From 9c298e0c79a1d2c5c6191582aa22d7e6a30dbad7 Mon Sep 17 00:00:00 2001
From: Patrick Van der Veken
Date: Wed, 26 Aug 2015 15:02:03 +0200
Subject: [PATCH] Added DO_SFTP_CHMOD parameter Also small and not so small fixes
---
 manage_sudo.conf | 3 +++
 manage_sudo.sh | 30 +++++++++++++++++++-------
 update_sudo.pl | 55 ++++++++++++++++++++++++++----------------------
 3 files changed, 55 insertions(+), 33 deletions(-)
diff --git a/manage_sudo.conf b/manage_sudo.conf
index b08284f..56e9c27 100644
--- a/manage_sudo.conf
+++ b/manage_sudo.conf
@@ -16,6 +16,9 @@ SUDO_TRANSFER_USER=""
 # name of the OS group that should own the SUDO controls files
 SUDO_OWNER_GROUP="sudoadmin"
+# whether a 'chmod' needs to be executed after each sftp transfer [0=Yes; 1=No]
+DO_SFTP_CHMOD=0
+
 # extra arguments/options for the SFTP command
 SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -b - "
diff --git a/manage_sudo.sh b/manage_sudo.sh
index 72f09f2..282021e 100644
--- a/manage_sudo.sh
+++ b/manage_sudo.sh
@@ -38,6 +38,9 @@
 # @(#) 2015-08-18: moved essential configuration items of the script into a
 # @(#) separate configuration file (global/local), fix in
 # @(#) wait_for_children (VRF 1.2.0) [Patrick Van der Veken]
+# @(#) 2015-08-26: added DO_SFTP_CHMOD configuration parameter to avoid
+# @(#) setstat failures with sftp_file() when remote file
+# @(#) permissions do not allow (VRF 1.2.1) [Patrick Van der Veken]
 # -----------------------------------------------------------------------------
 # DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING!
 #******************************************************************************
@@ -51,7 +54,7 @@
 # or LOCAL_CONFIG_FILE instead
 # define the V.R.F (version/release/fix)
-MY_VRF="1.2.0"
+MY_VRF="1.2.1"
 # name of the global configuration file (script)
 GLOBAL_CONFIG_FILE="manage_sudo.conf"
 # name of the local configuration file (script)
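Review bot: In the manage_sudo.conf hunk, the new `DO_SFTP_CHMOD=0` ships with the chmod step switched on, and its `0=Yes; 1=No` polarity is easy to misread as an ordinary on/off flag. The comment removed from manage_sudo.sh's sftp hunk said chmod had to stay disabled because the control files are root-owned, so this default looks like a behaviour change for existing installs; that is inferred, since the new transfer code is not legible on this page. I would spell out both values in the comment, for example `# 0=run chmod after each sftp transfer; 1=skip it (needed when the transfer user cannot setstat the remote files)`. Separately, the unchanged `SFTP_ARGS` context line still sets `StrictHostKeyChecking=no`, so the hosts receiving sudo rules are not authenticated by host key; it is outside this change but deserves a caveat comment in the config.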
@@ -111,6 +114,12 @@ then print -u2 "ERROR: you must define a value for the REMOTE_DIR setting in $0" exit 1 fi +# DO_SFTP_CHMOD +if [[ -z "${DO_SFTP_CHMOD}" ]] +then + print -u2 "ERROR: you must define a value for the DO_SFTP_CHMOD setting in $0" + exit 1 +fi # SUDO_UPDATE_USER if [[ -z "${SUDO_UPDATE_USER}" ]] then @@ -665,17 +674,22 @@ TRANSFER_FILE="${TRANSFER_FILE%!*}" SOURCE_FILE="${TRANSFER_FILE##*/}" OLD_PWD=$(pwd) && cd ${TRANSFER_DIR} -# transfer, chmod the file to/on the target server (keep STDERR) -# chmod is not possible in the used security model as files should be -# owned by root, so must be disabled. This requires a fix operation right -# after the very first initial SUDO controls distribution: -# ./manage_sudo.sh --fix-local --fix-dir=/etc/sudo_controls -sftp ${SFTP_ARGS} ${SUDO_TRANSFER_USER}@${TRANSFER_HOST} >/dev/null </dev/null </dev/null < : whether to use short or FQDN host names + =item * B : target directory for SUDO fragments files =item * B : path to the visudo tool (for sudo rules syntax checking) @@ -737,4 +741,5 @@ S< >Show version of the script. @(#) 2014-12-16: VRF 1.0.1: added SELinux context [Patrick Van der Veken] @(#) 2014-12-16: VRF 1.0.2: fixed a problem with the immutable self fragment code [Patrick Van der Veken] @(#) 2015-02-02: VRF 1.0.3: changed 'basename' into 'fileparse' call to support fragment files with extensions [Patrick Van der Veken] -@(#) 2015-08-18: VRF 1.1.0: replace uname/hostname syscalls, now support for FQDN via $use_fqdn, other fixes [Patrick Van der Veken] \ No newline at end of file +@(#) 2015-08-18: VRF 1.1.0: replace uname/hostname syscalls, now support for FQDN via $use_fqdn, other fixes [Patrick Van der Veken] +@(#) 2015-08-26: VRF 1.1.1: small and not so small fixes [Patrick Van der Veken] \ No newline at end of file
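Review bot: The new `DO_SFTP_CHMOD` check in manage_sudo.sh (hunk at -111) rejects only an empty value, so `yes`, `true` or a typo passes start-up validation even though the config documents 0 and 1 as the only meanings. How the value is consumed is not legible on this page, but any value outside the documented set would silently select one branch of a step that controls permissions on sudo control files. I would test the value itself, `if [[ "${DO_SFTP_CHMOD}" != [01] ]]`, and say in the message that the accepted values are 0 and 1. The message also points at `$0`, matching the neighbouring checks, although per the 1.2.0 changelog entry the setting now lives in the configuration file.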