From b002651ff9c2e3dd6ed8764823ae7d96322513ed Mon Sep 17 00:00:00 2001 From: Tzafrir Cohen Date: Mon, 19 Dec 2011 16:39:43 +0000 Subject: rapid-tunneling: no more rapid-tunneling "user" * suders entry runs as root. * use a sudoers.d file if possible (only thing in Debian). * Version bumped to 1.12. git-svn-id: svn+ssh://xorcom/home/svn/debs/components/rapid-tunneling@10209 283159da-0705-0410-b60c-f2062b4bb6ad --- Makefile | 5 +++- debian/changelog | 8 ++++++ debian/control | 2 +- debian/rapid-tunneling-gui.install | 1 + debian/rapid-tunneling-gui.postinst | 53 ------------------------------------- debian/rapid-tunneling-gui.prerm | 22 --------------- gui/checkra.php | 4 +-- gui/index.php | 2 +- rapid-tunneling.spec | 20 ++++++++------ sudoers | 3 +++ 10 files changed, 32 insertions(+), 88 deletions(-) delete mode 100644 debian/rapid-tunneling-gui.postinst delete mode 100644 debian/rapid-tunneling-gui.prerm create mode 100644 sudoers diff --git a/Makefile b/Makefile index 9c070cc..13c6465 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,8 @@ SPEC = rapid-tunneling.spec SCRIPTS = rapid-tunneling rapid-tunneling-status rtadm rt-from-remote \ rt_handle_uploaded_key -CONFIGS = rtadm.config support_env rapid-tunneling.conf gui.htpasswd rtadm.bash_completion +CONFIGS = rtadm.config support_env rapid-tunneling.conf gui.htpasswd \ + rtadm.bash_completion sudoers GUI = gui DOCS = README ChangeLog rapid-tunneling.8 rapid-tunneling-status.8 SOURCES = Makefile $(SPEC) $(SCRIPTS) $(CONFIGS) $(GUI) .placeholder $(DOCS) @@ -77,5 +78,7 @@ install: install -m 644 rapid-tunneling.conf $(DESTDIR)/etc/httpd/conf.d/ install -m 755 -d $(DESTDIR)/etc/bash_completion.d install -m 644 rtadm.bash_completion $(DESTDIR)/etc/bash_completion.d/rtadm + install -m 755 -d $(DESTDIR)/etc/sudoers.d + install -m 644 sudoers $(DESTDIR)/etc/sudoers.d/rapid-tunneling .PHONY: clean diff --git a/debian/changelog b/debian/changelog index 8b91cb1..be87be3 100644 --- a/debian/changelog +++ b/debian/changelog 
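Review bot: The added `install -m 644 sudoers $(DESTDIR)/etc/sudoers.d/rapid-tunneling` line ships the sudoers fragment with mode 0644, while sudo documents 0440 for sudoers files and some sudo versions refuse to parse a fragment with any other mode. I would install it as `install -m 440 sudoers $(DESTDIR)/etc/sudoers.d/rapid-tunneling`. The `%config /etc/sudoers.d/rapid-tunneling` entry added to rapid-tunneling.spec needs the same mode, e.g. `%attr(0440,root,root) %config(noreplace) /etc/sudoers.d/rapid-tunneling`. A `visudo -c -f sudoers` step at build time would also catch a syntax error before the file reaches a host. The install target begins outside this hunk.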
@@ -1,3 +1,11 @@
+rapid-tunneling (1.12) unstable; urgency=low
+
+ * rapid-tunneling-gui: No user created (just use root).
+ * rapid-tunneling-gui: Use a sudoers file.
+ * Use my @debian.org address.
+
+ -- Tzafrir Cohen Mon, 19 Dec 2011 17:27:18 +0200
+
 rapid-tunneling (1.11) unstable; urgency=low
 
 * Include upstream ChangeLog.
diff --git a/debian/control b/debian/control
index 1e78cdd..e7d7964 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: rapid-tunneling
 Section: net
 Priority: extra
 Maintainer: Alex Landau
-Uploaders: Tzafrir Cohen
+Uploaders: Tzafrir Cohen
 Build-Depends: cdbs, debhelper (>= 7), asciidoc
 Standards-Version: 3.9.2
 Homepage: http://www.xorcom.com/
diff --git a/debian/rapid-tunneling-gui.install b/debian/rapid-tunneling-gui.install
index 9b09d37..81851ff 100644
--- a/debian/rapid-tunneling-gui.install
+++ b/debian/rapid-tunneling-gui.install
@@ -1,2 +1,3 @@
 usr/share/rapid-tunneling/www
 etc/rapid-tunneling/gui.htpasswd
+etc/sudoers.d/rapid-tunneling
diff --git a/debian/rapid-tunneling-gui.postinst b/debian/rapid-tunneling-gui.postinst
deleted file mode 100644
index a84148b..0000000
--- a/debian/rapid-tunneling-gui.postinst
+++ /dev/null
@@ -1,53 +0,0 @@ -#!/bin/sh -# postinst script for rapid-tunneling -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -SUDOERS=/etc/sudoers -user="asterisk" -TEXT="Defaults>$user !lecture -$user ALL=(rapid-tunneling) NOPASSWD:/usr/sbin/rapid-tunneling -$user ALL=(rapid-tunneling) NOPASSWD:/usr/sbin/rapid-tunneling-status" - -case "$1" in - configure) - # add a user with uid=gid=0 - if ! getent passwd rapid-tunneling >/dev/null ; then - useradd -d /var/lib/rapid-tunneling/home -m -u 0 -g 0 -o rapid-tunneling - fi - # FIXME: use sudoers.d - if ! fgrep -q "$TEXT" $SUDOERS; then echo "$TEXT" >> $SUDOERS; fi - # FIXME: reloading httpd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - - diff --git a/debian/rapid-tunneling-gui.prerm b/debian/rapid-tunneling-gui.prerm deleted file mode 100644 index 5730c27..0000000 --- a/debian/rapid-tunneling-gui.prerm +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh - -set -e - -SUDOERS=/etc/sudoers -user="asterisk" -TEXT="Defaults>$user !lecture -$user ALL=(rapid-tunneling) NOPASSWD:/usr/sbin/rapid-tunneling -$user ALL=(rapid-tunneling) NOPASSWD:/usr/sbin/rapid-tunneling-status" - -case "$1" in - remove|upgrade|deconfigure) - fgrep -v "$TEXT" $SUDOERS > ${SUDOERS}.tmp && cp ${SUDOERS}.tmp $SUDOERS && rm ${SUDOERS}.tmp - # TODO: reload httpd? - ;; -esac - -#DEBHELPER# - -exit 0 - - diff --git a/gui/checkra.php b/gui/checkra.php index 13c2d94..4354b73 100644 --- a/gui/checkra.php +++ b/gui/checkra.php @@ -6,7 +6,7 @@ 0) $pid = trim($pid[0]); else 
@@ -20,7 +20,7 @@ $pid = $res[0]; $status = $res[1]; if (isset($_REQUEST["action"]) && $_REQUEST["action"] == "disconnect" && $pid != "" && ($status == 0 || $status == 1)) { // stop it - exec("sudo -H -u rapid-tunneling /usr/sbin/rapid-tunneling-status -s"); + exec("sudo -H /usr/sbin/rapid-tunneling-status -s"); $res = get_status(); $pid = $res[0]; $status = $res[1]; diff --git a/gui/index.php b/gui/index.php index 423db56..7f3eecf 100644 --- a/gui/index.php +++ b/gui/index.php @@ -42,7 +42,7 @@ if (isset($_REQUEST["submit"])) break; } # FIXME: insecure temporary file /tmp/ra.log - system("sudo -H -u rapid-tunneling rapid-tunneling ". + system("sudo -H rapid-tunneling ". $_FILES["filename"]["tmp_name"]." >/tmp/ra.log 2>&1", $ret); if ($ret != 0) $error = "Invalid or corrupt file. Please try again."; diff --git a/rapid-tunneling.spec b/rapid-tunneling.spec index 77adfa6..4773cb8 100644 --- a/rapid-tunneling.spec +++ b/rapid-tunneling.spec @@ -1,6 +1,6 @@ Summary: Xorcom RapidTunneling (tm) Name: rapid-tunneling -Version: 1.11 +Version: 1.12 Release: 1 License: GPLv2+ Group: Applications/Internet 
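Review bot: The new `exec("sudo -H /usr/sbin/rapid-tunneling-status -s");` call discards both the output and the exit status, so a host where sudo refuses the command fails the disconnect silently and the page simply re-reads the status. That can happen, for example, where only the old `(rapid-tunneling)` entries are present in /etc/sudoers. Capturing the result with `exec("sudo -H /usr/sbin/rapid-tunneling-status -s", $out, $rc);` and reporting `$rc != 0` would make that visible. The branch is reached through `$_REQUEST`, so a plain GET appears able to trigger this privileged command; limiting the action to POST with a request token is worth considering, though the surrounding handler lies outside this hunk.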
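Review bot: The rewritten `system("sudo -H rapid-tunneling ". ...)` call names the command without a path, whereas the sudoers rule and gui/checkra.php both use `/usr/sbin/rapid-tunneling`, so whether the rule matches depends on the web server's PATH or sudo's secure_path. The upload's temporary name is also concatenated into the shell string unquoted. I would write `system("sudo -H /usr/sbin/rapid-tunneling ". escapeshellarg($_FILES["filename"]["tmp_name"]) ." >/tmp/ra.log 2>&1", $ret);`. The fixed `/tmp/ra.log` target that the existing FIXME mentions is still opened by the web server's shell before sudo runs, so it remains a predictable path in a shared directory. Logging under a directory that only the web server user can write would close that.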
@@ -73,19 +73,17 @@ fi SUDOERS=/etc/sudoers user="asterisk" TEXT="Defaults>$user !lecture -$user ALL=(rapid-tunneling) NOPASSWD:/usr/sbin/rapid-tunneling -$user ALL=(rapid-tunneling) NOPASSWD:/usr/sbin/rapid-tunneling-status" +$user ALL= NOPASSWD:/usr/sbin/rapid-tunneling +$user ALL= NOPASSWD:/usr/sbin/rapid-tunneling-status" if ! fgrep -q "$TEXT" $SUDOERS; then echo "$TEXT" >> $SUDOERS; fi service httpd reload %postun gui if [ "$1" = 0 ]; then + # Not optimal, but better than nothing. Only proper fix + # is suddoers.d: SUDOERS=/etc/sudoers - user="asterisk" - TEXT="Defaults>$user !lecture -$user ALL=(rapid-tunneling) NOPASSWD:/usr/sbin/rapid-tunneling -$user ALL=(rapid-tunneling) NOPASSWD:/usr/sbin/rapid-tunneling-status" - fgrep -v "$TEXT" $SUDOERS > ${SUDOERS}.tmp && cp ${SUDOERS}.tmp $SUDOERS && rm ${SUDOERS}.tmp + sed -i -e "/NOPASSWD:\/usr\/sbin\/rapid-tunneling/d" /etc/sudoers fi service httpd reload @@ -113,8 +111,14 @@ service httpd reload %{_datadir}/rapid-tunneling/www %config(noreplace) /etc/rapid-tunneling/gui.htpasswd %config /etc/httpd/conf.d/rapid-tunneling.conf +%config /etc/sudoers.d/rapid-tunneling %changelog +* Mon Dec 19 2011 Tzafrir Cohen 1.12-1 +- Removed separate rapid-tunneling "user". +- Work around a bug in centos5 sudo: no more permanent "connecting". +- Separate sudoers file added for e.g. Centos6. + * Tue Jun 14 2011 Tzafrir Cohen 1.11-1 - Only create rapid-tunneling user in scripts of -gui - Don't delete created users (rpmlint, Elad) diff --git a/sudoers b/sudoers new file mode 100644 index 0000000..ff802d5 --- /dev/null +++ b/sudoers @@ -0,0 +1,3 @@ +Defaults>asterisk !lecture +asterisk ALL= NOPASSWD:/usr/sbin/rapid-tunneling +asterisk ALL= NOPASSWD:/usr/sbin/rapid-tunneling-status -- cgit v1.2.3
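Review bot: The `sed -i -e "/NOPASSWD:\/usr\/sbin\/rapid-tunneling/d" /etc/sudoers` line in %postun deletes every line containing that string, including rules an administrator may have added for other users, and it leaves behind the `Defaults>asterisk !lecture` line that %post appended. Anchoring the pattern to the package's own entries keeps the cleanup to those lines, still covers the old `ALL=(rapid-tunneling)` form, and uses the `SUDOERS` variable that is otherwise set but unused: `sed -i -e '/^asterisk ALL=.* NOPASSWD:\/usr\/sbin\/rapid-tunneling/d' -e '/^Defaults>asterisk !lecture$/d' "$SUDOERS"`. Separately, %post still appends the rules to /etc/sudoers while %files now ships /etc/sudoers.d/rapid-tunneling, so hosts whose sudoers includes that directory end up with the rules twice. Neither scriptlet validates the edited file, and a `visudo -c` check after the edit would catch a broken /etc/sudoers before it locks out sudo. The scriptlets begin outside this hunk.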
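Review bot: `Defaults>asterisk !lecture` uses the runas form of Defaults, which applies to commands run as asterisk, whereas the two rules below grant rights to asterisk as the invoking user, so the user form `Defaults:asterisk !lecture` is the one that would take effect here. The same line is written by %post in rapid-tunneling.spec. The command entries also carry no argument list, which lets asterisk pass any arguments to `/usr/sbin/rapid-tunneling` and `/usr/sbin/rapid-tunneling-status` as root without a password. If the GUI only needs a fixed set (gui/checkra.php calls the status tool with `-s`), listing those arguments in the rule narrows what a compromised web application can request. A header comment such as `# Installed by rapid-tunneling-gui: lets the web GUI (user asterisk) start and stop the tunnel` would help an administrator who finds this file in /etc/sudoers.d.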