[debian-edu-commits] [Git][debian-edu/debian-edu-config][mr/cron-2-systemd-timers] 6 commits: Allow root access to cups via SystemGroups
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Thu Aug 10 10:19:16 BST 2023
Mike Gabriel pushed to branch mr/cron-2-systemd-timers at Debian Edu / debian-edu-config
Commits:
5f5b2ecb by Guido Berhoerster at 2023-08-10T08:31:12+02:00
Allow root access to cups via SystemGroups
root access is allowed in the default configuration and e.g. necessary for
services like debian-edu-cups-queue-autoflush.service to work.
Closes #1043397
- - - - -
08f4cf77 by Guido Berhoerster at 2023-08-10T07:07:40+00:00
Configure gosa not to use STARTTLS since TLS is already used
ldapTLS configures the use of STARTTLS, not TLS per se which is enabled by the
use of ldaps: protocol in URLs. Closes #1041322
- - - - -
0401de82 by Guido Berhoerster at 2023-08-10T07:08:22+00:00
cf3/promises.cf: fix typo and allow connections from localhost and network
- - - - -
385f9033 by Mike Gabriel at 2023-08-10T11:18:41+02:00
d/changelog: update from Git log
- - - - -
5da55e56 by Mike Gabriel at 2023-08-10T09:19:04+00:00
Convert CRON configuration to systemd timers.
- - - - -
9ec5fe82 by Mike Gabriel at 2023-08-10T09:19:04+00:00
sbin/*-for-netgroup-hosts: Some noop + white-spacing beautifications.
- - - - -
19 changed files:
- Makefile
- cf3/promises.cf
- debian/changelog
- debian/debian-edu-config.cron.daily
- debian/debian-edu-config.cron.hourly
- + debian/debian-edu-config.debian-edu-cups-queue-autoflush.service
- + debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer
- + debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service
- + debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer
- + debian/debian-edu-config.debian-edu-fsautoresize.service
- + debian/debian-edu-config.debian-edu-fsautoresize.timer
- + debian/debian-edu-config.debian-edu-update-netblock.service
- + debian/debian-edu-config.debian-edu-update-netblock.timer
- debian/rules
- etc/cups/cups-files-debian-edu.conf
- + sbin/debian-edu-cups-queue-autoflush-for-netgroup-hosts
- + sbin/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
- + sbin/debian-edu-fsautoresize-for-netgroup-hosts
- share/debian-edu-config/gosa.conf.template
Changes:
=====================================
Makefile
=====================================
@@ -8,7 +8,11 @@ PROGS = \
debian-edu-copy-pki \
$(NULL)
-SPROGS = debian-edu-fsautoresize \
+SPROGS = \
+ debian-edu-cups-queue-autoflush-for-netgroup-hosts \
+ debian-edu-cups-queue-autoreenable-for-netgroup-hosts \
+ debian-edu-fsautoresize \
+ debian-edu-fsautoresize-for-netgroup-hosts \
debian-edu-ltsp-chroot \
debian-edu-ltsp-install \
debian-edu-ltsp-initrd \
=====================================
cf3/promises.cf
=====================================
@@ -8,9 +8,9 @@
body server control
# Debian Edu specific
{
- allowconnects => { "10.0.0.0.0/8" };
- allowallconnects => { "10.0.0.0.0/8" };
- trustkeysfrom => { "10.0.0.0.0/8" };
+ allowconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
+ allowallconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
+ trustkeysfrom => { "127.0.0.1", "::1", "10.0.0.0/8" };
maxconnections => "15";
denybadclocks => "false";
allowusers => { "root" };
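Review bot: trustkeysfrom on the last added line now covers all of 10.0.0.0/8, and since the old value "10.0.0.0.0/8" was malformed this may be the first time the rule takes effect for the network. Accepting previously unknown public keys from any address in the /8 is broad; consider limiting trustkeysfrom to the hosts that still need bootstrapping and keeping the wide range only for allowconnects. A one-line comment above the three rules saying why 127.0.0.1 and ::1 were added would also help the next reader.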
=====================================
debian/changelog
=====================================
@@ -1,14 +1,69 @@
debian-edu-config (2.12.34) UNRELEASED; urgency=medium
+ [ Mike Gabriel ]
* Start 2.12.34 development.
+ * debian/debian-edu-config.lintian-overrides:
+ + Update existing overrides (line numbers and such).
+ + Drop missing-systemd-service-for-init.d-script overrides. Systemd service
+ files are now provided.
+ + Drop init.d-script-does-not-implement-status-option override for
+ fetch-ldap-cert. Init script is now gone.
+ * testsuite: Install to pkglibexecdir rather than libexecdir. Thanks lintian.
+ * Makefile: Adjust white-spacing in variable declarations.
+ * Makefile: Use $(NULL) variable at end of file lists. Allow for better git-
+ patch readability.
+
+ [ Daniel Teichmann ]
+ * etc/dhcp/dhcp-debian-edu.conf:
+ + ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966).
+ * share/debian-edu-config/tools/gosa-remove:
+ + Fix kadmin.local, Use '-force' to disable interaction via stdin.
- d/changelog entries will be written on release
- using the git commit messages.
-
- Use 'gbp dch --since 2.12.33'
- to write d/changelog entries since that last release.
-
- -- Mike Gabriel <sunweaver at debian.org> Sat, 01 Jul 2023 06:05:45 +0200
+ [ Guido Berhoerster ]
+ * ldap-tools/ldap-createuser-krb5:
+ + Fix user creation. (Closes: #1042456).
+ Remove Samba NT4 domain support, add samba user using smbpasswd.
+ Add root CA for new users (copied from gosa-create).
+ + Fix new UID/GID selection.
+ Exclude special users (UID/GID >= 10000) when looking for the highest
+ UID/GID.
+ + Add CLI options for uid/gid/department.
+ Also ensure script is run as root.
+ + Add additional attributes based on template users.
+ + Add support for additional groups.
+ + Send welcome email in order to create maildir.
+ Without this the maildir in /var/mail/<user> will not exist and Dovecot
+ will refuse to let the user log in as it cannot create this directory.
+ + Set LDAP password when creating users.
+ This allows users to use GOsa² to change their password.
+ * Add systemd services for configuring Chromium/Firefox from LDAP.
+ Factor out logic from init script into separate script which are then called
+ from both the init script and systemd services.
+ * Add systemd service enabling NAT for thin clients.
+ * Add systemd service for fetching the RootCA file from the main server.
+ * Drop init script for fetching LDAP SSL public key from legacy main servers.
+ This drops support for clients running behind a main server based on Debian
+ Edu stretch. (Closes: #1030116).
+ * Update debian/rules for init scripts and systemd services. (Closes:
+ #1039166).
+ * Generate a random password for the icinga/icingaweb databases.
+ (Closes: #1040015).
+ * update-dlw-krb5-keytabs: Handle missing/empty diskless-workstation-hosts.
+ * Followup fixes for ntpsec transition.
+ * Add systemd support to debian-edu-restart-services: This uses a list
+ of service units which was compiled on a main server + ltsp
+ installation. Uses stop and start to force restart
+ reverse-dependencies. It also makes sure that drop in files are
+ recognized. (Closes: #1042940).
+ * Configure gosa not to use STARTTLS since TLS is already used. ldapTLS
+ configures the use of STARTTLS, not TLS per se which is enabled by the
+ use of ldaps: protcol in URLs. (Closes: #1041322).
+ * Allow root access to cups via SystemGroups. 'root' access is allowed in
+ the default configuration and e.g. necessary for services like
+ debian-edu-cups-queue-autoflush.service to work. (Closes: #1043397).
+ * cf3/promises.cf: fix typo and allow connections from localhost and network.
+
+ -- Mike Gabriel <sunweaver at debian.org> Mon, 07 Aug 2023 17:02:13 +0200
debian-edu-config (2.12.33) unstable; urgency=medium
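Review bot: typo in the added ldapTLS entry, "use of ldaps: protcol in URLs" should read "protocol". The added entries also do not mention the cron to systemd timer conversion that the rest of this diff introduces; as the stanza is still UNRELEASED, that can go in with the next changelog update.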
=====================================
debian/debian-edu-config.cron.daily
=====================================
@@ -3,12 +3,7 @@
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
-[ -x /usr/bin/innetgr ] || exit 0
+[ -d /run/systemd/system ] && exit 0
-# Automatically flush print queues every night if the
-# host is a member of the cups-queue-autoflush-hosts netgroup.
-for hostname in "$(uname -n)" "$(hostname -s)" ; do
- if innetgr -h $hostname cups-queue-autoflush-hosts ; then
- /usr/share/debian-edu-config/tools/cups-queue-autoflush
- fi
-done
+# regularly run CUPS Queue autoflush if configured via netgroups
+debian-edu-cups-queue-autoflush-for-netgroup-hosts
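Review bot: the call to debian-edu-cups-queue-autoflush-for-netgroup-hosts on the last added line has no existence check. Files in /etc/cron.daily are conffiles and stay on disk when the package is removed but not purged, so on a non-systemd host cron would then fail with "not found" every day. A test -x on /usr/sbin/debian-edu-cups-queue-autoflush-for-netgroup-hosts followed by "|| exit 0" before the call avoids that; the two helper calls added to cron.hourly need the same guard.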
=====================================
debian/debian-edu-config.cron.hourly
=====================================
@@ -3,21 +3,10 @@
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
-[ -x /usr/bin/innetgr ] || exit 0
+[ -d /run/systemd/system ] && exit 0
-for hostname in "$(uname -n)" "$(hostname -s)" ; do
+# regularly run fsautoresize if configured via netgroups
+debian-edu-fsautoresize-for-netgroup-hosts
- # Automatically extend full LVM volumes if the host is a member of
- # the fsautoresize-hosts netgroup.
- if [ -x /usr/sbin/debian-edu-fsautoresize ] &&
- innetgr -h $hostname fsautoresize-hosts ; then
- debian-edu-fsautoresize -n
- fi
-
- # Automatically restart disabled print queues every hour if the
- # host is a member of the cups-queue-autoreenable-hosts netgroup.
- if [ -x /usr/share/debian-edu-config/tools/cups-queue-autoreenable ] &&
- innetgr -h $hostname cups-queue-autoreenable-hosts ; then
- /usr/share/debian-edu-config/tools/cups-queue-autoreenable
- fi
-done
+# regularly run CUPS Queue autoreenable if configured via netgroups
+debian-edu-cups-queue-autoreenable-for-netgroup-hosts
=====================================
debian/debian-edu-config.debian-edu-cups-queue-autoflush.service
=====================================
@@ -0,0 +1,6 @@
+[Unit]
+Description=Auto-flush CUPS queues on hosts configured via the cups-queue-autoflush-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-cups-queue-autoflush-for-netgroup-hosts
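Review bot: the [Service] section runs the helper as root with no ordering and no sandboxing. The helper looks up netgroups and then acts on CUPS, so an After=cups.service in [Unit] (plus ordering after whatever provides the netgroup lookup) would avoid runs that fail early in boot, and NoNewPrivileges=yes, PrivateTmp=yes and ProtectHome=yes in [Service] would limit what the job can touch. The autoreenable unit is built the same way and could take the same additions.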
=====================================
debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer
=====================================
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-cups-queue-autoflush.service every day.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target
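Review bot: OnBootSec=15min with OnUnitActiveSec=1d does not reproduce the "every night" behaviour described in the old cron.daily comment. The flush now runs 15 minutes after each boot and then every 24 hours counted from that run, so on a print server booted in the morning the queues are flushed during working hours. OnCalendar=daily (or a fixed night-time value) with Persistent=true would keep the nightly schedule and still catch up after downtime.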
=====================================
debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service
=====================================
@@ -0,0 +1,6 @@
+[Unit]
+Description=Auto-reenable CUPS queues on hosts configured via the cups-queue-autoreenable-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
=====================================
debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer
=====================================
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-cups-queue-autoreenable.service every hour.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=timers.target
=====================================
debian/debian-edu-config.debian-edu-fsautoresize.service
=====================================
@@ -0,0 +1,6 @@
+[Unit]
+Description=Run fsautoresize regularly on hosts configured via the fsautoresize-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-fsautoresize-for-netgroup-hosts
=====================================
debian/debian-edu-config.debian-edu-fsautoresize.timer
=====================================
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-fsautoresize.service every hour.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=timers.target
=====================================
debian/debian-edu-config.debian-edu-update-netblock.service
=====================================
@@ -0,0 +1,6 @@
+[Unit]
+Description=Update netblock according to netblock-hosts netgroup configuration.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-update-netblock auto
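Review bot: nothing in this diff removes or guards an existing cron invocation of "debian-edu-update-netblock auto"; only cron.daily and cron.hourly get the /run/systemd/system check. If the netblock update is currently scheduled from another cron file, that file needs the same guard, otherwise the job runs from both cron and the timer on systemd hosts. Please confirm where it was scheduled before and mention it in the commit message.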
=====================================
debian/debian-edu-config.debian-edu-update-netblock.timer
=====================================
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-update-netblock.service every 5 minutes
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target
=====================================
debian/rules
=====================================
@@ -21,6 +21,10 @@ override_dh_installsystemd:
dh_installsystemd --no-start --name enable-nat
dh_installsystemd --no-start --name fetch-rootca-cert
dh_installsystemd --no-start --name firefox-ldapconf
+ dh_installsystemd --no-start --name debian-edu-fsautoresize
+ dh_installsystemd --no-start --name debian-edu-update-netblock
+ dh_installsystemd --no-start --name debian-edu-cups-queue-autoflush
+ dh_installsystemd --no-start --name debian-edu-cups-queue-autoreenable
override_dh_installman:
dh_installman
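Review bot: the four added dh_installsystemd lines use --no-start, so after an upgrade the new timers are not started until the next reboot or a manual start. The cron scripts in this same change exit immediately when /run/systemd/system exists, which leaves a window on upgraded systemd hosts in which neither cron nor the timers run these jobs. Either drop --no-start for the four timer names or start the timers from the maintainer script on upgrade.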
=====================================
etc/cups/cups-files-debian-edu.conf
=====================================
@@ -1,4 +1,4 @@
-SystemGroup lpadmin printer-admins
+SystemGroup root lpadmin printer-admins
AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/error_log
PageLog /var/log/cups/page_log
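Review bot: the changed SystemGroup line gives CUPS administrative rights to every member of the root group, not only to the job run by debian-edu-cups-queue-autoflush.service. The reason is stated only in the commit message; please add a comment above the line in this file naming the service that needs it, so the entry is not removed or widened later without knowing why it is there.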
=====================================
sbin/debian-edu-cups-queue-autoflush-for-netgroup-hosts
=====================================
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically flush print queues every night if the
+ # host is a member of the cups-queue-autoflush-hosts netgroup.
+ if innetgr -h $hostname cups-queue-autoflush-hosts ; then
+ exec /usr/share/debian-edu-config/tools/cups-queue-autoflush
+ fi
+
+done
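Review bot: the if line calls innetgr -h $hostname with the variable unquoted, and unlike the two sibling scripts there is no -x test on /usr/share/debian-edu-config/tools/cups-queue-autoflush before the exec. Quote "$hostname" and add the same executable check the autoreenable script uses, so a missing tool ends the run quietly instead of failing the oneshot unit.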
=====================================
sbin/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
=====================================
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically restart disabled print queues every hour if the
+ # host is a member of the cups-queue-autoreenable-hosts netgroup.
+ if [ -x /usr/share/debian-edu-config/tools/cups-queue-autoreenable ] &&
+ innetgr -h $hostname cups-queue-autoreenable-hosts ; then
+ exec /usr/share/debian-edu-config/tools/cups-queue-autoreenable
+ fi
+
+done
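Review bot: $hostname is unquoted in the innetgr call on the second line of the if condition. The value comes from uname -n and hostname -s, so word splitting is unlikely in practice, but quoting it as "$hostname" costs nothing and matches the quoting already used in the for line.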
=====================================
sbin/debian-edu-fsautoresize-for-netgroup-hosts
=====================================
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically extend full LVM volumes if the host is a member of
+ # the fsautoresize-hosts netgroup.
+ if [ -x /usr/sbin/debian-edu-fsautoresize ] &&
+ innetgr -h $hostname fsautoresize-hosts ; then
+ exec debian-edu-fsautoresize -n
+ fi
+
+done
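Review bot: the condition tests -x on /usr/sbin/debian-edu-fsautoresize, but the exec line runs debian-edu-fsautoresize -n through PATH, so the binary that was checked is not necessarily the one that runs as root. Exec the absolute path that was tested, and quote "$hostname" in the innetgr call while touching the line.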
=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -376,7 +376,7 @@
mailUserCreation=""
mailFolderCreation=""
imapTimeout="10"
- ldapTLS="true"
+ ldapTLS="false"
honourIvbbAttributes="false"
enableSnapshots="false"
snapshotBase="ou=snapshots,dc=skole,dc=skolelinux,dc=no"
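Review bot: ldapTLS="false" is only safe while every LDAP URI in this template uses ldaps:, and the hunk does not show the URI it depends on. If a site changes the URI to ldap:, GOsa would then bind in clear text with no STARTTLS. Please add a comment next to the setting that ties it to the ldaps: URI, so the two are changed together.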
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/6048ff5dcfca35b4a52ecac0ae380d64d68f2744...9ec5fe82ad2b5c65ac0284713cbbbb4cf8d25a92