Created
June 17, 2013 13:06
#!/usr/local/rvm/bin/our_ruby_wrapper -w | |
require 'optparse' | |
# | |
# Documentation for this dark corner of the Debian package manager can be | |
# found at the following places: | |
# | |
# * http://matrix.umcs.lublin.pl/cgi-bin/dwww/usr/share/doc/sysv-rc/README.policy-rc.d.gz | |
# * http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s-disableserv | |
# * http://packages.debian.org/wheezy/policyrcd-script-zg2 | |
# | |
# Information about the decisions being made by this script can be found
# in /var/log/syslog on Ubuntu (see the `logger` call below).
# | |
# Usage: | |
# | |
# This script is called by invoke-rc.d (a simple wrapper around running the
# init.d scripts directly). invoke-rc.d applies a local policy: when
# /usr/sbin/policy-rc.d exists and is executable, it is run and its exit
# code is consulted.
# This is a simple, naïve implementation of a policy to disallow the
# starting of services which protonet manages with Runit, but installs from
# the normal Debian/Ubuntu package sources.
# | |
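# Init script IDs whose actions this policy forbids (exit 101): protonet
# supervises these daemons with Runit even though they come from the normal
# Debian/Ubuntu packages. Compared case-insensitively, so keep them lowercase.
runit_managed_packages = %w[apache2 smbd nmbd dnsmasq nginx rabbitmq-server].freeze

options = {}
parser = OptionParser.new do |opts|
  opts.banner = "Usage: #{$0} [options] <initdscript ID> <actions> <runlevel>"
  # --quiet only suppresses the stdout chatter; the decision is still sent
  # to syslog via logger(1) below.
  opts.on("--quiet", "Do not print the decision to stdout") do |v|
    options[:quiet] = v
  end
  opts.on("--list", "List policy in a human readable way") do
    warn "--list option not supported"
    abort
  end
end
parser.parse!

# invoke-rc.d passes: <initscript ID> <action list> [<runlevel>]; parse! has
# already removed the switches from ARGV.
initscript_id, actions, runlevel = ARGV.take(3)

# A missing init script ID is a usage error, not something to decide on;
# abort prints the usage line and exits with status 1.
abort parser.banner if initscript_id.nil? || initscript_id.empty?

unless options[:quiet]
  puts "Script ID: #{initscript_id} Actions: #{actions} Runlevel: #{runlevel}"
end

# Record the decision in syslog. logger(1) is invoked with an explicit argv
# (no shell), so quotes, brackets or other metacharacters in the arguments
# invoke-rc.d hands us can neither break the message nor inject a command.
# Logging is best effort: a failed logger call must not change the verdict.
log_decision = lambda do |verb|
  system('logger', 'protonet', 'policy-rc.d', "#{verb} installation with #{ARGV.inspect}")
end

if runit_managed_packages.include?(initscript_id.downcase)
  # 101: action forbidden by local policy (policy-rc.d exit code convention).
  puts "Denying (Code: 101)" unless options[:quiet]
  log_decision.call('Denying')
  exit 101
else
  # 0: action allowed.
  puts "Allowing (Code: 0)" unless options[:quiet]
  log_decision.call('Allowing')
  exit 0
end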
Author
leehambley
commented
Jun 17, 2013