#!/bin/bash
# Security Hardening Script for apt-ostree
# This script relocates the project from /home/joe/particle-os-tools to /opt/particle-os-tools
# to eliminate the need for ProtectHome=false and improve security posture
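# Abort on the first failing command; -u additionally turns a mistyped
# variable name into an error before it can reach a destructive mv/chown/sed.
set -euo pipefail

# ANSI colour codes for status output (NC resets). readonly so no later step
# can silently clobber them.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

# Source checkout (inside a user's home, which is what forced
# ProtectHome=false) and the system-owned location it is relocated to.
readonly OLD_PATH="/home/joe/particle-os-tools"
readonly NEW_PATH="/opt/particle-os-tools"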
# Banner: %b interprets the colour escapes exactly as echo -e would.
printf '%b\n' "${BLUE}=== apt-ostree Security Hardening ===${NC}"
printf '%s\n' \
  "This script will relocate the project to improve security:" \
  " From: $OLD_PATH" \
  " To: $NEW_PATH" \
  "" \
  "This will eliminate the need for ProtectHome=false in systemd service." \
  ""
# Copying into /opt, chowning to root and editing unit files all need root;
# fail fast before anything is touched.
if (( EUID != 0 )); then
  printf '%b\n' "${RED}Error: This script must be run as root (sudo)${NC}"
  printf '%s\n' "The relocation requires root privileges to move files to /opt"
  exit 1
fi
# Nothing to relocate if the source checkout is not there.
[[ -d "$OLD_PATH" ]] || {
  printf '%b\n' "${RED}Error: Source directory $OLD_PATH does not exist${NC}"
  exit 1
}
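# Refuse to clobber an existing destination without explicit confirmation.
if [[ -d "$NEW_PATH" ]]; then
  echo -e "${YELLOW}Warning: Destination directory $NEW_PATH already exists${NC}"
  # A closed or non-interactive stdin makes read fail; under set -e that used
  # to kill the script silently. Treat it as "no" so the abort message below
  # is printed instead.
  REPLY=''
  read -p "Do you want to backup and replace it? (y/N): " -n 1 -r || true
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    echo -e "${BLUE}Backing up existing directory...${NC}"
    # Timestamped so repeated runs never overwrite an earlier backup.
    mv -- "$NEW_PATH" "${NEW_PATH}.backup.$(date +%Y%m%d_%H%M%S)"
  else
    echo -e "${RED}Aborting. Please remove or rename $NEW_PATH manually.${NC}"
    exit 1
  fi
fi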
printf '%b\n' "${BLUE}Step 1: Stopping services...${NC}"
# The daemon must not be running while its tree is copied and its unit edited.
if systemctl is-active --quiet apt-ostreed.service; then
  printf '%s\n' "Stopping apt-ostreed.service..."
  systemctl stop apt-ostreed.service
fi
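echo -e "${BLUE}Step 2: Moving project to /opt...${NC}"
# Make sure the parent of NEW_PATH (/opt) exists before copying into it.
mkdir -p "$(dirname "$NEW_PATH")"

# Copy rather than move so the source stays intact until the daemon has been
# verified from its new location (the original is archived in Step 9).
echo "Moving $OLD_PATH to $NEW_PATH..."
cp -r -- "$OLD_PATH" "$NEW_PATH"

# Hand the tree to root. Directories, and files that already carry an
# executable bit, become 755; everything else 644. A blanket 755 would mark
# YAML configs, unit files and docs executable for no reason.
# NOTE(review): this relies on the source tree already having the executable
# bit on its scripts (sync-service-files.sh, run_full_tests.sh, the python
# entry point); cp -r carries those bits over. Confirm against the checkout.
echo "Setting proper ownership and permissions..."
chown -R root:root -- "$NEW_PATH"
chmod -R u=rwX,go=rX -- "$NEW_PATH"

echo -e "${BLUE}Step 3: Updating path references...${NC}"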
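#######################################
# Rewrite every occurrence of OLD_PATH in one file to NEW_PATH, in place.
# Globals:   OLD_PATH (read), NEW_PATH (read)
# Arguments: $1 - file to edit
#            $2 - human-readable description for the progress line
# Outputs:   progress line on stdout; a warning (not an error) when the file
#            is missing, since not every deployment ships every file
# Returns:   0 when the file is missing, otherwise sed's exit status
#######################################
update_paths_in_file() {
  local file="$1"
  local description="$2"
  local pattern="$OLD_PATH"
  local replacement="$NEW_PATH"
  local c

  # Both paths are spliced into a '|'-delimited sed expression, so neutralise
  # everything sed would read as syntax: BRE metacharacters on the search
  # side, '&' and '\' on the replacement side, the delimiter on both. For the
  # two paths configured at the top this is a no-op; it keeps the function
  # safe if either path is ever changed to something containing '.' or '&'.
  for c in '\' '[' '.' '*' '^' '$' '|'; do
    pattern=${pattern//"$c"/\\"$c"}
  done
  for c in '\' '&' '|'; do
    replacement=${replacement//"$c"/\\"$c"}
  done

  if [[ -f "$file" ]]; then
    echo " Updating $description..."
    # NOTE(review): GNU sed -i replaces a symlink with a regular file. If the
    # entries under systemd-symlinks/ are real symlinks, pass --follow-symlinks
    # (or skip them) so a link is not silently turned into a detached copy.
    sed -i "s|$pattern|$replacement|g" -- "$file"
  else
    echo " Warning: $file not found, skipping..."
  fi
}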
# Every file under the project that embeds the checkout path, as
# "relative path|description". Same files and same order as before; the
# order only affects the progress output.
ref_dir="$NEW_PATH/src/apt-ostree.py"
path_refs=(
  # systemd service files
  "apt-ostreed.service|systemd service file"
  "systemd-symlinks/apt-ostreed.service|systemd service symlink"
  "systemd-symlinks/apt-ostree.service|legacy systemd service symlink"
  # D-Bus service files
  "org.debian.aptostree1.service|D-Bus activation service"
  "systemd-symlinks/org.debian.aptostree1.service|D-Bus service symlink"
  # configuration files
  "config/apt-ostreed.yaml|production configuration"
  "config/apt-ostreed-dev.yaml|development configuration"
  "config/README.md|configuration documentation"
  # shell integration paths
  "python/utils/shell_integration.py|shell integration utility"
  # test and utility scripts
  "run_full_tests.sh|test runner script"
  "test_apt_layer_fix.sh|apt-layer test script"
  "fix_apt_layer_paths.sh|apt-layer path fix script"
)
for ref_entry in "${path_refs[@]}"; do
  update_paths_in_file "$ref_dir/${ref_entry%%|*}" "${ref_entry#*|}"
done
echo -e "${BLUE}Step 4: Removing ProtectHome=false from systemd service...${NC}"
# Remove ProtectHome=false and update ReadWritePaths
# Dropping ProtectHome=false is the point of the relocation: once the code
# lives in /opt the unit no longer needs a view of /home.
sed -i '/ProtectHome=false/d' "$NEW_PATH/src/apt-ostree.py/apt-ostreed.service"
# NOTE(review): this pattern is hard-coded to the old home path, but Step 3
# has already rewritten every /home/joe/particle-os-tools in this file to
# /opt/particle-os-tools, so the line can no longer match and any
# ReadWritePaths= entry survives (now pointing at /opt). Decide whether that
# entry should stay (the daemon may need write access there if the unit also
# uses ProtectSystem) or go, and match on the new path if the latter.
sed -i '/ReadWritePaths.*\/home\/joe\/particle-os-tools/d' "$NEW_PATH/src/apt-ostree.py/apt-ostreed.service"

# Update PYTHONPATH environment variable
# Replaces everything from "PYTHONPATH=" to end of line, so an
# Environment=PYTHONPATH=... form is covered as well.
sed -i "s|PYTHONPATH=.*|PYTHONPATH=$NEW_PATH/src/apt-ostree.py/python|g" "$NEW_PATH/src/apt-ostree.py/apt-ostreed.service"
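echo -e "${BLUE}Step 5: Updating symlinks...${NC}"
# Repoint the CLI symlink at the relocated entry point. Only an existing
# symlink is touched: a regular file or a missing entry is left alone so a
# packaged binary is never overwritten.
cli_link="/usr/local/bin/apt-ostree"
cli_target="$NEW_PATH/src/apt-ostree.py/python/apt_ostree_new.py"
if [[ -L "$cli_link" ]]; then
  echo "Updating apt-ostree symlink..."
  # -f replaces the old link and -n keeps ln from descending into it if it
  # pointed at a directory, so the separate rm is not needed.
  ln -sfn -- "$cli_target" "$cli_link"
  # The target comes from the tree copied in Step 2; warn rather than fail so
  # the remaining steps still run and the operator can fix it afterwards.
  [[ -e "$cli_target" ]] || echo " Warning: $cli_target does not exist; symlink is dangling"
fi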
printf '%b\n' "${BLUE}Step 6: Reinstalling service files...${NC}"
# Run the project's own sync script from inside the relocated tree; per the
# original workflow it installs the path-corrected service files.
sync_dir="$NEW_PATH/src/apt-ostree.py"
cd "$sync_dir" || exit 1
./sync-service-files.sh

printf '%b\n' "${BLUE}Step 7: Reloading systemd and D-Bus...${NC}"
# Make both daemons re-read the freshly installed unit/activation files.
systemctl daemon-reload
systemctl reload dbus
printf '%b\n' "${BLUE}Step 8: Testing the daemon...${NC}"
# Smoke test: the unit must start from its new location. It is stopped again
# afterwards so the operator decides when to bring it up for real.
printf '%s\n' "Testing daemon startup..."
if ! systemctl start apt-ostreed.service; then
  printf '%b\n' "${RED}✗ Daemon failed to start${NC}"
  printf '%s\n' "Check the logs with: journalctl -u apt-ostreed.service -n 50"
  exit 1
fi
printf '%b\n' "${GREEN}✓ Daemon started successfully${NC}"
systemctl stop apt-ostreed.service
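echo -e "${BLUE}Step 9: Creating backup of old directory...${NC}"
# Archive the original checkout as a sibling of where it was (normally the
# same filesystem, so mv is a rename). It is still a complete copy of the
# code, so remove it once the new location has been verified.
BACKUP_PATH="${OLD_PATH}.backup.$(date +%Y%m%d_%H%M%S)"
echo "Creating backup at $BACKUP_PATH..."
mv -- "$OLD_PATH" "$BACKUP_PATH"

echo -e "${BLUE}Step 10: Creating symlink from old to new location...${NC}"
# Compatibility link for anything still hard-wired to the old path. Built from
# the same variables as every other step so the two locations cannot drift
# apart (the previous version spelled both paths out again here).
ln -sfn -- "$NEW_PATH" "$OLD_PATH"
echo "Symlink created: $OLD_PATH -> $NEW_PATH"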
printf '\n%b\n\n' "${GREEN}=== Security Hardening Complete! ===${NC}"
# Summary and hand-off instructions are plain text, so one here-doc replaces
# the run of echo calls. Unquoted delimiter: $OLD_PATH and friends expand.
cat <<EOF
Project has been successfully relocated:
 From: $OLD_PATH
 To: $NEW_PATH
 Backup: $BACKUP_PATH

Security improvements:
 ✓ Removed ProtectHome=false from systemd service
 ✓ Project now located in /opt (standard system directory)
 ✓ Proper ownership and permissions set
 ✓ All path references updated

Next steps:
 1. Update your development environment to use $NEW_PATH
 2. Update any IDE/editor workspace paths
 3. Test the daemon: sudo systemctl start apt-ostreed.service
 4. Run integration tests: cd $NEW_PATH && ./src/apt-ostree.py/run_integration_tests.sh

To restore from backup if needed:
 sudo mv $BACKUP_PATH $OLD_PATH
 sudo systemctl stop apt-ostreed.service
 cd $OLD_PATH/src/apt-ostree.py && ./sync-service-files.sh
 sudo systemctl daemon-reload

EOF
printf '%b\n' "${GREEN}Security hardening completed successfully!${NC}"