adblock.sh as an unprivileged user; Store the whitelists in /var/; #64

8 years ago · 3864f8104d
parent 4b2ae71ffe
commit 3864f8104d
4 changed files with 18 additions and 7 deletions
--- a/roles/dns_adblocking/tasks/main.yml
+++ b/roles/dns_adblocking/tasks/main.yml
@ -8,6 +8,9 @@
  template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
  notify:
  - restart dnsmasq
+  
+- name: The dnsmasq directory created
+  file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup

 - name: Enforce the dnsmasq AppArmor policy
  shell: aa-enforce usr.sbin.dnsmasq
@ -21,11 +24,18 @@
  template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=0755

 - name: Adblock script added to cron
-  cron: name="Adblock hosts update" minute="10" hour="2" job="/opt/adblock.sh"
+  cron: 
+    name: Adblock hosts update
+    minute: 10
+    hour: 2
+    job: /opt/adblock.sh
+    user: dnsmasq

 - name: Update adblock hosts
  shell: >
    /opt/adblock.sh
+  become: true
+  become_user: dnsmasq

 - name: Dnsmasq enabled and started
  service: name=dnsmasq state=started enabled=yes
--- a/roles/dns_adblocking/templates/adblock.sh
+++ b/roles/dns_adblocking/templates/adblock.sh
@ -7,7 +7,7 @@ ENDPOINT_IP6="::"
 IPV6="Y"

 #Delete the old block.hosts to make room for the updates
-rm -f /etc/block.hosts
+rm -f /var/lib/dnsmasq/block.hosts

 echo 'Downloading hosts lists...'
 #Download and process the files needed to make the lists (enable/add more, if you want)
@ -32,9 +32,9 @@ then
    #Filter the blacklist, supressing whitelist matches
    #  This is relatively slow =-(
    echo 'Filtering white list...'
-    egrep -v "^[[:space:]]*$" /etc/white.list | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - /tmp/block.build.before > /etc/block.hosts
+    egrep -v "^[[:space:]]*$" /etc/white.list | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - /tmp/block.build.before > /var/lib/dnsmasq/block.hosts
 else
-    cat /tmp/block.build.before > /etc/block.hosts
+    cat /tmp/block.build.before > /var/lib/dnsmasq/block.hosts
 fi

 if [ "$IPV6" = "Y" ]
@ -42,7 +42,7 @@ then
    safe_pattern=$(printf '%s\n' "$ENDPOINT_IP4" | sed 's/[[\.*^$(){}?+|/]/\\&/g')
    safe_addition=$(printf '%s\n' "$ENDPOINT_IP6" | sed 's/[\&/]/\\&/g')
    echo 'Adding ipv6 support...'
-    sed -i -re "s/^(${safe_pattern}) (.*)$/\1 \2\n${safe_addition} \2/g" /etc/block.hosts
+    sed -i -re "s/^(${safe_pattern}) (.*)$/\1 \2\n${safe_addition} \2/g" /var/lib/dnsmasq/block.hosts
 fi

 service dnsmasq restart
--- a/roles/dns_adblocking/templates/dnsmasq.conf.j2
+++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2
@ -130,7 +130,7 @@ bind-interfaces
 #no-hosts
 # or if you want it to read another file, as well as /etc/hosts, use
 # this.
-addn-hosts=/etc/block.hosts
+addn-hosts=/var/lib/dnsmasq/block.hosts

 # Set this (and domain: see below) if you want to have a domain
 # automatically added to simple names in a hosts-file.
--- a/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2
+++ b/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2
@ -13,7 +13,8 @@
  /etc/dnsmasq.conf r,
  /etc/dnsmasq.d/ r,
  /etc/dnsmasq.d/* r,
-  /etc/block.hosts r,
+  /var/lib/dnsmasq/ r,
+  /var/lib/dnsmasq/block.hosts r,

  /usr/sbin/dnsmasq mr,