From 3b636391f7ea17d89f15a4ede65a82eeef44198b Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Wed, 10 Apr 2013 13:13:54 -0300
Subject: Refactor to not use setuid and not bypass the git daemon
---
 manifests/instance.pp | 53 ++++++++++++++++++++++++++----------------------
 templates/deploy.sh.erb | 7 -------
 templates/refresh.sh.erb | 14 ++++++-------
 3 files changed, 35 insertions(+), 39 deletions(-)
diff --git a/manifests/instance.pp b/manifests/instance.pp
index 3c76365..f6c635f 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -1,7 +1,7 @@
 define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description = false, $adminuser = 'yourname', $adminemail = 'me@example.org', $instance = 'ikiwiki', $account_creation_password = false, $add_plugins = false, $disable_plugins = false,
- $protocol = 'https') {
+ $protocol = 'https', $owner = $name, $group = $name) {
 $desc = $description ? { false => $title,
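Review bot: The new `$owner` and `$group` parameters default to `$name`, but nothing in this hunk says what account they name or ensures it exists, so a caller who keeps the default gets file resources chowned to a user named after the site, which Puppet will refuse to apply if no such local user exists (inferred from the defaults; confirm how the site user is provisioned elsewhere in the module). Suggest a parameter comment on the signature: `# $owner/$group: existing local account that owns the wiki srcdir/destdir and runs the CGI wrapper; defaults to the site name.` The define's body continues outside this hunk.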
@@ -13,23 +13,30 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description file { "/etc/ikiwiki/$name.setup": ensure => present, content => template('ikiwiki/ikiwiki.setup.erb'), - owner => www-data, - group => www-data, + owner => root, + group => $owner, mode => 640, notify => Exec["ikiwiki_refresh_${name}"], } - exec { "ikiwiki_refresh_${name}": - command => "/usr/local/sbin/ikiwiki-refresh $name $instance", + exec { "ikiwiki_refresh_${name}_${instance}": + command => "/usr/local/sbin/ikiwiki-refresh $name $instance $owner $group", user => root, refreshonly => true, } - + + exec { "ssh-keygen-ikiwiki-${name}_${instance}": + command => "ssh-keygen -t rsa -P '' -f ${ikiwiki::sites_folder}/${name}/.ssh/id_rsa": + creates => "${ikiwiki::sites_folder}/${name}/.ssh/id_rsa", + user => $owner, + group => $group, + } + if !defined(File["${ikiwiki::sites_folder}/${name}/${instance}_src"]) { file { "${ikiwiki::sites_folder}/${name}/${instance}_src": ensure => directory, - owner => www-data, - group => www-data, + owner => $owner, + group => $group, recurse => true, notify => Exec["ikiwiki_refresh_${name}"], require => File["${ikiwiki::sites_folder}/${name}"], @@ -39,8 +46,8 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description if !defined(File["${ikiwiki::sites_folder}/${name}/${instance}"]) { file { "${ikiwiki::sites_folder}/${name}/${instance}": ensure => directory, - owner => www-data, - group => www-data, + owner => $owner, + group => $group, recurse => true, require => File["${ikiwiki::sites_folder}/${name}"], } 
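Review bot: The exec is renamed to `ikiwiki_refresh_${name}_${instance}`, but both `notify => Exec["ikiwiki_refresh_${name}"]` context lines in this hunk (on the `.setup` file and on the `${instance}_src` directory) still reference the old title, so the catalog will fail with an unresolved dependency; both need to become `notify => Exec["ikiwiki_refresh_${name}_${instance}"]`. The new ssh-keygen exec also cannot parse as written — its `command` value ends in `":` instead of `",` — and it names `ssh-keygen` without an absolute path or a `path` attribute, which Puppet rejects for an exec. Since the key is generated with `-P ''`, the private key is protected only by file permissions, and nothing visible here creates the `.ssh` parent directory that `ssh-keygen -f` needs, so I would add a directory resource alongside the corrected exec (confirm no other manifest already manages that directory).
```puppet
  # Deploy key the site account uses to push through the git daemon; it has
  # no passphrase, so the key directory must stay private to $owner.
  file { "${ikiwiki::sites_folder}/${name}/.ssh":
    ensure  => directory,
    owner   => $owner,
    group   => $group,
    mode    => 0700,
    require => File["${ikiwiki::sites_folder}/${name}"],
  }

  exec { "ssh-keygen-ikiwiki-${name}_${instance}":
    command => "ssh-keygen -t rsa -P '' -f ${ikiwiki::sites_folder}/${name}/.ssh/id_rsa",
    creates => "${ikiwiki::sites_folder}/${name}/.ssh/id_rsa",
    path    => [ '/usr/bin', '/bin' ],
    user    => $owner,
    group   => $group,
    require => File["${ikiwiki::sites_folder}/${name}/.ssh"],
  }
```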
@@ -54,21 +61,19 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description } } - # The post-update hook should have www-data as owner so - # gitolite can do a setuid to it and write to ikiwiki - # folders without messing the permission scheme. - # - # The same is valid for the cgi. - # - # See http://ikiwiki.info/rcs/git/ - # http://ikiwiki.info/forum/multi-user_setup_of_ikiwiki__44___gitolite_and_apache2_in_Debian_Sid/ - # - file { [ "/var/git/repositories/${name}.git/hooks/post-update", - "${ikiwiki::sites_folder}/${name}/${instance}/ikiwiki.cgi" ]: + file { "/var/git/repositories/${name}.git/hooks/post-update": + ensure => present, + owner => $ikiwiki::git_implementation, + group => $ikiwiki::git_implementation, + mode => 0755, + require => File["/etc/ikiwiki/$name.setup"], + } + + file { "${ikiwiki::sites_folder}/${name}/${instance}/ikiwiki.cgi": ensure => present, - owner => www-data, - group => gitolite, - mode => 6550, + owner => $owner, + group => $group, + mode => 0550, require => File["/etc/ikiwiki/$name.setup"], } }
diff --git a/templates/deploy.sh.erb b/templates/deploy.sh.erb
index 91aee0e..4ebbf1d 100644
--- a/templates/deploy.sh.erb
+++ b/templates/deploy.sh.erb
@@ -5,10 +5,6 @@ INSTANCE="$2" BASE="<%= scope.lookupvar('ikiwiki::sites_folder') %>" SITE=$BASE/$NAME CONF="/etc/ikiwiki" -WEB_OWNER="www-data" -WEB_GROUP="www-data" -REPO_OWNER="<%= scope.lookupvar('ikiwiki::git_implementation') %>" -REPO_GROUP="<%= scope.lookupvar('ikiwiki::git_implementation') %>" REPO="/var/git/repositories/$NAME.git" if [ -z "$INSTANCE" ]; then
@@ -43,6 +39,3 @@ if [ ! -d "$REPO" ]; then touch $REPO/git-daemon-export-ok ( cd $REPO/$NAME.git && git --bare update-server-info ) fi - -# Refresh the instance -ikiwiki-refresh $NAME $INSTANCE
diff --git a/templates/refresh.sh.erb b/templates/refresh.sh.erb
index 4308934..41b5296 100644
--- a/templates/refresh.sh.erb
+++ b/templates/refresh.sh.erb
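Review bot: The removed comment block explained why the hook and CGI carried setuid bits, and the replacement resources drop them (`0755` for the hook owned by `$ikiwiki::git_implementation`, `0550` for the CGI owned by `$owner:$group`) without saying how writes now reach the site directories. Without setuid the CGI runs as the web server's own user and the hook as the git user, so both only work if those accounts can write to `${instance}_src` and `${instance}`; the directory resources earlier in this file set `owner => $owner, group => $group` with no `mode`, so unless `$owner` is that same account this appears to need group membership plus group-writable directories, which this commit does not set up (inferred from the visible resources; please confirm on a deployed host). Please restore a short comment on each resource stating the intended identity, e.g. on the hook `# Runs as the git daemon user, no setuid; it must be able to write the srcdir as a member of $group.` and on the CGI `# Executed by the web server user via group membership in $group; no setuid.`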
@@ -2,11 +2,11 @@ NAME="$1" INSTANCE="$2" +WEB_OWNER="$3" +WEB_GROUP="$4" BASE="<%= scope.lookupvar('ikiwiki::sites_folder') %>" -SITE=$BASE/$NAME +SITE="$BASE/$NAME" CONF="/etc/ikiwiki" -WEB_OWNER="www-data" -WEB_GROUP="www-data" REPO_OWNER="<%= scope.lookupvar('ikiwiki::git_implementation') %>" REPO_GROUP="<%= scope.lookupvar('ikiwiki::git_implementation') %>" REPO="/var/git/repositories/$NAME.git" @@ -30,11 +30,9 @@ fi ikiwiki --setup /etc/ikiwiki/$NAME.setup # Fix permissions -chown -R $WEB_OWNER.$WEB_GROUP $SITE/"$INSTANCE"_src $SITE/$INSTANCE chown -R $REPO_OWNER.$REPO_GROUP $REPO -chown $WEB_OWNER.$REPO_GROUP $REPO/hooks/post-update -chown $WEB_OWNER.$REPO_GROUP $SITE/$INSTANCE/ikiwiki.cgi +chown -R $WEB_OWNER.$WEB_GROUP $SITE/"$INSTANCE"_src $SITE/$INSTANCE # Setuid/setgid -chmod 6550 $REPO/hooks/post-update -chmod 6550 $SITE/$INSTANCE/ikiwiki.cgi +chmod 0755 $REPO/hooks/post-update +chmod 0550 $SITE/$INSTANCE/ikiwiki.cgi -- cgit v1.2.3
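Review bot: `WEB_OWNER="$3"` and `WEB_GROUP="$4"` are consumed without any check, whereas `$INSTANCE` is guarded (the `fi` in the next hunk's header suggests that test); if either argument is missing, the `chown -R $WEB_OWNER.$WEB_GROUP` in the second hunk runs with a spec of `.` or `owner.` and either aborts or applies the wrong group to the whole site tree. Today the only visible caller is the `ikiwiki_refresh` exec in instance.pp, which passes all four values, but a guard next to the existing one documents the contract for anyone invoking the script by hand.
```sh
if [ -z "$WEB_OWNER" ] || [ -z "$WEB_GROUP" ]; then
  echo "usage: $0 NAME INSTANCE WEB_OWNER WEB_GROUP" >&2
  exit 1
fi
```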
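Review bot: The `# Setuid/setgid` heading is now misleading: the lines under it set `0755` and `0550`, which carry no setuid or setgid bits, so it should read `# Wrapper modes: plain executables, no setuid/setgid (see instance.pp)`. The moved `chown -R $WEB_OWNER.$WEB_GROUP $SITE/"$INSTANCE"_src $SITE/$INSTANCE` uses the dot separator, which misparses an owner name that itself contains a dot, and leaves the paths unquoted; prefer `chown -R "$WEB_OWNER:$WEB_GROUP" "$SITE/${INSTANCE}_src" "$SITE/$INSTANCE"`. The unchanged `$REPO_OWNER.$REPO_GROUP` line just above it has the same separator issue.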