packages: nagios-plugin-check_raid/check_raid - secure way of updating sudo...

glen glen at pld-linux.org
Wed Sep 9 18:59:38 CEST 2009


Author: glen                         Date: Wed Sep  9 16:59:38 2009 GMT
Module: packages                      Tag: HEAD
---- Log message:
- secure way of updating sudoers file (skip it if it will not be a valid one)

---- Files affected:
packages/nagios-plugin-check_raid:
   check_raid (1.19 -> 1.20) 

---- Diffs:

================================================================
Index: packages/nagios-plugin-check_raid/check_raid
diff -u packages/nagios-plugin-check_raid/check_raid:1.19 packages/nagios-plugin-check_raid/check_raid:1.20
--- packages/nagios-plugin-check_raid/check_raid:1.19	Wed Sep  9 18:36:09 2009
+++ packages/nagios-plugin-check_raid/check_raid	Wed Sep  9 18:59:33 2009
@@ -331,25 +331,49 @@
 
 ###########################################################################
 sub sudoers {
-	my $f = find_file('/usr/local/etc/sudoers', '/etc/sudoers');
+	my $sudoers = find_file('/usr/local/etc/sudoers', '/etc/sudoers');
+	my $visudo = find_prog('visudo');
 
-	if (! -f $f) { print "Unable to find sudoers file.\n"; return; }
-	if (! -w $f) { print "Unable to write to sudoers file.\n"; return; }
+	die "Unable to find sudoers file.\n" unless -f $sudoers;
+	die "Unable to write to sudoers file.\n" unless -w $sudoers;
+	die "visudo program not found\n" unless -x $visudo;
 
-	print "Updating file $f\n";
-	open SUDOERS, ">>$f";
-    print SUDOERS "ALL  ALL=(root) NOPASSWD: $ipssend getconfig 1 LD\n" if $ipssend;
-    print SUDOERS "ALL  ALL=(root) NOPASSWD: $aaccli container list /full\n" if $aaccli;
-    print SUDOERS "ALL  ALL=(root) NOPASSWD: $mpt_status\n" if $mpt_status and -d "/proc/mpt";
-	print SUDOERS "ALL  ALL=(root) NOPASSWD:/bin/cat /proc/megaide/0/status\n" if -d "/proc/megaide/0";
-	print SUDOERS "ALL  ALL=(root) NOPASSWD:/bin/cat /proc/megaide/1/status\n" if -d "/proc/megaide/1";
+	print "Updating file $sudoers\n";
+
+	# NOTE: secure as visudo itself: /etc is root owned
+	my $new = $sudoers.".new.".$$;
+
+	# setup to have sane perm for new sudoers file
+	umask(0227);
+
+	# insert old sudoers
+	open my $old, '<', $sudoers or die $!;
+	open my $fh, '>', $new or die $!;
+	while (<$old>) {
+		print $fh $_;
+	}
+	close $old or die $!;
+
+	# append new values
+    print $fh "ALL  ALL=(root) NOPASSWD: $ipssend getconfig 1 LD\n" if $ipssend;
+    print $fh "ALL  ALL=(root) NOPASSWD: $aaccli container list /full\n" if $aaccli;
+    print $fh "ALL  ALL=(root) NOPASSWD: $mpt_status\n" if $mpt_status and -d "/proc/mpt";
+	print $fh "ALL  ALL=(root) NOPASSWD:/bin/cat /proc/megaide/0/status\n" if -d "/proc/megaide/0";
+	print $fh "ALL  ALL=(root) NOPASSWD:/bin/cat /proc/megaide/1/status\n" if -d "/proc/megaide/1";
 	foreach my $mr ( glob('/proc/mega*/*/raiddrives*') ) {
-		print SUDOERS "ALL  ALL=(root) NOPASSWD:/bin/cat $mr\n" if -d $mr;
+		print $fh "ALL  ALL=(root) NOPASSWD:/bin/cat $mr\n" if -d $mr;
 	}
+	close $fh;
+
+	# validate sudoers
+	system($visudo, '-c', '-f', $new) == 0 or unlink($new),exit $? >> 8;
+
+	# use the new file
+	rename($new, $old) or die $!;
 
-	close SUDOERS;
 	print "sudoers file updated.\n";
 }
+
 #####################################################################
 $ENV{'BASH_ENV'}='';
 $ENV{'ENV'}='';
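Review bot: The final `rename($new, $old) or die $!;` in sudoers() passes the read filehandle `$old` rather than the path, so the validated file never replaces the real sudoers (the target stringifies to a `GLOB(0x…)` name); it should read `rename($new, $sudoers) or die $!;`. A few lines earlier `close $fh;` is unchecked, so a short write (full filesystem, I/O error) is not caught before visudo is run — use `close $fh or die $!;`. The validation line `system($visudo, '-c', '-f', $new) == 0 or unlink($new),exit $? >> 8;` works only because the comma binds tighter than `or`, and it exits silently; an explicit `if (system($visudo, '-c', '-f', $new) != 0) { unlink $new; die "visudo rejected $new\n" }` says what happened and does not depend on that precedence. `umask(0227)` is also set process-wide and never restored, which presumably affects any file the script creates afterwards (the rest of the file is outside this hunk); saving the old umask and restoring it after the rename would keep the change local.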
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/nagios-plugin-check_raid/check_raid?r1=1.19&r2=1.20&f=u


