[aur-dev] [PATCH 2/2] Require TUs to explicitly request to overwrite a pkgbase
Eli Schwartz
eschwartz at archlinux.org
Fri Jul 21 04:13:40 UTC 2017
AUR_PRIVILEGED allows people with privileged AUR accounts to evade the
block on non-fast-forward commits. While valid in this case, we should
not do so by default, since in at least one case a TU did this without
realizing there was an existing package.
( https://aur.archlinux.org/packages/rtmidi/ )
Use .ssh/config "SendEnv" on the TU's side and sshd_config
"AcceptEnv" in the AUR server to specifically request privileged access.
TUs should use: `export AUR_PRIVILEGED=1; git push`
Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
---
INSTALL | 1 +
aurweb/git/auth.py | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/INSTALL b/INSTALL
index 8c9c4dd..22bbe33 100644
--- a/INSTALL
+++ b/INSTALL
@@ -76,6 +76,7 @@ read the instructions below.
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
AuthorizedKeysCommandUser aur
+ AcceptEnv AUR_PRIVILEGED
9) If you want to enable smart HTTP support with nginx and fcgiwrap, you can
use the following directives:
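Review bot: the new `AcceptEnv AUR_PRIVILEGED` line in the sshd_config step is added without any explanation, and INSTALL gets nothing about the client half that the commit message describes (a `SendEnv` entry in the TU's ssh config plus exporting the variable before `git push`). Suggest adding a sentence to this step, or to the TU-facing documentation, saying what the variable is for and how a TU opts in. Please also confirm that the line lands in the same block as the `AuthorizedKeysCommandUser aur` line above it, so the variable is accepted only for the AUR git user and not for every login on the host.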
diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py
index 022b0ff..9aab417 100755
--- a/aurweb/git/auth.py
+++ b/aurweb/git/auth.py
@@ -51,7 +51,7 @@ def main():
env_vars = {
'AUR_USER': user,
- 'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
+ 'AUR_PRIVILEGED': os.environ.get('AUR_PRIVILEGED', '0') if account_type > 1 else '0',
}
key = keytype + ' ' + keytext
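Review bot: `os.environ.get('AUR_PRIVILEGED', '0')` in `main()` reads the environment of the auth.py process itself, and INSTALL has this script running as sshd's `AuthorizedKeysCommand`. sshd invokes that command while it is still checking the key, whereas variables sent with SendEnv arrive with the session request after authentication, so the client's value may never be visible at this point and privileged accounts would always get '0'. Please test with a real push from a TU account; if that is what happens, the opt-in has to be evaluated somewhere that sees the session environment. Separately, the client-supplied string is copied verbatim into `env_vars`; mapping it to '1' only when it is exactly '1', and to '0' otherwise, would be safer than forwarding arbitrary text.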
--
2.13.3