Added DO_SFTP_CHMOD parameter
Also small and not so small fixes
This commit is contained in:
parent
d077d8f213
commit
9c298e0c79
@ -16,6 +16,9 @@ SUDO_TRANSFER_USER=""
|
||||
# name of the OS group that should own the SUDO controls files
|
||||
SUDO_OWNER_GROUP="sudoadmin"
|
||||
|
||||
# whether a 'chmod' needs to be executed after each sftp transfer [0=Yes; 1=No]
|
||||
DO_SFTP_CHMOD=0
|
||||
|
||||
# extra arguments/options for the SFTP command
|
||||
SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -b - "
|
||||
|
||||
|
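Review bot: The legend on the new `DO_SFTP_CHMOD` comment reads `[0=Yes; 1=No]`, but the script hunk in this same commit tests the setting with `if (( DO_SFTP_CHMOD ))`, which is true only for a non-zero value, so the shipped default `0` skips the chmod rather than performing it. One of the two has to change; since the comment this commit removes from the script said chmod must stay disabled under the chosen security model, the legend is the likely error and should read `# whether a 'chmod' needs to be executed after each sftp transfer [0=No; 1=Yes]`. As a caveat for anyone enabling either value: the neighbouring `SFTP_ARGS` (unchanged context, not part of this commit) carries `-o StrictHostKeyChecking=no`, so sudoers fragments are pushed without host-key verification; a pinned known_hosts or a comment warning about it next to these settings would be worth adding.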
@ -38,6 +38,9 @@
|
||||
# @(#) 2015-08-18: moved essential configuration items of the script into a
|
||||
# @(#) separate configuration file (global/local), fix in
|
||||
# @(#) wait_for_children (VRF 1.2.0) [Patrick Van der Veken]
|
||||
# @(#) 2015-08-26: added DO_SFTP_CHMOD configuration parameter to avoid
|
||||
# @(#) setstat failures with sftp_file() when remote file
|
||||
# @(#) permissions do not allow (VRF 1.2.1) [Patrick Van der Veken]
|
||||
# -----------------------------------------------------------------------------
|
||||
# DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING!
|
||||
#******************************************************************************
|
||||
@ -51,7 +54,7 @@
|
||||
# or LOCAL_CONFIG_FILE instead
|
||||
|
||||
# define the V.R.F (version/release/fix)
|
||||
MY_VRF="1.2.0"
|
||||
MY_VRF="1.2.1"
|
||||
# name of the global configuration file (script)
|
||||
GLOBAL_CONFIG_FILE="manage_sudo.conf"
|
||||
# name of the local configuration file (script)
|
||||
@ -111,6 +114,12 @@ then
|
||||
print -u2 "ERROR: you must define a value for the REMOTE_DIR setting in $0"
|
||||
exit 1
|
||||
fi
|
||||
# DO_SFTP_CHMOD
|
||||
if [[ -z "${DO_SFTP_CHMOD}" ]]
|
||||
then
|
||||
print -u2 "ERROR: you must define a value for the DO_SFTP_CHMOD setting in $0"
|
||||
exit 1
|
||||
fi
|
||||
# SUDO_UPDATE_USER
|
||||
if [[ -z "${SUDO_UPDATE_USER}" ]]
|
||||
then
|
||||
@ -665,17 +674,22 @@ TRANSFER_FILE="${TRANSFER_FILE%!*}"
|
||||
SOURCE_FILE="${TRANSFER_FILE##*/}"
|
||||
OLD_PWD=$(pwd) && cd ${TRANSFER_DIR}
|
||||
|
||||
# transfer, chmod the file to/on the target server (keep STDERR)
|
||||
# chmod is not possible in the used security model as files should be
|
||||
# owned by root, so must be disabled. This requires a fix operation right
|
||||
# after the very first initial SUDO controls distribution:
|
||||
# ./manage_sudo.sh --fix-local --fix-dir=/etc/sudo_controls
|
||||
sftp ${SFTP_ARGS} ${SUDO_TRANSFER_USER}@${TRANSFER_HOST} >/dev/null <<EOT
|
||||
# transfer, (possibly) chmod the file to/on the target server (keep STDERR)
|
||||
if (( DO_SFTP_CHMOD ))
|
||||
then
|
||||
sftp ${SFTP_ARGS} ${SSH_TRANSFER_USER}@${TRANSFER_HOST} >/dev/null <<EOT
|
||||
cd ${REMOTE_DIR}
|
||||
put ${SOURCE_FILE}
|
||||
chmod ${TRANSFER_PERMS} ${SOURCE_FILE}
|
||||
EOT
|
||||
SFTP_RC=$?
|
||||
SFTP_RC=$?
|
||||
else
|
||||
sftp ${SFTP_ARGS} ${SSH_TRANSFER_USER}@${TRANSFER_HOST} >/dev/null <<EOT
|
||||
cd ${REMOTE_DIR}
|
||||
put ${SOURCE_FILE}
|
||||
EOT
|
||||
SFTP_RC=$?
|
||||
fi
|
||||
|
||||
cd ${OLD_PWD}
|
||||
|
||||
|
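Review bot: Both new `sftp` invocations address `${SSH_TRANSFER_USER}@${TRANSFER_HOST}`, whereas the line they replace used `${SUDO_TRANSFER_USER}` and the configuration hunk in this commit still defines `SUDO_TRANSFER_USER`; unless `SSH_TRANSFER_USER` is assigned somewhere outside the visible hunks, the user part expands to empty and sftp connects as whoever runs the script, so restoring `${SUDO_TRANSFER_USER}` in both branches looks like the intended value. The `-z` test added for `DO_SFTP_CHMOD` earlier in this file only rejects an empty string, while `(( DO_SFTP_CHMOD ))` evaluates its operand arithmetically, so a value such as `yes` is looked up as a variable name rather than rejected; tightening the check to `if [[ "${DO_SFTP_CHMOD}" != [01] ]]` closes that. The two heredocs differ only in the `chmod` line, so a single `sftp` call that emits the `chmod` line conditionally would avoid keeping two copies of the transfer in sync. The enclosing function starts before and ends after this hunk.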
@ -44,7 +44,7 @@ use File::Temp qw(tempfile);
|
||||
|
||||
# ------------------------- CONFIGURATION starts here -------------------------
|
||||
# define the V.R.F (version/release/fix)
|
||||
my $MY_VRF = "1.1.0";
|
||||
my $MY_VRF = "1.1.1";
|
||||
# name of global configuration file (no path, must be located in the script directory)
|
||||
my $global_config_file = "update_sudo.conf";
|
||||
# name of localized configuration file (no path, must be located in the script directory)
|
||||
@ -221,32 +221,15 @@ if ($options{'debug'}) {
|
||||
}
|
||||
$verbose = 1 if ($options{'verbose'});
|
||||
|
||||
# what am I?
|
||||
$os = `uname`;
|
||||
chomp ($os);
|
||||
# who am I?
|
||||
unless ($preview and $global) {
|
||||
if ($< != 0) {
|
||||
do_log ("ERROR: script must be invoked as user 'root' [$hostname]")
|
||||
and exit (1);
|
||||
}
|
||||
}
|
||||
# where am I?
|
||||
unless ($use_fqdn) {
|
||||
$hostname = hostfqdn();
|
||||
} else {
|
||||
$hostname = hostname();
|
||||
}
|
||||
$0 =~ /^(.+[\\\/])[^\\\/]+[\\\/]*$/;
|
||||
my $run_dir = $1 || ".";
|
||||
$run_dir =~ s#/$##; # remove trailing slash
|
||||
|
||||
do_log ("INFO: runtime info: ".getpwuid ($<)."; ${hostname}\@${run_dir}; Perl v$]");
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# check/process configuration files, environment checks
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
# where am I? (1/2)
|
||||
$0 =~ /^(.+[\\\/])[^\\\/]+[\\\/]*$/;
|
||||
my $run_dir = $1 || ".";
|
||||
$run_dir =~ s#/$##; # remove trailing slash
|
||||
|
||||
# don't do anything without configuration file(s)
|
||||
do_log ("INFO: parsing configuration file(s) ...");
|
||||
push (@config_files, "$run_dir/$global_config_file") if (-f "$run_dir/$global_config_file");
|
||||
@ -280,6 +263,25 @@ unless ($preview and $global) {
|
||||
}
|
||||
}
|
||||
|
||||
# what am I?
|
||||
@uname = uname();
|
||||
$os = $uname[0];
|
||||
# who am I?
|
||||
unless ($preview and $global) {
|
||||
if ($< != 0) {
|
||||
do_log ("ERROR: script must be invoked as user 'root' [$hostname]")
|
||||
and exit (1);
|
||||
}
|
||||
}
|
||||
# where am I? (2/2)
|
||||
if ($use_fqdn) {
|
||||
$hostname = hostfqdn();
|
||||
} else {
|
||||
$hostname = hostname();
|
||||
}
|
||||
|
||||
do_log ("INFO: runtime info: ".getpwuid ($<)."; ${hostname}\@${run_dir}; Perl v$]");
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# read aliases for teams, servers and users
|
||||
# result: %aliases
|
||||
@ -632,7 +634,7 @@ exit (0);
|
||||
#******************************************************************************
|
||||
# End of SCRIPT
|
||||
#******************************************************************************
|
||||
|
||||
__END__
|
||||
#******************************************************************************
|
||||
# POD
|
||||
#******************************************************************************
|
||||
@ -679,6 +681,8 @@ Following settings must be configured:
|
||||
|
||||
=over 2
|
||||
|
||||
=item * B<use_fqdn> : whether to use short or FQDN host names
|
||||
|
||||
=item * B<fragments_dir> : target directory for SUDO fragments files
|
||||
|
||||
=item * B<visudo_bin> : path to the visudo tool (for sudo rules syntax checking)
|
||||
@ -738,3 +742,4 @@ S< >Show version of the script.
|
||||
@(#) 2014-12-16: VRF 1.0.2: fixed a problem with the immutable self fragment code [Patrick Van der Veken]
|
||||
@(#) 2015-02-02: VRF 1.0.3: changed 'basename' into 'fileparse' call to support fragment files with extensions [Patrick Van der Veken]
|
||||
@(#) 2015-08-18: VRF 1.1.0: replace uname/hostname syscalls, now support for FQDN via $use_fqdn, other fixes [Patrick Van der Veken]
|
||||
@(#) 2015-08-26: VRF 1.1.1: small and not so small fixes [Patrick Van der Veken]
|
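Review bot: In the new ordering the root check logs `ERROR: script must be invoked as user 'root' [$hostname]` before the `# where am I? (2/2)` block assigns `$hostname`, so as far as this hunk shows (and unless `$hostname` is initialised earlier in the file) that message goes out with an empty, uninitialised hostname; moving the `$use_fqdn` hostname block above the `# who am I?` block, or dropping `[$hostname]` from that one message, fixes it. The reorder itself is sound, since `$use_fqdn` comes from the configuration files that are now parsed first, and the inverted `unless ($use_fqdn)` is correctly fixed here. Separately, the relocated `$0 =~ /^(.+[\\\/])[^\\\/]+[\\\/]*$/; my $run_dir = $1 || ".";` never tests whether the match succeeded, so when `$0` carries no directory component `$1` may still hold a capture from an earlier successful match instead of being undef; `my $run_dir = ($0 =~ m{^(.+[\\/])[^\\/]+[\\/]*$}) ? $1 : ".";` makes the fallback explicit, which matters because `$run_dir` is where the root-run script looks for its configuration files.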