fix: Avoid creation of runtime directories in home (#265)

This commit is contained in:
Jakub Jelen 2023-10-30 14:27:37 +01:00 committed by GitHub
parent 7d50893deb
commit 350a0e562b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 117 additions and 2 deletions

View file

@ -113,7 +113,7 @@
- name: Make sure sshd runtime directory is present - name: Make sure sshd runtime directory is present
ansible.builtin.file: ansible.builtin.file:
path: "{{ __sshd_runtime_directory }}" path: "/run/{{ __sshd_runtime_directory }}"
state: directory state: directory
owner: root owner: root
group: root group: root

View file

@ -1,6 +1,6 @@
--- ---
- name: Install systemd service files - name: Install systemd service files
when: sshd_install_service | bool when: sshd_install_service | bool and ansible_facts['service_mgr'] == 'systemd'
block: block:
- name: Install service unit file - name: Install service unit file
ansible.builtin.template: ansible.builtin.template:

View file

@ -11,8 +11,10 @@ ExecReload=/bin/kill -HUP $MAINPID
KillMode=process KillMode=process
Restart=on-failure Restart=on-failure
RestartPreventExitStatus=255 RestartPreventExitStatus=255
{% if __sshd_runtime_directory is not none %}
RuntimeDirectory={{ __sshd_runtime_directory }} RuntimeDirectory={{ __sshd_runtime_directory }}
RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }} RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
{% endif %}
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

View file

@ -6,5 +6,7 @@ After=auditd.service
[Service] [Service]
ExecStart=-{{ sshd_binary }} -i -f {{ sshd_config_file }} ExecStart=-{{ sshd_binary }} -i -f {{ sshd_config_file }}
StandardInput=socket StandardInput=socket
{% if __sshd_runtime_directory is not none %}
RuntimeDirectory={{ __sshd_runtime_directory }} RuntimeDirectory={{ __sshd_runtime_directory }}
RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }} RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
{% endif %}

View file

@ -0,0 +1,111 @@
---
- name: Test runtime directory
hosts: all
vars:
__sshd_test_backup_files:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /etc/systemd/system/sshd.service
- /etc/systemd/system/sshd@.service
- /etc/systemd/system/sshd.socket
- /etc/systemd/system/ssh.service
- /etc/systemd/system/ssh@.service
- /etc/systemd/system/ssh.socket
tasks:
- name: Backup configuration files
ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with default options and install service
ansible.builtin.include_role:
name: ansible-sshd
vars:
sshd_install_service: true
- name: Verify the runtime diretory is created on Debian
tags: tests::verify
when:
- ansible_facts['os_family'] == "Debian"
block:
- name: Stat the default runtime directory
ansible.builtin.stat:
path: /run/sshd
register: run_stat
- name: Check the runtime directory is present
ansible.builtin.assert:
that:
- run_stat.stat.isdir
- run_stat.stat.mode == "0755"
- name: Read the main service file
ansible.builtin.slurp:
src: /etc/systemd/system/ssh.service
register: service
- name: Read the instantiated service file
ansible.builtin.slurp:
src: /etc/systemd/system/ssh@.service
register: service_inst
- name: Read the main socket file
ansible.builtin.slurp:
src: /etc/systemd/system/ssh.socket
register: socket
- name: Check the runtime directory is in service files
ansible.builtin.assert:
that:
- '"RuntimeDirectory=sshd" in service.content | b64decode'
- '"RuntimeDirectoryMode=0755" in service.content | b64decode'
- '"RuntimeDirectory=sshd" in service_inst.content | b64decode'
- '"RuntimeDirectoryMode=0755" in service_inst.content | b64decode'
- name: Verify the RuntimeDirectory is not placed into services when empty
tags: tests::verify
when:
- ansible_facts['os_family'] != "Debian" and ansible_facts['service_mgr'] == 'systemd'
block:
- name: Read the main service file
ansible.builtin.slurp:
src: /etc/systemd/system/sshd.service
register: service
- name: Read the instantiated service file
ansible.builtin.slurp:
src: /etc/systemd/system/sshd@.service
register: service_inst
- name: Read the main socket file
ansible.builtin.slurp:
src: /etc/systemd/system/sshd.socket
register: socket
- name: Check the runtime directory is in service files
ansible.builtin.assert:
that:
- '"RuntimeDirectory=" not in service.content | b64decode'
- '"RuntimeDirectoryMode=" not in service.content | b64decode'
- '"RuntimeDirectory=" not in service_inst.content | b64decode'
- '"RuntimeDirectoryMode=" not in service_inst.content | b64decode'
- name: Verify the runtime diretory is not created in wrong places
tags: tests::verify
block:
- name: Stat the home directory for the runtime directory
ansible.builtin.stat:
path: ~/sshd
register: home_stat
- name: Stat the /run/~ for the runtime directory
ansible.builtin.stat:
path: /run/~
register: run_user_stat
- name: Check the wrong runtime directory is not present
ansible.builtin.assert:
that:
- not home_stat.stat.exists
- not run_user_stat.stat.exists
- name: "Restore configuration files"
ansible.builtin.include_tasks: tasks/restore.yml