From 3864f8104dea1d464e6697912c13e649878f4d73 Mon Sep 17 00:00:00 2001
From: Evgeniy Ivanov
Date: Sat, 20 Aug 2016 17:25:06 +0300
Subject: [PATCH] adblock.sh as an unprivileged user; Store the whitelists in /var/; #64
---
 roles/dns_adblocking/tasks/main.yml | 12 +++++++++++-
 roles/dns_adblocking/templates/adblock.sh | 8 ++++----
 roles/dns_adblocking/templates/dnsmasq.conf.j2 | 2 +-
 roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2 | 3 ++-
 4 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml
index aa72a4c..27dabe1 100644
--- a/roles/dns_adblocking/tasks/main.yml
+++ b/roles/dns_adblocking/tasks/main.yml
@@ -8,6 +8,9 @@
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
notify:
- restart dnsmasq
+
+- name: The dnsmasq directory created
+ file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup
- name: Enforce the dnsmasq AppArmor policy
shell: aa-enforce usr.sbin.dnsmasq
@@ -21,11 +24,18 @@
template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=0755
- name: Adblock script added to cron
- cron: name="Adblock hosts update" minute="10" hour="2" job="/opt/adblock.sh"
+ cron:
+ name: Adblock hosts update
+ minute: 10
+ hour: 2
+ job: /opt/adblock.sh
+ user: dnsmasq
- name: Update adblock hosts
shell: >
/opt/adblock.sh
+ become: true
+ become_user: dnsmasq
- name: Dnsmasq enabled and started
service: name=dnsmasq state=started enabled=yes
diff --git a/roles/dns_adblocking/templates/adblock.sh b/roles/dns_adblocking/templates/adblock.sh
index a6a8858..6619649 100644
--- a/roles/dns_adblocking/templates/adblock.sh
+++ b/roles/dns_adblocking/templates/adblock.sh
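Review bot: `mode=755` in the new `file:` task only works because key=value form makes it a string that Ansible reads as octal; the same value as a YAML integer (`mode: 755`, the style the cron task in the next hunk moves to) is read as decimal 755, i.e. octal 1363, so write it as `mode=0755` now to keep the intent safe across a later conversion. Making `/var/lib/dnsmasq` and, through the script, `block.hosts` owned by the dnsmasq user also means the uid the daemon itself runs under (assuming it drops to `dnsmasq`, the usual packaging default) can now write the file it serves answers from, whereas `/etc/block.hosts` was root-owned; only the `r` rules in the usr.sbin.dnsmasq.j2 profile (last file in this patch) keep a compromised daemon from rewriting its own blocklist, so the `aa-enforce` task that follows is load-bearing rather than defence in depth. If that separation is wanted, a dedicated updater user that owns the directory, with dnsmasq granted only traversal and read, restores it. The task also presumes the `dnsmasq` user already exists, which holds only if the package is installed earlier in this role (not visible here).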
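Review bot: Running `/opt/adblock.sh` as `user: dnsmasq` in cron and under `become_user: dnsmasq` in the `Update adblock hosts` task will make the script's closing `service dnsmasq restart` fail, since that needs root; the script's exit status is that of its last command, so the shell task fails the play and the nightly cron run never activates the freshly built list (the restart line is visible as context in the third adblock.sh hunk). Either drop the restart and signal the daemon instead — dnsmasq re-reads its `addn-hosts` files on SIGHUP, which the dnsmasq user can send if the daemon runs under that uid — or add a sudoers entry limited to exactly that command and invoke it with `sudo`. Whichever is chosen, the script should check the reload's result explicitly instead of leaving it to the status of its final line. Keeping `/opt/adblock.sh` root-owned at 0755 while it runs as an unprivileged user is the right call, as the user cannot alter what it executes.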
@@ -7,7 +7,7 @@ ENDPOINT_IP6="::"
IPV6="Y"
#Delete the old block.hosts to make room for the updates
-rm -f /etc/block.hosts
+rm -f /var/lib/dnsmasq/block.hosts
echo 'Downloading hosts lists...'
#Download and process the files needed to make the lists (enable/add more, if you want)
@@ -32,9 +32,9 @@ then
#Filter the blacklist, supressing whitelist matches
# This is relatively slow =-(
echo 'Filtering white list...'
- egrep -v "^[[:space:]]*$" /etc/white.list | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - /tmp/block.build.before > /etc/block.hosts
+ egrep -v "^[[:space:]]*$" /etc/white.list | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - /tmp/block.build.before > /var/lib/dnsmasq/block.hosts
else
- cat /tmp/block.build.before > /etc/block.hosts
+ cat /tmp/block.build.before > /var/lib/dnsmasq/block.hosts
fi
if [ "$IPV6" = "Y" ]
@@ -42,7 +42,7 @@ then
safe_pattern=$(printf '%s\n' "$ENDPOINT_IP4" | sed 's/[[\.*^$(){}?+|/]/\\&/g')
safe_addition=$(printf '%s\n' "$ENDPOINT_IP6" | sed 's/[\&/]/\\&/g')
echo 'Adding ipv6 support...'
- sed -i -re "s/^(${safe_pattern}) (.*)$/\1 \2\n${safe_addition} \2/g" /etc/block.hosts
+ sed -i -re "s/^(${safe_pattern}) (.*)$/\1 \2\n${safe_addition} \2/g" /var/lib/dnsmasq/block.hosts
fi
service dnsmasq restart
diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2
index d28cfac..316f11a 100644
--- a/roles/dns_adblocking/templates/dnsmasq.conf.j2
+++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2
@@ -130,7 +130,7 @@ bind-interfaces
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
-addn-hosts=/etc/block.hosts
+addn-hosts=/var/lib/dnsmasq/block.hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
diff --git a/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2 b/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2
index 9afbb34..cf4a1e4 100644
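Review bot: `rm -f /var/lib/dnsmasq/block.hosts` still removes the live blocklist before a single download has succeeded, so a failed or truncated fetch leaves dnsmasq with no list (or a partial one) until the next nightly run; moving the path does not change this fail-open ordering. Build the new list in a temporary file inside the same directory and `mv` it over `/var/lib/dnsmasq/block.hosts` only after the whitelist filtering in the second hunk and the IPv6 `sed -i` in the third have both succeeded — the rename is atomic and the previous list stays in place on any failure. With that in place the `rm -f` here is unnecessary, and the two redirects and the `sed -i` in the later hunks would target the temporary file instead. The script has no `set -e`, so each download and pipeline stage also needs its own status check before the final rename.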
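Review bot: The intermediate file `/tmp/block.build.before` keeps a fixed name in the shared /tmp while the script now runs as the unprivileged dnsmasq user, so any other local account that pre-creates that path (or a symlink at it) can influence the list dnsmasq ends up serving. Create the build files with `mktemp` in a location only this user can write, e.g. `tmpdir=$(mktemp -d /var/lib/dnsmasq/build.XXXXXX) || exit 1` with `trap 'rm -rf -- "$tmpdir"' EXIT`, and use `"$tmpdir/block.build.before"` in the egrep and cat lines of this hunk. Separately, `grep -vf -` treats each whitelist entry as an unanchored regex, so `.` matches any character and `example.com` also suppresses `badexample.com` and `example-com.net`; fixed-string, word-bounded matching (`grep -vFwf -`) is closer to what a whitelist should do. `egrep` is deprecated in favour of `grep -E`.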
--- a/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2
+++ b/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2
@@ -13,7 +13,8 @@
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
- /etc/block.hosts r,
+ /var/lib/dnsmasq/ r,
+ /var/lib/dnsmasq/block.hosts r,
/usr/sbin/dnsmasq mr,