admin:services:apt-dater
Differences
Below are the differences between two revisions of the page.
admin:services:apt-dater [2014/10/22 13:07] – [sudo configuration for apt-dater] zertrin | admin:services:apt-dater [2020/04/26 00:13] (current version) – klafyvel | ||
---|---|---|---|
Line 1: | Line 1: ||
[[: | [[: | ||
- | Each FedeRez server is configured to be updated via [[http:// | + | Each FedeRez server is configured to be updated via [[http:// |
+ | ======= How to run the updates? ======= | ||
- | ====== General information ====== | + | {{page> |
- | TODO | + | ======= Installation on the hosts ======= |
- | ====== Setup ====== | + | {{page> |
- | ===== (Potentially) useful links ===== | + | {{page> |
- | * Official site: http:// | + | ======= The controller ======= |
- | * Reference for the configuration and hardening of | + | |
- | ===== Installation on the managed machines ===== | + | {{page> |
- | Installing the package: | + | ====== (Potentially) useful links ====== |
- | | + | |
- | + | | |
- | ===== Configuration ===== | + | |
- | + | ||
- | ==== Adding a dedicated user ==== | + | |
- | + | ||
- | adduser --quiet --system --home / | + | |
- | + | ||
- | ==== SSH configuration for apt-dater ==== | + | |
- | + | ||
- | We do not | + | |
- | + | ||
- | mkdir -m 0700 ~aptdater/ | + | |
- | + | ||
- | Adding an admin's key to the authorized_keys of | + | |
- | + | ||
- | cat << EOF >> ~aptdater/.ssh/authorized_keys | + | |
- | command=" | + | |
- | EOF | + | |
- | + | ||
- | chown aptdater: -R ~aptdater/ | + | |
- | + | ||
- | ==== Configuration | + | |
- | + | ||
- | cat << " | + | |
- | # package installation is denied | + | |
- | aptdater ALL = (root) NOPASSWD: | + | |
- | | + | |
- | aptdater ALL = (root) NOPASSWD: / | + | |
- | aptdater ALL = (root) NOPASSWD: / | + | |
- | aptdater ALL = (root) NOPASSWD: / | + | |
- | EOF | + | |
- | + | ||
- | chmod 0440 / | + | |
- | + | ||
- | ==== Limiting the priority | + | |
- | + | ||
- | printf " | + | |
- | + | ||
- | ==== Creating a wrapper to secure apt-dater ==== | + | |
- | + | ||
- | To be placed in ''/ | + | |
- | + | ||
- | <code bash> | + | |
- | #!/bin/sh | + | |
- | + | ||
- | set -e | + | |
- | set -u | + | |
- | + | ||
- | # Explicitly set the PATH to that of ENV_SUPATH in / | + | |
- | # various other variables. For details, see: | + | |
- | # https://wiki.ubuntu.com/ | + | |
- | export PATH=/ | + | |
- | export ENV= | + | |
- | export CDPATH= | + | |
- | + | ||
- | LOGGER="/ | + | |
- | APT_DATER_HOST="/ | + | |
- | KILL="/bin/ | + | |
- | SLEEP="/ | + | |
- | + | ||
- | # Install command allowed? | + | |
- | INSTALL_ALLOWED=" | + | |
- | if [ " | + | |
- | if [ " | + | |
- | INSTALL_ALLOWED=" | + | |
- | fi | + | |
- | fi | + | |
- | + | ||
- | illegal_command() { | + | |
- | # Do not log SSH_ORIGINAL_COMMAND for security reasons | + | |
- | $LOGGER " | + | |
- | # Default deny | + | |
- | $KILL -9 $PPID | + | |
- | exit 0 | + | |
- | } | + | |
- | + | ||
- | check_ssh_command() { | + | |
- | if [ " | + | |
- | # not in the form of apt-dater-host upgrade | + | |
- | illegal_command | + | |
- | fi | + | |
- | + | ||
- | if [ " | + | |
- | # not invoking apt-dater-host | + | |
- | illegal_command | + | |
- | else | + | |
- | # Remove the 1st arg with later replace it with the | + | |
- | # fully qualified path to apt-dater-host | + | |
- | shift | + | |
- | fi | + | |
- | + | ||
- | COMMAND=" | + | |
- | shift | + | |
- | + | ||
- | if [ " | + | |
- | $APT_DATER_HOST $COMMAND | + | |
- | elif [ " | + | |
- | # Don't kill the shell session right away when | + | |
- | # upgrading/ | + | |
- | $APT_DATER_HOST $COMMAND && $SLEEP 0.5 | + | |
- | elif [ " | + | |
- | if [ " | + | |
- | # Don't kill the shell session right away when | + | |
- | # upgrading/ | + | |
- | $APT_DATER_HOST $COMMAND $* && $SLEEP 0.5 | + | |
- | else | + | |
- | illegal_command | + | |
- | fi | + | |
- | fi | + | |
- | } | + | |
- | + | ||
- | if [ -z " | + | |
- | illegal_command | + | |
- | fi | + | |
- | + | ||
- | case " | + | |
- | *\&*) | + | |
- | illegal_command | + | |
- | ;; | + | |
- | *\(*) | + | |
- | illegal_command | + | |
- | ;; | + | |
- | *\{*) | + | |
- | illegal_command | + | |
- | ;; | + | |
- | *\;*) | + | |
- | illegal_command | + | |
- | ;; | + | |
- | *\>*) | + | |
- | illegal_command | + | |
- | ;; | + | |
- | *\`*) | + | |
- | illegal_command | + | |
- | ;; | + | |
- | *\|*) | + | |
- | illegal_command | + | |
- | ;; | + | |
- | apt-dater-host\ refresh) | + | |
- | check_ssh_command $SSH_ORIGINAL_COMMAND | + | |
- | ;; | + | |
- | apt-dater-host\ upgrade) | + | |
- | check_ssh_command $SSH_ORIGINAL_COMMAND | + | |
- | ;; | + | |
- | apt-dater-host\ install\ *) | + | |
- | check_ssh_command $SSH_ORIGINAL_COMMAND | + | |
- | ;; | + | |
- | apt-dater-host\ kernel) | + | |
- | check_ssh_command $SSH_ORIGINAL_COMMAND | + | |
- | ;; | + | |
- | *) | + | |
- | illegal_command | + | |
- | ;; | + | |
- | esac | + | |
- | </ | + | |
- | + | ||
- | Not forgetting to make it executable: | + | |
- | chmod 0755 / | ||
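Review bot: in the removed wrapper script, `check_ssh_command` is invoked with `$SSH_ORIGINAL_COMMAND` unquoted in all four `case` arms (`apt-dater-host\ refresh)`, `upgrade`, `install\ *`, `kernel`), so the client-supplied string is word-split and glob-expanded before any per-command check runs, and the `install` branch then forwards whatever is left as `$APT_DATER_HOST $COMMAND $*`; the preceding blacklist arms reject only `&`, `(`, `{`, `;`, `>`, backtick and `|`, which leaves glob characters, `<`, `$`, backslash and newline unfiltered. Since `refresh`, `upgrade` and `kernel` are already matched as exact strings, `install` is the only open-ended path: put `set -f` before the split so globbing cannot rewrite the argument list, and validate each package argument against the Debian package-name alphabet (`^[a-z0-9][a-z0-9.+-]+$`) instead of relying on the blacklist; that also rejects arguments beginning with `-`, which would otherwise reach the package tool as options. `illegal_command` runs `$KILL -9 $PPID` and then `exit 0`: a rejected command should exit non-zero so the controller sees a failure rather than a success. The `command="` line of the `authorized_keys` fragment is cut off here, so it is not visible whether `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` (or `restrict` on OpenSSH 7.2 and later) accompany the forced command; a forced command on its own does not stop the key from being used for port or agent forwarding, so those options belong on the same line. The sudoers fragment is written with `chmod 0440`, which is right; run `visudo -c -f` on the new file before relying on it, because a parse error in an included sudoers file makes `sudo` refuse to run on the whole host. Its comment states that package installation is denied while the wrapper carries an `INSTALL_ALLOWED` switch and an `install` branch: keep the two in agreement, otherwise an `install` the wrapper accepts is refused by sudo at run time with a confusing error.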
admin/services/apt-dater.1413976071.txt.gz · Last modified: 2014/10/22 13:07 by zertrin