[v5,4/6] zabbix_agentd: Sudoers file reorganization

Message ID 20220630101555.13438-5-robin.roevens@disroot.org
State Accepted
Commit 092330b128e39a548f37a9bd38b809fc3be62adb
Series zabbix_agentd: Update to v6.0.6 (LTS) |

Commit Message

Robin Roevens June 30, 2022, 10:15 a.m. UTC
- Remove sudoers file 'zabbix' in favour of the new IPFire-managed
  'zabbix_agentd' and the user-managed 'zabbix_agentd_user', which is
  included in the backup
- Provide migration of old sudoers file 'zabbix' or 'zabbix.user' to
  new zabbix_agentd_user sudoers file if it was modified by user.

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
---
 config/backup/includes/zabbix_agentd    |  4 ++--
 config/rootfiles/packages/zabbix_agentd |  3 ++-
 config/zabbix_agentd/sudoers            | 14 ++++----------
 config/zabbix_agentd/sudoers_user       | 16 ++++++++++++++++
 lfs/zabbix_agentd                       |  4 +++-
 src/paks/zabbix_agentd/update.sh        | 22 ++++++++++++++++++----
 6 files changed, 45 insertions(+), 18 deletions(-)
 create mode 100644 config/zabbix_agentd/sudoers_user
  

Patch

diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd
index 4be365297..834766992 100644
--- a/config/backup/includes/zabbix_agentd
+++ b/config/backup/includes/zabbix_agentd
@@ -1,5 +1,5 @@ 
-/etc/sudoers.d/zabbix
+/etc/sudoers.d/zabbix_agentd_user
 /etc/zabbix_agentd/zabbix_agentd.conf
 /etc/zabbix_agentd/scripts/
 /etc/zabbix_agentd/zabbix_agentd.d/
-/usr/lib/zabbix/
+/usr/lib/zabbix/
\ No newline at end of file
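Review bot: The last entry of the new include list, `+/usr/lib/zabbix/`, is committed without a trailing newline (the `\ No newline at end of file` marker now applies to the new side), whereas the old file ended with one. If the include list is consumed with a `while read line` loop, the final unterminated line is dropped and `/usr/lib/zabbix/` would silently be left out of the backup; the `/etc/sudoers.d/zabbix_agentd_user` rename itself is correct. Restore the newline at the end of the file so every entry, including the last, is terminated.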
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index c6e0c5634..b5325c636 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -1,6 +1,7 @@ 
 etc/logrotate.d/zabbix_agentd
 etc/rc.d/init.d/zabbix_agentd
-etc/sudoers.d/zabbix
+etc/sudoers.d/zabbix_agentd
+etc/sudoers.d/zabbix_agentd_user
 etc/zabbix_agentd
 etc/zabbix_agentd/scripts
 etc/zabbix_agentd/zabbix_agentd.conf
diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
index 1b362a4fd..cb4263ff6 100644
--- a/config/zabbix_agentd/sudoers
+++ b/config/zabbix_agentd/sudoers
@@ -1,17 +1,11 @@ 
 # Include file for sudoers file
 #
-# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
-# e.g. /usr/bin/openssl or /usr/sbin/smartctl
+# This is needed for some IPFire specific userparameters to be able to execute commands that only run as root (using sudo)
 #
-# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
+# DO NOT CHANGE THIS FILE. This file is managed by IPFire, will be overwritten on next addon upgrade and is not
+#                          included in the backup.
 #
-# Some hints:
-# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
-#   you might end up locking yourself out of your system!
-# - Append the full path incl. parameters to each command, using "," as separator.
-# - Only add commands you really need. Zabbix should not have more rights than it has to.
-#
-# Append / edit the following list of commands to fit your needs:
+# To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user
 #
 Defaults:zabbix !requiretty
 zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status
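Review bot: The pointer in the new header comment names the file only as `zabbix_agentd_user`, but the file an admin has to edit on the box is `/etc/sudoers.d/zabbix_agentd_user` while the source in the tree is `config/zabbix_agentd/sudoers_user`, so the reader has to guess which is meant. Suggest `# To grant additional sudo rights to the zabbix agent, edit /etc/sudoers.d/zabbix_agentd_user (with visudo -f) instead of this file.`. The two live directives below the comment, `Defaults:zabbix !requiretty` and the `pakfire status` rule, are unchanged by this hunk.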
diff --git a/config/zabbix_agentd/sudoers_user b/config/zabbix_agentd/sudoers_user
new file mode 100644
index 000000000..61cbc417b
--- /dev/null
+++ b/config/zabbix_agentd/sudoers_user
@@ -0,0 +1,16 @@ 
+# Include file for sudoers file
+#
+# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
+# e.g. /usr/bin/openssl or /usr/sbin/smartctl
+#
+# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
+#
+# Some hints:
+# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
+#   you might end up locking yourself out of your system!
+# - Append the full path incl. parameters to each command, using "," as separator.
+# - Only add commands you really need. Zabbix should not have more rights than it has to.
+#
+# Uncomment the following line and edit the example of commands to fit your needs:
+
+#zabbix ALL=(ALL) NOPASSWD: <custom command 1>, <custom command 2>, ...
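Review bot: The warning line in the new template carries over the typo `USE AT YOU'RE OWN RISK`; it should read `# USE AT YOUR OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!`. Because every rule added here runs as root with `NOPASSWD` under `(ALL)`, the hints would benefit from spelling out what "append the full path incl. parameters" protects against, e.g. `# - Never use ALL, wildcards (*) or a shell/editor/interpreter as the command: any of these effectively hands the zabbix user an unrestricted root shell.` and, next to the visudo hint, naming `visudo -cf /etc/sudoers.d/zabbix_agentd_user` as the syntax check to run after editing. The example rule is commented out, so the file grants nothing as shipped, which is the right default.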
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 025a0f0db..f8fbdae5e 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -124,7 +124,9 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Install sudoers include file
 	install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \
-		/etc/sudoers.d/zabbix
+		/etc/sudoers.d/zabbix_agentd
+	install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers_user \
+		/etc/sudoers.d/zabbix_agentd_user
 
 	# Install include file for backup
 	install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \
diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh
index 68bba4f80..a41e72ab4 100644
--- a/src/paks/zabbix_agentd/update.sh
+++ b/src/paks/zabbix_agentd/update.sh
@@ -22,11 +22,25 @@ 
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
+
+# Check if old sudoers file exists and remove if it was not modified
+# or rename to the new zabbix_agentd_user file if it was.
+if [ -f /etc/sudoers.d/zabbix.user ]; then
+	mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
+fi
+
+if [ -f /etc/sudoers.d/zabbix ]; then
+	blake2=$(b2sum /etc/sudoers.d/zabbix | cut -f1 -d" ")
+    # from commits 5737a22 & 06fc617
+	if [ "$blake2" == "b0f73b107fd3842efc7ef3e30f6d948235aa07d533715476c2d3f58c08379193fdde9ff69aa6e0f5eb6cf4a98b2ed2a6f003f23078a57aff239b34cc29e62a98" ] || \
+	   [ "$blake2" == "0628c416a1f217b0962a8ce6d1e339bdb0f0427d86fc06b2e40b63487ffc1a3543562d16f7f954d7fb92cee9764f0261c1663a39dd50bc73fd9b772575c56cfc" ]; then
+		rm -vf /etc/sudoers.d/zabbix
+	else
+		mv -v /etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user
+	fi
+fi
+
 extract_backup_includes
 ./uninstall.sh
 ./install.sh
 
-# Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix
-if [ -e /etc/sudoers.d/zabbix.user ]; then
-	mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
-fi
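Review bot: Both `mv -v` calls in the new migration block (`zabbix.user` → `zabbix`, then `zabbix` → `zabbix_agentd_user`) overwrite their destination unconditionally, so a pre-existing `/etc/sudoers.d/zabbix_agentd_user` — from an admin who prepared one ahead of the update, or from a partially completed earlier run — would be replaced by the old file. Guard the second move instead of clobbering, e.g. `if [ -e /etc/sudoers.d/zabbix_agentd_user ]; then echo "zabbix_agentd_user already exists, not migrating /etc/sudoers.d/zabbix" >&2; else mv -v /etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user; fi`. The migrated file is also moved verbatim with no syntax check, and a broken include in sudoers.d can stop sudo working altogether, so a `visudo -cf /etc/sudoers.d/zabbix_agentd_user` after the move, with a warning on failure, would surface that before the agent's userparameters start failing. Minor: `[ "$blake2" == ... ]` relies on bash's `==` (the shebang is outside the hunk; fine if the script is bash, as the functions.sh sourcing suggests), and the `# from commits` comment is indented with spaces where the surrounding lines use tabs.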