Pulls the 5 privileged helpers out of deploy/files/usr/local/{libexec,sbin}/
into top-level scripts/{libexec,sbin}/. They are application-inherent code
(invoked at runtime via sudo from l4d2host/l4d2web), not deploy artifacts —
the previous nesting under deploy/files/ confused source-of-truth with
install-target FHS layout.
deploy/ now means "reference exemplar": README explaining the target
layout, plus example sudoers / sysctl / sandbox-resolv.conf / env
templates / curated systemd units (the ones ckn-bw's reactor emits).
Anyone building a fresh deployment (other than ckn-bw) reads this tree.
Dead static artifacts deleted: left4me-apply-cake helper, left4me-cake
+ left4me-nft-mark service units, cake.env, left4me-mark.nft, and the
superseded deploy-test-server.sh installer.
Tests split to match the new shape:
- scripts/tests/{test_overlay,test_script_sandbox,test_systemctl_helper,
test_journalctl_helper,test_helpers_use_fixed_paths,test_sudoers_grants}.py
with shared fixtures in conftest.py
- deploy/tests/test_example_units.py (renamed from test_deploy_artifacts.py)
— slimmed to lock down the curated example units, sysctl, env templates
l4d2host/tests/test_overlay_helper.py: helper-source path updated to
scripts/libexec/left4me-overlay (was building the path segment-by-segment
under deploy/files/, missed by the path-prefix grep during pre-flight).
Runtime install-target paths (/usr/local/{libexec,sbin}/) unchanged, so
l4d2host/service_control.py, l4d2web/services/overlay_builders.py, the
sudoers grants, and the systemd units all keep their existing path
references.
Requires the matching ckn-bw change to bundles/left4me/items.py
(install_left4me_scripts repointed from /opt/left4me/src/deploy/files/...
to /opt/left4me/src/scripts/...). Left4me lands first so a fresh
git_deploy exposes the new source path before the bundle apply runs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
38 lines
1.4 KiB
Python
"""Audit the script→sudoers contract.
|
|
|
|
The sudoers file in `deploy/files/etc/sudoers.d/left4me` is a reference
|
|
example; ckn-bw ships its own verbatim copy under
|
|
`bundles/left4me/files/etc/sudoers.d/left4me`. The two are expected to
|
|
match. This test lives under `scripts/tests/` because the contract being
|
|
audited is about *scripts* (which paths the `left4me` uid can sudo into)
|
|
even though the file it reads is in `deploy/`.
|
|
"""
|
|
from conftest import DEPLOY
|
|
|
|
|
|
SUDOERS = DEPLOY / "files/etc/sudoers.d/left4me"
|
|
|
|
|
|
def test_sudoers_allows_only_left4me_helpers_not_raw_system_tools():
|
|
sudoers = SUDOERS.read_text()
|
|
|
|
assert (
|
|
"left4me ALL=(root) NOPASSWD: "
|
|
"/usr/local/libexec/left4me/left4me-systemctl *"
|
|
) in sudoers
|
|
assert (
|
|
"left4me ALL=(root) NOPASSWD: "
|
|
"/usr/local/libexec/left4me/left4me-journalctl *"
|
|
) in sudoers
|
|
assert "/usr/local/libexec/left4me/left4me-overlay mount *" in sudoers
|
|
assert "/usr/local/libexec/left4me/left4me-overlay umount *" in sudoers
|
|
assert (
|
|
"left4me ALL=(root) NOPASSWD: "
|
|
"/usr/local/libexec/left4me/left4me-script-sandbox"
|
|
) in sudoers
|
|
assert "/bin/systemctl" not in sudoers
|
|
assert "/usr/bin/systemctl" not in sudoers
|
|
assert "/bin/journalctl" not in sudoers
|
|
assert "/usr/bin/journalctl" not in sudoers
|
|
assert "/bin/mount" not in sudoers
|
|
assert "/bin/umount" not in sudoers
|
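The test above pins exact substrings. As an added example (not code from the left4me repository), the auditor below generalises that contract: it parses the grant lines of a sudoers fragment and flags any grant for the `left4me` user whose command is not under the helper directory or is one of the raw tools the helpers wrap, so the check keeps holding as helpers are added. The sudoers text and the `HELPER_DIR`/`RAW_TOOLS` names are constructed for this example.

```python
import re
from typing import List, Tuple

# Assumed for this example: the only directory the left4me uid may sudo into,
# and the raw tools that must only ever be reached through a wrapping helper.
HELPER_DIR = "/usr/local/libexec/left4me/"
RAW_TOOLS = {"systemctl", "journalctl", "mount", "umount"}

# One grant line: user host=(runas) [TAG: ...] cmd [args][, cmd [args]...]
_GRANT = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_grants(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, runas, command_path) per granted command.
    Comments, blank lines and Defaults lines are skipped; only the command
    path (first token of each comma-separated Cmnd_Spec) is kept."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = _GRANT.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            tokens = cmd.split()
            if tokens:
                grants.append((m.group("user"), m.group("runas"), tokens[0]))
    return grants


def audit(text: str, user: str = "left4me") -> List[str]:
    """Findings for `user`; an empty list means every grant is a vetted helper."""
    findings = []
    for who, _runas, path in parse_grants(text):
        if who != user:
            continue
        if path.rsplit("/", 1)[-1] in RAW_TOOLS:
            findings.append(f"raw system tool granted: {path}")
        elif not path.startswith(HELPER_DIR):
            findings.append(f"command outside {HELPER_DIR}: {path}")
    return findings


# Constructed sample fragments (not the project's real sudoers file).
SAMPLE_GOOD = (
    "# constructed reference fragment\n"
    "left4me ALL=(root) NOPASSWD: /usr/local/libexec/left4me/left4me-systemctl *\n"
    "left4me ALL=(root) NOPASSWD: /usr/local/libexec/left4me/left4me-overlay mount *, "
    "/usr/local/libexec/left4me/left4me-overlay umount *\n"
)
SAMPLE_BAD = SAMPLE_GOOD + "left4me ALL=(root) NOPASSWD: /usr/bin/systemctl restart *\n"
```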