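#!/usr/bin/env bash
# Install the service on a fresh vulnbox. Target should be /home/<servicename>
#
# The vulnbox framework is expected to provide (presumably exported into the
# environment before this script runs — confirm against the framework):
# - $SERVICENAME  – name of the service and of its unix user
# - $INSTALL_DIR  – where the service files live (/home/<servicename>)
# - An user account with your name ($SERVICENAME)
# - the helpers detect-docker, service-add-simple and cronjob-add on $PATH
#
# Assumptions: runs as root, and the cwd is the service checkout (./service/*
# is moved into $INSTALL_DIR). `set -x` traces every command, including the
# file contents written below, to stderr.
set -eux

# Fail early with a clear message if the framework did not hand us the
# variables: `set -u` only catches *unset* values, not empty ones, and an empty
# $INSTALL_DIR would turn the paths below into /venv, /init_db.py, ...
: "${SERVICENAME:?SERVICENAME must be set by the vulnbox framework}"
: "${INSTALL_DIR:?INSTALL_DIR must be set by the vulnbox framework}"

# Package versions to install and pin. Kept in one place so the pin file and
# the apt-get call below cannot drift apart.
readonly CUPS_VERSION='2.4.2-3+deb12u7'
readonly CUPS_FILTERS_VERSION='1.28.17-3'
cups_packages=(
  cups libcups2 libcupsimage2 libcups2-dev libcupsimage2-dev
  cups-client cups-core-drivers cups-daemon cups-ipp-utils
  cups-server-common cups-common cups-ppdc
)
cups_filters_packages=(
  cups-filters-core-drivers cups-browsed cups-filters
  libcupsfilters1 libcupsfilters-dev
)

# For now: use archive repo to get old versions. Not sure if the pin works as expected.
# Keep the regular stable sources, then add a snapshot.debian.org source so
# the exact old versions above are still installable.
mv /etc/apt/sources.list /etc/apt/sources.list.d/stable.list || true
ls -l /etc/apt/sources.list.d
# echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20240924T203152Z/ bookworm main' > /etc/apt/sources.list.d/legacy.list
# NOTE(review): the http://HTTPS/// form looks like the apt-cacher-ng convention
# for reaching an https origin through a plain-http proxy — confirm it matches
# the vulnbox's apt proxy. check-valid-until=no only skips the Release file's
# expiry check (the snapshot is frozen); the Release signature is still verified.
printf '%s\n' 'deb [check-valid-until=no] http://HTTPS///snapshot.debian.org/archive/debian/20240924T203152Z/ bookworm main' > /etc/apt/sources.list.d/legacy.list
#echo 'Package: *' > /etc/apt/preferences.d/stable.pref
#echo 'Pin: release a=stable' >> /etc/apt/preferences.d/stable.pref
#echo 'Pin-Priority: 500' >> /etc/apt/preferences.d/stable.pref
#echo 'Package: *' > /etc/apt/preferences.d/legacy.pref
#echo 'Pin: release a=legacy' >> /etc/apt/preferences.d/legacy.pref
#echo 'Pin-Priority: 1' >> /etc/apt/preferences.d/legacy.pref

#######################################
# Print apt_preferences(5) records pinning packages to one version.
# Arguments: $1 - version string; $2.. - package names
# Outputs:   one blank-line separated record per package on stdout
#######################################
write_pins() {
  local version=$1
  shift
  local pkg
  for pkg in "$@"; do
    # apt_preferences(5) records are separated by a blank line; the previous
    # hand-written file had none between stanzas, which may be why the pin
    # looked unreliable. Check with `apt-cache policy cups` after install.
    printf 'Package: %s\nPin: version %s\nPin-Priority: 999\n\n' "$pkg" "$version"
  done
}

# pin packages, so that apt upgrade won't touch them
{
  write_pins "$CUPS_VERSION" "${cups_packages[@]}"
  write_pins "$CUPS_FILTERS_VERSION" "${cups_filters_packages[@]}"
} > /etc/apt/preferences.d/cups.pref

# 1. Install dependencies
apt-get update
# cups / potential candidate dependencies for downgrade / recommended packages
# cups 2.4.2-3+deb12u7 is likely what we want for now
# "${arr[@]/%/=$VER}" appends "=<version>" to every package name.
apt-get install -y --allow-downgrades \
  "${cups_packages[@]/%/=$CUPS_VERSION}" \
  "${cups_filters_packages[@]/%/=$CUPS_FILTERS_VERSION}" \
  lpr
apt-get install -y avahi-daemon avahi-autoipd printer-driver-cups-pdf cups-pdf
apt-get install -y net-tools
apt-get install -y python3 python3-pip python3-virtualenv python3-venv build-essential graphicsmagick-imagemagick-compat
# remove snapshot repo again
rm /etc/apt/sources.list.d/legacy.list

# enable logging in cups-browsed
printf '%s\n' 'DebugLogging file stderr' >> /etc/cups/cups-browsed.conf
# enable the udp:631 port (apparently disabled by default)
sed -i 's|^BrowseRemoteProtocols .*|BrowseRemoteProtocols dnssd cups|' /etc/cups/cups-browsed.conf
# Enable management interface / printer sharing / logging. Config file after:
# cupsctl --remote-any --share-printers --debug-logging
cp service/cupsd.conf /etc/cups/cupsd.conf
rm service/cupsd.conf
# cups-browsed should not be too easy to stop
# NOTE(review): this appends to the end of the unit file; the line only lands
# in the [Install] section if that is the last section — verify on the target.
printf '%s\n' 'WantedBy=cups.service' >> /lib/systemd/system/cups-browsed.service
systemctl enable cups-browsed || true # fails in docker
# harden filters: replace foomatic-rip/cupsomatic with an empty, mode 0600,
# immutable placeholder (presumably so no PPD can invoke them again)
rm -f /usr/lib/cups/filter/foomatic-rip /usr/lib/cups/filter/cupsomatic
touch /usr/lib/cups/filter/foomatic-rip
chmod 0600 /usr/lib/cups/filter/foomatic-rip
chattr +i /usr/lib/cups/filter/foomatic-rip || true # fails in docker
# enable imagemagick pdf conversion
# not sure if necessary with graphicsmagick
# Best-effort: the policy file may not exist with graphicsmagick-imagemagick-compat.
sed -i 's|<policy domain="coder" rights="none" pattern="PDF" />|<policy domain="coder" rights="read" pattern="PDF" />|' /etc/ImageMagick-6/policy.xml || true

# 2. Copy/move files
mv service/* "$INSTALL_DIR/"
mkdir -p "$INSTALL_DIR/data"
chown -R "root:$SERVICENAME" "$INSTALL_DIR" # service code: read-only
chmod 0750 "$INSTALL_DIR"
# service data: rw for python, ro for cups
chown -R "$SERVICENAME:$SERVICENAME" "$INSTALL_DIR/data"
chmod 0750 "$INSTALL_DIR/data"
# CUPS and filters should be able to read all data files
usermod -a -G "$SERVICENAME" lp
# cups filters should run with group "$SERVICENAME"
# ($SERVICENAME is interpolated into the sed replacement; '|', '&' and '\' in
# it would break the expression)
sed -i "s|^#Group .*|Group $SERVICENAME|" /etc/cups/cups-files.conf
# CUPS admin account for management scripts
admin_user="$SERVICENAME-admin"
useradd "$admin_user"
usermod -aG "$SERVICENAME" "$admin_user"
usermod -aG lp "$admin_user"
usermod -aG lpadmin "$admin_user"

# allow management scripts as admin (with sudo)
# sudo skips sudoers.d entries whose name contains '.' or ends in '~'
# (sudoers(5)), so such a $SERVICENAME would silently get no rule at all.
case "$SERVICENAME" in
  *.*|*~)
    printf 'SERVICENAME %q is not usable as a sudoers.d file name\n' "$SERVICENAME" >&2
    exit 1
    ;;
esac
sudoers_file="/etc/sudoers.d/$SERVICENAME"
sudoers_tmp=$(mktemp)
trap 'rm -f -- "$sudoers_tmp"' EXIT
# The trailing '*' permits arbitrary arguments to add_printer.py; argument
# validation therefore has to happen inside that script.
cat > "$sudoers_tmp" <<EOF
$SERVICENAME ALL=($admin_user) NOPASSWD: $INSTALL_DIR/venv/bin/python $INSTALL_DIR/management/add_printer.py *
$SERVICENAME ALL=($admin_user) NOPASSWD: $INSTALL_DIR/venv/bin/python3 $INSTALL_DIR/management/add_printer.py *
$SERVICENAME ALL=($admin_user) NOPASSWD: $INSTALL_DIR/venv/bin/python $INSTALL_DIR/management/cleanup_expired_printers.py
$SERVICENAME ALL=($admin_user) NOPASSWD: $INSTALL_DIR/venv/bin/python3 $INSTALL_DIR/management/cleanup_expired_printers.py
EOF
# A syntax error in any sudoers.d file disables sudo for everyone, so validate
# before installing (visudo ships with sudo; skipped if sudo is absent).
if command -v visudo >/dev/null 2>&1; then
  visudo -cf "$sudoers_tmp"
fi
# sudo expects sudoers.d files to be root-owned and mode 0440; a plain
# redirect under umask 022 would have produced a world-readable 0644 file.
install -o root -g root -m 0440 "$sudoers_tmp" "$sudoers_file"

# 3. Create venv
python3 -m venv "$INSTALL_DIR/venv"
# shellcheck disable=SC1091 — generated by the venv call above
. "$INSTALL_DIR/venv/bin/activate"
# NOTE(review): installed without --require-hashes, so the dependency set is
# only as trustworthy as the package index at install time.
pip install -r "$INSTALL_DIR/requirements.txt"

#######################################
# Install a CUPS filter wrapper that runs one of the service's Python filters
# from the venv. Paths are expanded now and quoted inside the generated script.
# Globals:   INSTALL_DIR (read)
# Arguments: $1 - filter script name under $INSTALL_DIR/filters (e.g. qrcodes.py)
# Outputs:   writes /usr/lib/cups/filter/<name>, mode 0755
#######################################
install_filter_wrapper() {
  local name=$1
  local target="/usr/lib/cups/filter/$name"
  # "\$@" is escaped so the wrapper forwards its own arguments at run time.
  cat > "$target" <<EOF
#!/bin/sh
cd "$INSTALL_DIR" || exit 1
export PYTHONPATH="$INSTALL_DIR"
exec "$INSTALL_DIR/venv/bin/python" "$INSTALL_DIR/filters/$name" "\$@"
EOF
  chmod 0755 "$target"
}

# install filters
install_filter_wrapper add_template.py
install_filter_wrapper qrcodes.py

# init database, set permissions to 0640, init some printers
# (skipped in docker — presumably no cups socket there; see the docker patches below)
if ! detect-docker; then
  sudo -u "$SERVICENAME" "$INSTALL_DIR/venv/bin/python3" "$INSTALL_DIR/init_db.py"
fi
rm "$INSTALL_DIR/init_db.py"
chgrp "$admin_user" "$INSTALL_DIR/data/db.sqlite3" || true

# 4. Configure startup for your service
# service-add-simple "$INSTALL_DIR/venv/bin/python app.py" "$INSTALL_DIR" "Rent-a-printer web interface"
service-add-simple "$INSTALL_DIR/venv/bin/gunicorn -b 0.0.0.0:6310 -w 1 --threads 4 'app:default_app()'" "$INSTALL_DIR" "Rent-a-printer web interface"
# TODO harden against potential RCE in lp/cups
# add cronjob for cleanup
# (SERVICENAME is overridden for this one call only — presumably cronjob-add
# uses it as the cron user, so the job runs as the admin account)
SERVICENAME="$admin_user" \
  cronjob-add "0,30 * * * * $INSTALL_DIR/venv/bin/python $INSTALL_DIR/management/cleanup_expired_printers.py"

# docker patches - so cups socket available
if detect-docker; then
  # Test-container only (guarded by detect-docker): a fixed root password that
  # the patched add_printer.py uses to authenticate to cupsd over TCP. It is
  # also visible in this script's `set -x` trace.
  printf '%s\n' 'root:123456789' | chpasswd
  sed -i '/return cups.Connection/i \ \ \ \ cups.setUser("root")' "$INSTALL_DIR/management/add_printer.py"
  sed -i '/return cups.Connection/i \ \ \ \ cups.setPasswordCB(lambda _: "123456789")' "$INSTALL_DIR/management/add_printer.py"
  # inserted last, so it ends up directly before the original return and replaces it
  sed -i '/return cups.Connection/i \ \ \ \ return cups.Connection(host="127.0.0.1")' "$INSTALL_DIR/management/add_printer.py"
fi

# remove later
#curl -o /usr/local/bin/rmate https://raw.githubusercontent.com/aurora/rmate/master/rmate || true
#sudo chmod +x /usr/local/bin/rmate || true
#apt-get install -y silversearcher-ag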