
[eHealth] place install scripts in user specified folder

Last activity 06-03-2019 08:09 PM
Kristian Schuster
09-01-2015 07:16 AM

## What is the use case of the new feature?

----------------------------------------

eHealth updates will succeed even if /tmp is mounted with the option "noexec" for security reasons.

The installer should be more fault-tolerant and not quit with error messages only because a server is a little more secure.

 

 

## Describe how you envision this new feature being implemented.

-------------------------------------------------------------

At the beginning of the installation process the user has to define a folder where the installation kit is extracted to.

The installer should then place ALL files into this folder. No file should be placed anywhere else.

 

With all files in this particular folder, execution rights for the scripts are guaranteed.

 

For example, if the eHealth installation kit was extracted to /opt/eH-installer, then just place all the scripts that the installer needs for progression under

/opt/eH-installer/

 

 

## What business problem will be solved by adding this new feature?

----------------------------------------------------------------

After more and more (known) incidents of hacker attacks on companies, our customers are intensifying their security measures. One of the updated IT security policies is that no server should have /tmp mounted with the exec option, so that nothing on /tmp will be executable.

But since eHealth places temporary scripts in /tmp during the installation/upgrade process and needs these scripts executed to finish the installation/upgrade successfully, it will always fail, and eHealth can't be installed or upgraded on the customer's servers:

 

> Hot fix and customization check complete

> bash: /tmp/ssu2995.ksh: Permission denied

> bash: /tmp/ssu2995.ksh: Permission denied

 

> Checking required processes . . .

> bash: /tmp/ssu2995.ksh: Permission denied

> ./INSTALL.NH[23758]: initInstall[15228]: getNisMode: line 11317: rpcinfo: not found

 

... At least not without a requested change to unmount /tmp and mount it temporarily with exec rights. Due to the German bureaucracy this is quite time-consuming.

 

 

## Describe the importance and urgency

-----------------------------------

More and more customers change their IT security policies, and installations or upgrades are done quite regularly. Therefore, a prompt change of the installer would help our customers a lot.

So:

urgency = high

importance = medium


Comments

07-29-2016 10:42 AM

Hello Margaret (natma01),

 

Is there any news regarding this idea?

 

Thanks and best regards

Kristian

11-23-2015 09:14 AM

Hi Margaret,

 

I would suggest:

.

 

or

 

./tmp

 

or

 

./install-scripts

 

As mentioned above:
"For example if the eHealth installation kit was extracted to /opt/eH-installer, then just place all the scripts, that the installer needs for progression, under

/opt/eH-installer/"

So if you need sub-folders for all the scripts, that's fine:

 

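```sh
#!/bin/sh

pwd

# Directory containing this script; dirname also handles a $0 without a slash
path=$(dirname -- "$0")

# Create the sub-folder for the scripts; -p tolerates an existing folder
mkdir -p -- "$path/install-scripts"

# Stop if the folder cannot be entered
cd -- "$path/install-scripts" || exit 1

pwd
```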

 

You can test the shell script above and start it from anywhere you want. If you put this into your installation script, you can extract all the other scripts into the sub-folder and start them afterwards.

Sure, this code needs to be adapted, as I just wrote it down real quick as an example.

 

Best Regards

Kristian
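
The approach discussed in this thread, as an added example that is not part of any post and is not eHealth installer code: instead of assuming /tmp allows execution, probe each candidate folder and stage the scripts in the first one that does. The function names `can_exec_in` and `pick_stage_dir` are hypothetical, and `mktemp` is assumed to be available on the target system.

```shell
#!/bin/sh
# Added example, not eHealth installer code; function names are hypothetical.

# can_exec_in DIR
# Succeeds only if a script created in DIR can be executed directly, which is
# exactly what fails with "Permission denied" on a noexec mount.
can_exec_in() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    # mktemp gives an unpredictable name and creates the file with mode 0600
    probe=$(mktemp "$dir/execprobe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 700 "$probe"
    if "$probe" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$probe"
    return "$rc"
}

# pick_stage_dir CANDIDATE...
# Prints a new private (mode 0700) directory under the first candidate that
# allows execution. Returns 1 without creating anything if none does.
pick_stage_dir() {
    for base in "$@"; do
        if can_exec_in "$base"; then
            mktemp -d "$base/install-scripts.XXXXXX" && return 0
        fi
    done
    echo "no candidate directory allows script execution" >&2
    return 1
}

# Intended call from an installer: try the folder the kit was extracted to
# first, then the usual temp location.
#   stage=$(pick_stage_dir "$(dirname -- "$0")" "${TMPDIR:-/tmp}") || exit 1
```

With this check the installer keeps working on hosts where /tmp is mounted noexec and can report a clear error up front when no usable folder exists, rather than failing partway through.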

11-20-2015 03:29 PM

Where would you suggest we point the extraction to, given that the installer is unaware of the target machine's directory structure?

09-15-2015 07:39 AM

Hi Margaret,

 

"... At least not without a requested change to unmount /tmp and mount it temporarily with exec rights. Due to the German bureaucracy this is quite time-consuming."

 

Yes, we are aware of that workaround, but it's not really applicable.

From the customer's perspective this means: it is necessary to make the servers vulnerable first to install CA software.

 

To me, it seems to be just a small and simple change with a very positive effect.

It would be appreciated if CA changes the path to extract the installation scripts.

 

Thanks and best regards

Kristian

09-11-2015 03:52 PM

Hi, while there's no plan to revise this currently, there is a workaround: change permissions temporarily to allow executions from /tmp during eHealth installation.