[dak/master] make use of dak-unpriv
allow our tempfile/tempdir generating functions to chmod/chgrp the created
files/directories
use that to have the processed uploads and the lintian tagfile readable by
the dak-unpriv user/group
run lintian sudo-ed to dak-unpriv
Signed-off-by: Joerg Jaspert <joerg@debian.org>
---
dak/dakdb/update86.py | 45 +++++++++++++++++++++++++++++++++++++++++++++
dak/update_db.py | 2 +-
daklib/archive.py | 7 ++++---
daklib/checks.py | 8 +++++---
daklib/config.py | 4 ++--
daklib/utils.py | 18 ++++++++++++++----
6 files changed, 71 insertions(+), 13 deletions(-)
create mode 100755 dak/dakdb/update86.py
mode change 100644 => 100755 daklib/config.py
mode change 100644 => 100755 daklib/utils.py
diff --git a/dak/dakdb/update86.py b/dak/dakdb/update86.py
new file mode 100755
index 0000000..0d2f405
--- /dev/null
+++ b/dak/dakdb/update86.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+# coding=utf8
+
+"""
+Unprivileged group into the database config table
+
+@contact: Debian FTP Master <ftpmaster@debian.org>
+@copyright: 2012 Joerg Jaspert <joerg@debian.org>
+@license: GNU General Public License version 2 or later
+"""
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+################################################################################
+
+import psycopg2
+from daklib.dak_exceptions import DBUpdateError
+from daklib.config import Config
+
+################################################################################
+def do_update(self):
+ print __doc__
+ try:
+ cnf = Config()
+
+ c = self.db.cursor()
+ c.execute("INSERT INTO config (name, value) VALUES('unprivgroup', 'dak-unpriv')")
+ c.execute("UPDATE config SET value = '86' WHERE name = 'db_revision'")
+ self.db.commit()
+
+ except psycopg2.ProgrammingError as msg:
+ self.db.rollback()
+ raise DBUpdateError('Unable to apply sick update 86, rollback issued. Error message: {0}'.format(msg))
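Review bot: The except clause on the last lines only catches psycopg2.ProgrammingError, so a failure of the INSERT that surfaces as a different psycopg2 error (a duplicate 'unprivgroup' row on a re-run would be an IntegrityError if config.name is unique, which this patch does not show) leaves the transaction open instead of rolling it back and raising DBUpdateError. Catching the common base, `except psycopg2.DatabaseError as msg:`, keeps the rollback path for every database failure. `cnf = Config()` is assigned but never used in do_update and can be dropped, and the wording `'Unable to apply sick update 86'` reads like a leftover; `'Unable to apply update 86, rollback issued.'` is clearer in a log.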
diff --git a/dak/update_db.py b/dak/update_db.py
index 5568cae..cf327b0 100755
--- a/dak/update_db.py
+++ b/dak/update_db.py
@@ -46,7 +46,7 @@ from daklib.daklog import Logger
################################################################################
Cnf = None
-required_database_schema = 82
+required_database_schema = 86
################################################################################
diff --git a/daklib/archive.py b/daklib/archive.py
index a55bfab..13cec35 100644
--- a/daklib/archive.py
+++ b/daklib/archive.py
@@ -618,11 +618,12 @@ class ArchiveUpload(object):
cnf = Config()
session = self.transaction.session
- self.directory = tempfile.mkdtemp(dir=cnf.get('Dir::TempPath'))
+ (None, self.directory) = utils.temp_dirname(parent=cnf.get('Dir::TempPath'),
+ mode=0o2750, cnf.unprivgroup)
with FilesystemTransaction() as fs:
src = os.path.join(self.original_directory, self.original_changes.filename)
dst = os.path.join(self.directory, self.original_changes.filename)
- fs.copy(src, dst)
+ fs.copy(src, dst, mode=0o640)
self.changes = upload.Changes(self.directory, self.original_changes.filename, self.keyrings)
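Review bot: The new call on the second and third lines of the hunk is not valid Python: `(None, self.directory) = ...` assigns to None, and the positional `cnf.unprivgroup` follows keyword arguments, so this method raises SyntaxError at import time. Given that temp_dirname's docstring still promises "a pathname to the new directory", the call should be `self.directory = utils.temp_dirname(parent=cnf.get('Dir::TempPath'), mode=0o2750, group=cnf.unprivgroup)` and the helper should keep returning the path. The 02750 mode is what makes the later 0640 copies group-readable by dak-unpriv (setgid directory, files inherit the group), so a one-line comment saying so would help the next reader. The enclosing method starts before and continues after this hunk.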
@@ -631,7 +632,7 @@ class ArchiveUpload(object):
dst = os.path.join(self.directory, f.filename)
if not os.path.exists(src):
continue
- fs.copy(src, dst)
+ fs.copy(src, dst, mode=0o640)
source = self.changes.source
if source is not None:
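Review bot: `fs.copy(src, dst, mode=0o640)` passes a `mode` keyword that FilesystemTransaction.copy is not shown to accept anywhere in this patch; if the signature was not extended in an earlier commit, every upload now fails with a TypeError rather than with an unreadable file. Please confirm the kwarg exists, and note that 0o640 only gives dak-unpriv access because the parent directory created in the previous hunk is setgid to that group; a comment such as `# group-readable: lintian runs as the unprivileged user` on the copy would record that dependency. The enclosing method starts and ends outside this hunk.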
diff --git a/daklib/checks.py b/daklib/checks.py
index 63b56da..de18094 100644
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -566,7 +566,7 @@ class LintianCheck(Check):
except yaml.YAMLError as msg:
raise Exception('Could not read lintian tags file {0}, YAML error: {1}'.format(tagfile, msg))
- fd, temp_filename = utils.temp_filename()
+ fd, temp_filename = utils.temp_filename(mode=0o644)
temptagfile = os.fdopen(fd, 'w')
for tags in lintiantags.itervalues():
for tag in tags:
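Review bot: `utils.temp_filename(mode=0o644)` makes the tag file world-readable in the shared temp directory, which is broader than the "readable by the dak-unpriv user/group" goal in the commit message. The content is only a list of lintian tag names, so nothing leaks, but since the new helper also takes a group, `utils.temp_filename(mode=0o640, group=cnf.unprivgroup)` (if `cnf` is in scope here, as the next hunk suggests) keeps it limited to the two users. The enclosing method starts before this hunk.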
@@ -575,8 +575,10 @@ class LintianCheck(Check):
changespath = os.path.join(upload.directory, changes.filename)
try:
- # FIXME: no shell
- cmd = "lintian --show-overrides --tags-from-file {0} {1}".format(temp_filename, changespath)
+ if cnf.unpribgroup:
+ cmd = "sudo -H -u {0} -- /usr/bin/lintian --show-overrides --tags-from-file {1} {2}".format(cnf.unprivgroup, temp_filename, changespath)
+ else:
+ cmd = "/usr/bin/lintian --show-overrides --tags-from-file {0} {1}".format(temp_filename, changespath)
result, output = commands.getstatusoutput(cmd)
finally:
os.unlink(temp_filename)
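Review bot: The `# FIXME: no shell` comment is removed but the command still goes through a shell via commands.getstatusoutput, and `changespath` is built from the uploaded .changes filename, so shell metacharacters in an upload's filename are interpreted — now with sudo in front of them. Separately, `cnf.unpribgroup` is a typo that raises AttributeError, so the sudo branch is never reached as written, and `sudo -u` expects a user name while the config key holds a group name (it only works because the commit message says the user and group share the name; a comment should say so). Building an argument list and running it with subprocess avoids the shell; `subprocess` must be imported if the module does not already do so, and `returncode` is a plain exit code rather than getstatusoutput's wait status, so any comparison of `result` after this hunk needs adjusting. The enclosing method continues outside the hunk.
```python
            cmd = ['/usr/bin/lintian', '--show-overrides', '--tags-from-file', temp_filename, changespath]
            if cnf.unprivgroup:
                # unprivgroup is used as the *user* name here; the user and group share the name
                cmd = ['sudo', '-H', '-u', cnf.unprivgroup, '--'] + cmd
            proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
            output = proc.communicate()[0]
            result = proc.returncode
```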
diff --git a/daklib/config.py b/daklib/config.py
old mode 100644
new mode 100755
index 51b7931..c79582c
--- a/daklib/config.py
+++ b/daklib/config.py
@@ -119,7 +119,8 @@ class Config(object):
"""
for field in [('db_revision', None, int),
('defaultsuitename', 'unstable', str),
- ('exportpath', '', str)
+ ('exportpath', '', str),
+ ('unprivgroup', None, str)
]:
setattr(self, 'get_%s' % field[0], lambda s=None, x=field[0], y=field[1], z=field[2]: self.get_db_value(x, y, z))
setattr(Config, '%s' % field[0], property(fget=getattr(self, 'get_%s' % field[0])))
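Review bot: The new `('unprivgroup', None, str)` entry carries no explanation of what the value is used for, and the rest of the patch uses it as both a sudo user name (checks.py) and a chgrp target (archive.py/utils.py), which only works if the user and group share the name. A comment above the list such as `# unprivgroup: name of the unprivileged user AND group lintian runs as and that upload copies are chgrp'ed to; None disables both` would document that contract. How get_db_value treats a None default with the `str` type is not visible here; if it coerces through `str()`, the value becomes the truthy string 'None' and the `if cnf.unprivgroup` checks downstream would misfire — worth confirming. The enclosing method continues outside the hunk.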
@@ -133,4 +134,3 @@ class Config(object):
return get_suite(suitename)
defaultsuite = property(get_defaultsuite)
-
diff --git a/daklib/utils.py b/daklib/utils.py
old mode 100644
new mode 100755
index 377d191..93f4c0d
--- a/daklib/utils.py
+++ b/daklib/utils.py
@@ -1441,7 +1441,7 @@ def clean_symlink (src, dest, root):
################################################################################
-def temp_filename(directory=None, prefix="dak", suffix=""):
+def temp_filename(directory=None, prefix="dak", suffix="", mode=None, group=None):
"""
Return a secure and unique filename by pre-creating it.
If 'directory' is non-null, it will be the directory the file is pre-created in.
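Review bot: The signature gains `mode` and `group` but the docstring that follows is unchanged and does not mention either. Add a sentence such as "If 'mode' is non-null the file is chmod'ed to it after creation; if 'group' is non-null it is chgrp'ed to that group (the fd is returned open, so callers may write before or after)." The docstring continues into the next hunk.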
@@ -1451,11 +1451,16 @@ def temp_filename(directory=None, prefix="dak", suffix=""):
Returns a pair (fd, name).
"""
- return tempfile.mkstemp(suffix, prefix, directory)
+ (tfd, tfname) = tempfile.mkstemp(suffix, prefix, directory)
+ if mode:
+ os.chmod(tfname, mode)
+ if group:
+ os.chown(tfname, -1, group)
+ return (tfd, tfname)
################################################################################
-def temp_dirname(parent=None, prefix="dak", suffix=""):
+def temp_dirname(parent=None, prefix="dak", suffix="", mode=None, group=None):
"""
Return a secure and unique directory by pre-creating it.
If 'parent' is non-null, it will be the directory the directory is pre-created in.
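Review bot: `os.chown(tfname, -1, group)` requires a numeric gid, but the value flowing in from Config is the group *name* ('dak-unpriv' as inserted by update86), so the chown raises TypeError; resolve names with `grp.getgrnam` (stdlib, needs `import grp`). The chmod and chown also operate on the path after mkstemp returned an open fd; using `os.fchmod`/`os.fchown` on `tfd` acts on the file that was actually created and avoids any path race in a shared temp directory. The same name-to-gid conversion is needed in temp_dirname, whose body continues in the next hunk.
```python
    (tfd, tfname) = tempfile.mkstemp(suffix, prefix, directory)
    if mode:
        os.fchmod(tfd, mode)
    if group:
        # accept a gid or a group name
        gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
        os.fchown(tfd, -1, gid)
    return (tfd, tfname)
```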
@@ -1465,7 +1470,12 @@ def temp_dirname(parent=None, prefix="dak", suffix=""):
Returns a pathname to the new directory
"""
- return tempfile.mkdtemp(suffix, prefix, parent)
+ (tfd, tfname) = tempfile.mkdtemp(suffix, prefix, parent)
+ if mode:
+ os.chmod(tfname, mode)
+ if group:
+ os.chown(tfname, -1, group)
+ return (tfd, tfname)
################################################################################
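Review bot: `(tfd, tfname) = tempfile.mkdtemp(suffix, prefix, parent)` unpacks a single path string into two names, which raises ValueError for any path longer than two characters, and the function now returns a tuple although its docstring still says it returns a pathname and the pre-patch callers expect one. Keep the path as the sole return: `tfname = tempfile.mkdtemp(suffix, prefix, parent)` and `return tfname`. As in temp_filename, `group` arrives as a name from Config, so os.chown needs it resolved to a gid first (`grp.getgrnam(group).gr_gid`). The enclosing function starts in the previous hunk.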
--
1.7.2.5