[arch-projects] [dbscripts] [RFC] Perform all database and copy operations using a dedicated user

Dave Reisner d at falconindy.com
Sun Nov 3 08:47:25 EST 2013


On Sun, Nov 03, 2013 at 11:14:23AM +0100, Thomas Bächler wrote:
> This patch (in combination with a proper sudoers file) makes it possible to lock
> down the repository and pool paths so that packagers can only reach them
> through dbscripts.
> 
> This prevents them from messing with packages and databases
> manually and causing inconsistencies. This also strengthens
> the server-side signature verification by disallowing packagers
> to sneak non-verified packages into the database.
> ---
>  config                     | 2 ++
>  config.local.svn-community | 2 ++
>  config.local.svn-packages  | 2 ++
>  db-functions               | 9 +++++++++
>  db-move                    | 2 ++
>  db-remove                  | 2 ++
>  db-repo-add                | 2 ++
>  db-repo-remove             | 2 ++
>  db-update                  | 4 ++++
>  9 files changed, 27 insertions(+)
> 
> diff --git a/config b/config
> index 3df6c95..49fe1b5 100644
> --- a/config
> +++ b/config
> @@ -30,6 +30,8 @@ FILESEXT=".files.tar.gz"
>  PKGEXT=".pkg.tar.?z"
>  SRCEXT=".src.tar.gz"
>  
> +DBSCRIPTS_USER=dbscripts
> +
>  # Allowed licenses: get sourceballs only for licenses in this array
>  ALLOWED_LICENSES=('GPL' 'GPL1' 'GPL2' 'LGPL' 'LGPL1' 'LGPL2' 'LGPL2.1')
>  
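Review bot: `DBSCRIPTS_USER=dbscripts` is added without a comment, although `ALLOWED_LICENSES` just below is annotated and this is the value an operator must keep in sync with the sudoers rule and with the ownership of the repo and pool paths for the lock-down to work at all. A short comment above it would make that dependency explicit, e.g. `# Service account the db-* scripts re-exec themselves as via sudo; it must own the repo/pool paths and match the sudoers rule (overridden per repo in config.local.*).`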
> diff --git a/config.local.svn-community b/config.local.svn-community
> index 105ea66..26bf047 100644
> --- a/config.local.svn-community
> +++ b/config.local.svn-community
> @@ -9,3 +9,5 @@ STABLE_REPOS=('community')
>  CLEANUP_DESTDIR="/srv/repos/svn-community/package-cleanup"
>  SOURCE_CLEANUP_DESTDIR="/srv/repos/svn-community/source-cleanup"
>  TMPDIR="/srv/repos/svn-community/tmp"
> +
> +DBSCRIPTS_USER=dbscripts_community
> diff --git a/config.local.svn-packages b/config.local.svn-packages
> index 958a483..f2aa3df 100644
> --- a/config.local.svn-packages
> +++ b/config.local.svn-packages
> @@ -9,3 +9,5 @@ STABLE_REPOS=('core' 'extra')
>  CLEANUP_DESTDIR="/srv/repos/svn-packages/package-cleanup"
>  SOURCE_CLEANUP_DESTDIR="/srv/repos/svn-packages/source-cleanup"
>  TMPDIR="/srv/repos/svn-packages/tmp"
> +
> +DBSCRIPTS_USER=dbscripts_packages
> diff --git a/db-functions b/db-functions
> index bb49894..707d35b 100644
> --- a/db-functions
> +++ b/db-functions
> @@ -536,3 +536,12 @@ arch_svn() {
>  		sudo -u "${SVNUSER}" -- /usr/bin/svn --username "${USER}" "${@}"
>  	fi
>  }
> +
> +switch_user() {
> +	local user
> +
> +	user=$(whoami)

I'm not sure what sort of security this is meant to introduce, but it's
easy to forge a binary called 'whoami' which returns whatever you want
and put it higher in your PATH. It's equally easy to override the USER
environment var, and even readonly variables like UID.

Suggestions:

1) Explicitly call /usr/bin/whoami or /usr/bin/id
2) Maybe there's a way to use sudo directly for authentication as well?
Thinking about something with 'sudo -l $binary'.

d

> +	if [[ $user != $DBSCRIPTS_USER ]]; then
> +		exec sudo -u $DBSCRIPTS_USER "$@"
> +	fi
> +}
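Review bot: After `exec sudo -u $DBSCRIPTS_USER "$@"` the re-executed script runs with the service account's environment, so the `${USER}` that the existing `arch_svn` (first context line of this hunk) passes as `--username` is the service account rather than the packager unless sudoers keeps it via env_keep, and SVN commits would then be attributed to dbscripts. sudo itself sets `SUDO_USER` to the invoking account, which is a better source than an inherited `USER`; I would change that context line to `--username "${SUDO_USER:-$USER}"` and have `switch_user` refuse to continue if neither is set. Independently of the forged-`whoami` point already raised, `$DBSCRIPTS_USER` unquoted on the right of `!=` inside `[[ ]]` is a glob pattern, not a string, and is also unquoted in the `sudo -u` line; write `[[ $user != "$DBSCRIPTS_USER" ]]` and `exec sudo -u "$DBSCRIPTS_USER" "$@"`.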
> diff --git a/db-move b/db-move
> index 1fa44d4..76ad035 100755
> --- a/db-move
> +++ b/db-move
> @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then
>  	exit 1
>  fi
>  
> +switch_user "$0" "$@"
> +
>  args=(${@})
>  repo_from="${args[0]}"
>  repo_to="${args[1]}"
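Review bot: The re-exec passes `"$0"`, i.e. whatever path the packager invoked, so sudo will run a modified copy of this script from the packager's home if the sudoers entry is not pinned to the installed absolute path; the lock-down described in the commit message therefore depends entirely on that entry listing each db-* script by full path with no wildcard, which nothing in the script itself enforces. A comment at the call site would make that contract visible, e.g. `# Re-exec as the service account; sudoers must allow exactly the installed path of this script, nothing broader.` The pre-existing `args=(${@})` on the next line still word-splits and globs the arguments that the new call passes quoted; `args=("$@")` would keep the two consistent.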
> diff --git a/db-remove b/db-remove
> index 25cb9a7..f4cec84 100755
> --- a/db-remove
> +++ b/db-remove
> @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then
>  	exit 1
>  fi
>  
> +switch_user "$0" "$@"
> +
>  repo="$1"
>  arch="$2"
>  pkgbases=(${@:3})
> diff --git a/db-repo-add b/db-repo-add
> index 5d5b653..b1308da 100755
> --- a/db-repo-add
> +++ b/db-repo-add
> @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then
>  	exit 1
>  fi
>  
> +switch_user "$0" "$@"
> +
>  repo="$1"
>  arch="$2"
>  pkgfiles=(${@:3})
> diff --git a/db-repo-remove b/db-repo-remove
> index 2a693f4..8ced653 100755
> --- a/db-repo-remove
> +++ b/db-repo-remove
> @@ -8,6 +8,8 @@ if [ $# -lt 3 ]; then
>  	exit 1
>  fi
>  
> +switch_user "$0" "$@"
> +
>  repo="$1"
>  arch="$2"
>  pkgnames=(${@:3})
> diff --git a/db-update b/db-update
> index 576fe2b..14a1139 100755
> --- a/db-update
> +++ b/db-update
> @@ -8,6 +8,10 @@ if [ $# -ge 1 ]; then
>  	exit 1
>  fi
>  
> +find "${STAGING}" -mindepth 1 -maxdepth 1 -type d -exec setfacl -m u:$DBSCRIPTS_USER:rwx:{} \;
> +
> +switch_user "$0" "$@"
> +
>  # Find repos with packages to release
>  staging_repos=($(find  "${STAGING}" -mindepth 1 -type f -name "*${PKGEXT}" -printf '%h\n' | sort -u))
>  if [ $? -ge 1 ]; then
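Review bot: The ACL spec in the added `find ... -exec setfacl -m u:$DBSCRIPTS_USER:rwx:{} \;` is malformed: setfacl's `-m` argument is `u:USER:PERMS` and the file is a separate operand, so the `:{}` suffix makes each invocation fail with an invalid-argument error and the service account never gets access to the staging directories. It should read `find "${STAGING}" -mindepth 1 -maxdepth 1 -type d -exec setfacl -m "u:${DBSCRIPTS_USER}:rwx" {} +`. The ACL is only applied to the per-repo directories, not to the package files inside them nor to `${STAGING}` itself, so the service account still depends on those being world-readable and traversable; that assumption deserves a comment or an extension of the find. Separately, if STAGING is derived from the invoking user's `$HOME` in config (not visible here), the script re-executed via `switch_user` will see the service account's own staging path rather than the packager's — confirm how STAGING is defined before relying on this.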
> -- 
> 1.8.4.2
> 

