USAGE for gen_sudoers.sh v1.0.3:

gen_sudoers.sh {-full|-limited} [-y [-f]] [-L <log>] [-D]

or

gen_sudoers.sh [-h|-man]

DESCRIPTION:

This script generates a sudoers file for the OS user that owns /p4/common, which is expected to be the same user that the Perforce Helix Core service runs as (typically 'perforce').

By default, the sudoers file is generated for review. If the '-y' option is specified, the newly generated file is installed as the live sudoers file by copying it to /etc/sudoers.d/<OSUSER> and adjusting permissions to 0400.

If '-full' (full sudo) is specified, a one-line sudoers file is generated that looks something like this:

perforce ALL=(ALL) NOPASSWD: ALL

If '-limited' is specified, a limited sudoers file is generated granting only the necessary access to the perforce user.

If the sudoers file already exists, it will not be updated unless '-f' (force) is provided.

The limited sudoers file is recommended for production deployments.

OPTIONS:

 -full
    Specify '-full' to indicate that a sudoers file is to be generated granting full root access to the server machine. The '-full' or '-limited' option must be specified.

    This option is discouraged as it is not as secure as the '-limited' option.

 -limited
    Specify '-limited' to indicate that a sudoers file is to be generated granting limited access to the server machine. The '-full' or '-limited' option must be specified.

    This option is recommended for optimal security.

 -y
    This is confirmation to install the generated sudoers file as the live sudoers file.

 -f
    Specify '-f' to overwrite an existing limited sudoers file, /etc/sudoers.d/<OSUSER>.

 -L <log>
    Specify the path to a log file, or the special value 'off' to disable logging. By default, all output (stdout and stderr) goes to: /root/gen_sudoers.<Datestamp>.log

    NOTE: This script is self-logging. That is, output displayed on the screen is simultaneously captured in the log file.

 -D
    Enable bash 'set -x' extreme debugging verbosity.

HELP OPTIONS:

 -h
    Display short help message.

 -man
    Display man-style help message.

EXAMPLES:

EXAMPLE 1: Generate a limited sudoers file for review.

cd /p4/sdp/Server/Unix/setup
./gen_sudoers.sh -limited

EXAMPLE 2: Generate a limited sudoers file and install it.

cd /p4/sdp/Server/Unix/setup
./gen_sudoers.sh -limited -y

EXAMPLE 3: Generate a limited sudoers file and install it, replacing an existing one.

cd /p4/sdp/Server/Unix/setup
./gen_sudoers.sh -limited -f -y

EXAMPLE 4: Generate a full sudoers file and install it, replacing an

cd /p4/sdp/Server/Unix/setup
./gen_sudoers.sh -full -f -y
# | Change | User
---|---|---
#2 | 30782 | C. Thomas Tyler
#1 | 30681 | C. Thomas Tyler

Change 30782 (C. Thomas Tyler):

Added new install_sdp.sh script and supporting documentation.

The new install_sdp.sh makes SDP independent of the separate Helix Installer software (the reset_sdp.sh script). The new script greatly improves the installation experience for new server machines. It is a ground-up rewrite of the reset_sdp.sh script. The new script preserves the desired behaviors of the original Helix Installer script, but is focused on the use case of a fresh install on a new server machine. With this focus, the script does not have any "reset" logic, making it completely safe.

Added various files and functionality from Helix Installer into SDP.

* Added firewalld templates to SDP, and added ufw support.
* Improved sudoers generation.
* Added bash shell templates.

This script also installs in the coming SDP Package structure. New installs use a modified SDP structure that makes it so the /p4/sdp and /p4/common now point to folders on the local OS volume rather than the /hxdepots volume. The /hxdepots volume, which is often NFS mounted, is still used for depots and checkpoints, and for backups. The new structure uses a new /opt/perforce/helix-sdp structure under which /p4/sdp and /p4/common point. This structure also contains the expanded SDP tarball, downloads, helix_binaries, etc.

This change represents the first of a 3-phase rollout of the new package structure. In this first phase, the "silent beta" phase, the new structure is used for new installations only. This phase requires no changes to released SDP scripts except for mkdirs.sh, and even that script remains backward-compatible with the old structure if used independently of install_sdp.sh. If used with install_sdp.sh, the new structure is used.

In the second phase (targeted for SDP 2024.2 release), the sdp_upgrade.sh script will convert existing installations to the new structure.

In the third phase (targeted for SDP 2025.x), this script will be incorporated into OS package installations for the helix-sdp package.

Perforce internal wikis have more detail on this change.

#review-30783

Change 30681 (C. Thomas Tyler):

Added gen_sudoers.sh script to generate a sudoers file for perforce OSUSER. This generates a more secure limited sudoers file.

Previously, adding a sudoers entry for the OSUSER (usually 'perforce') was done only by the Helix Installer. In the Helix Installer variant, a single "one-size-fits-all" sudoers file was used, with the following characteristics:

* The instances for Helix Core services were referenced with a '*' wildcard to match all SDP instances, which has since been determined to introduce a vulnerability. In this new script, the wildcard is replaced with separate entries for each SDP instance.
* There were entries for all known paths of utilities like lslocks, setcap, and getcap. This new script generates the correct path valid for the current machine.

With this change, the functionality will be available in the SDP directly.

This new gen_sudoers.sh script can be called by mkdirs.sh directly to update the sudoers file each time a new SDP instance is added, if the new '-fs' (full sudo) or '-ls' (limited sudoers) entries are used. There is no change to the default behavior of mkdirs.sh; only a change if new options are utilized.

This script comes with docs and examples for the new script as well as doc changes for mkdirs.sh. (Also added missing documentation for the '-no_enable' option).

Further changes needed:

* Add doc reference in SDP_Guide.Unix.adoc
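The following POSIX shell sketch is an added example, not the SDP's gen_sudoers.sh. It contrasts the '-full' one-liner from the usage text with a limited file built along the lines the change description gives: one explicit entry per SDP instance instead of a '*' wildcard, and lslocks/setcap/getcap referenced by the path resolved on this machine, followed by the install step (wildcard check, visudo syntax check, copy with mode 0400). The per-instance systemctl command, the utility list and the destination-directory parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the SDP's gen_sudoers.sh. The per-instance command and
# the utility list are assumptions made for illustration only.

# full_sudoers USER: the unrestricted one-liner that '-full' produces.
full_sudoers() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# limited_sudoers USER INSTANCE...: one explicit line per instance (no '*'
# wildcard, which would also match instances created later) plus one line
# per utility, using the absolute path found on this machine; a utility
# that is not installed is left out rather than listed under every known path.
limited_sudoers() {
    user="$1"; shift
    for instance in "$@"; do
        # Hypothetical service unit name, used only to show the per-instance form.
        printf '%s ALL=(root) NOPASSWD: /bin/systemctl restart p4d_%s\n' \
            "$user" "$instance"
    done
    for util in lslocks setcap getcap; do
        path=$(command -v "$util" 2>/dev/null || true)
        if [ -n "$path" ]; then
            printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$path"
        fi
    done
}

# has_wildcard: succeed if any line on stdin still has a '*' in its
# command list, the pattern the limited file is meant to eliminate.
has_wildcard() {
    grep -q 'NOPASSWD:.*\*'
}

# install_sudoers SRC USER DEST_DIR: install SRC as DEST_DIR/USER with mode
# 0400 after the wildcard check and, when visudo is available, a syntax
# check. DEST_DIR is /etc/sudoers.d in real use; a parameter here so the
# step can be exercised in a scratch directory without root.
install_sudoers() {
    src="$1"; user="$2"; dest="$3/$user"
    if has_wildcard < "$src"; then
        echo "refusing to install $src: wildcard entry present" >&2
        return 1
    fi
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$src" || return 1
    fi
    cp "$src" "$dest" && chmod 0400 "$dest"
}
```

Run `limited_sudoers perforce 1 2 > /tmp/perforce.sudoers` to review the file, then `install_sudoers /tmp/perforce.sudoers perforce /etc/sudoers.d` as root to install it.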