmd="${rootwrap_bin}-daemon /etc/${project}/rootwrap.conf"
|
|
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >>$tempfile
|
|
fi
|
|
chmod 0440 $tempfile
|
|
sudo chown root:root $tempfile
|
|
sudo mv $tempfile /etc/sudoers.d/${project}-rootwrap
|
|
|
|
# Add bin dir to sudo's secure_path because rootwrap is being called
|
|
# without a path because BROKEN.
|
|
add_sudo_secure_path $(dirname $rootwrap_bin)
|
|
}
|
|
|
|
|
|
# Restore xtrace
|
|
$INC_ROOT_TRACE
|
|
|
|
# Local variables:
|
|
# mode: shell-script
|
|
# End:
|