fix: osh-groupCreate: fix for centos 8.3

Stéphane Lesimple 2020-12-08 14:27:55 +00:00
parent 457a8fae82
commit 7707b1c351
No known key found for this signature in database
GPG key ID: 4B4A3289E9D35658
2 changed files with 22 additions and 21 deletions


@ -20,7 +20,7 @@ jobs:
name: Full
strategy:
matrix:
platform: [centos7@centos:7.7.1908, centos7@centos:7.8.2003, centos7@centos:7.9.2009, centos8@centos:8.1.1911, centos8@centos:8.2.2004, centos8@centos:8.3.2011, debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004]
platform: ['centos7@centos:7.7.1908', 'centos7@centos:7.8.2003', 'centos7@centos:7.9.2009', 'centos8@centos:8.1.1911', 'centos8@centos:8.2.2004', 'centos8@centos:8.3.2011', debian10, debian8, debian9, opensuse150, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004]
runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'tests:full')
steps:


@ -175,6 +175,27 @@ $fnret->err eq 'OK'
# Building /home/$group
OVH::Bastion::touch_file("/home/$group/allowed.ip");
osh_info("Adjusting permissions...");
my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x');
foreach my $command (
['chown', '-R', "$group:$group", "/home/$group"],
['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"],
['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"],
['chmod', '0664', "/home/$group/allowed.ip"],
)
{
$fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1);
$fnret->err eq 'OK'
or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")");
}
chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") {
OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x")
or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir");
}
osh_debug("Adding allowkeeper to group $group");
$fnret = OVH::Bastion::add_user_to_group(group => $group, user => 'allowkeeper', groupType => 'key');
$fnret or HEXIT($fnret);
@ -239,26 +260,6 @@ if (!$no_key) {
$fnret or HEXIT($fnret);
}
osh_info("Adjusting permissions...");
my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x');
foreach my $command (
['chown', '-R', "$group:$group", "/home/$group"],
['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"],
['chmod', '-R', "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"],
['chmod', '0664', "/home/$group/allowed.ip"],
)
{
$fnret = OVH::Bastion::execute(cmd => $command, noisy_stderr => 1);
$fnret->err eq 'OK'
or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod to adjust permissions (" . $fnret->msg . ")");
}
chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();
foreach my $gr ("$group-owner", "$group-gatekeeper", "$group-aclkeeper", "osh-whoHasAccessTo", "osh-auditor") {
OVH::Bastion::sys_setfacl(target => "/home/$group", perms => "g:$gr:x")
or HEXIT('ERR_SETFACL_FAILED', msg => "Error setting ACLs on group homedir");
}
# allowed to sudo for the group
osh_info("Configuring sudoers for this group");
$fnret = OVH::Bastion::execute(cmd => [$OVH::Bastion::BASEPATH . '/bin/sudogen/generate-sudoers.sh', 'create', 'group', $group], must_succeed => 1, noisy_stdout => 1);
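Review bot: Running the recursive `chown -R "$group:$group"` / `chmod -R "o-rwx,g=r$bigX,u=rw$bigX"` pass before `add_user_to_group` means it no longer covers anything created under `/home/$group` later in the script, in particular whatever the `if (!$no_key)` block writes just before the old location. That block is outside the visible hunks, so it cannot be confirmed here that it sets owner and mode on its own files; if it does not, they keep their creation-time ownership and permissions, and a targeted chown/chmod after that block would restore the earlier guarantee. Separately, the moved `chmod 0751, "/home/$group" if !OVH::Bastion::has_acls();` ignores its return value, so a failure goes unnoticed; consider `chmod(0751, "/home/$group") == 1 or HEXIT('ERR_CHMOD_FAILED', msg => "Error while running chmod on group homedir ($!)");` under the same condition. A short comment above `osh_info("Adjusting permissions...")` saying why this must happen before `add_user_to_group` on CentOS 8.3 would keep a later refactor from moving it back.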