author | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2023-02-19 11:31:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2023-02-19 12:23:06 +0000 |
commit | f0837147f4963a85132f0fd51845756ce45d1ecc (patch) | |
tree | e892e20df021d8db9dc69df162448c0aff00b0f3 /apt | |
parent | Completely stop and start apache in dehydrated hook to ensure OCSP renewals. (diff) | |
download | service-tools-f0837147f4963a85132f0fd51845756ce45d1ecc.tar.xz service-tools-f0837147f4963a85132f0fd51845756ce45d1ecc.zip |
Adding apt tools.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
Diffstat (limited to 'apt')
-rw-r--r-- | apt/Makefile | 80 | ||||
-rwxr-xr-x | apt/bin/apt-install | 68 | ||||
-rwxr-xr-x | apt/bin/apt-remove | 67 | ||||
-rw-r--r-- | apt/share/man/Makefile | 59 | ||||
-rw-r--r-- | apt/share/man/apt-install.1.rst | 123 | ||||
-rw-r--r-- | apt/share/man/man.in | 19 |
6 files changed, 416 insertions, 0 deletions
diff --git a/apt/Makefile b/apt/Makefile
new file mode 100644
index 0000000..6b3744b
--- /dev/null
+++ b/apt/Makefile
@@ -0,0 +1,80 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+SHELL := sh -e
+
+SCRIPTS = bin/*
+
+all: build
+
+test:
+ @echo -n "Checking for syntax errors with sh... "
+ @for SCRIPT in $(SCRIPTS); \
+ do \
+ sh -n $${SCRIPT}; \
+ echo -n "."; \
+ done
+ @echo " done."
+
+ @echo -n "Checking for bashisms... "
+ @if [ -x /usr/bin/checkbashisms ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ checkbashisms -f -x $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: devscripts not installed, skipping checkbashisms."; \
+ fi
+ @echo " done."
+
+ @echo -n "Checking with shellcheck... "
+ @if [ -x /usr/bin/shellcheck ]; \
+ then \
+ for SCRIPT in $(SCRIPTS); \
+ do \
+ shellcheck -e SC2039 $${SCRIPT}; \
+ echo -n "."; \
+ done; \
+ else \
+ echo "Note: shellcheck not installed, skipping shellcheck."; \
+ fi
+ @echo " done."
+
+build:
+
+install: build
+ mkdir -p $(DESTDIR)/usr/bin
+ cp -r bin/* $(DESTDIR)/usr/bin
+
+uninstall:
+ for FILE in bin/*; \
+ do \
+ rm -f $(DESTDIR)/usr/bin/$$(basename $${FILE}); \
+ done
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR)/usr/bin || true
+
+ rmdir --ignore-fail-on-non-empty --parents $(DESTDIR) || true
+
+clean:
+
+distclean:
+
+reinstall: uninstall install
diff --git a/apt/bin/apt-install b/apt/bin/apt-install
new file mode 100755
index 0000000..2427361
--- /dev/null
+++ b/apt/bin/apt-install
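Review bot: None of the targets in this Makefile (`all`, `test`, `build`, `install`, `uninstall`, `clean`, `distclean`, `reinstall`) are declared phony, so a file called `test` or `install` appearing in `apt/` would make `make test` report nothing to do and silently skip the sh, checkbashisms and shellcheck passes. Add `.PHONY: all test build install uninstall clean distclean reinstall` after the `SCRIPTS` assignment. `SCRIPTS = bin/*` also relies on the shell expanding the glob inside each recipe loop; `SCRIPTS := $(wildcard bin/*)` expands it once in make and is the usual form. The same `.PHONY` omission applies to apt/share/man/Makefile.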
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+OPTIONS="${*}"
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} PACKAGE" >&2
+ echo "Usage: ${PROGRAM} PACKAGE1 PACKAGE2 ..." >&2
+ echo
+ echo "See ${PROGRAM}(1) for more information."
+
+ exit 1
+}
+
+if [ -z "${OPTIONS}" ]
+then
+ Usage
+fi
+
+for OPTION in ${OPTIONS}
+do
+ case "${OPTION}" in
+ -*)
+ # abort if options are trying to be used
+ Usage
+ ;;
+
+ /*)
+ # abort if local deb files are trying to be installed
+ Usage
+ ;;
+
+ .*)
+ # abort if local deb files are trying to be installed
+ echo "Debug: ."
+ Usage
+ ;;
+ esac
+done
+
+# ignore local apt configuration files
+APT_CONFIG=""
+export APT_CONFIG
+
+apt update
+apt install "${OPTIONS}"
diff --git a/apt/bin/apt-remove b/apt/bin/apt-remove
new file mode 100755
index 0000000..655246e
--- /dev/null
+++ b/apt/bin/apt-remove
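Review bot: `apt install "${OPTIONS}"` on the last line quotes the joined argument string, so `apt-install foo bar` hands apt the single package name `foo bar`, which apt will most likely reject as unknown; only the one-package form of the documented synopsis works. Since the validation loop already inspects arguments one by one, iterate over and pass the positional parameters instead: `for OPTION in "${@}"` and `apt install "${@}"` (the `[ -z "${OPTIONS}" ]` emptiness check can stay as is). That also removes the unquoted `${OPTIONS}` in the loop, whose word splitting and pathname expansion mean an argument like `*` is checked against the files in the caller's working directory rather than as given. The same two lines need the same change in apt-remove (`apt remove --purge "${OPTIONS}"`), and the `echo "Debug: ."` left in the `.*` branch of both scripts looks like a leftover debug print and should be dropped. Whether apt's local-file detection accepts any argument form the three prefix checks (`-*`, `/*`, `.*`) do not cover is worth confirming against the apt version this targets, since that is the guarantee the man page makes.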
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+set -e
+
+PROGRAM="$(basename "${0}")"
+OPTIONS="${*}"
+
+Usage ()
+{
+ echo "Usage: ${PROGRAM} PACKAGE" >&2
+ echo "Usage: ${PROGRAM} PACKAGE1 PACKAGE2 ..." >&2
+ echo
+ echo "See ${PROGRAM}(1) for more information."
+
+ exit 1
+}
+
+if [ -z "${OPTIONS}" ]
+then
+ Usage
+fi
+
+for OPTION in ${OPTIONS}
+do
+ case "${OPTION}" in
+ -*)
+ # abort if options are trying to be used
+ Usage
+ ;;
+
+ /*)
+ # abort if local deb files are trying to be installed
+ Usage
+ ;;
+
+ .*)
+ # abort if local deb files are trying to be installed
+ echo "Debug: ."
+ Usage
+ ;;
+ esac
+done
+
+# ignore local apt configuration files
+APT_CONFIG=""
+export APT_CONFIG
+
+apt remove --purge "${OPTIONS}"
diff --git a/apt/share/man/Makefile b/apt/share/man/Makefile
new file mode 100644
index 0000000..a6d6bf2
--- /dev/null
+++ b/apt/share/man/Makefile
@@ -0,0 +1,59 @@
+# Open Infrastructure: service-tools
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Depends: python3-docutils
+
+RST2MAN = rst2man \
+ --no-datestamp \
+ --no-generator \
+ --strict \
+ --strip-comments \
+ --tab-width=4 \
+ --verbose
+
+VERSION := $(shell cat ../../../VERSION.txt)
+
+SHELL := sh -e
+
+all: build
+
+build: man
+
+man: man.in *.rst
+ @echo -n "Creating manpages... "
+
+ @for FILE in *.rst; \
+ do \
+ cp man.in $$(basename $${FILE} .rst); \
+ $(RST2MAN) $${FILE} | \
+ sed -e '/^.\\" Man page generated/d' \
+ -e '/^.\\" Generated by/d' \
+ -e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $${VERSION} service-tools |" \
+ >> $$(basename $${FILE} .rst); \
+ echo -n "."; \
+ done
+
+ @echo " done."
+
+clean:
+ rm -f *.[0-9]
+
+distclean: clean
+
+rebuild: clean build
diff --git a/apt/share/man/apt-install.1.rst b/apt/share/man/apt-install.1.rst
new file mode 100644
index 0000000..f446ea9
--- /dev/null
+++ b/apt/share/man/apt-install.1.rst
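Review bot: The sed expression in the `man` recipe substitutes `$${VERSION}`, which make passes to the shell as `${VERSION}`, but `VERSION` is a make variable set with `:=` above and is not exported, so unless the environment already carries a VERSION the `.TH` line of every generated page most likely ends up with an empty version field. Use the make expansion instead: `-e "s|^\(.TH .*\) \(\"\" \"\"\) |\1 $(VERSION) service-tools |" \`. A failure of `$(RST2MAN) --strict` is also masked, because `sh -e` only sees the exit status of the trailing `sed` in the pipeline, so a broken .rst still produces a page that looks up to date; writing rst2man's output to a temporary file first, then filtering it, would surface the error. As noted for apt/Makefile, `all`, `build`, `man`, `clean`, `distclean` and `rebuild` should be listed in a `.PHONY:` declaration.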
@@ -0,0 +1,123 @@
+.. Open Infrastructure: service-tools
+
+.. Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+..
+.. SPDX-License-Identifier: GPL-3.0+
+..
+.. This program is free software: you can redistribute it and/or modify
+.. it under the terms of the GNU General Public License as published by
+.. the Free Software Foundation, either version 3 of the License, or
+.. (at your option) any later version.
+..
+.. This program is distributed in the hope that it will be useful,
+.. but WITHOUT ANY WARRANTY; without even the implied warranty of
+.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.. GNU General Public License for more details.
+..
+.. You should have received a copy of the GNU General Public License
+.. along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+===========
+apt-install
+===========
+
+------------------------------------------------------------------------
+securely allow unprivileged users to install packages via apt using sudo
+------------------------------------------------------------------------
+
+:manual section: 1
+:manual group: Open Infrastructure
+
+Synopsis
+========
+
+| **sudo apt-install** PACKAGE
+| **sudo apt-install** PACKAGE1 PACKAGE2 ...
+
+Description
+===========
+
+**apt-install** securely allows unprivileged users to install packages via apt using sudo.
+
+Some background information
+===========================
+
+| **Use case**
+| On managed systems by a group of system administrators, it would be nice to allow
+| unprivileged users to install the packages they like from the pre-configured
+| Debian repositories.
+|
+| **Unsecure via sudo**
+| Traditionally this has been done by granting the unprivileged users to run
+| sudo with e.g.:
+| "user ALL=NOPASSWD: /usr/bin/apt, /usr/bin/apt-get"
+| (see sudoers(5) for information about sudoers, the configuration file for sudo).
+|
+| **Using local apt configuration**
+| Using sudo as above allows for custom apt options to be passed as arguments, e.g.:
+| sudo apt update -o APT::Update::Pre-Invoke::="/bin/sh"
+|
+| Or refering to local apt configuration file:
+| sudo APT_CONFIG=~/apt.conf apt update
+|
+| **Installing local debian packages**
+| Unfortunatly this allows to not just install packages from the repositories,
+| but also to install local packages:
+| sudo apt install ./root-shell.deb
+|
+| Creating a Debian package that contains a wrapper for a root shell or invokes
+| a shell as root during within the maintainer scripts is left to the reader,
+| however, there's a example available here:
+| https://git.open-infrastructure.net/software/root-shell/
+
+| **Using wrapper scripts for apt install and apt remove**
+| The apt-install and apt-remove wrapper drop parameters as well as file and path
+| arguments to ensure only packages from the configured Debian repositories can be
+| installed.
+
+sudo configuration
+==================
+
+| Users can be granted sudo rights for apt-install and apt-remove via sudoers(5):
+| "user ALL=NOPASSWD: /usr/bin/apt-install, /usr/bin/apt-remove"
+
+| It might make sense to also allow unprivileged users to allow updating the system:
+| "user ALL=NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /usr/bin/apt dist-upgrade"
+
+Warning
+=======
+
+| Granting users local access to a system is always a security risk.
+| Giving local users the ability to install packages even more so.
+
+| While the apt-install and apt-remove wrappers do prevent installing malicious packages,
+| bugs in any of the packages within the configured Debian repositories can be exploited.
+
+See also
+========
+
+| apt(8),
+| sudo(8),
+| sudoers(5)
+
+Homepage
+========
+
+More information about service-tools and the Open Infrastructure project can be
+found on the homepage (https://open-infrastructure.net).
+
+Contact
+=======
+
+Bug reports, feature requests, help, patches, support and everything else are
+welcome on the Open Infrastructure Software Mailing List
+<software@lists.open-infrastructure.net>.
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System
+(https://bugs.debian.org).
+
+Authors
+=======
+
+service-tools were written by Daniel Baumann
+<daniel.baumann@open-infrastructure.net> and others.
diff --git a/apt/share/man/man.in b/apt/share/man/man.in
new file mode 100644
index 0000000..f95ca67
--- /dev/null
+++ b/apt/share/man/man.in
@@ -0,0 +1,19 @@
+.\" Open Infrastructure: service-tools
+.\"
+.\" Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+.\"
+.\" SPDX-License-Identifier: GPL-3.0+
+.\"
+.\" This program is free software: you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <https://www.gnu.org/licenses/>.
+.\" |