diff --git a/.github/workflows/cpack.yml b/.github/workflows/cpack.yml
index d469939e..85d52eb1 100644
--- a/.github/workflows/cpack.yml
+++ b/.github/workflows/cpack.yml
@@ -60,11 +60,11 @@ jobs:
 if: ${{ matrix.distro.name == 'ubuntu' }}
 shell: bash
 run: |
- apt -y update
- apt-get -y install software-properties-common
- add-apt-repository -y ppa:git-core/ppa
- apt -y update
- apt -y install git
+ apt-get update
+ apt-get install --yes software-properties-common
+ add-apt-repository --yes ppa:git-core/ppa
+ apt-get update
+ apt-get install --yes git
 git --version
 - name: install contemporary Git in runner container if RedHat 8 or 9
@@ -123,7 +123,7 @@ jobs:
 DEBIAN_FRONTEND: noninteractive
 shell: bash
 run: |
- apt -y install ./build/ziti-edge-tunnel-*.deb
+ apt-get -y install ./build/ziti-edge-tunnel-*.deb
 - name: install package artifact in runner container if RedHat
 if: ${{ matrix.arch.cmake == 'ci-linux-x64' && matrix.distro.name == 'redhat' }}
diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in
index 1ff9f43c..f2c465b1 100644
--- a/programs/ziti-edge-tunnel/package/deb/postinst.in
+++ b/programs/ziti-edge-tunnel/package/deb/postinst.in
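Review bot: In cpack.yml's Ubuntu step, `add-apt-repository --yes ppa:git-core/ppa` adds a third-party package source and accepts its signing key without prompting, yet nothing in the step says why the distro's Git is insufficient or which version is needed. A comment above the `run:` block, for example `# distro git too old for <requirement>; git-core PPA is a trusted build input`, would make that trust decision reviewable. The trailing `git --version` only prints the version; if a minimum matters, the step could compare against it and fail. The step's `- name:` line is outside the hunk.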
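Review bot: The replacement line `apt-get -y install ./build/ziti-edge-tunnel-*.deb` in the second cpack.yml hunk keeps the short `-y` while every other line this commit touches switches to `--yes`; `apt-get install --yes ./build/ziti-edge-tunnel-*.deb` would match. The glob installs every matching .deb under ./build, so if the build can leave more than one there (not visible here), the step would exercise more than the artifact just built.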
@@ -30,13 +30,22 @@ if [ "$1" = "configure" ]; then
 chmod 0770 "@ZITI_IDENTITY_DIR@"
 find "@ZITI_IDENTITY_DIR@" -maxdepth 1 -name "*.json" -type f -exec chown ziti:ziti "{}" + -exec chmod 0400 "{}" +
- policykit_version=$(dpkg-query -Wf '${Version;5}' policykit-1 | cut -d . -f 2)
- systemd_version=$(dpkg-query -Wf '${Version;3}' systemd)
+ # sort ascending the installed and max policykit versions, saving the highest version, so we
+ # can ensure the installed version is less than the max version
+ policykit_version="$(dpkg-query -Wf '${Version}' policykit-1)"
+ max_policykit_version="0.106"
+ highest_policykit_version="$(printf '%s\n' ${policykit_version} ${max_policykit_version} | sort -V | tail -n1)"
- # install PolicyKit policy if using policykit < 0.106 (https://askubuntu.com/questions/1287924/whats-going-on-with-policykit)
- if [ ${policykit_version} -lt 106 ]; then
- # ... the set-llmnr action was exposed with v243 (https://github.com/systemd/systemd/commit/52aaef0f5dc81b9a08d720f551eac53ac88aa596)
- if [ ${systemd_version} -ge 243 ]; then
+ # sort ascending the installed and min systemd versions, saving the lowest version, so we can ensure the installed
+ # version is greater than or equal to the min version
+ systemd_version=$(dpkg-query -Wf '${Version}' systemd)
+ min_systemd_version="243"
+ lowest_systemd_version="$(printf '%s\n' ${systemd_version} ${min_systemd_version} | sort -V | head -n1)"
+ # install PolicyKit policy if < v0.106 (https://askubuntu.com/questions/1287924/whats-going-on-with-policykit)
+ if [ ${policykit_version} != ${max_policykit_version} ] && [ ${max_policykit_version} = ${highest_policykit_version} ]; then
+ # run as root unless systemd >= v243 (required set-llmnr introduced v243 https://github.com/systemd/systemd/commit/52aaef0f5dc81b9a08d720f551eac53ac88aa596)
+ if [ ${systemd_version} = ${min_systemd_version} ] || [ ${min_systemd_version} = ${lowest_systemd_version} ]; then
 cp "@CPACK_SHARE_DIR@/@ZITI_POLKIT_PKLA_FILE@.sample"
"/var/lib/polkit-1/localauthority/10-vendor.d/@ZITI_POLKIT_PKLA_FILE@"
 db_set ziti_edge_tunnel/install_pkla true
 else
diff --git a/scripts/install-ubuntu.bash b/scripts/install-ubuntu.bash
index 1bc3190f..b5b87bad 100755
--- a/scripts/install-ubuntu.bash
+++ b/scripts/install-ubuntu.bash
@@ -35,5 +35,5 @@ sudo chmod +r /usr/share/keyrings/openziti.gpg
 echo "deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/zitipax-openziti-deb-stable ${UBUNTU_LTS} main" \
 | sudo tee /etc/apt/sources.list.d/openziti.list >/dev/null
-sudo apt update
-sudo apt install -y ziti-edge-tunnel
+sudo apt-get update
+sudo apt-get install --yes ziti-edge-tunnel
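Review bot: The new version tests in postinst.in expand `${policykit_version}` and `${systemd_version}` unquoted, so an empty `dpkg-query` result (package not installed) makes the policykit `[ ... ]` test error out, while on the systemd side the empty value drops out of the `printf`, `lowest_systemd_version` becomes `243`, and the second test passes without any systemd version having been read. Going by the added comment, this branch decides between installing the polkit `.pkla` rule and running as root, so the comparison should fail predictably rather than by accident. `dpkg --compare-versions` already implements Debian version ordering and treats an empty version as older than any other, which would replace the `sort -V` helper variables: `if dpkg --compare-versions "${policykit_version}" lt 0.106; then` and `if dpkg --compare-versions "${systemd_version}" ge 243; then`. The enclosing `if [ "$1" = "configure" ]` block starts and ends outside the hunk, so whether the script runs under `set -e` (where a failing `dpkg-query` substitution would abort it) is not visible here.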