Zuul versions of sudo grep checks
Old legacy jobs will continue to want tocheck that the test user isn't using sudo if sudo has been disabled. Add a zuul version of the checker script and update the sudo rules to allow the zuul user to run it. Change-Id: I10720cdec309dc8418b6cf7e9badf9a04aa8e98e
This commit is contained in:
parent
98ee420cb8
commit
a4331953bd
|
@ -0,0 +1,61 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2012 Hewlett-Packard Development Company, L.P.
|
||||
# Copyright 2013 OpenStack Foundation
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# Find out if zuul has attempted to run any sudo commands by checking
|
||||
# the auth.log or secure log or messages files before and after a test run.
|
||||
|
||||
PATTERN="sudo.*zuul.*:.*\(incorrect password attempts\|command not allowed\)"
|
||||
if [ -f /var/log/auth.log ]; then
|
||||
OLDLOGFILE=/var/log/auth.log.1
|
||||
LOGFILE=/var/log/auth.log
|
||||
elif [ -f /var/log/secure ]; then
|
||||
OLDLOGFILE=$( ls /var/log/secure-* | sort | tail -n1 )
|
||||
LOGFILE=/var/log/secure
|
||||
elif [ -f /var/log/messages ]; then
|
||||
OLDLOGFILE=$( ls /var/log/messages-* | sort | tail -n1 )
|
||||
LOGFILE=/var/log/messages
|
||||
else
|
||||
echo "*** Could not find auth.log/secure/messages log for sudo tracing"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
pre)
|
||||
rm -fr /tmp/zuul-sudo-log
|
||||
mkdir /tmp/zuul-sudo-log
|
||||
if [ -f "$OLDLOGFILE" ]; then
|
||||
stat -c %Y $OLDLOGFILE > /tmp/zuul-sudo-log/mtime-pre
|
||||
else
|
||||
echo "0" > /tmp/zuul-sudo-log/mtime-pre
|
||||
fi
|
||||
grep -h "$PATTERN" $LOGFILE > /tmp/zuul-sudo-log/pre
|
||||
exit 0
|
||||
;;
|
||||
post)
|
||||
if [ -f "$OLDLOGFILE" ]; then
|
||||
stat -c %Y $OLDLOGFILE > /tmp/zuul-sudo-log/mtime-post
|
||||
else
|
||||
echo "0" > /tmp/zuul-sudo-log/mtime-post
|
||||
fi
|
||||
if ! diff /tmp/zuul-sudo-log/mtime-pre /tmp/zuul-sudo-log/mtime-post > /dev/null; then
|
||||
echo "diff"
|
||||
grep -h "$PATTERN" $OLDLOGFILE > /tmp/zuul-sudo-log/post
|
||||
fi
|
||||
grep -h "$PATTERN" $LOGFILE >> /tmp/zuul-sudo-log/post
|
||||
diff /tmp/zuul-sudo-log/pre /tmp/zuul-sudo-log/post
|
||||
;;
|
||||
esac
|
|
@ -15,8 +15,13 @@ useradd -m zuul -g zuul -s /bin/bash
|
|||
cat > /etc/sudoers.d/zuul << EOF
|
||||
zuul ALL=(ALL) NOPASSWD:ALL
|
||||
EOF
|
||||
|
||||
chmod 0440 /etc/sudoers.d/zuul
|
||||
|
||||
cat > /etc/sudoers.d/zuul-sudo-grep <<EOF
|
||||
zuul ALL = NOPASSWD:/usr/local/jenkins/slave_scripts/zuul-sudo-grep.sh
|
||||
EOF
|
||||
chmod 0440 /etc/sudoers.d/zuul-sudo-grep
|
||||
|
||||
visudo -c || die "Error setting zuul sudo!"
|
||||
|
||||
# this was copied from outside the chroot by extras.d
|
||||
|
|
Loading…
Reference in New Issue