- Remove sudoers file 'zabbix' in favour of new IPFire managed 'zabbix_agentd' and user managed 'zabbix_agentd_user' which is included in the backup - Provide migration of old sudoers file 'zabbix' or 'zabbix.user' to new zabbix_agentd_user sudoers file if it was modified by user.
Signed-off-by: Robin Roevens robin.roevens@disroot.org --- config/backup/includes/zabbix_agentd | 4 ++-- config/rootfiles/packages/zabbix_agentd | 3 ++- config/zabbix_agentd/sudoers | 14 ++++---------- config/zabbix_agentd/sudoers_user | 16 ++++++++++++++++ lfs/zabbix_agentd | 4 +++- src/paks/zabbix_agentd/update.sh | 22 ++++++++++++++++++---- 6 files changed, 45 insertions(+), 18 deletions(-) create mode 100644 config/zabbix_agentd/sudoers_user
diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index 4be365297..834766992 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,5 +1,5 @@ -/etc/sudoers.d/zabbix +/etc/sudoers.d/zabbix_agentd_user /etc/zabbix_agentd/zabbix_agentd.conf /etc/zabbix_agentd/scripts/ /etc/zabbix_agentd/zabbix_agentd.d/ -/usr/lib/zabbix/ +/usr/lib/zabbix/ \ No newline at end of file diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index c6e0c5634..b5325c636 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -1,6 +1,7 @@ etc/logrotate.d/zabbix_agentd etc/rc.d/init.d/zabbix_agentd -etc/sudoers.d/zabbix +etc/sudoers.d/zabbix_agentd +etc/sudoers.d/zabbix_agentd_user etc/zabbix_agentd etc/zabbix_agentd/scripts etc/zabbix_agentd/zabbix_agentd.conf diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 1b362a4fd..cb4263ff6 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -1,17 +1,11 @@ # Include file for sudoers file # -# This is needed for some userparameters to be able to execute commands that only run as root (using sudo) -# e.g. /usr/bin/openssl or /usr/sbin/smartctl +# This is needed for some IPFire specific userparameters to be able to execute commands that only run as root (using sudo) # -# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH! +# DO NOT CHANGE THIS FILE. This file is managed by IPFire, will be overwritten on next addon upgrade and is not +# included in the backup. # -# Some hints: -# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file, -# you might end up locking yourself out of your system! -# - Append the full path incl. parameters to each command, using "," as separator. -# - Only add commands you really need. Zabbix should not have more rights than it has to. -# -# Append / edit the following list of commands to fit your needs: +# To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user # Defaults:zabbix !requiretty zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status diff --git a/config/zabbix_agentd/sudoers_user b/config/zabbix_agentd/sudoers_user new file mode 100644 index 000000000..61cbc417b --- /dev/null +++ b/config/zabbix_agentd/sudoers_user @@ -0,0 +1,16 @@ +# Include file for sudoers file +# +# This is needed for some userparameters to be able to execute commands that only run as root (using sudo) +# e.g. /usr/bin/openssl or /usr/sbin/smartctl +# +# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH! +# +# Some hints: +# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file, +# you might end up locking yourself out of your system! +# - Append the full path incl. parameters to each command, using "," as separator. +# - Only add commands you really need. Zabbix should not have more rights than it has to. +# +# Uncomment the following line and edit the example of commands to fit your needs: + +#zabbix ALL=(ALL) NOPASSWD: <custom command 1>, <custom command 2>, ... diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 025a0f0db..f8fbdae5e 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -124,7 +124,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install sudoers include file install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ - /etc/sudoers.d/zabbix + /etc/sudoers.d/zabbix_agentd + install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers_user \ + /etc/sudoers.d/zabbix_agentd_user
# Install include file for backup install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \ diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 68bba4f80..a41e72ab4 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh @@ -22,11 +22,25 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh + +# Check if old sudoers file exists and remove if it was not modified +# or rename to the new zabbix_agentd_user file if it was. +if [ -f /etc/sudoers.d/zabbix.user ]; then + mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix +fi + +if [ -f /etc/sudoers.d/zabbix ]; then + blake2=$(b2sum /etc/sudoers.d/zabbix | cut -f1 -d" ") + # from commits 5737a22 & 06fc617 + if [ "$blake2" == "b0f73b107fd3842efc7ef3e30f6d948235aa07d533715476c2d3f58c08379193fdde9ff69aa6e0f5eb6cf4a98b2ed2a6f003f23078a57aff239b34cc29e62a98" ] || \ + [ "$blake2" == "0628c416a1f217b0962a8ce6d1e339bdb0f0427d86fc06b2e40b63487ffc1a3543562d16f7f954d7fb92cee9764f0261c1663a39dd50bc73fd9b772575c56cfc" ]; then + rm -vf /etc/sudoers.d/zabbix + else + mv -v /etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user + fi +fi + extract_backup_includes ./uninstall.sh ./install.sh
-# Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix -if [ -e /etc/sudoers.d/zabbix.user ]; then - mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix -fi