CrowdSec's host-side install (the agent + nftables bouncer the LibrePortal
Traefik plugin talks to) had stayed on blanket sudo throughout the rootless +
de-sudo hardening: `sudo apt-get install crowdsec`, `curl | sudo bash`,
`sudo sed -i /etc/crowdsec/config.yaml`, `sudo touch + sudo chmod /var/log/
crowdsec*.log`, `echo $key | sudo tee /etc/crowdsec/traefik_bouncer.key`,
plus `sudo cscli capi register / console enroll / bouncers add`. None of
those are in the scoped LP_HELPERS / LP_SYSTEM sudoers grant the manager
now holds, so any user who enabled crowdsec would have hit hard sudo
failures on every privileged step.
Follow the libreportal-appcfg / libreportal-bininstall pattern: one new
root-owned helper at /usr/local/lib/libreportal/libreportal-crowdsec
that does every privileged op behind a fixed action vocabulary with strict
argument validation. The manager calls in via runCrowdsec — the scoped
sudoers grants exactly one binary, the same trust boundary the other
helpers rely on.
Actions:
install apt repo + agent + firewall-bouncer + enable +
crowdsecurity/{linux,sshd} collections + reload
(idempotent — skips parts already in place)
services <verb> enable | disable | restart
capi <verb> register | unregister | status
console <verb> enroll <token> | disenroll | status
token format strictly validated
bouncer-traefik-init cscli register + write the manager-owned key file
atomically (returns EXISTS or GENERATED:<key>)
bouncer-priority bouncer yaml nftables priority → -100
(moved from libreportal-appcfg; one helper for
every crowdsec root op)
bind-lapi flip listen_uri to 0.0.0.0:8080 in config.yaml
prometheus <on…|off> flip the prometheus block (validated addr/port)
touch-host-logs create + chmod 0644 /var/log/crowdsec*.log so the
libreportal container can tail them
Wired in via:
- new sudoers Cmnd_Alias entry for the helper in LP_HELPERS
- new helper baked alongside the others by initRootHelpers
(replaces __SYSTEM_DIR__ / __CONTAINERS_DIR__ / __MANAGER__ at
install, with safe runtime fallbacks if unbaked)
- new runCrowdsec dispatch in scripts/docker/command/run_privileged.sh
containers/crowdsec/scripts/crowdsec_install_host.sh now drives the whole
flow through runCrowdsec — every `sudo …` is gone, the compose-toggle sed
uses runFileOp, and the security_crowdsec CFG mirror uses runInstallOp
(configs/ is manager-owned). Net: install script shrinks ~80 lines while
gaining a single auditable trust boundary. crowdsec_fix_priority.sh swung
over to runCrowdsec bouncer-priority too — the appcfg crowdsec_priority
action drops out cleanly.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
203 lines
9.2 KiB
Bash
203 lines
9.2 KiB
Bash
#!/bin/bash
|
|
# LibrePortal CrowdSec helper — root-privileged ops for the host-side CrowdSec
|
|
# install (the agent + firewall bouncer the LibrePortal Traefik bouncer talks
|
|
# to). Installed root:root 0755 to /usr/local/lib/libreportal/ by init.sh.
|
|
# Self-contained: each action runs a FIXED set of ops with strictly-validated
|
|
# args, so the scoped sudoers needn't grant the manager blanket apt/cscli/tee/
|
|
# sed/chown on /etc/crowdsec or /var/log. The runtime calls in via
|
|
# `runCrowdsec <action> [args…]` (run_privileged.sh).
|
|
|
|
set -u
|
|
|
|
[[ $EUID -eq 0 ]] || { echo "libreportal-crowdsec: must run as root" >&2; exit 1; }
|
|
|
|
# Baked at install; unbaked copies keep the "__" sentinel.
|
|
SYSTEM_DIR="__SYSTEM_DIR__"
|
|
CONTAINERS_DIR="__CONTAINERS_DIR__"
|
|
MANAGER_USER="__MANAGER__"
|
|
[[ "$SYSTEM_DIR" == *"__"* || -z "$SYSTEM_DIR" ]] && SYSTEM_DIR="/libreportal-system"
|
|
[[ "$CONTAINERS_DIR" == *"__"* || -z "$CONTAINERS_DIR" ]] && CONTAINERS_DIR="/libreportal-containers"
|
|
[[ "$MANAGER_USER" == *"__"* || -z "$MANAGER_USER" ]] && MANAGER_USER="libreportal"
|
|
|
|
CFG_FILE="/etc/crowdsec/config.yaml"
|
|
BOUNCER_CFG="/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
|
|
TRAEFIK_KEY_FILE="/etc/crowdsec/traefik_bouncer.key"
|
|
HOST_LOGS=("/var/log/crowdsec.log" "/var/log/crowdsec-firewall-bouncer.log")
|
|
|
|
# --- install: add repo + apt install + initial config -------------------------
|
|
# Idempotent: skips repo add if /etc/apt/sources.list.d/crowdsec_*.list exists,
|
|
# skips apt install if cscli is on PATH, skips collections install if already
|
|
# present.
|
|
crowdsec_install() {
|
|
if ! command -v cscli >/dev/null 2>&1; then
|
|
if ! ls /etc/apt/sources.list.d/crowdsec_*.list >/dev/null 2>&1; then
|
|
curl -fsSL https://install.crowdsec.net | bash >/dev/null 2>&1 || {
|
|
echo "libreportal-crowdsec: failed to add CrowdSec apt repo" >&2; return 1
|
|
}
|
|
fi
|
|
DEBIAN_FRONTEND=noninteractive apt-get install -y -q crowdsec </dev/null >/dev/null 2>&1 || {
|
|
echo "libreportal-crowdsec: apt-get install crowdsec failed" >&2; return 1
|
|
}
|
|
fi
|
|
if ! dpkg -s crowdsec-firewall-bouncer-nftables >/dev/null 2>&1; then
|
|
DEBIAN_FRONTEND=noninteractive apt-get install -y -q crowdsec-firewall-bouncer-nftables </dev/null >/dev/null 2>&1 || {
|
|
echo "libreportal-crowdsec: apt-get install firewall-bouncer failed" >&2; return 1
|
|
}
|
|
fi
|
|
systemctl enable --now crowdsec >/dev/null 2>&1 || true
|
|
systemctl enable --now crowdsec-firewall-bouncer >/dev/null 2>&1 || true
|
|
|
|
# Baseline collections. cscli is idempotent ("already installed" exits 0).
|
|
cscli collections install crowdsecurity/linux >/dev/null 2>&1 || true
|
|
cscli collections install crowdsecurity/sshd >/dev/null 2>&1 || true
|
|
systemctl reload crowdsec >/dev/null 2>&1 || true
|
|
}
|
|
|
|
# --- services {enable|disable|restart} ----------------------------------------
|
|
crowdsec_services() {
|
|
case "${1:-}" in
|
|
enable)
|
|
systemctl enable --now crowdsec || return 1
|
|
systemctl enable --now crowdsec-firewall-bouncer || return 1
|
|
;;
|
|
disable)
|
|
systemctl disable --now crowdsec-firewall-bouncer >/dev/null 2>&1 || true
|
|
systemctl disable --now crowdsec >/dev/null 2>&1 || true
|
|
;;
|
|
restart)
|
|
systemctl restart crowdsec || return 1
|
|
;;
|
|
*) echo "libreportal-crowdsec: services {enable|disable|restart}" >&2; return 2 ;;
|
|
esac
|
|
}
|
|
|
|
# --- capi {register|unregister|status} ----------------------------------------
|
|
# Community blocklist (subscribe + send anonymous attack signals).
|
|
crowdsec_capi() {
|
|
case "${1:-}" in
|
|
register) cscli capi register 2>&1 ;;
|
|
unregister) cscli capi unregister 2>&1 ;;
|
|
status) cscli capi status 2>&1 ;;
|
|
*) echo "libreportal-crowdsec: capi {register|unregister|status}" >&2; return 2 ;;
|
|
esac
|
|
}
|
|
|
|
# --- console {enroll <token>|disenroll|status} --------------------------------
|
|
# SaaS dashboard at app.crowdsec.net. Token strictly validated.
|
|
crowdsec_console() {
|
|
case "${1:-}" in
|
|
enroll)
|
|
local token="${2:-}"
|
|
[[ "$token" =~ ^[A-Za-z0-9_-]{8,128}$ ]] || {
|
|
echo "libreportal-crowdsec: console enroll <token> — invalid token format" >&2
|
|
return 1
|
|
}
|
|
cscli console enroll "$token" 2>&1
|
|
;;
|
|
disenroll) cscli console disenroll 2>&1 ;;
|
|
status) cscli console status 2>&1 ;;
|
|
*) echo "libreportal-crowdsec: console {enroll <token>|disenroll|status}" >&2; return 2 ;;
|
|
esac
|
|
}
|
|
|
|
# --- bouncer-traefik-init: cscli register + write key file --------------------
|
|
# Idempotent: if the bouncer is already registered, skips and prints the existing
|
|
# key-file marker so callers can decide whether to keep or rotate. Returns the
|
|
# fresh key on stdout when newly generated, "EXISTS" when already registered.
|
|
crowdsec_bouncer_traefik_init() {
|
|
if cscli bouncers list -o raw 2>/dev/null | grep -q '^traefik-bouncer'; then
|
|
echo "EXISTS"
|
|
return 0
|
|
fi
|
|
local key
|
|
key=$(cscli bouncers add traefik-bouncer -o raw 2>&1 | tail -1)
|
|
[[ -n "$key" && "$key" != *"error"* ]] || {
|
|
echo "libreportal-crowdsec: cscli bouncers add failed: $key" >&2
|
|
return 1
|
|
}
|
|
# Write the key file: bind-mounted RO into Traefik. Manager-owned so the
|
|
# WebUI/config layer (running as the manager) can read it; mode 0600.
|
|
printf '%s\n' "$key" > "$TRAEFIK_KEY_FILE"
|
|
chown "${MANAGER_USER}:${MANAGER_USER}" "$TRAEFIK_KEY_FILE"
|
|
chmod 0600 "$TRAEFIK_KEY_FILE"
|
|
echo "GENERATED:$key"
|
|
}
|
|
|
|
# --- bind-lapi: set listen_uri to 0.0.0.0:8080 in config.yaml -----------------
|
|
# Traefik talks to LAPI via host.docker.internal:8080. Bouncer API key gates
|
|
# external access (HTTP 401 without it).
|
|
crowdsec_bind_lapi() {
|
|
[[ -f "$CFG_FILE" ]] || { echo "libreportal-crowdsec: $CFG_FILE not found" >&2; return 1; }
|
|
if grep -qE 'listen_uri:[[:space:]]*0\.0\.0\.0:8080' "$CFG_FILE"; then
|
|
echo "ALREADY_BOUND"; return 0
|
|
fi
|
|
sed -i 's|listen_uri:.*|listen_uri: 0.0.0.0:8080|' "$CFG_FILE"
|
|
}
|
|
|
|
# --- prometheus {on <addr> <port>|off} ----------------------------------------
|
|
# Flip CrowdSec's Prometheus metrics endpoint. `on` requires an addr + port the
|
|
# Prometheus container can reach; `off` rebinds to 127.0.0.1.
|
|
crowdsec_prometheus() {
|
|
[[ -f "$CFG_FILE" ]] || { echo "libreportal-crowdsec: $CFG_FILE not found" >&2; return 1; }
|
|
case "${1:-}" in
|
|
on)
|
|
local addr="${2:-}" port="${3:-}"
|
|
[[ "$addr" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "libreportal-crowdsec: invalid addr" >&2; return 1; }
|
|
[[ "$port" =~ ^[0-9]+$ ]] || { echo "libreportal-crowdsec: invalid port" >&2; return 1; }
|
|
sed -i "/^prometheus:/,/^[^[:space:]#]/ {
|
|
s|enabled:.*|enabled: true|
|
|
s|listen_addr:.*|listen_addr: ${addr}|
|
|
s|listen_port:.*|listen_port: ${port}|
|
|
}" "$CFG_FILE"
|
|
;;
|
|
off)
|
|
sed -i "/^prometheus:/,/^[^[:space:]#]/ s|listen_addr:.*|listen_addr: 127.0.0.1|" "$CFG_FILE"
|
|
;;
|
|
*) echo "libreportal-crowdsec: prometheus {on <addr> <port>|off}" >&2; return 2 ;;
|
|
esac
|
|
}
|
|
|
|
# --- touch-host-logs: make crowdsec logs readable by the libreportal container --
|
|
crowdsec_touch_host_logs() {
|
|
local l
|
|
for l in "${HOST_LOGS[@]}"; do
|
|
touch "$l" 2>/dev/null || true
|
|
chmod 0644 "$l" 2>/dev/null || true
|
|
done
|
|
}
|
|
|
|
# --- bouncer-priority: set nftables ipv4/ipv6 priority to -100 -----------------
|
|
# Moved here from libreportal-appcfg.crowdsec_priority. Same transform; lives in
|
|
# the dedicated crowdsec helper so all CrowdSec-touching root ops are in one
|
|
# auditable file.
|
|
crowdsec_bouncer_priority() {
|
|
[[ -f "$BOUNCER_CFG" ]] || { echo "libreportal-crowdsec: $BOUNCER_CFG not found" >&2; return 1; }
|
|
cp "$BOUNCER_CFG" "${BOUNCER_CFG}.bak.$(date +%Y%m%d-%H%M%S)"
|
|
awk -v p="-100" '
|
|
BEGIN { in_v4=0; in_v6=0 }
|
|
/^[[:space:]]*ipv4:/ { in_v4=1; in_v6=0; print; next }
|
|
/^[[:space:]]*ipv6:/ { in_v6=1; in_v4=0; print; next }
|
|
/^[a-zA-Z]/ { in_v4=0; in_v6=0 }
|
|
in_v4 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p) }
|
|
in_v6 && /^[[:space:]]+priority:/ { sub(/priority:.*/, "priority: " p) }
|
|
{ print }
|
|
' "$BOUNCER_CFG" > "${BOUNCER_CFG}.new" && mv "${BOUNCER_CFG}.new" "$BOUNCER_CFG"
|
|
}
|
|
|
|
action="${1:-}"; shift 2>/dev/null || true
|
|
case "$action" in
|
|
install) crowdsec_install ;;
|
|
services) crowdsec_services "${1:-}" ;;
|
|
capi) crowdsec_capi "${1:-}" ;;
|
|
console) crowdsec_console "${1:-}" "${2:-}" ;;
|
|
bouncer-traefik-init) crowdsec_bouncer_traefik_init ;;
|
|
bouncer-priority) crowdsec_bouncer_priority ;;
|
|
bind-lapi) crowdsec_bind_lapi ;;
|
|
prometheus) crowdsec_prometheus "${1:-}" "${2:-}" "${3:-}" ;;
|
|
touch-host-logs) crowdsec_touch_host_logs ;;
|
|
*)
|
|
echo "usage: libreportal-crowdsec {install|services <enable|disable|restart>|capi <register|unregister|status>|console <enroll <token>|disenroll|status>|bouncer-traefik-init|bouncer-priority|bind-lapi|prometheus <on <addr> <port>|off>|touch-host-logs}" >&2
|
|
exit 2
|
|
;;
|
|
esac
|