Make user settings apply when there is no sudo rule and no write to the nc/sw repository is allowed #3

Open
opened 2026-03-16 15:21:44 +01:00 by obel1x · 1 comment
Owner

Currently the scripts run fine when the user is clientadmin and has rights to write into the nextcloud sw repository.

When run as non-admin, the user is not allowed to:

  • Change anything in the /opt/sys_config/system setup and /opt/sys_config/client_software
  • Change anything at nextcloud

But it should be possible:

  • to download the newest client_software from the server
    • a local cache may be possible, but it MUST NOT happen that the user can inject their own code -> rsync to make a 1:1 copy of the server?
  • maybe also download the newest complete /opt/sys_config/system setup while maintaining the actual config (maybe server-side)
  • And after updating/downloading stuff, the user may execute only user-defined installations/configurations like
    • Desktop Symbols
    • Nextcloud Sync-dirs etc

Any other thoughts about this...

Comment by obel1x (author, owner):

Solutions:

  1. Change the rule definition: sudo_admin_rules should ONLY allow the execution of sync_clients.sh and NOT allow anything else to be done as root. Then anyone who is allowed to log on to these hosts will always get that rule assigned by group. Now he can execute it as root, but he will not be able to change anything on this PC, including the directories or files in the installation path.
    This is a nice and clean solution, which is what that system was intended for.

  2. On the other hand: the user logon may get slow, so this task could be done at system boot time. Also, the complex sudo rule could then become obsolete, which would be nice for admins.
    So at system start the Freeipa-Installcheck is done every time. This is executed by root before the logon screen and after the network is up, so at the right time and in the right context.
    Maybe that script should also do the git fetch of the latest versions instead of the logon script.
    But there is a problem with the WebDAV tokens, as they are only available in user context. So uploading the pulled changes to NC would still be the task of the user.

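As an added example (not code from the obel1x/fedora-OEMDRV repository): the single-command sudoers rule from solution 1 in the comment above, the root-only-writable check that such a rule depends on, and the rsync "1:1 copy of the server" mentioned in the issue description. The group name clientusers, the script path and GNU stat/find (Fedora) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the obel1x/fedora-OEMDRV repository.
# Assumptions: the logon group is called "clientusers", sync_clients.sh
# lives in /opt/sys_config/client_software, GNU stat/find (Fedora).

SW_CACHE=/opt/sys_config/client_software
SYNC_SCRIPT=$SW_CACHE/sync_clients.sh

# Solution 1 from the comment: a sudoers line that lets the group run exactly
# one command as root.  The trailing "" forbids any arguments, so a caller
# cannot pass options that change what the script does.
sudo_rule_for() {
    group=$1; script=$2
    printf '%%%s ALL=(root) NOPASSWD: %s ""\n' "$group" "$script"
}

# A sudo rule is only as strong as the file it points at.  The script and the
# cache it updates must be root-owned and writable by nobody else; otherwise a
# group member could edit them and the rule would hand out root.
check_root_only_writable() {
    path=$1
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    owner=$(stat -c '%U' "$path")
    [ "$owner" = root ] || { echo "not root-owned: $path ($owner)" >&2; return 1; }
    # -prune keeps find on the entry itself; any group (020) or other (002)
    # write bit makes the check fail.
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "group/world writable: $path" >&2
        return 1
    fi
}

# The "1:1 copy of server" idea from the issue: sync_clients.sh, run as root via
# the rule above, mirrors the server repository into the local cache, deletes
# local extras and strips write bits, so user-placed files never survive a run.
sync_cache() {
    src=$1; dst=${2:-$SW_CACHE}
    check_root_only_writable "$dst" || return 1
    rsync -a --delete --chown=root:root --chmod=go-w "$src/" "$dst/"
}

# Usage: print the rule to paste into /etc/sudoers.d (check it with visudo -c).
sudo_rule_for clientusers "$SYNC_SCRIPT"
```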

Reference: obel1x/fedora-OEMDRV#3