Added required libs and files for curl with HTTPs by default #1267
In general I like it when the recovery system provides
by default support for "usually useful functionality".
Perhaps - if @gdha wants it - a config variable might be added
so that users who really want a minimal recovery system
could exclude things they do not really need in their
particular environment.
There is already COPY_AS_IS_EXCLUDE
but there is no LIBS_EXCLUDE.
Hi @jsmeix, Any suggestion will be appreciated, I just added the libs and files because now curl is added by default and just in order to work over HTTP and HTTPs without issues. Regards, |
I think it would be rather unexpected nowadays Later - preferably only when a user can show some evidence FYI: |
Yes, I've seen that issue ;-) Thx! |
perfect @didacog thx
This is a follow up for #1248 |
@didacog COPY_AS_IS=( ... /etc/ssl/certs/* /etc/pki/* ) could lead to security issues. Reason: But by default the ReaR recovery system should not contain |
This is required by curl with https, there are stored the distribution provided certificates installed from packages, nothing confidential. Usually the public verified certs, and not private keys as far as I know. |
@didacog Good catch - try to exclude all private keys. |
I guess this should work:
Let me test and check if more stuff should be excluded before PR. |
@didacog To get comments at the right place inside longer bash arrays

    COPY_AS_IS=( ${COPY_AS_IS[@]:-} /dev /etc/inputr[c] /etc/protocols /etc/services
                 /etc/rpc /etc/termcap /etc/terminfo /lib*/terminfo /usr/share/terminfo
                 /etc/netconfig /etc/mke2fs.conf /etc/*-release /etc/localtime /etc/magic
                 /usr/share/misc/magic /etc/dracut.conf /etc/dracut.conf.d /usr/lib/dracut
                 /sbin/modprobe.ksplice-orig /etc/sysctl.conf /etc/sysctl.d /etc/e2fsck.conf )
    # Required by curl with https:
    # There are stored the distribution provided certificates
    # installed from packages, nothing confidential.
    # Usually the public verified certs, and not private keys.
    # The private keys are stored in /etc/ssl/private (not copied)
    # In /etc/pki maybe /etc/pki/tls/private is excluded (see below).
    COPY_AS_IS=( "${COPY_AS_IS[@]}" '/etc/ssl/certs/*' '/etc/pki/*' )
    # exclude /dev/shm/*, due to the way we use tar the leading / should be omitted
    COPY_AS_IS_EXCLUDE=( ${COPY_AS_IS_EXCLUDE[@]:-} dev/shm/\* )
    # Exclude /etc/pki/tls/private (cf. above):
    COPY_AS_IS_EXCLUDE=( "${COPY_AS_IS_EXCLUDE[@]}" 'etc/pki/tls/private/*' )

Note that using ${VAR[@]} without double-quotes is problematic Furthermore I wonder if bash globbing must be |
Exclude possibly private keys in /etc/pki/tls/private from being copied into the ReaR rescue/recovery system. This is a follow up of #1267
I "just merged" #1279 |
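An added example, not part of this PR or of ReaR's own code: a POSIX shell check that scans a staged copy of the copied paths for private key material, the concern raised in the discussion above. The function names, the tree layout and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a staged file tree for private key material.
# PEM headers: PKCS#8 (plain/encrypted), RSA, EC, DSA and OpenSSH private keys.
KEY_HEADER='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'

# List regular files under $1 (paths relative to it) that carry a PEM private
# key header or sit in a directory named "private" (etc/pki/tls/private, ...).
find_private_keys() {
    (
        cd "$1" || exit 1
        # grep exits 1 when nothing matches; that is not an error here.
        find . -type f -exec grep -lE -e "$KEY_HEADER" {} + 2>/dev/null || true
        find . -type f -path '*/private/*'
    ) | sort -u
}

# Exit status 0 when the tree is clean, 1 after listing the offending files.
audit_tree() {
    hits=$(find_private_keys "$1")
    [ -z "$hits" ] && return 0
    printf 'private key material found:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample tree (hypothetical file names, no real key material).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssl/certs" "$d/etc/pki/tls/certs" "$d/etc/pki/tls/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/etc/ssl/certs/ca.pem"
    # A combined cert+key file stored next to the certificates: a
    # directory-based exclude does not catch it, the content scan does.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$d/etc/pki/tls/certs/combined.pem"
    : > "$d/etc/pki/tls/private/localhost.key"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; in practice pass the staged recovery tree.
demo=$(make_demo_tree)
audit_tree "$demo" || echo "constructed tree flagged, as intended"
rm -rf "$demo"
```

The content scan only recognises PEM-encoded keys; key material in other formats is caught here only when it sits in a directory named `private`.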
This PR will add support for curl (HTTPS)
brief description of changes:
Added required LIBS and files to /usr/share/rear/conf/GNU/Linux.conf and removed them from /usr/share/rear/init/default/010_set_drlm_env.sh
This code has been tested on RHEL/CentOS, SLES/OpenSUSE and Debian/Ubuntu.