webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 11:43:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

zabbix_agentd: Sudoers file reorganization

Browse Source 
- Remove sudoers file 'zabbix' in favour of new IPFire managed
  'zabbix_agentd' and user managed 'zabbix_agentd_user' which is
  included in the backup
- Provide migration of old sudoers file 'zabbix' or 'zabbix.user' to
  new zabbix_agentd_user sudoers file if it was modified by user.

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
This commit is contained in:
Robin Roevens
2022-06-30 12:15:53 +02:00
committed by Peter Müller
parent e2d54d57d4
commit 092330b128
6 changed files with 45 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config/backup/includes/zabbix_agentd
View File

@@ -1,5 +1,5 @@
/etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user
/etc/zabbix_agentd/zabbix_agentd.conf /etc/zabbix_agentd/zabbix_agentd.conf
/etc/zabbix_agentd/scripts/ /etc/zabbix_agentd/scripts/
/etc/zabbix_agentd/zabbix_agentd.d/ /etc/zabbix_agentd/zabbix_agentd.d/
/usr/lib/zabbix/ /usr/lib/zabbix/

3
config/rootfiles/packages/zabbix_agentd
View File

@@ -1,6 +1,7 @@
etc/logrotate.d/zabbix_agentd etc/logrotate.d/zabbix_agentd
etc/rc.d/init.d/zabbix_agentd etc/rc.d/init.d/zabbix_agentd
etc/sudoers.d/zabbix etc/sudoers.d/zabbix_agentd
etc/sudoers.d/zabbix_agentd_user
etc/zabbix_agentd etc/zabbix_agentd
etc/zabbix_agentd/scripts etc/zabbix_agentd/scripts
etc/zabbix_agentd/zabbix_agentd.conf etc/zabbix_agentd/zabbix_agentd.conf

14
config/zabbix_agentd/sudoers
View File

@@ -1,17 +1,11 @@
# Include file for sudoers file # Include file for sudoers file
# #
# This is needed for some userparameters to be able to execute commands that only run as root (using sudo) # This is needed for some IPFire specific userparameters to be able to execute commands that only run as root (using sudo)
# e.g. /usr/bin/openssl or /usr/sbin/smartctl
# #
# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH! # DO NOT CHANGE THIS FILE. This file is managed by IPFire, will be overwritten on next addon upgrade and is not
# included in the backup.
# #
# Some hints: # To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user
# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
# you might end up locking yourself out of your system!
# - Append the full path incl. parameters to each command, using "," as separator.
# - Only add commands you really need. Zabbix should not have more rights than it has to.
#
# Append / edit the following list of commands to fit your needs:
# #
Defaults:zabbix !requiretty Defaults:zabbix !requiretty
zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status

16
config/zabbix_agentd/sudoers_user Normal file
View File

@@ -0,0 +1,16 @@
# Include file for sudoers file
#
# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
# e.g. /usr/bin/openssl or /usr/sbin/smartctl
#
# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
#
# Some hints:
# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
# you might end up locking yourself out of your system!
# - Append the full path incl. parameters to each command, using "," as separator.
# - Only add commands you really need. Zabbix should not have more rights than it has to.
#
# Uncomment the following line and edit the example of commands to fit your needs:
#zabbix ALL=(ALL) NOPASSWD: <custom command 1>, <custom command 2>, ...

4
lfs/zabbix_agentd
View File

@@ -124,7 +124,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install sudoers include file # Install sudoers include file
install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \
/etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd
install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers_user \
/etc/sudoers.d/zabbix_agentd_user
# Install include file for backup # Install include file for backup
install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \ install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \

22
src/paks/zabbix_agentd/update.sh
View File

@@ -22,11 +22,25 @@
############################################################################ ############################################################################
# #
. /opt/pakfire/lib/functions.sh . /opt/pakfire/lib/functions.sh
# Check if old sudoers file exists and remove if it was not modified
# or rename to the new zabbix_agentd_user file if it was.
if [ -f /etc/sudoers.d/zabbix.user ]; then
mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
fi
if [ -f /etc/sudoers.d/zabbix ]; then
blake2=$(b2sum /etc/sudoers.d/zabbix | cut -f1 -d" ")
# from commits 5737a22 & 06fc617
if [ "$blake2" == "b0f73b107fd3842efc7ef3e30f6d948235aa07d533715476c2d3f58c08379193fdde9ff69aa6e0f5eb6cf4a98b2ed2a6f003f23078a57aff239b34cc29e62a98" ] || \
[ "$blake2" == "0628c416a1f217b0962a8ce6d1e339bdb0f0427d86fc06b2e40b63487ffc1a3543562d16f7f954d7fb92cee9764f0261c1663a39dd50bc73fd9b772575c56cfc" ]; then
rm -vf /etc/sudoers.d/zabbix
else
mv -v /etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user
fi
fi
extract_backup_includes extract_backup_includes
./uninstall.sh ./uninstall.sh
./install.sh ./install.sh
# Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix
if [ -e /etc/sudoers.d/zabbix.user ]; then
mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
fi