From: Robin Roevens <robin.roevens@disroot.org>
To: development@lists.ipfire.org
Subject: [PATCH v4 4/6] zabbix_agentd: Sudoers file reorganization
Date: Thu, 03 Mar 2022 22:02:52 +0100
Message-ID: <20220303210254.3116-5-robin.roevens@disroot.org>
In-Reply-To: <20220303210254.3116-1-robin.roevens@disroot.org>
- Remove sudoers file 'zabbix' in favour of new IPFire managed
'zabbix_agentd' and user managed 'zabbix_agentd_user' which is
included in the backup
- Provide migration of old sudoers file 'zabbix' or 'zabbix.user' to
new zabbix_agentd_user sudoers file if it was modified by user.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
---
config/backup/includes/zabbix_agentd | 4 ++--
config/rootfiles/packages/zabbix_agentd | 3 ++-
config/zabbix_agentd/sudoers | 14 ++++----------
config/zabbix_agentd/sudoers_user | 16 ++++++++++++++++
lfs/zabbix_agentd | 4 +++-
src/paks/zabbix_agentd/update.sh | 22 ++++++++++++++++++----
6 files changed, 45 insertions(+), 18 deletions(-)
create mode 100644 config/zabbix_agentd/sudoers_user
diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd
index 4be365297..834766992 100644
--- a/config/backup/includes/zabbix_agentd
+++ b/config/backup/includes/zabbix_agentd
@@ -1,5 +1,5 @@
-/etc/sudoers.d/zabbix
+/etc/sudoers.d/zabbix_agentd_user
/etc/zabbix_agentd/zabbix_agentd.conf
/etc/zabbix_agentd/scripts/
/etc/zabbix_agentd/zabbix_agentd.d/
-/usr/lib/zabbix/
+/usr/lib/zabbix/
\ No newline at end of file
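Review bot: the last two lines of this hunk replace `/usr/lib/zabbix/` with an identical line that merely lacks its trailing newline, which is a spurious change that will reappear in every future diff of this file; keep the newline so the file ends cleanly. Adding `/etc/sudoers.d/zabbix_agentd_user` to the backup set is the right home for the user-managed rules, but a sudoers fragment is only honoured if it comes back from the restore owned by root and without group/other write bits, since sudo skips files that fail those checks, so it is worth confirming the backup tar preserves ownership and mode for it.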
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index 66a1087cf..2ea98fc21 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -1,6 +1,7 @@
etc/logrotate.d/zabbix_agentd
etc/rc.d/init.d/zabbix_agentd
-etc/sudoers.d/zabbix
+etc/sudoers.d/zabbix_agentd
+etc/sudoers.d/zabbix_agentd_user
etc/zabbix_agentd
etc/zabbix_agentd/scripts
etc/zabbix_agentd/zabbix_agentd.conf
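Review bot: listing `etc/sudoers.d/zabbix_agentd_user` in the rootfiles means the package's own template is extracted over the admin's edited copy on every install, so correctness now depends on that file also being in the backup includes and being restored after install.sh runs; a short comment next to this entry (or in update.sh) stating that dependency would keep a future maintainer from dropping it from one list but not the other.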
diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
index 1b362a4fd..cb4263ff6 100644
--- a/config/zabbix_agentd/sudoers
+++ b/config/zabbix_agentd/sudoers
@@ -1,17 +1,11 @@
# Include file for sudoers file
#
-# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
-# e.g. /usr/bin/openssl or /usr/sbin/smartctl
+# This is needed for some IPFire specific userparameters to be able to execute commands that only run as root (using sudo)
#
-# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
+# DO NOT CHANGE THIS FILE. This file is managed by IPFire, will be overwritten on next addon upgrade and is not
+# included in the backup.
#
-# Some hints:
-# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
-# you might end up locking yourself out of your system!
-# - Append the full path incl. parameters to each command, using "," as separator.
-# - Only add commands you really need. Zabbix should not have more rights than it has to.
-#
-# Append / edit the following list of commands to fit your needs:
+# To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user
#
Defaults:zabbix !requiretty
zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status
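Review bot: the pointer on the `+# To add more sudo rights to zabbix agent, ...` line names the file only as `zabbix_agentd_user`; give the full path `/etc/sudoers.d/zabbix_agentd_user` and keep a one-line `visudo -f` hint here as well, because this managed file is the one an admin opens first and the editing advice that used to live in it was removed. Minor: `userparameters` is Zabbix's `UserParameter` directive, so `UserParameters` or `user parameters` reads better.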
diff --git a/config/zabbix_agentd/sudoers_user b/config/zabbix_agentd/sudoers_user
new file mode 100644
index 000000000..61cbc417b
--- /dev/null
+++ b/config/zabbix_agentd/sudoers_user
@@ -0,0 +1,16 @@
+# Include file for sudoers file
+#
+# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
+# e.g. /usr/bin/openssl or /usr/sbin/smartctl
+#
+# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
+#
+# Some hints:
+# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
+# you might end up locking yourself out of your system!
+# - Append the full path incl. parameters to each command, using "," as separator.
+# - Only add commands you really need. Zabbix should not have more rights than it has to.
+#
+# Uncomment the following line and edit the example of commands to fit your needs:
+
+#zabbix ALL=(ALL) NOPASSWD: <custom command 1>, <custom command 2>, ...
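Review bot: `YOU'RE` on the `+# USE AT YOU'RE OWN RISK...` line should be `YOUR`, and the `visudo -f <filename>` hint is more useful spelled out as `visudo -f /etc/sudoers.d/zabbix_agentd_user`, since visudo validates the fragment before saving and a syntax error in any sudoers.d file breaks sudo for every user on the box. Shipping the example rule commented out is the right default: the file grants nothing until an admin deliberately enables a line.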
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 6e995f40b..929d36628 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -124,7 +124,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install sudoers include file
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \
- /etc/sudoers.d/zabbix
+ /etc/sudoers.d/zabbix_agentd
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers_user \
+ /etc/sudoers.d/zabbix_agentd_user
# Install include file for backup
install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \
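Review bot: both sudoers fragments are installed with `-m 644`; sudoers.d files are conventionally `0440` (`visudo -c` reports any other mode as bad permissions), and nothing in them needs to be readable by the zabbix user itself, so `-m 440` on both `install` lines would match what sudo expects. The 644 mode predates this patch, so this could also go in a follow-up.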
diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh
index 68bba4f80..74a47aa66 100644
--- a/src/paks/zabbix_agentd/update.sh
+++ b/src/paks/zabbix_agentd/update.sh
@@ -22,11 +22,25 @@
############################################################################
#
. /opt/pakfire/lib/functions.sh
+
+# Check if old sudoers file exists and remove if it was not modified
+# or rename to the new zabbix_agentd_user file if it was.
+if [ -f /etc/sudoers.d/zabbix.user ]; then
+ mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
+fi
+
+if [ -f /etc/sudoers.d/zabbix ]; then
+ md5=$(md5sum /etc/sudoers.d/zabbix | cut -f1 -d" ")
+ # from commits 5737a22 & 06fc617
+ if [ "$md5" == "dae8daa1bb7cb3d9959d1438ebe84c71" ] || \
+ [ "$md5" == "9bc24158734f0bf7c8697d62bf4c952a" ]; then
+ rm -vf /etc/sudoers.d/zabbix
+ else
+ mv -v /etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user
+ fi
+fi
+
extract_backup_includes
./uninstall.sh
./install.sh
-# Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix
-if [ -e /etc/sudoers.d/zabbix.user ]; then
- mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
-fi
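Review bot: the first block, `mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix`, silently overwrites an existing `/etc/sudoers.d/zabbix` when both files are present, losing whatever edits lived in the latter; test for the target first (or use `mv -n`) so the migration never discards a sudoers file without trace. Two smaller points: `==` inside `[ ]` is a bash extension, `=` is the portable form; and the md5 comparison only recognises the two revisions shipped from commits 5737a22 and 06fc617, so any other untouched older copy is carried over as if user-modified, which is the safe direction but deserves a line in the comment.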
--
2.34.1