Merge pull request #2881 from holta/usr-sbin_security-norm

Experimentally remove /usr/sbin from non-root users' $PATH, per distro usability/security norms [i.e. do not install /etc/profile.d/zzz_iiab.sh]

roles/1-prep/tasks/raspberry_pi.yml

@@ -1,12 +1,12 @@
 # Specific to Raspberry Pi
 
-- name: Install udev rule /etc/udev/rules.d/92-rtc-i2c.rules from template, to transfer hwclock to system clock at dev creation, if rtc_id is defined and rtc_id != "none"
+- name: Install udev rule /etc/udev/rules.d/92-rtc-i2c.rules from template, to transfer hwclock to system clock at dev creation, if rtc_id is defined and rtc_id != "none" (root:root, 0644 by default)
   template:
     src: 92-rtc-i2c.rules
     dest: /etc/udev/rules.d/92-rtc-i2c.rules
-    owner: root
-    group: root
-    mode: 0644
+    #owner: root
+    #group: root
+    #mode: 0644
   when: rtc_id is defined and rtc_id != "none"
 
 # RTC requires a change to the device tree (and reboot)
@@ -50,7 +50,7 @@
       - cloud-guest-utils    # Contains 'growpart' for resizing a partition during boot, which is normally done with the aid of cloud-init
       - dphys-swapfile       # 2021-07-27: RaspiOS installs this regardless -- autogenerate and use a swap file
       - fake-hwclock         # 2021-07-27: RaspiOS installs this regardless -- save/restore system clock on machines without working RTC hardware
-      - iw                # 2021-07-27: RaspiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/clone-wifi.service.j2
+      - iw                # 2021-07-27: RaspiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/iiab-clone-wifi.service.j2
       - rfkill            # 2021-07-27: RaspiOS installs this regardless -- enable & disable wireless devices
       - wireless-tools    # 2021-07-27: RaspiOS installs this regardless -- manipulate Linux Wireless Extensions
     state: present
@@ -67,15 +67,15 @@
     name: dphys-swapfile
     state: restarted
 
-- name: Install RPi rootfs resizing (iiab-rpi-max-rootfs.sh) and its systemd service (iiab-rpi-root-resize.service), from templates
+- name: Install RPi rootfs resizing (/usr/sbin/iiab-rpi-max-rootfs.sh) and its systemd service (/etc/systemd/system/iiab-rpi-root-resize.service), from templates (root:root by default)
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: root
-    group: root
+    #owner: root
+    #group: root
     mode: "{{ item.mode }}"
   with_items:
-    - { src: 'iiab-rpi-max-rootfs.sh', dest: '/usr/sbin/iiab-rpi-max-rootfs.sh', mode: '0755'}
+    - { src: 'iiab-rpi-max-rootfs.sh', dest: '/usr/sbin/', mode: '0755'}
     - { src: 'iiab-rpi-root-resize.service', dest: '/etc/systemd/system/iiab-rpi-root-resize.service', mode: '0644'}
 
 - name: Enable RPi rootfs resizing (systemd service iiab-rpi-root-resize.service)

roles/2-common/tasks/main.yml

@@ -43,10 +43,10 @@
     #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE
 
 # UNMAINTAINED
-- name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
-  template:
-    dest: /etc/profile.d/zzz_iiab.sh
-    src: zzz_iiab.sh
+#- name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
+#  template:
+#    dest: /etc/profile.d/zzz_iiab.sh
+#    src: zzz_iiab.sh
 
 # UNMAINTAINED
 - include_tasks: net_mods.yml

roles/captiveportal/tasks/enable-or-disable.yml

@@ -36,8 +36,8 @@
     state: absent
   when: not captiveportal_enabled
 
-- name: Run iiab-divert-to-nginx to generate diversion lists for NGINX
-  shell: /usr/sbin/iiab-divert-to-nginx
+- name: Run /usr/sbin/iiab-divert-to-nginx to generate diversion lists for NGINX
+  command: /usr/sbin/iiab-divert-to-nginx
   when: captiveportal_enabled
 
 - name: Delete /etc/dnsmasq.d/capture to make sure dnsmasq is not diverting (if not captiveportal_enabled)

roles/captiveportal/tasks/install.yml

@@ -43,7 +43,7 @@
     - simple.template
     - mac.template
 
-- name: Run iiab-make-cp-servers.py to generate NGINX servers from /opt/iiab/captiveportal/checkurls input list (creates /etc/nginx/sites-available/capture.conf)
+- name: Run /usr/sbin/iiab-make-cp-servers.py to generate NGINX servers from /opt/iiab/captiveportal/checkurls input list (creates /etc/nginx/sites-available/capture.conf)
   command: /usr/sbin/iiab-make-cp-servers.py
   args:
     creates: /etc/nginx/sites-available/capture.conf

roles/firmware/tasks/install.yml

@@ -2,19 +2,19 @@
   include_tasks: download.yml
   when: firmware_downloaded is undefined    # SEE ALSO firmware_installed below
 
-- name: 'Install from template: check-firmware.service, iiab-check-firmware & fw_warn.sh'
+- name: 'Install from template: /usr/bin/iiab-check-firmware, /etc/systemd/system/iiab-check-firmware.service & /etc/profile.d/iiab-firmware-warn.sh'
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
   with_items:
-    - { src: 'check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' }
-    - { src: 'iiab-check-firmware', dest: '/usr/sbin/', mode: '0755' }
-    - { src: 'fw_warn.sh', dest: '/etc/profile.d/', mode: '0644' }
+    - { src: 'iiab-check-firmware', dest: '/usr/bin/', mode: '0755' }
+    - { src: 'iiab-check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' }
+    - { src: 'iiab-firmware-warn.sh', dest: '/etc/profile.d/', mode: '0644' }
 
-- name: Enable & (Re)Start check-firmware.service (also runs on each boot)
+- name: Enable & (Re)Start iiab-check-firmware.service (also runs on each boot)
   systemd:
-    name: check-firmware.service
+    name: iiab-check-firmware.service
     daemon_reload: yes
     state: restarted
     enabled: yes

roles/firmware/templates/iiab-check-firmware.service

@@ -1,11 +1,10 @@
 [Unit]
 Description=Check Firmware service
-Before=clone-wifi.service
+Before=iiab-clone-wifi.service
 
 [Service]
 Type=oneshot
-ExecStart=/usr/sbin/iiab-check-firmware
+ExecStart=/usr/bin/iiab-check-firmware
 
 [Install]
 WantedBy=multi-user.target
-

roles/iiab-admin/tasks/admin-user.yml

@@ -14,7 +14,7 @@
     name: "{{ admin_console_group }}"
     state: present
 
-- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
+- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-*) at the command-line
   user:
     name: "{{ iiab_admin_user }}"
     #group: "{{ iiab_admin_user }}"    # Not nec.  Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs
@@ -34,7 +34,7 @@
 
 # sudo-prereqs.yml needs to have been run!
 
-- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
+- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands in /usr/bin like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
   #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
   user:
     name: "{{ iiab_admin_user }}"

roles/network/tasks/hostapd.yml

@@ -39,7 +39,7 @@
   set_fact:
     ap0_mac_addr: "{{ ap0_mac.stdout }}"
 
-- name: Use custom 'hostapd' systemd service unit file using ap0
+- name: "Use custom 'hostapd' systemd service unit file using ap0 -- install from template: /etc/systemd/system/hostapd.service, /etc/systemd/system/iiab-clone-wifi.service, /etc/systemd/system/iiab-wifi-test.service, /usr/sbin/iiab-test-wifi"
   template:
     owner: root
     group: root
@@ -48,9 +48,9 @@
     mode: "{{ item.mode  }}"
   with_items:
     - { src: 'hostapd/hostapd.service.j2', dest: '/etc/systemd/system/hostapd.service', mode: '0644' }
-    - { src: 'hostapd/clone-wifi.service.j2', dest: '/etc/systemd/system/clone-wifi.service', mode: '0644' }
-    - { src: 'hostapd/wifi-test.service.j2', dest: '/etc/systemd/system/wifi-test.service', mode: '0644'}
-    - { src: 'hostapd/test-wifi', dest: '/sbin/test-wifi', mode: '0755' }
+    - { src: 'hostapd/iiab-clone-wifi.service.j2', dest: '/etc/systemd/system/iiab-clone-wifi.service', mode: '0644' }
+    - { src: 'hostapd/iiab-wifi-test.service.j2', dest: '/etc/systemd/system/iiab-wifi-test.service', mode: '0644'}
+    - { src: 'hostapd/iiab-test-wifi.j2', dest: '/usr/sbin/iiab-test-wifi', mode: '0755' }
   when: discovered_wireless_iface != "none"
 
 - name: Use custom 'hostapd' systemd service unit file for {{ discovered_wireless_iface }} when not wifi_up_down
@@ -145,8 +145,8 @@
     enabled: no
     daemon_reload: yes    
   with_items:
-    - clone-wifi.service
-    - wifi-test.service
+    - iiab-clone-wifi.service
+    - iiab-wifi-test.service
   when: not wifi_up_down
 
 - name: Enable the Access Point 'hostapd' and ap0 related services
@@ -156,8 +156,8 @@
     daemon_reload: yes
   with_items:
     - hostapd.service
-    - clone-wifi.service
-    - wifi-test.service
+    - iiab-clone-wifi.service
+    - iiab-wifi-test.service
   when: hostapd_enabled and wifi_up_down
 
 - name: Record HOSTAPD_ENABLED to {{ iiab_env_file }}

roles/network/tasks/rpi_debian.yml

@@ -58,7 +58,7 @@
 
 - name: Clone wifi if needed
   systemd:
-    name: clone-wifi
+    name: iiab-clone-wifi
     state: started
   when: discovered_wireless_iface != "none"
   # Whereas sysd-netd-debian.yml uses...

roles/network/tasks/sysd-netd-debian.yml

@@ -53,7 +53,7 @@
 
 - name: Clone wifi if needed
   systemd:
-    name: clone-wifi
+    name: iiab-clone-wifi
     state: started
   when: wifi_up_down and discovered_wireless_iface != "none"
 

roles/network/templates/hostapd/README.ap0

@@ -1,8 +1,8 @@
 start up order
 # network-pre bridge is created
-clone-wifi
+iiab-clone-wifi
 wpa_supplicant #--dbus version does not start the interface directly
-test-wifi  # uses dbus to scan the network grabbing the channel alters hostapd.conf if needed
+iiab-test-wifi  # uses dbus to scan the network grabbing the channel alters hostapd.conf if needed
 hostapd
 
 # network

roles/network/templates/hostapd/hostapd.service.j2

@@ -2,8 +2,8 @@
 Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
 Wants=network-pre.target
 After=network-pre.target
-After=clone-wifi.service
-Requires=clone-wifi.service
+After=iiab-clone-wifi.service
+Requires=iiab-clone-wifi.service
 Before=dhcpcd.service
 Before=wpa_supplicant@{{ discovered_wireless_iface }}.service
 Before=NetworkManager.service

roles/network/templates/hostapd/iiab-test-wifi.j2

@@ -5,7 +5,7 @@ NETPLAN=0
 SSID="NA"
 # when we get here br0 should be available and dbus wpa_supplicant was started if enabled. None
 # of the backends that use wpa_supplicant should be active yet based on the Before= After= lines
-# in the wifi-test.service unit file.
+# in the iiab-wifi-test.service unit file.
 
 # covers systemd-networkd
 if [ -f /etc/wpa_supplicant/wpa_supplicant-$IFACE.conf ]; then

roles/network/templates/hostapd/iiab-wifi-test.service.j2

@@ -12,7 +12,7 @@ Before=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/sbin/test-wifi
+ExecStart=/usr/sbin/iiab-test-wifi
 
 [Install]
 WantedBy=multi-user.target

roles/network/templates/network/iiab-hotspot-off

@@ -3,9 +3,9 @@ sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=False/" {{ iiab_env_file }}
 systemctl disable hostapd
 systemctl stop hostapd
 {% if wifi_up_down %}
-systemctl disable clone-wifi.service
-systemctl disable wifi-test.service
-systemctl stop clone-wifi.service
+systemctl disable iiab-clone-wifi.service
+systemctl disable iiab-wifi-test.service
+systemctl stop iiab-clone-wifi.service
 echo " IIAB hotspot access point Disabled"
 exit 0
 {% else %}

roles/network/templates/network/iiab-hotspot-on

@@ -1,9 +1,9 @@
 #!/bin/bash
 sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=True/" {{ iiab_env_file }}
 {% if wifi_up_down %}
-systemctl enable clone-wifi.service
+systemctl enable iiab-clone-wifi.service
 systemctl enable hostapd
-systemctl enable wifi-test.service
+systemctl enable iiab-wifi-test.service
 echo -e "\nPlease reboot to activate hostapd feature.\n"
 exit 0
 {% else %}

roles/usb_lib/tasks/install.yml

@@ -55,14 +55,14 @@
     group: "{{ apache_user }}"    # 2020-02-13: changed from iiab_admin_user, after discussion on weekly call (#1228, #2222)
     mode: '0775'
 
-- name: 'Install from template: /etc/udev/rules.d/usbmount.rules, /etc/systemd/system/usbmount@.service, /usr/bin/iiab-usb_lib-show-all-on, /usr/bin/iiab-usb_lib-show-all-off'
+- name: 'Install from template: /etc/udev/rules.d/usbmount.rules, /etc/systemd/system/usbmount@.service, /usr/bin/iiab-usb_lib-show-all-on, /usr/bin/iiab-usb_lib-show-all-off, /usr/sbin/iiab-clean-usb.sh'
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
   with_items:
-    - { src: 'usbmount@.service.j2', dest: '/etc/systemd/system/usbmount@.service', mode: '0644' }
     - { src: 'usbmount.rules.j2', dest: '/etc/udev/rules.d/usbmount.rules', mode: '0644' }
+    - { src: 'usbmount@.service.j2', dest: '/etc/systemd/system/usbmount@.service', mode: '0644' }
     - { src: 'iiab-usb_lib-show-all-on', dest: '/usr/bin/', mode: '0755' }
     - { src: 'iiab-usb_lib-show-all-off', dest: '/usr/bin/', mode: '0755' }
     - { src: 'iiab-clean-usb.sh', dest: '/usr/sbin/', mode: '0755' }