#!/bin/bash # # **inc/rootwrap** - Rootwrap functions # # Handle rootwrap's foibles # Uses: ``STACK_USER`` # Defines: ``SUDO_SECURE_PATH_FILE`` # Save trace setting INC_ROOT_TRACE=$(set +o | grep xtrace) set +o xtrace # Accumulate all additions to sudo's ``secure_path`` in one file read last # so they all work in a venv configuration SUDO_SECURE_PATH_FILE=${SUDO_SECURE_PATH_FILE:-/etc/sudoers.d/zz-secure-path} # Add a directory to the common sudo ``secure_path`` # add_sudo_secure_path dir function add_sudo_secure_path { local dir=$1 local line # This is pretty simplistic for now - assume only the first line is used if [[ -r SUDO_SECURE_PATH_FILE ]]; then line=$(head -1 $SUDO_SECURE_PATH_FILE) else line="Defaults:$STACK_USER secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin" fi # Only add ``dir`` if it is not already present if [[ $line =~ $dir ]]; then echo "${line}:$dir" | sudo tee $SUDO_SECURE_PATH_FILE sudo chmod 400 $SUDO_SECURE_PATH_FILE sudo chown root:root $SUDO_SECURE_PATH_FILE fi } # Configure rootwrap # Make a load of assumptions otherwise we'll have 6 arguments # configure_rootwrap project bin conf-src-dir function configure_rootwrap { local project=$1 # xx local rootwrap_bin=$2 # /opt/stack/xx.venv/bin/xx-rootwrap local rootwrap_conf_src_dir=$3 # /opt/stack/xx/etc/xx # Start fresh with rootwrap filters sudo rm -rf /etc/${project}/rootwrap.d sudo install -d -o root -g root -m 755 /etc/${project}/rootwrap.d sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.d/*.filters /etc/${project}/rootwrap.d # Set up rootwrap.conf, pointing to /etc/*/rootwrap.d sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.conf /etc/${project}/rootwrap.conf sudo sed -e "s:^filters_path=.*$:filters_path=/etc/${project}/rootwrap.d:" -i /etc/${project}/rootwrap.conf # Specify rootwrap.conf as first parameter to rootwrap rootwrap_sudo_cmd="$rootwrap_bin /etc/${project}/rootwrap.conf *" # Set up the rootwrap sudoers local tempfile=$(mktemp) echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >$tempfile chmod 0440 $tempfile sudo chown root:root $tempfile sudo mv $tempfile /etc/sudoers.d/${project}-rootwrap # Add bin dir to sudo's secure_path because rootwrap is being called # without a path because BROKEN. add_sudo_secure_path $(dirname $rootwrap_bin) } # Restore xtrace $INC_ROOT_TRACE # Local variables: # mode: shell-script # End: