|
version 1.96, 2024/11/26 22:08:36
|
version 1.97, 2024/11/26 23:54:22
|
|
Line 988 sub check_systemd_security {
|
Line 988 sub check_systemd_security {
|
| $service = 'apache2.service'; |
$service = 'apache2.service'; |
| } |
} |
| system("systemctl daemon-reload"); |
system("systemctl daemon-reload"); |
| if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) { |
if (open(PIPE,"systemctl show $service --property=ProtectHome --property=RestrictSUIDSGID 2>/dev/null |")) { |
| my $protection = <PIPE>; |
my ($protecthome,$suidsgid); |
| |
while (my $line = <PIPE>) { |
| |
chomp($line); |
| |
if ($line =~ /^ProtectHome=(read-only|yes)$/i) { |
| |
$protecthome = 1; |
| |
} elsif ($line =~ /^RestrictSUIDSGID=yes$/i) { |
| |
$suidsgid = 1; |
| |
} |
| |
} |
| close(PIPE); |
close(PIPE); |
| chomp($protection); |
if ($protecthome) { |
| if ($protection =~ /^ProtectHome=(read-only|yes)$/i) { |
return 1; |
| |
} |
| |
if ($suidsgid) { |
| return 1; |
return 1; |
| } |
} |
| } else { |
} else { |
|
Line 2979 sub check_systemd_update {
|
Line 2989 sub check_systemd_update {
|
| if (-d '/etc/systemd/system/'.$service.'.d') { |
if (-d '/etc/systemd/system/'.$service.'.d') { |
| if (-e '/etc/systemd/system/'.$service.'.d/override.conf') { |
if (-e '/etc/systemd/system/'.$service.'.d/override.conf') { |
| if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) { |
if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) { |
| my ($category,$addservice,$protectoff,$linenum,$change, |
my ($category,$addservice,$protectoff,$changeprot,$suidsgidok,$changesug, |
| %lines,@move,@nocat,@ordered); |
$linenum,%lines,@move,@nocat,@ordered); |
| $linenum = 0; |
$linenum = 0; |
| while (my $entry = <$fh>) { |
while (my $entry = <$fh>) { |
| $linenum ++; |
$linenum ++; |
|
Line 3000 sub check_systemd_update {
|
Line 3010 sub check_systemd_update {
|
| push(@{$lines{'Service'}},$entry); |
push(@{$lines{'Service'}},$entry); |
| } else { |
} else { |
| push(@move,$entry); |
push(@move,$entry); |
| $change = $linenum; |
$changeprot = $linenum; |
| } |
} |
| } else { |
} else { |
| if ($category =~ /^Service$/i) { |
if ($category =~ /^Service$/i) { |
|
Line 3008 sub check_systemd_update {
|
Line 3018 sub check_systemd_update {
|
| } else { |
} else { |
| push(@move,'ProtectHome=no'); |
push(@move,'ProtectHome=no'); |
| } |
} |
| $change = $linenum; |
$changeprot = $linenum; |
| } |
} |
| $protectoff = $linenum; |
$protectoff = $linenum; |
| |
} elsif ($entry =~ /^RestrictSUIDSGID\s*=\s*([\w-]+)\s*$/) { |
| |
my $value = $1; |
| |
next if ($suidsgidok); |
| |
if (lc($value) eq 'no') { |
| |
if ($category =~ /^Service$/i) { |
| |
push(@{$lines{'Service'}},$entry); |
| |
} else { |
| |
push(@move,$entry); |
| |
$changesug = $linenum; |
| |
} |
| |
} else { |
| |
if ($category =~ /^Service$/i) { |
| |
push(@{$lines{'Service'}},'RestrictSUIDSGID=no'); |
| |
} else { |
| |
push(@move,'RestrictSUIDSGID=no'); |
| |
} |
| |
$changesug = $linenum; |
| |
} |
| |
$suidsgidok = $linenum; |
| } else { |
} else { |
| next if ($entry =~ /^\s*$/); |
next if ($entry =~ /^\s*$/); |
| if ($category =~ /^Service$/i) { |
if ($category =~ /^Service$/i) { |
|
Line 3030 sub check_systemd_update {
|
Line 3059 sub check_systemd_update {
|
| if (!$protectoff) { |
if (!$protectoff) { |
| push(@{$lines{'Service'}},'ProtectHome=no'); |
push(@{$lines{'Service'}},'ProtectHome=no'); |
| } |
} |
| if ($addservice || $change || !$protectoff) { |
if (!$suidsgidok) { |
| |
push(@{$lines{'Service'}},'RestrictSUIDSGID=no'); |
| |
} |
| |
if ($addservice || $changeprot || !$protectoff || $changesug || !$suidsgidok) { |
| if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { |
if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { |
| if (@ordered) { |
if (@ordered) { |
| foreach my $category (@ordered) { |
foreach my $category (@ordered) { |
|
Line 3047 sub check_systemd_update {
|
Line 3079 sub check_systemd_update {
|
| unless (grep/^ProtectHome\s*=\s*no\s*$/i,@{$lines{$category}}) { |
unless (grep/^ProtectHome\s*=\s*no\s*$/i,@{$lines{$category}}) { |
| print $fh "$item\n"; |
print $fh "$item\n"; |
| } |
} |
| |
} elsif ($item =~ /^RestrictSUIDSGID\s*=\s*no\s*$/i) { |
| |
unless (grep/^RestrictSUIDSGID\s*=\s*no\s*$/i,@{$lines{$category}}) { |
| |
print $fh "$item\n"; |
| |
} |
| } else { |
} else { |
| print $fh "$item\n"; |
print $fh "$item\n"; |
| } |
} |
|
Line 3075 sub check_systemd_update {
|
Line 3111 sub check_systemd_update {
|
| } |
} |
| } else { |
} else { |
| if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { |
if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { |
| print $fh '[Service]'."\n".'ProtectHome=no'."\n"; |
print $fh '[Service]'."\n".'ProtectHome=no'."\n".'RestrictSUIDSGID=no'."\n"; |
| close($fh); |
close($fh); |
| print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf'); |
print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf'); |
| system('systemctl daemon-reload'); |
system('systemctl daemon-reload'); |
![[BACK]](/icons/back.gif){kind=icon}
Return to install.pl CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / doc / install / linux