diff --git a/Makefile b/Makefile
index d6ea721f..a5ab8e32 100644
--- a/Makefile
+++ b/Makefile
@@ -449,6 +449,9 @@ deb: | dist
 build-deb/usr/lib/snclient \
 build-deb/usr/bin \
 build-deb/lib/systemd/system \
+ build-deb/lib/sysusers.d \
+ build-deb/lib/tmpfiles.d \
+ build-deb/etc/sudoers.d \
 build-deb/etc/logrotate.d \
 build-deb/usr/share/doc/snclient \
 build-deb/usr/share/doc/snclient \
@@ -467,6 +470,9 @@ deb: | dist
 cp ./dist/snclient.ini ./dist/server.crt ./dist/server.key ./dist/cacert.pem ./build-deb/etc/snclient
 cp -p ./dist/snclient build-deb/usr/bin/snclient
 cp ./packaging/snclient.service build-deb/lib/systemd/system/
+ cp ./packaging/snclient.sysusers build-deb/lib/sysusers.d/snclient.conf
+ cp ./packaging/snclient.tmpfiles build-deb/lib/tmpfiles.d/snclient.conf
+ cp ./packaging/snclient.sudoers build-deb/etc/sudoers.d/snclient
 cp ./packaging/snclient.logrotate build-deb/etc/logrotate.d/snclient
 cp Changes build-deb/usr/share/doc/snclient/Changes
 dch --empty --create --newversion "$(VERSION)" --package "snclient" -D "UNRELEASED" --urgency "low" -c build-deb/usr/share/doc/snclient/changelog "new upstream release"
@@ -484,6 +490,8 @@ deb: | dist
 chmod 755 \
 build-deb/usr/bin/snclient \
 build-deb/usr/lib/snclient/node_exporter
+ chmod 0750 build-deb/etc/sudoers.d
+ chmod 0440 build-deb/etc/sudoers.d/snclient
 cp -p dist/snclient.1 build-deb/usr/share/man/man1/snclient.1
 gzip -n -9 build-deb/usr/share/man/man1/snclient.1
@@ -497,6 +505,9 @@ deb: | dist
 rpm: | dist
 rm -rf snclient-$(VERSION)
 cp ./packaging/snclient.service dist/
+ cp ./packaging/snclient.sysusers dist/
+ cp ./packaging/snclient.tmpfiles dist/
+ cp ./packaging/snclient.sudoers dist/
 cp ./packaging/snclient.spec dist/
 sed -i dist/snclient.spec -e 's|^Version: .*|Version: $(VERSION)|'
 sed -i dist/snclient.spec -e 's|^BuildArch: .*|BuildArch: $(RPM_ARCH)|'
@@ -531,6 +542,11 @@ apk: | dist
 cp ./packaging/APKBUILD dist/
 cp ./packaging/snclient.initd dist/
 cp ./packaging/snclient.post-install dist/
+ cp ./packaging/snclient.pre-upgrade dist/
+ cp ./packaging/snclient.post-upgrade dist/
+ cp ./packaging/snclient.pre-deinstall dist/
+ cp ./packaging/snclient.post-deinstall dist/
+ cp ./packaging/snclient.sudoers dist/
 sed -i dist/APKBUILD -e 's|^pkgver=.*|pkgver=$(VERSION)|'
 sed -i dist/APKBUILD -e 's|^arch=.*|arch=$(RPM_ARCH)|'
 cp -rp dist snclient-$(VERSION)
diff --git a/packaging/APKBUILD b/packaging/APKBUILD
index 3a082a95..67107ec3 100644
--- a/packaging/APKBUILD
+++ b/packaging/APKBUILD
@@ -6,9 +6,10 @@ pkgdesc="SNClient (Secure Naemon Client) is a general-purpose monitoring agent."
 url="https://github.com/Consol-Monitoring/snclient/"
 arch="all"
 license="MIT"
-depends="openrc logrotate"
+depends="openrc logrotate sudo"
 makedepends=""
-source="snclient snclient.confd server.key server.crt cacert.pem snclient.logrotate README.md LICENSE snclient.1 snclient.8 snclient.initd node_exporter"
+install="$pkgname.post-install $pkgname.pre-upgrade $pkgname.post-upgrade $pkgname.pre-deinstall $pkgname.post-deinstall"
+source="snclient snclient.confd server.key server.crt cacert.pem snclient.logrotate snclient.sudoers README.md LICENSE snclient.1 snclient.8 snclient.initd node_exporter"
 package() {
 install -Dm755 "$srcdir/snclient" "$pkgdir/usr/bin/snclient"
@@ -22,6 +23,9 @@ package() {
 install -Dm644 "$srcdir/snclient.logrotate" "$pkgdir/etc/logrotate.d/snclient"
+ install -dm750 "$pkgdir/etc/sudoers.d"
+ install -Dm440 "$srcdir/snclient.sudoers" "$pkgdir/etc/sudoers.d/snclient"
+
 install -Dm644 "$srcdir/README.md" "$pkgdir/usr/share/doc/$pkgname/README.md"
 install -Dm644 "$srcdir/LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
 install -Dm644 "$srcdir/snclient.1" "$pkgdir/usr/share/man/man1/snclient.1"
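Review bot: `install=` now names `$pkgname.pre-upgrade` and `$pkgname.pre-deinstall`, and the Makefile apk hunk copies `./packaging/snclient.pre-upgrade` and `./packaging/snclient.pre-deinstall` into dist/, but neither file is created by this diff; if they are not already in the tree, the `cp` fails and abuild rejects the missing install scripts. Either add the two scripts or drop them from `install=` and from the Makefile. The `package()` function continues outside the hunk.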
@@ -31,5 +35,7 @@ package() {
 install -Dm755 "$srcdir/snclient.initd" "$pkgdir/etc/init.d/snclient"
- mkdir -p "$pkgdir/var/log/snclient"
+ # Create directories (ownership set in post-install after user creation)
+ install -dm750 "$pkgdir/var/lib/snclient"
+ install -dm750 "$pkgdir/var/log/snclient"
 }
diff --git a/packaging/debian/conffiles b/packaging/debian/conffiles
index 781968b5..79cc1ff5 100644
--- a/packaging/debian/conffiles
+++ b/packaging/debian/conffiles
@@ -3,3 +3,4 @@
 /etc/snclient/server.key
 /etc/snclient/cacert.pem
 /etc/logrotate.d/snclient
+/etc/sudoers.d/snclient
diff --git a/packaging/debian/control b/packaging/debian/control
index 872f4eb5..390a8f0a 100644
--- a/packaging/debian/control
+++ b/packaging/debian/control
@@ -3,7 +3,7 @@ Version: UNSET
 Section: net
 Priority: optional
 Architecture: UNSET
-Depends: logrotate
+Depends: logrotate, systemd
 Standards-Version: 3.9.8
 Suggests: monitoring-plugins-basic
 Maintainer: Sven Nierlein
diff --git a/packaging/debian/postinst b/packaging/debian/postinst
index f8b18607..9ff60fd6 100755
--- a/packaging/debian/postinst
+++ b/packaging/debian/postinst
@@ -13,6 +13,12 @@ case "$1" in
 /etc/snclient/server.crt \
 /etc/snclient/cacert.pem \
 || :
+ if [ -x "/usr/bin/systemd-sysusers" ]; then
+ systemd-sysusers
+ fi
+ if [ -x "/usr/bin/systemd-tmpfiles" ]; then
+ systemd-tmpfiles --create
+ fi
 if [ -x "/usr/bin/deb-systemd-helper" ]; then
 deb-systemd-helper unmask snclient.service
 if deb-systemd-helper --quiet was-enabled snclient.service; then
diff --git a/packaging/snclient.initd b/packaging/snclient.initd
index f7014ca9..b3de181b 100644
--- a/packaging/snclient.initd
+++ b/packaging/snclient.initd
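Review bot: `systemd-sysusers` and `systemd-tmpfiles --create` are invoked without a configuration name, so every sysusers.d/tmpfiles.d fragment on the host is re-applied during this package's configure step rather than only the snclient ones; scoping them as `systemd-sysusers snclient.conf` and `systemd-tmpfiles --create snclient.conf` keeps the maintainer script's side effects to the files this package ships, which is also what the dh_installsysusers/dh_installtmpfiles snippets generate. The `-x` guards additionally mean that on a host without those binaries the account is silently never created and the unit's new `User=snclient` cannot start; with `Depends: logrotate, systemd` now declared in the control hunk the guards are redundant, so letting the calls fail loudly (or at least printing a warning) is preferable to a silent skip. The enclosing `case "$1" in` block begins and ends outside the hunk.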
@@ -5,15 +5,20 @@ supervisor="supervise-daemon"
 command="/usr/bin/snclient"
 command_args="--config /etc/snclient/snclient.ini"
 command_args_background="--pidfile ${pidfile} daemon"
-command_user="root:root"
-pidfile="/var/run/snclient.pid"
+command_user="snclient:snclient"
+pidfile="/run/snclient/snclient.pid"
+directory="/var/lib/snclient"
+
+start_pre() {
+ checkpath --directory --owner snclient:snclient --mode 0755 /run/snclient
+}
 reload() {
- ebegin "Reloading acpid configuration"
+ ebegin "Reloading snclient configuration"
 ${supervisor} ${RC_SVCNAME} --signal HUP --pidfile "${pidfile}"
 eend $?
 }
 depend() {
 need net
-}
+}
\ No newline at end of file
diff --git a/packaging/snclient.post-deinstall b/packaging/snclient.post-deinstall
index 9296a0e2..9fccdd0d 100644
--- a/packaging/snclient.post-deinstall
+++ b/packaging/snclient.post-deinstall
@@ -2,3 +2,9 @@
 # remove leftover additional config files.
 rm -rf /etc/snclient
+rm -rf /var/lib/snclient
+rm -rf /var/log/snclient
+
+# Optionally remove user/group (uncomment if desired)
+# deluser snclient 2>/dev/null || true
+# delgroup snclient 2>/dev/null || true
\ No newline at end of file
diff --git a/packaging/snclient.post-install b/packaging/snclient.post-install
index f32304a4..14b9b6d3 100644
--- a/packaging/snclient.post-install
+++ b/packaging/snclient.post-install
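Review bot: `rm -rf /var/log/snclient` on deinstall unconditionally discards the agent's log history, which is often the only local record of which checks and commands the agent ran; a package removal is not normally expected to do that, and the APK format offers no separate purge step in which an operator could opt in. Leave the log directory in place, or remove it only on explicit request, so the evidence remains available for post-removal review — e.g. replace that line with `# /var/log/snclient is intentionally left in place; remove it manually if no longer needed`. The same consideration applies to `rm -rf /var/lib/snclient` if the state directory holds more than scratch data.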
@@ -1,4 +1,22 @@
 #!/bin/sh
+# Create snclient group if it doesn't exist
+if ! getent group snclient >/dev/null; then
+ addgroup -S snclient
+fi
+
+# Create snclient user if it doesn't exist
+if ! getent passwd snclient >/dev/null; then
+ adduser -S -D -H -h /var/lib/snclient -s /sbin/nologin -G snclient -g "Secure Naemon Client" snclient
+fi
+
+# Create and set permissions on directories
+install -d -m 0755 -o snclient -g snclient /etc/snclient
+install -d -m 0750 -o snclient -g snclient /var/lib/snclient
+install -d -m 0750 -o snclient -g snclient /var/log/snclient
+
+# Fix ownership of config files
+chown -R snclient:snclient /etc/snclient
+
 rc-update -q add snclient default
-rc-service -q snclient start
+rc-service -q snclient start
\ No newline at end of file
diff --git a/packaging/snclient.post-upgrade b/packaging/snclient.post-upgrade
index 93652925..859294b8 100644
--- a/packaging/snclient.post-upgrade
+++ b/packaging/snclient.post-upgrade
@@ -1,3 +1,15 @@
 #!/bin/sh
-rc-service -q snclient start
+# Ensure user/group exist (in case of upgrade from old version)
+if ! getent group snclient >/dev/null; then
+ addgroup -S snclient
+fi
+
+if ! getent passwd snclient >/dev/null; then
+ adduser -S -D -H -h /var/lib/snclient -s /sbin/nologin -G snclient -g "Secure Naemon Client" snclient
+fi
+
+# Fix ownership of directories and files
+chown -R snclient:snclient /etc/snclient /var/lib/snclient /var/log/snclient 2>/dev/null || true
+
+rc-service -q snclient restart
\ No newline at end of file
diff --git a/packaging/snclient.service b/packaging/snclient.service
index c8e8b51b..0d20f8cf 100644
--- a/packaging/snclient.service
+++ b/packaging/snclient.service
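Review bot: `install -d -m 0755 -o snclient -g snclient /etc/snclient` together with `chown -R snclient:snclient /etc/snclient` makes the service account the owner of its own configuration and of the TLS material under /etc/snclient (server.key, server.crt, cacert.pem per the Debian conffiles hunk), so a compromised or misbehaving agent can rewrite the settings it is restarted with. Unless snclient has to modify its own config at runtime, the least-privilege layout is root-owned and group-readable: `install -d -m 0750 -o root -g snclient /etc/snclient` and `chown -R root:snclient /etc/snclient && chmod -R o-rwx,g+rX /etc/snclient`. The same pattern recurs in the post-upgrade hunk (`chown -R snclient:snclient /etc/snclient /var/lib/snclient /var/log/snclient ...`) and in the new snclient.tmpfiles (`Z /etc/snclient - snclient snclient - -`), so the three should be changed together.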
@@ -4,14 +4,14 @@ After=network.target
 [Service]
 Type=simple
-User=root
+User=snclient
+Group=snclient
 Restart=on-failure
 RestartSec=10
-WorkingDirectory=/
+WorkingDirectory=/var/lib/snclient
 ExecStart=/usr/bin/snclient --config=/etc/snclient/snclient.ini
-ExecStartPre=/bin/mkdir -p /var/log/snclient
 ExecReload=/bin/kill -HUP $MAINPID
 [Install]
diff --git a/packaging/snclient.spec b/packaging/snclient.spec
index eff1a782..1ec5c47c 100644
--- a/packaging/snclient.spec
+++ b/packaging/snclient.spec
@@ -8,7 +8,7 @@ URL: https://github.com/Consol-Monitoring/snclient/
 Source0: snclient-%{version}.tar.gz
 Group: Applications/System
 Summary: Monitoring Agent
-Requires: logrotate
+Requires: logrotate, systemd
 %description
 SNClient (Secure Naemon Client) is a general purpose monitoring agent designed
@@ -41,6 +41,15 @@ It supports Prometheus, NRPE and a REST API HTTP(s) protocol to run checks.
 %{__mkdir_p} -m 0755 %{buildroot}/lib/systemd/system
 %{__install} -D -m 0644 -p snclient.service %{buildroot}/lib/systemd/system/snclient.service
+%{__mkdir_p} -m 0755 %{buildroot}/lib/sysusers.d
+%{__install} -D -m 0644 -p snclient.sysusers %{buildroot}/lib/sysusers.d/snclient.conf
+
+%{__mkdir_p} -m 0755 %{buildroot}/lib/tmpfiles.d
+%{__install} -D -m 0644 -p snclient.tmpfiles %{buildroot}/lib/tmpfiles.d/snclient.conf
+
+%{__mkdir_p} -m 0755 %{buildroot}/etc/sudoers.d
+%{__install} -D -m 0440 -p snclient.sudoers %{buildroot}/etc/sudoers.d/snclient
+
 %{__mkdir_p} -m 0755 %{buildroot}/usr/share/snclient
 %{__install} -D -m 0644 -p README.md LICENSE %{buildroot}/usr/share/snclient
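Review bot: `WorkingDirectory=/var/lib/snclient` makes the unit fail to start (CHDIR) whenever that directory is absent, and with `ExecStartPre=/bin/mkdir -p /var/log/snclient` removed nothing in the unit creates the log directory either — both now depend entirely on the tmpfiles.d fragment having been applied by the maintainer scripts. `StateDirectory=snclient` and `LogsDirectory=snclient` let systemd create both paths owned by `User=`/`Group=` at every start regardless of tmpfiles; since those default to 0755, add `LogsDirectoryMode=0750` to keep the log directory as restrictive as the tmpfiles entry. The `[Unit]` section and the body of `[Install]` are outside the hunk.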
@@ -57,11 +66,17 @@ gzip -n -9 %{buildroot}/usr/share/man/man8/snclient.8
 case "$*" in
 1)
 # First installation
+ # create user and files/folders
+ systemd-sysusers
+ systemd-tmpfiles --create
+ # start service
 systemctl --system daemon-reload >/dev/null || true
 systemctl enable snclient.service >/dev/null || true
 systemctl start snclient.service >/dev/null || true
 ;;
 2)
+ # Post upgrade permissions fix
+ systemd-tmpfiles --create
 # Upgrading
 systemctl --system daemon-reload >/dev/null || true
 systemctl try-restart snclient.service >/dev/null || true
@@ -106,8 +121,11 @@ exit 0
 %attr(0755,root,root) /usr/bin/snclient
 %attr(0755,root,root) /usr/lib/snclient/node_exporter
 %attr(0644,root,root) /lib/systemd/system/snclient.service
+%attr(0644,root,root) /lib/sysusers.d/snclient.conf
+%attr(0644,root,root) /lib/tmpfiles.d/snclient.conf
 %dir %config(noreplace) /etc/snclient
 %config(noreplace) %attr(0600,root,root) /etc/snclient/snclient.ini
+%config(noreplace) %attr(0440,root,root) /etc/sudoers.d/snclient
 %config(noreplace) %attr(0600,root,root) /etc/snclient/server.key
 %config(noreplace) %attr(0600,root,root) /etc/snclient/server.crt
 %config(noreplace) %attr(0600,root,root) /etc/snclient/cacert.pem
diff --git a/packaging/snclient.sudoers b/packaging/snclient.sudoers
new file mode 100644
index 00000000..7211b8d7
--- /dev/null
+++ b/packaging/snclient.sudoers
@@ -0,0 +1 @@
+Defaults:snclient !requiretty
diff --git a/packaging/snclient.sysusers b/packaging/snclient.sysusers
new file mode 100644
index 00000000..e8eb47ea
--- /dev/null
+++ b/packaging/snclient.sysusers
@@ -0,0 +1,2 @@
+g snclient - -
+u snclient - "Secure Naemon Client" /var/lib/snclient
diff --git a/packaging/snclient.tmpfiles b/packaging/snclient.tmpfiles
new file mode 100644
index 00000000..6b8ce5b8
--- /dev/null
+++ b/packaging/snclient.tmpfiles
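Review bot: the `2)` upgrade branch runs `systemd-tmpfiles --create` but never `systemd-sysusers`, yet an upgrade from a release whose unit ran as root (the service hunk changes `User=root` to `User=snclient` in this same commit) is exactly the case where the snclient account does not exist yet; the tmpfiles entries referencing snclient:snclient then fail to apply and `systemctl try-restart` brings up a unit whose `User=` cannot be resolved. The APK post-upgrade hunk handles this explicitly ("Ensure user/group exist (in case of upgrade from old version)"); mirror it by adding `systemd-sysusers` immediately before the tmpfiles call in the `2)` branch. The %post script continues outside the hunk.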
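Review bot: `%dir %config(noreplace) /etc/snclient` and the `%attr(0600,root,root)` entries for snclient.ini, server.key, server.crt and cacert.pem declare root ownership, while the snclient.tmpfiles file added in this commit (`Z /etc/snclient - snclient snclient - -`) re-owns that whole tree to snclient:snclient on every `systemd-tmpfiles --create`, so `rpm -V snclient` reports user/group mismatches for each of them right after %post, and the two mechanisms disagree about who owns the TLS key. Make them agree: either drop the `Z /etc/snclient` line and keep root ownership, group-readable via e.g. `%config(noreplace) %attr(0640,root,snclient) /etc/snclient/snclient.ini` (which requires `systemd-sysusers` to run in `%pre` so rpm can resolve the group at unpack time), or change the `%attr` owners to match tmpfiles. The %files list continues outside the hunk.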
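Review bot: the new file holds only `Defaults:snclient !requiretty`, which grants no commands; since the commit also adds a `sudo` dependency on Alpine and installs this as a conffile on all three package formats, a reader of /etc/sudoers.d cannot tell from the file itself whether a rule line is missing. Add a header such as `# Relaxes requiretty for the snclient service account only; this file grants no sudo rules.` and `# Keep any command grants in a separate /etc/sudoers.d drop-in so this packaged file can be replaced on upgrade.` so the intent is auditable in place.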
@@ -0,0 +1,7 @@
+d /etc/snclient 0755 snclient snclient - -
+Z /etc/snclient - snclient snclient - -
+
+d /var/lib/snclient 0750 snclient snclient - -
+Z /var/lib/snclient - snclient snclient - -
+
+d /var/log/snclient 0750 snclient snclient - -
diff --git a/t/40_e2e_deb_linux_test.go b/t/40_e2e_deb_linux_test.go
index 8b2c082b..95cdc68c 100644
--- a/t/40_e2e_deb_linux_test.go
+++ b/t/40_e2e_deb_linux_test.go
@@ -53,6 +53,13 @@ func TestDEBinstaller(t *testing.T) {
 for _, file := range requiredFiles {
 require.FileExistsf(t, file, file+" has been installed")
 }
+ requiredFolders := []string{
+ "/var/lib/snclient",
+ "/var/log/snclient",
+ }
+ for _, folder := range requiredFolders {
+ require.DirExistsf(t, folder, folder+" has been created")
+ }
 runCmd(t, &cmd{
 Cmd: "/usr/bin/snclient",
@@ -66,7 +73,7 @@ func TestDEBinstaller(t *testing.T) {
 Like: []string{`/usr/bin/snclient`, `running`},
 })
- // add custom .ini
+ // add custom .ini with correct ownership for snclient user
 runCmd(t, &cmd{
 Cmd: "sudo",
 Args: []string{"touch", localDEBINIPath},
@@ -76,6 +83,14 @@ func TestDEBinstaller(t *testing.T) {
 Args: []string{"chmod", "666", localDEBINIPath},
 })
 writeFile(t, localDEBINIPath, localTestINI)
+ runCmd(t, &cmd{
+ Cmd: "sudo",
+ Args: []string{"chown", "snclient:snclient", localDEBINIPath},
+ })
+ runCmd(t, &cmd{
+ Cmd: "sudo",
+ Args: []string{"chmod", "640", localDEBINIPath},
+ })
 writeFile(t, `snclient.ini`, localDaemonINI)
 runCmd(t, &cmd{
@@ -104,7 +119,11 @@ func TestDEBinstaller(t *testing.T) {
 Like: []string{"OK - CPU load is ok."},
 })
- // make logfile readable and check for errors
+ // make logfolder and logfile readable and check for errors
+ runCmd(t, &cmd{
+ Cmd: "sudo",
+ Args: []string{"chmod", "755", "/var/log/snclient"},
+ })
 runCmd(t, &cmd{
 Cmd: "sudo",
 Args: []string{"chmod", "666", "/var/log/snclient/snclient.log"},
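Review bot: there is no `Z` entry for /var/log/snclient to match the ones for /etc/snclient and /var/lib/snclient, so on an upgrade from a release whose unit ran as root the existing /var/log/snclient/snclient.log stays root-owned (the `d` line adjusts the directory itself, not its contents) and the daemon, now running as snclient, cannot open its own log. The APK side covers this with `chown -R` in post-upgrade; the deb and rpm paths rely on this fragment, so add `Z /var/log/snclient - snclient snclient - -` after the `d /var/log/snclient` line.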