[arch-projects] [dbscripts] [RFC] Perform all database and copy operations using a dedicated user
This patch (in combination with a proper sudoers file) allows locking down the repository and pool paths such that packagers can only access them using dbscripts. This prevents them from messing with packages and databases manually and causing inconsistencies. This also strengthens the server-side signature verification by preventing packagers from sneaking non-verified packages into the database.
--- config | 2 ++ config.local.svn-community | 2 ++ config.local.svn-packages | 2 ++ db-functions | 9 +++++++++ db-move | 2 ++ db-remove | 2 ++ db-repo-add | 2 ++ db-repo-remove | 2 ++ db-update | 4 ++++ 9 files changed, 27 insertions(+) diff --git a/config b/config index 3df6c95..49fe1b5 100644 --- a/config +++ b/config @@ -30,6 +30,8 @@ FILESEXT=".files.tar.gz" PKGEXT=".pkg.tar.?z" SRCEXT=".src.tar.gz" +DBSCRIPTS_USER=dbscripts + # Allowed licenses: get sourceballs only for licenses in this array ALLOWED_LICENSES=('GPL' 'GPL1' 'GPL2' 'LGPL' 'LGPL1' 'LGPL2' 'LGPL2.1') diff --git a/config.local.svn-community b/config.local.svn-community index 105ea66..26bf047 100644 --- a/config.local.svn-community +++ b/config.local.svn-community @@ -9,3 +9,5 @@ STABLE_REPOS=('community') CLEANUP_DESTDIR="/srv/repos/svn-community/package-cleanup" SOURCE_CLEANUP_DESTDIR="/srv/repos/svn-community/source-cleanup" TMPDIR="/srv/repos/svn-community/tmp" + +DBSCRIPTS_USER=dbscripts_community diff --git a/config.local.svn-packages b/config.local.svn-packages index 958a483..f2aa3df 100644 --- a/config.local.svn-packages +++ b/config.local.svn-packages @@ -9,3 +9,5 @@ STABLE_REPOS=('core' 'extra') CLEANUP_DESTDIR="/srv/repos/svn-packages/package-cleanup" SOURCE_CLEANUP_DESTDIR="/srv/repos/svn-packages/source-cleanup" TMPDIR="/srv/repos/svn-packages/tmp" + +DBSCRIPTS_USER=dbscripts_packages diff --git a/db-functions b/db-functions index bb49894..707d35b 100644 --- a/db-functions +++ b/db-functions 
@@ -536,3 +536,12 @@ arch_svn() { sudo -u "${SVNUSER}" -- /usr/bin/svn --username "${USER}" "${@}" fi } + +switch_user() { + local user + + user=$(whoami) + if [[ $user != $DBSCRIPTS_USER ]]; then + exec sudo -u $DBSCRIPTS_USER "$@" + fi +} diff --git a/db-move b/db-move index 1fa44d4..76ad035 100755 --- a/db-move +++ b/db-move @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then exit 1 fi +switch_user "$0" "$@" + args=(${@}) repo_from="${args[0]}" repo_to="${args[1]}" diff --git a/db-remove b/db-remove index 25cb9a7..f4cec84 100755 --- a/db-remove +++ b/db-remove @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then exit 1 fi +switch_user "$0" "$@" + repo="$1" arch="$2" pkgbases=(${@:3}) diff --git a/db-repo-add b/db-repo-add index 5d5b653..b1308da 100755 --- a/db-repo-add +++ b/db-repo-add @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then exit 1 fi +switch_user "$0" "$@" + repo="$1" arch="$2" pkgfiles=(${@:3}) diff --git a/db-repo-remove b/db-repo-remove index 2a693f4..8ced653 100755 --- a/db-repo-remove +++ b/db-repo-remove @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then exit 1 fi +switch_user "$0" "$@" + repo="$1" arch="$2" pkgnames=(${@:3}) diff --git a/db-update b/db-update index 576fe2b..14a1139 100755 --- a/db-update +++ b/db-update @@ -8,6 +8,10 @@ if [ $# -ge 1 ]; then exit 1 fi +find "${STAGING}" -mindepth 1 -maxdepth 1 -type d -exec setfacl -m u:$DBSCRIPTS_USER:rwx:{} \; + +switch_user "$0" "$@" + # Find repos with packages to release staging_repos=($(find "${STAGING}" -mindepth 1 -type f -name "*${PKGEXT}" -printf '%h\n' | sort -u)) if [ $? -ge 1 ]; then -- 1.8.4.2
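Review bot: in the db-functions hunk, switch_user resolves the caller with an unqualified `whoami` and compares it in `[[ $user != $DBSCRIPTS_USER ]]` with the right-hand side unquoted, so the decision depends on the caller's PATH and the comparison is a pattern match rather than a string match; since the check only decides when to re-exec, `user=$(PATH=/usr/bin:/bin id -un)` and `[[ $user != "$DBSCRIPTS_USER" ]]` are enough. The re-exec line `exec sudo -u $DBSCRIPTS_USER "$@"` should quote the user and end the option list with `--`, as arch_svn in the same file already does (`exec sudo -u "${DBSCRIPTS_USER}" -- "$@"`); otherwise an empty or unset DBSCRIPTS_USER makes sudo read "$0" as the user name.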
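Review bot: in the db-update hunk the find placeholder is glued into the ACL entry: `-exec setfacl -m u:$DBSCRIPTS_USER:rwx:{} \;` expands to one argument of the form `u:dbscripts:rwx:/path/to/staging/core`, so setfacl receives an ACL spec with an extra field and no file operand and fails for every directory; it should read `-exec setfacl -m "u:${DBSCRIPTS_USER}:rwx" {} \;`. Two further points on the same lines: with -maxdepth 1 only the per-repo staging directories get the ACL, so the package files inside them are readable by the switched user only if their own mode already allows it, and the ACL is added on every run but never removed afterwards.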
On Sun, Nov 03, 2013 at 11:14:23AM +0100, Thomas Bächler wrote:
This patch (in combination with a proper sudoers file) allows locking down the repository and pool paths such that packagers can only access them using dbscripts.
This prevents them from messing with packages and databases manually and causing inconsistencies. This also strengthens the server-side signature verification by preventing packagers from sneaking non-verified packages into the database.
--- config | 2 ++ config.local.svn-community | 2 ++ config.local.svn-packages | 2 ++ db-functions | 9 +++++++++ db-move | 2 ++ db-remove | 2 ++ db-repo-add | 2 ++ db-repo-remove | 2 ++ db-update | 4 ++++ 9 files changed, 27 insertions(+)
diff --git a/config b/config index 3df6c95..49fe1b5 100644 --- a/config +++ b/config @@ -30,6 +30,8 @@ FILESEXT=".files.tar.gz" PKGEXT=".pkg.tar.?z" SRCEXT=".src.tar.gz"
+DBSCRIPTS_USER=dbscripts + # Allowed licenses: get sourceballs only for licenses in this array ALLOWED_LICENSES=('GPL' 'GPL1' 'GPL2' 'LGPL' 'LGPL1' 'LGPL2' 'LGPL2.1')
diff --git a/config.local.svn-community b/config.local.svn-community index 105ea66..26bf047 100644 --- a/config.local.svn-community +++ b/config.local.svn-community @@ -9,3 +9,5 @@ STABLE_REPOS=('community') CLEANUP_DESTDIR="/srv/repos/svn-community/package-cleanup" SOURCE_CLEANUP_DESTDIR="/srv/repos/svn-community/source-cleanup" TMPDIR="/srv/repos/svn-community/tmp" + +DBSCRIPTS_USER=dbscripts_community diff --git a/config.local.svn-packages b/config.local.svn-packages index 958a483..f2aa3df 100644 --- a/config.local.svn-packages +++ b/config.local.svn-packages @@ -9,3 +9,5 @@ STABLE_REPOS=('core' 'extra') CLEANUP_DESTDIR="/srv/repos/svn-packages/package-cleanup" SOURCE_CLEANUP_DESTDIR="/srv/repos/svn-packages/source-cleanup" TMPDIR="/srv/repos/svn-packages/tmp" + +DBSCRIPTS_USER=dbscripts_packages diff --git a/db-functions b/db-functions index bb49894..707d35b 100644 --- a/db-functions +++ b/db-functions @@ -536,3 +536,12 @@ arch_svn() { sudo -u "${SVNUSER}" -- /usr/bin/svn --username "${USER}" "${@}" fi } + +switch_user() { + local user + + user=$(whoami)
I'm not sure what sort of security this is meant to introduce, but it's easy to forge a binary called 'whoami' which returns whatever you want and put it higher in your PATH. It's equally easy to override the USER environment var, and even readonly variables like UID.

Suggestions:

1) Explicitly call /usr/bin/whoami or /usr/bin/id
2) Maybe there's a way to use sudo directly for authentication as well? Thinking about something with 'sudo -l $binary'.

d
+ if [[ $user != $DBSCRIPTS_USER ]]; then + exec sudo -u $DBSCRIPTS_USER "$@" + fi +} diff --git a/db-move b/db-move index 1fa44d4..76ad035 100755 --- a/db-move +++ b/db-move @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then exit 1 fi
+switch_user "$0" "$@" + args=(${@}) repo_from="${args[0]}" repo_to="${args[1]}" diff --git a/db-remove b/db-remove index 25cb9a7..f4cec84 100755 --- a/db-remove +++ b/db-remove @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then exit 1 fi
+switch_user "$0" "$@" + repo="$1" arch="$2" pkgbases=(${@:3}) diff --git a/db-repo-add b/db-repo-add index 5d5b653..b1308da 100755 --- a/db-repo-add +++ b/db-repo-add @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then exit 1 fi
+switch_user "$0" "$@" + repo="$1" arch="$2" pkgfiles=(${@:3}) diff --git a/db-repo-remove b/db-repo-remove index 2a693f4..8ced653 100755 --- a/db-repo-remove +++ b/db-repo-remove @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then exit 1 fi
+switch_user "$0" "$@" + repo="$1" arch="$2" pkgnames=(${@:3}) diff --git a/db-update b/db-update index 576fe2b..14a1139 100755 --- a/db-update +++ b/db-update @@ -8,6 +8,10 @@ if [ $# -ge 1 ]; then exit 1 fi
+find "${STAGING}" -mindepth 1 -maxdepth 1 -type d -exec setfacl -m u:$DBSCRIPTS_USER:rwx:{} \; + +switch_user "$0" "$@" + # Find repos with packages to release staging_repos=($(find "${STAGING}" -mindepth 1 -type f -name "*${PKGEXT}" -printf '%h\n' | sort -u)) if [ $? -ge 1 ]; then -- 1.8.4.2
On 03.11.2013 14:47, Dave Reisner wrote:
+switch_user() { + local user + + user=$(whoami)
I'm not sure what sort of security this is meant to introduce, but it's easy to forge a binary called 'whoami' which returns whatever you want and put it higher in your PATH. It's equally easy to override the USER environment var, and even readonly variables like UID.
Suggestions:
1) Explicitly call /usr/bin/whoami or /usr/bin/id
2) Maybe there's a way to use sudo directly for authentication as well? Thinking about something with 'sudo -l $binary'.
Actually, now that you mention it, $USER should be sufficient. This check only ensures that we switch users whenever we should. If someone works around it, it will only lead to errors since permissions are insufficient.
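As an added example, not dbscripts code and not the patch under review, here is the switch_user logic written the way Dave's first suggestion and Thomas's reply together imply: the current user is read with a pinned PATH so the decision cannot be steered through the caller's environment, and the decision itself lives in a separate function so it can be exercised without sudo. DBSCRIPTS_USER is the config variable from the patch; current_user, needs_switch and the pinned PATH value are assumptions of this example.

```shell
#!/bin/bash
# Added example, not part of dbscripts: a switch_user variant whose user
# lookup does not depend on the caller's PATH or on $USER.
# DBSCRIPTS_USER comes from the dbscripts config in the patch; the helper
# names below are hypothetical.

# Print the effective user name, consulting only the system binary directories
# for this one command so a shadowed 'id' or 'whoami' in the caller's PATH
# is never executed.
current_user() {
    PATH=/usr/bin:/bin id -un
}

# Return 0 when the script must re-exec itself as "$2" (the dedicated user),
# 1 when it already runs as that user or no dedicated user is configured.
needs_switch() {
    local current="$1" target="$2"
    [ -n "$target" ] && [ "$current" != "$target" ]
}

# Re-exec the calling script under the dedicated user. The caller passes
# "$0" "$@" exactly as the patch does; '--' ends sudo's option list so the
# script path is never parsed as an option (arch_svn already does this).
switch_user() {
    if needs_switch "$(current_user)" "$DBSCRIPTS_USER"; then
        exec sudo -u "$DBSCRIPTS_USER" -- "$@"
    fi
}

# Usage inside a db-* script, after sourcing the config:
#   switch_user "$0" "$@"
```

As Thomas notes, this function only decides when to re-exec; the real boundary is the sudoers rule and the ownership of the repository and pool paths, so a caller who defeats the check ends up with a permission error from the file system rather than write access to the database.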
On Sun, Nov 3, 2013 at 11:14 AM, Thomas Bächler <thomas@archlinux.org> wrote:
+switch_user() { + local user + + user=$(whoami) + if [[ $user != $DBSCRIPTS_USER ]]; then + exec sudo -u $DBSCRIPTS_USER "$@" + fi +}
Instead of using sudo and adding a convenience hack to the binary, could we use setuid? E.g. The binaries are chown dbscripts_packages:dev (or dbscripts_community:tu) and chmod 4554. Or is the distinction of EUID/RUID a problem here?
On 03.11.2013 19:06, Jan Alexander Steffens wrote:
On Sun, Nov 3, 2013 at 11:14 AM, Thomas Bächler <thomas@archlinux.org> wrote:
+switch_user() { + local user + + user=$(whoami) + if [[ $user != $DBSCRIPTS_USER ]]; then + exec sudo -u $DBSCRIPTS_USER "$@" + fi +}
Instead of using sudo and adding a convenience hack to the binary, could we use setuid?
E.g. The binaries are chown dbscripts_packages:dev (or dbscripts_community:tu) and chmod 4554.
What binaries?
On Sun, Nov 3, 2013 at 7:55 PM, Thomas Bächler <thomas@archlinux.org> wrote:
Instead of using sudo and adding a convenience hack to the binary, could we use setuid?
E.g. The binaries are chown dbscripts_packages:dev (or dbscripts_community:tu) and chmod 4554.
What binaries?
Ah, I forgot you can't use setuid on scripts. Never mind.