[debian-edu-commits] [Git][debian-edu/debian-edu-config][mr/cron-2-systemd-timers] 6 commits: Allow root access to cups via SystemGroups

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Thu Aug 10 10:19:16 BST 2023



Mike Gabriel pushed to branch mr/cron-2-systemd-timers at Debian Edu / debian-edu-config


Commits:
5f5b2ecb by Guido Berhoerster at 2023-08-10T08:31:12+02:00
Allow root access to cups via SystemGroups

root access is allowed in the default configuration and e.g. necessary for
services like debian-edu-cups-queue-autoflush.service to work.
Closes #1043397

- - - - -
08f4cf77 by Guido Berhoerster at 2023-08-10T07:07:40+00:00
Configure gosa not to use STARTTLS since TLS is already used

ldapTLS configures the use of STARTTLS, not TLS per se which is enabled by the
use of ldaps: protocol in URLs. Closes #1041322

- - - - -
0401de82 by Guido Berhoerster at 2023-08-10T07:08:22+00:00
cf3/promises.cf: fix typo and allow connections from localhost and network

- - - - -
385f9033 by Mike Gabriel at 2023-08-10T11:18:41+02:00
d/changelog: update from Git log

- - - - -
5da55e56 by Mike Gabriel at 2023-08-10T09:19:04+00:00
Convert CRON configuration to systemd timers.

- - - - -
9ec5fe82 by Mike Gabriel at 2023-08-10T09:19:04+00:00
sbin/*-for-netgroup-hosts: Some noop + white-spacing beautifications.

- - - - -


19 changed files:

- Makefile
- cf3/promises.cf
- debian/changelog
- debian/debian-edu-config.cron.daily
- debian/debian-edu-config.cron.hourly
- + debian/debian-edu-config.debian-edu-cups-queue-autoflush.service
- + debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer
- + debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service
- + debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer
- + debian/debian-edu-config.debian-edu-fsautoresize.service
- + debian/debian-edu-config.debian-edu-fsautoresize.timer
- + debian/debian-edu-config.debian-edu-update-netblock.service
- + debian/debian-edu-config.debian-edu-update-netblock.timer
- debian/rules
- etc/cups/cups-files-debian-edu.conf
- + sbin/debian-edu-cups-queue-autoflush-for-netgroup-hosts
- + sbin/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
- + sbin/debian-edu-fsautoresize-for-netgroup-hosts
- share/debian-edu-config/gosa.conf.template


Changes:

=====================================
Makefile
=====================================
@@ -8,7 +8,11 @@ PROGS = \
 	debian-edu-copy-pki \
 	$(NULL)
 
-SPROGS = debian-edu-fsautoresize \
+SPROGS = \
+	debian-edu-cups-queue-autoflush-for-netgroup-hosts \
+	debian-edu-cups-queue-autoreenable-for-netgroup-hosts \
+	debian-edu-fsautoresize \
+	debian-edu-fsautoresize-for-netgroup-hosts \
 	debian-edu-ltsp-chroot \
 	debian-edu-ltsp-install \
 	debian-edu-ltsp-initrd \


=====================================
cf3/promises.cf
=====================================
@@ -8,9 +8,9 @@
 body server control
 # Debian Edu specific
 {
-      allowconnects         => { "10.0.0.0.0/8" };
-      allowallconnects      => { "10.0.0.0.0/8" };
-      trustkeysfrom         => { "10.0.0.0.0/8" };
+      allowconnects         => { "127.0.0.1", "::1", "10.0.0.0/8" };
+      allowallconnects      => { "127.0.0.1", "::1", "10.0.0.0/8" };
+      trustkeysfrom         => { "127.0.0.1", "::1", "10.0.0.0/8" };
       maxconnections        => "15";
       denybadclocks         => "false";
       allowusers            => { "root" };
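
Review bot: `trustkeysfrom` on the last changed line now accepts public keys on trust from every address in 10.0.0.0/8, where the old value had five octets. Any host on that network can then present a new key and have it accepted, so consider restricting `trustkeysfrom` to the hosts or subnet that actually bootstrap against this server, or add a comment explaining why the whole /8 is needed. The commit message should also say why `allowallconnects` needs the loopback addresses.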


=====================================
debian/changelog
=====================================
@@ -1,14 +1,69 @@
 debian-edu-config (2.12.34) UNRELEASED; urgency=medium
 
+  [ Mike Gabriel ]
   * Start 2.12.34 development.
+  * debian/debian-edu-config.lintian-overrides:
+    + Update existing overrides (line numbers and such).
+    + Drop missing-systemd-service-for-init.d-script overrides. Systemd service
+      files are now provided.
+    + Drop init.d-script-does-not-implement-status-option override for
+      fetch-ldap-cert. Init script is now gone.
+  * testsuite: Install to pkglibexecdir rather than libexecdir. Thanks lintian.
+  * Makefile: Adjust white-spacing in variable declarations.
+  * Makefile: Use $(NULL) variable at end of file lists. Allow for better git-
+    patch readability.
+
+  [ Daniel Teichmann ]
+  * etc/dhcp/dhcp-debian-edu.conf:
+    + ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966).
+  * share/debian-edu-config/tools/gosa-remove:
+    + Fix kadmin.local, Use '-force' to disable interaction via stdin.
 
-    d/changelog entries will be written on release
-    using the git commit messages.
-
-    Use 'gbp dch --since 2.12.33'
-    to write d/changelog entries since that last release.
-
- -- Mike Gabriel <sunweaver at debian.org>  Sat, 01 Jul 2023 06:05:45 +0200
+  [ Guido Berhoerster ]
+  * ldap-tools/ldap-createuser-krb5:
+    + Fix user creation. (Closes: #1042456).
+      Remove Samba NT4 domain support, add samba user using smbpasswd.
+      Add root CA for new users (copied from gosa-create).
+    + Fix new UID/GID selection.
+      Exclude special users (UID/GID >= 10000) when looking for the highest
+      UID/GID.
+    + Add CLI options for uid/gid/department.
+      Also ensure script is run as root.
+    + Add additional attributes based on template users.
+    + Add support for additional groups.
+    + Send welcome email in order to create maildir.
+      Without this the maildir in /var/mail/<user> will not exist and Dovecot
+      will refuse to let the user log in as it cannot create this directory.
+    + Set LDAP password when creating users.
+      This allows users to use GOsa² to change their password.
+  * Add systemd services for configuring Chromium/Firefox from LDAP.
+    Factor out logic from init script into separate script which are then called
+    from both the init script and systemd services.
+  * Add systemd service enabling NAT for thin clients.
+  * Add systemd service for fetching the RootCA file from the main server.
+  * Drop init script for fetching LDAP SSL public key from legacy main servers.
+    This drops support for clients running behind a main server based on Debian
+    Edu stretch. (Closes: #1030116).
+  * Update debian/rules for init scripts and systemd services. (Closes:
+    #1039166).
+  * Generate a random password for the icinga/icingaweb databases.
+    (Closes: #1040015).
+  * update-dlw-krb5-keytabs: Handle missing/empty diskless-workstation-hosts.
+  * Followup fixes for ntpsec transition.
+  * Add systemd support to debian-edu-restart-services: This uses a list
+    of service units which was compiled on a main server + ltsp
+    installation. Uses stop and start to force restart
+    reverse-dependencies. It also makes sure that drop in files are
+    recognized. (Closes: #1042940).
+  * Configure gosa not to use STARTTLS since TLS is already used. ldapTLS
+    configures the use of STARTTLS, not TLS per se which is enabled by the
+    use of ldaps: protcol in URLs. (Closes: #1041322).
+  * Allow root access to cups via SystemGroups. 'root' access is allowed in
+    the default configuration and e.g. necessary for services like
+    debian-edu-cups-queue-autoflush.service to work. (Closes: #1043397).
+  * cf3/promises.cf: fix typo and allow connections from localhost and network.
+
+ -- Mike Gabriel <sunweaver at debian.org>  Mon, 07 Aug 2023 17:02:13 +0200
 
 debian-edu-config (2.12.33) unstable; urgency=medium
 
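
Review bot: The gosa entry near the end of the added Guido Berhoerster block carries the typo "protcol" over from the commit message ("use of ldaps: protcol in URLs"); change it to "protocol" before the changelog is finalized for release.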


=====================================
debian/debian-edu-config.cron.daily
=====================================
@@ -3,12 +3,7 @@
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 export PATH
 
-[ -x /usr/bin/innetgr ] || exit 0
+[ -d /run/systemd/system ] && exit 0
 
-# Automatically flush print queues every night if the
-# host is a member of the cups-queue-autoflush-hosts netgroup.
-for hostname in "$(uname -n)" "$(hostname -s)" ; do
-    if innetgr -h $hostname cups-queue-autoflush-hosts ; then
-	/usr/share/debian-edu-config/tools/cups-queue-autoflush
-    fi
-done
+# regularly run CUPS Queue autoflush if configured via netgroups
+debian-edu-cups-queue-autoflush-for-netgroup-hosts
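
Review bot: The new guard `[ -d /run/systemd/system ] && exit 0` has no comment, so it is not obvious that the job is deliberately skipped on systemd hosts because debian-edu-cups-queue-autoflush.timer takes over there. Add a one-line comment above the test naming the timer unit; the same applies to the identical guard in debian/debian-edu-config.cron.hourly.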


=====================================
debian/debian-edu-config.cron.hourly
=====================================
@@ -3,21 +3,10 @@
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 export PATH
 
-[ -x /usr/bin/innetgr ] || exit 0
+[ -d /run/systemd/system ] && exit 0
 
-for hostname in "$(uname -n)" "$(hostname -s)" ; do
+# regularly run fsautoresize if configured via netgroups
+debian-edu-fsautoresize-for-netgroup-hosts
 
-    # Automatically extend full LVM volumes if the host is a member of
-    # the fsautoresize-hosts netgroup.
-    if [ -x /usr/sbin/debian-edu-fsautoresize ] &&
-	innetgr -h $hostname fsautoresize-hosts ; then
-        debian-edu-fsautoresize -n
-    fi
-
-    # Automatically restart disabled print queues every hour if the
-    # host is a member of the cups-queue-autoreenable-hosts netgroup.
-    if [ -x /usr/share/debian-edu-config/tools/cups-queue-autoreenable ] &&
-	innetgr -h $hostname cups-queue-autoreenable-hosts ; then
-	/usr/share/debian-edu-config/tools/cups-queue-autoreenable
-    fi
-done
+# regularly run CUPS Queue autoreenable if configured via netgroups
+debian-edu-cups-queue-autoreenable-for-netgroup-hosts


=====================================
debian/debian-edu-config.debian-edu-cups-queue-autoflush.service
=====================================
@@ -0,0 +1,6 @@
+[Unit]
+Description=Auto-flush CUPS queues on hosts configured via the cups-queue-autoflush-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-cups-queue-autoflush-for-netgroup-hosts


=====================================
debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer
=====================================
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-cups-queue-autoflush.service every day.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target
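
Review bot: `OnBootSec=15min` combined with `OnUnitActiveSec=1d` ties the flush to boot time rather than to the night. A host booted in the morning flushes its print queues 15 minutes later and then every 24 hours after that, whereas the comment carried into the helper script still says "every night". A calendar timer such as `OnCalendar=daily`, with `Persistent=true` to catch up on hosts that were powered off, would keep the schedule the comment describes.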


=====================================
debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service
=====================================
@@ -0,0 +1,6 @@
+[Unit]
+Description=Auto-reenable CUPS queues on hosts configured via the cups-queue-autoreenable-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-cups-queue-autoreenable-for-netgroup-hosts


=====================================
debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer
=====================================
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-cups-queue-autoreenable.service every hour.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=timers.target


=====================================
debian/debian-edu-config.debian-edu-fsautoresize.service
=====================================
@@ -0,0 +1,6 @@
+[Unit]
+Description=Run fsautoresize regularly on hosts configured via the fsautoresize-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-fsautoresize-for-netgroup-hosts


=====================================
debian/debian-edu-config.debian-edu-fsautoresize.timer
=====================================
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-fsautoresize.service every hour.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=timers.target


=====================================
debian/debian-edu-config.debian-edu-update-netblock.service
=====================================
@@ -0,0 +1,6 @@
+[Unit]
+Description=Update netblock according to netblock-hosts netgroup configuration.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-update-netblock auto
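
Review bot: `ExecStart` calls `/usr/sbin/debian-edu-update-netblock auto` directly, while the other three services added here go through a `*-for-netgroup-hosts` wrapper that checks for `/usr/bin/innetgr` and netgroup membership first. If `debian-edu-update-netblock auto` performs the netblock-hosts check itself, say so in the commit message; otherwise this unit needs the same kind of wrapper, since the timer runs it every 5 minutes on every host.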


=====================================
debian/debian-edu-config.debian-edu-update-netblock.timer
=====================================
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-update-netblock.service every 5 minutes
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target


=====================================
debian/rules
=====================================
@@ -21,6 +21,10 @@ override_dh_installsystemd:
 	dh_installsystemd --no-start --name enable-nat
 	dh_installsystemd --no-start --name fetch-rootca-cert
 	dh_installsystemd --no-start --name firefox-ldapconf
+	dh_installsystemd --no-start --name debian-edu-fsautoresize
+	dh_installsystemd --no-start --name debian-edu-update-netblock
+	dh_installsystemd --no-start --name debian-edu-cups-queue-autoflush
+	dh_installsystemd --no-start --name debian-edu-cups-queue-autoreenable
 
 override_dh_installman:
 	dh_installman
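
Review bot: The four added `dh_installsystemd --no-start` calls mean the new timers are not started at install or upgrade time, while the changed cron.daily and cron.hourly scripts already exit early whenever /run/systemd/system exists. On an upgraded systemd host none of these jobs would then run until the next boot; either drop `--no-start` for the timer units or state in the commit message that the gap is accepted.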


=====================================
etc/cups/cups-files-debian-edu.conf
=====================================
@@ -1,4 +1,4 @@
-SystemGroup lpadmin printer-admins
+SystemGroup root lpadmin printer-admins
 AccessLog /var/log/cups/access_log
 ErrorLog /var/log/cups/error_log
 PageLog /var/log/cups/page_log
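
Review bot: `SystemGroup` takes group names, so adding `root` on the first line gives CUPS administrative access to every member of the root group, not only to services running as uid 0. A comment line above the directive referencing debian-edu-cups-queue-autoflush.service and #1043397 would record why the group is listed.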


=====================================
sbin/debian-edu-cups-queue-autoflush-for-netgroup-hosts
=====================================
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+	# Automatically flush print queues every night if the
+	# host is a member of the cups-queue-autoflush-hosts netgroup.
+	if innetgr -h $hostname cups-queue-autoflush-hosts ; then
+		exec /usr/share/debian-edu-config/tools/cups-queue-autoflush
+	fi
+
+done
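
Review bot: Unlike the autoreenable and fsautoresize wrappers, the `if` here does not test `[ -x /usr/share/debian-edu-config/tools/cups-queue-autoflush ]` before the `exec`, so a missing or non-executable tool makes the script, and with it the oneshot service, fail instead of doing nothing. Add the same `-x` guard for consistency.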


=====================================
sbin/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
=====================================
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+	# Automatically restart disabled print queues every hour if the
+	# host is a member of the cups-queue-autoreenable-hosts netgroup.
+	if [ -x /usr/share/debian-edu-config/tools/cups-queue-autoreenable ] &&
+	   innetgr -h $hostname cups-queue-autoreenable-hosts ; then
+		exec /usr/share/debian-edu-config/tools/cups-queue-autoreenable
+	fi
+
+done
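
Review bot: `$hostname` is unquoted in `innetgr -h $hostname cups-queue-autoreenable-hosts`, although the loop list itself is quoted. Write `innetgr -h "$hostname" ...` here and in the two sibling wrappers so an empty or unusual result from `uname -n` or `hostname -s` cannot shift the argument list.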


=====================================
sbin/debian-edu-fsautoresize-for-netgroup-hosts
=====================================
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+	# Automatically extend full LVM volumes if the host is a member of
+	# the fsautoresize-hosts netgroup.
+	if [ -x /usr/sbin/debian-edu-fsautoresize ] &&
+	   innetgr -h $hostname fsautoresize-hosts ; then
+		exec debian-edu-fsautoresize -n
+	fi
+
+done
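
Review bot: The guard tests the absolute path `/usr/sbin/debian-edu-fsautoresize`, but the `exec debian-edu-fsautoresize -n` two lines later resolves the name through PATH, which this script does not set itself (the cron scripts exported one before calling it). Exec the same absolute path that was tested so the binary that is checked is the one that runs.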


=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -376,7 +376,7 @@
         mailUserCreation=""
         mailFolderCreation=""
         imapTimeout="10"
-        ldapTLS="true"
+        ldapTLS="false"
         honourIvbbAttributes="false"
         enableSnapshots="false"
         snapshotBase="ou=snapshots,dc=skole,dc=skolelinux,dc=no"
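
Review bot: Setting `ldapTLS="false"` is only safe while the LDAP server URI in this template uses ldaps:, and nothing near the setting says so; the hunk does not show the URI. Document near this element, or in the template header, that ldapTLS means STARTTLS and that encryption relies on the ldaps: URI, so a later switch to an ldap: URI does not silently leave the connection unencrypted.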



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/6048ff5dcfca35b4a52ecac0ae380d64d68f2744...9ec5fe82ad2b5c65ac0284713cbbbb4cf8d25a92
