From: Ian Kelling
Date: Sat, 4 Sep 2021 00:31:20 +0000 (-0400)
Subject: security stuff
X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=9fefba0a7ad0f7d9cac32b81f960ae8828de2a66;p=automated-distro-installer
security stuff
---
diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end
index 0204ce5..57b7115 100755
--- a/fai/config/distro-install-common/end
+++ b/fai/config/distro-install-common/end
@@ -80,10 +80,31 @@ echo "fs.inotify.max_user_watches = 50000" >> $f
 # applies it. it would be also be applied after a reboot
 $ROOTCMD sysctl --system
+cat >$target/etc/sudoers.d/ianksudoers <<'EOF'
+Defaults timestamp_timeout=1440
+# used in bashrc
+Defaults env_keep += SUDOD
+# always_set_home
+# makes ubuntu be like debian
+# https://unix.stackexchange.com/a/91572
+Defaults always_set_home
+# umask: default setting is to have minimum umask of 0022
+# This lets us have user-specific umasks which are more permissive.
+# I did this for transmission and set it's umask gecos on install,
+# see there for more info.
+Defaults !umask
+# i use sudo in cronjobs, it spams the logs rather uselessly
+# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands
+Defaults:root,iank !log_allowed, !pam_session
+# for just the root user, set some env vars
+Defaults>root env_file=/etc/rootsudoenv
+EOF
+
+# remove old config line. can be removed eventually.
 f=$target/etc/sudoers
 line='iank ALL=(ALL) NOPASSWD: ALL'
-if [[ ! -e $f ]] || ! grep -xF "$line" $f; then
- echo "$line" >> $f
+if grep -qxF "$line" $f; then
+ sed -i "/^$line/d" $f
 fi
diff --git a/fai/config/scripts/GRUB_PC/11-iank b/fai/config/scripts/GRUB_PC/11-iank
index 4ef74c3..5e74374 100755
--- a/fai/config/scripts/GRUB_PC/11-iank
+++ b/fai/config/scripts/GRUB_PC/11-iank
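Review bot: The sudoers fragment written by the `cat >$target/etc/sudoers.d/ianksudoers` heredoc is neither set to the 0440 mode sudo expects nor syntax-checked, so a wrong mode or a typo in this file is only discovered on the installed host, where a parse error in any sudoers.d file disables sudo entirely. Adding `chmod 0440 $target/etc/sudoers.d/ianksudoers` and `$ROOTCMD visudo -cf /etc/sudoers.d/ianksudoers` right after the heredoc makes the install fail here instead. Separately, `Defaults:root,iank !log_allowed, !pam_session` suppresses the syslog record of every permitted sudo command run by iank, not only the cron jobs the comment cites; if quieter cron logs are the goal, a per-command `Defaults!` entry naming those cron commands keeps the audit trail for interactive use. The `env_file=/etc/rootsudoenv` line also presumes that file exists and is writable only by root, and nothing in this hunk creates it.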
@@ -350,9 +350,9 @@ f=/etc/ssh/sshd_config
 grep -xFq "$line" $f || tee -a $f <<<"$line"
-# default debian groups (jessie through buster) + adm, sudo, root
-for g in cdrom floppy audio dip video plugdev netdev adm sudo; do
- if getent gropu $g >/dev/null; then
+# default debian groups (jessie through buster) + adm, sudo, root, admin
+for g in cdrom floppy audio dip video plugdev netdev adm sudo admin; do
+ if getent group $g >/dev/null; then
 usermod -aG $g iank
 fi
 done
diff --git a/wrt-setup b/wrt-setup
index db7f5c9..01c2705 100755
--- a/wrt-setup
+++ b/wrt-setup
@@ -19,6 +19,8 @@ set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
 x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*}
 usage() {
@@ -74,7 +76,7 @@ scp /a/work/libremanage/libremanage /a/bin/fai/wrt-init /a/bin/fai/wrt-setup-loc
 #/a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk \
-sudo scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_rsa_host_key \
+scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_rsa_host_key \
 /p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} $h:
 scp ../openwrtkeyring/usign/* $h:/etc/opkg/keys
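Review bot: The added `[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"` in wrt-setup re-executes the whole script as root with the caller's entire environment preserved, which is broader than the script needs and carries whatever the invoking shell happens to export into the root process (presumably SSH_AUTH_SOCK is the variable actually wanted for the later scp calls, though the hunk does not say). If one variable is required, `exec sudo --preserve-env=SSH_AUTH_SOCK "${BASH_SOURCE[0]}" "$@"` keeps the rest of the environment reset; if none is, drop `-E`. The ERR trap on the preceding line is already installed, so a refused sudo is reported, but note that the `usage` path further down now also demands root, which may not be intended. The removal of `sudo` from the scp in the later hunk is consistent with this re-exec and needs no change.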