| Dean Troyer | 32d6bc6 | 2015-03-29 14:16:44 -0500 | [diff] [blame] | 1 | #!/bin/bash |
| 2 | # |
| 3 | # **inc/rootwrap** - Rootwrap functions |
| 4 | # |
| 5 | # Handle rootwrap's foibles |
| 6 | |
| 7 | # Uses: ``STACK_USER`` |
| 8 | # Defines: ``SUDO_SECURE_PATH_FILE`` |
| 9 | |
| 10 | # Save trace setting |
| 11 | INC_ROOT_TRACE=$(set +o | grep xtrace) |
| 12 | set +o xtrace |
| 13 | |
| 14 | # Accumulate all additions to sudo's ``secure_path`` in one file read last |
| 15 | # so they all work in a venv configuration |
| 16 | SUDO_SECURE_PATH_FILE=${SUDO_SECURE_PATH_FILE:-/etc/sudoers.d/zz-secure-path} |
| 17 | |
| 18 | # Add a directory to the common sudo ``secure_path`` |
| 19 | # add_sudo_secure_path dir |
| 20 | function add_sudo_secure_path { |
| 21 | local dir=$1 |
| 22 | local line |
| 23 | |
| 24 | # This is pretty simplistic for now - assume only the first line is used |
| 25 | if [[ -r SUDO_SECURE_PATH_FILE ]]; then |
| 26 | line=$(head -1 $SUDO_SECURE_PATH_FILE) |
| 27 | else |
| 28 | line="Defaults:$STACK_USER secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin" |
| 29 | fi |
| 30 | |
| 31 | # Only add ``dir`` if it is not already present |
| 32 | if [[ $line =~ $dir ]]; then |
| 33 | echo "${line}:$dir" | sudo tee $SUDO_SECURE_PATH_FILE |
| 34 | sudo chmod 400 $SUDO_SECURE_PATH_FILE |
| 35 | sudo chown root:root $SUDO_SECURE_PATH_FILE |
| 36 | fi |
| 37 | } |
| 38 | |
| 39 | # Configure rootwrap |
| 40 | # Make a load of assumptions otherwise we'll have 6 arguments |
| 41 | # configure_rootwrap project bin conf-src-dir |
| 42 | function configure_rootwrap { |
| 43 | local project=$1 # xx |
| 44 | local rootwrap_bin=$2 # /opt/stack/xx.venv/bin/xx-rootwrap |
| 45 | local rootwrap_conf_src_dir=$3 # /opt/stack/xx/etc/xx |
| 46 | |
| 47 | # Start fresh with rootwrap filters |
| 48 | sudo rm -rf /etc/${project}/rootwrap.d |
| 49 | sudo install -d -o root -g root -m 755 /etc/${project}/rootwrap.d |
| 50 | sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.d/*.filters /etc/${project}/rootwrap.d |
| 51 | |
| 52 | # Set up rootwrap.conf, pointing to /etc/*/rootwrap.d |
| 53 | sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.conf /etc/${project}/rootwrap.conf |
| 54 | sudo sed -e "s:^filters_path=.*$:filters_path=/etc/${project}/rootwrap.d:" -i /etc/${project}/rootwrap.conf |
| 55 | |
| 56 | # Specify rootwrap.conf as first parameter to rootwrap |
| 57 | rootwrap_sudo_cmd="$rootwrap_bin /etc/${project}/rootwrap.conf *" |
| 58 | |
| 59 | # Set up the rootwrap sudoers |
| 60 | local tempfile=$(mktemp) |
| 61 | echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >$tempfile |
| 62 | chmod 0440 $tempfile |
| 63 | sudo chown root:root $tempfile |
| 64 | sudo mv $tempfile /etc/sudoers.d/${project}-rootwrap |
| 65 | |
| 66 | # Add bin dir to sudo's secure_path because rootwrap is being called |
| 67 | # without a path because BROKEN. |
| 68 | add_sudo_secure_path $(dirname $rootwrap_bin) |
| 69 | } |
| 70 | |
| 71 | |
| 72 | # Restore xtrace |
| 73 | $INC_ROOT_TRACE |
| 74 | |
| 75 | # Local variables: |
| 76 | # mode: shell-script |
| 77 | # End: |