#!/bin/bash # # **inc/rootwrap** - Rootwrap functions # # Handle rootwrap's foibles # Uses: ``STACK_USER`` # Defines: ``SUDO_SECURE_PATH_FILE`` # Save trace setting INC_ROOT_TRACE=$(set +o | grep xtrace) set +o xtrace # Accumulate all additions to sudo's ``secure_path`` in one file read last # so they all work in a venv configuration SUDO_SECURE_PATH_FILE=${SUDO_SECURE_PATH_FILE:-/etc/sudoers.d/zz-secure-path} # Add a directory to the common sudo ``secure_path`` # add_sudo_secure_path dir function add_sudo_secure_path { local dir=$1 local line # This is pretty simplistic for now - assume only the first line is used if [[ -r $SUDO_SECURE_PATH_FILE ]]; then line=$(head -1 $SUDO_SECURE_PATH_FILE) else line="Defaults:$STACK_USER secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin" fi # Only add ``dir`` if it is not already present if [[ ! $line =~ $dir ]]; then echo "${line}:$dir" | sudo tee $SUDO_SECURE_PATH_FILE sudo chmod 400 $SUDO_SECURE_PATH_FILE sudo chown root:root $SUDO_SECURE_PATH_FILE fi } # Configure rootwrap # Make a load of assumptions otherwise we'll have 6 arguments # configure_rootwrap project function configure_rootwrap { local project=$1 local project_uc project_uc=$(echo $1|tr a-z A-Z) local bin_dir="${project_uc}_BIN_DIR" bin_dir="${!bin_dir}" local project_dir="${project_uc}_DIR" project_dir="${!project_dir}" local rootwrap_conf_src_dir="${project_dir}/etc/${project}" local rootwrap_bin="${bin_dir}/${project}-rootwrap" # Start fresh with rootwrap filters sudo rm -rf /etc/${project}/rootwrap.d sudo install -d -o root -g root -m 755 /etc/${project}/rootwrap.d sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.d/*.filters /etc/${project}/rootwrap.d # Set up rootwrap.conf, pointing to /etc/*/rootwrap.d sudo install -o root -g root -m 644 $rootwrap_conf_src_dir/rootwrap.conf /etc/${project}/rootwrap.conf sudo sed -e "s:^filters_path=.*$:filters_path=/etc/${project}/rootwrap.d:" -i /etc/${project}/rootwrap.conf # Rely on $PATH set by devstack to determine what is safe to execute # by rootwrap rather than use explicit whitelist of paths in # rootwrap.conf sudo sed -e 's/^exec_dirs=.*/#&/' -i /etc/${project}/rootwrap.conf # Set up the rootwrap sudoers local tempfile tempfile=$(mktemp) # Specify rootwrap.conf as first parameter to rootwrap rootwrap_sudo_cmd="${rootwrap_bin} /etc/${project}/rootwrap.conf *" echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >$tempfile if [ -f ${bin_dir}/${project}-rootwrap-daemon ]; then # rootwrap daemon does not need any parameters rootwrap_sudo_cmd="${rootwrap_bin}-daemon /etc/${project}/rootwrap.conf" echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudo_cmd" >>$tempfile fi chmod 0440 $tempfile sudo chown root:root $tempfile sudo mv $tempfile /etc/sudoers.d/${project}-rootwrap # Add bin dir to sudo's secure_path because rootwrap is being called # without a path because BROKEN. add_sudo_secure_path $(dirname $rootwrap_bin) } # Restore xtrace $INC_ROOT_TRACE # Local variables: # mode: shell-script # End: