On Sun, Nov 03, 2013 at 11:14:23AM +0100, Thomas Bächler wrote:
This patch (in combination with a proper sudoers file) makes it possible to lock down the repository and pool paths so that packagers can only access them through dbscripts.
This prevents them from messing with packages and databases manually and causing inconsistencies. This also strengthens the server-side signature verification by disallowing packagers to sneak non-verified packages into the database. --- config | 2 ++ config.local.svn-community | 2 ++ config.local.svn-packages | 2 ++ db-functions | 9 +++++++++ db-move | 2 ++ db-remove | 2 ++ db-repo-add | 2 ++ db-repo-remove | 2 ++ db-update | 4 ++++ 9 files changed, 27 insertions(+)
diff --git a/config b/config
index 3df6c95..49fe1b5 100644
--- a/config
+++ b/config
@@ -30,6 +30,8 @@ FILESEXT=".files.tar.gz"
 PKGEXT=".pkg.tar.?z"
 SRCEXT=".src.tar.gz"
+DBSCRIPTS_USER=dbscripts
+
 # Allowed licenses: get sourceballs only for licenses in this array
 ALLOWED_LICENSES=('GPL' 'GPL1' 'GPL2' 'LGPL' 'LGPL1' 'LGPL2' 'LGPL2.1')
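Review bot: DBSCRIPTS_USER is added to config without any comment, while the neighbouring ALLOWED_LICENSES entry documents what it controls. This value decides which account the db-* scripts re-execute themselves as through sudo, so it has to agree with the sudoers rule and with whatever locks down the repository and pool paths, and a maintainer editing the config.local overrides should see that dependency. A one-line comment such as `# Account the db-* scripts re-exec themselves as (via sudo) to reach the locked-down repository and pool paths; must match the sudoers rule` above the assignment would cover it.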
diff --git a/config.local.svn-community b/config.local.svn-community
index 105ea66..26bf047 100644
--- a/config.local.svn-community
+++ b/config.local.svn-community
@@ -9,3 +9,5 @@ STABLE_REPOS=('community')
 CLEANUP_DESTDIR="/srv/repos/svn-community/package-cleanup"
 SOURCE_CLEANUP_DESTDIR="/srv/repos/svn-community/source-cleanup"
 TMPDIR="/srv/repos/svn-community/tmp"
+
+DBSCRIPTS_USER=dbscripts_community
diff --git a/config.local.svn-packages b/config.local.svn-packages
index 958a483..f2aa3df 100644
--- a/config.local.svn-packages
+++ b/config.local.svn-packages
@@ -9,3 +9,5 @@ STABLE_REPOS=('core' 'extra')
 CLEANUP_DESTDIR="/srv/repos/svn-packages/package-cleanup"
 SOURCE_CLEANUP_DESTDIR="/srv/repos/svn-packages/source-cleanup"
 TMPDIR="/srv/repos/svn-packages/tmp"
+
+DBSCRIPTS_USER=dbscripts_packages
diff --git a/db-functions b/db-functions
index bb49894..707d35b 100644
--- a/db-functions
+++ b/db-functions
@@ -536,3 +536,12 @@ arch_svn() {
 		sudo -u "${SVNUSER}" -- /usr/bin/svn --username "${USER}" "${@}"
 	fi
 }
+
+switch_user() {
+	local user
+
+	user=$(whoami)
I'm not sure what sort of security this is meant to introduce, but it's easy to forge a binary called 'whoami' which returns whatever you want and put it higher in your PATH. It's equally easy to override the USER environment var, and even readonly variables like UID. Suggestions: 1) Explicitly call /usr/bin/whoami or /usr/bin/id 2) Maybe there's a way to use sudo directly for authentication as well? Thinking about something with 'sudo -l $binary'. d
+	if [[ $user != $DBSCRIPTS_USER ]]; then
+		exec sudo -u $DBSCRIPTS_USER "$@"
+	fi
+}
diff --git a/db-move b/db-move
index 1fa44d4..76ad035 100755
--- a/db-move
+++ b/db-move
@@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then
 	exit 1
 fi
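Review bot: `exec sudo -u $DBSCRIPTS_USER "$@"` in switch_user leaves both the user name and the command open to option parsing: `$DBSCRIPTS_USER` is unquoted, and without `--` a first argument beginning with `-` is read as a sudo option, which is also inconsistent with arch_svn's `sudo -u "${SVNUSER}" -- ...` a few lines above. The `[[ $user != $DBSCRIPTS_USER ]]` test treats its unquoted right-hand side as a glob pattern, and if DBSCRIPTS_USER is unset the comparison is always true and, after word splitting, `-u` consumes the script path itself as the user name. Suggest `if [[ "$user" != "${DBSCRIPTS_USER:?DBSCRIPTS_USER is not set}" ]]; then` and `exec sudo -u "$DBSCRIPTS_USER" -- "$@"`. Since this function is the enforcement point for the whole change, a header comment stating that it re-executes the calling script as $DBSCRIPTS_USER and only returns when already running as that account would also help.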
+switch_user "$0" "$@"
+
 args=(${@})
 repo_from="${args[0]}"
 repo_to="${args[1]}"
diff --git a/db-remove b/db-remove
index 25cb9a7..f4cec84 100755
--- a/db-remove
+++ b/db-remove
@@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then
 	exit 1
 fi
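Review bot: `switch_user "$0" "$@"` hands sudo whatever name the packager invoked the script by, which is a relative path when run as `./db-move` or `bash db-move`; a sudoers command spec matches on the absolute path, so the rule that is supposed to confine packagers to the db-* scripts would either reject such invocations or, if written loosely enough to accept them, not pin the script at all. Resolving the path before the call, e.g. `switch_user "$(readlink -f -- "$0")" "$@"`, keeps the sudoers entry strict and the invocation working. The same applies to the identical calls added in db-remove, db-repo-add, db-repo-remove and db-update. A short comment above the call noting that everything below runs as $DBSCRIPTS_USER after the re-exec (config is re-read as that user) would make the control flow visible to the next reader.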
+switch_user "$0" "$@"
+
 repo="$1"
 arch="$2"
 pkgbases=(${@:3})
diff --git a/db-repo-add b/db-repo-add
index 5d5b653..b1308da 100755
--- a/db-repo-add
+++ b/db-repo-add
@@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then
 	exit 1
 fi
+switch_user "$0" "$@"
+
 repo="$1"
 arch="$2"
 pkgfiles=(${@:3})
diff --git a/db-repo-remove b/db-repo-remove
index 2a693f4..8ced653 100755
--- a/db-repo-remove
+++ b/db-repo-remove
@@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then
 	exit 1
 fi
+switch_user "$0" "$@"
+
 repo="$1"
 arch="$2"
 pkgnames=(${@:3})
diff --git a/db-update b/db-update
index 576fe2b..14a1139 100755
--- a/db-update
+++ b/db-update
@@ -8,6 +8,10 @@ if [ $# -ge 1 ]; then
 	exit 1
 fi
+find "${STAGING}" -mindepth 1 -maxdepth 1 -type d -exec setfacl -m u:$DBSCRIPTS_USER:rwx:{} \;
+
+switch_user "$0" "$@"
+
 # Find repos with packages to release
 staging_repos=($(find "${STAGING}" -mindepth 1 -type f -name "*${PKGEXT}" -printf '%h\n' | sort -u))
 if [ $? -ge 1 ]; then
-- 
1.8.4.2
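Review bot: In the added `find "${STAGING}" ... -exec setfacl -m u:$DBSCRIPTS_USER:rwx:{} \;` the `{}` is glued onto the ACL entry as a fourth colon-separated field instead of being passed as the directory argument, so, unless this is a mail-rendering artifact, setfacl should reject every entry; and because `-exec ... \;` does not propagate the command's status to find, the script carries on into `switch_user` and the failure only surfaces later, as the dbscripts user being unable to write the staging directories, far from its cause. Suggest `find "${STAGING}" -mindepth 1 -maxdepth 1 -type d -exec setfacl -m "u:${DBSCRIPTS_USER}:rwx" {} + || exit 1`, which passes the path as its own argument, quotes the user name, and with the `+` form makes find return non-zero when setfacl fails. A comment above the line explaining why the ACL is granted before the user switch (presumably because the staging directory belongs to the calling packager and the dbscripts account must be able to move packages out of it; confirm) would also help, since the grant is the only step here that still runs with the packager's privileges.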