[dak/master] show-new: run lintian as unprivileged user
As dak/examine_package.py is also used by process-new we cannot run
lintian unconditionally as the unprivileged user. Therefore move the
Unpriv{User,Group} setting from the database to a (group-specific)
dak.conf.
---
config/debian/dak.conf | 1 +
config/debian/dak.conf-dak | 4 ++++
dak/examine_package.py | 23 +++++++++++++++++------
dak/process_new.py | 4 +++-
dak/show_new.py | 6 +++++-
daklib/archive.py | 3 ++-
daklib/checks.py | 13 ++++++++-----
daklib/config.py | 1 -
daklib/policy.py | 15 ++++++++++++---
9 files changed, 52 insertions(+), 18 deletions(-)
create mode 100644 config/debian/dak.conf-dak
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 593960c..6eef711 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -379,6 +379,7 @@ Generate-Releases
}
ByGroup {
+ dak "/srv/ftp-master.debian.org/dak/config/debian/dak.conf-dak";
ftpteam "";
backports "/srv/ftp-master.debian.org/dak/config/debian/dak.conf-backports";
};
diff --git a/config/debian/dak.conf-dak b/config/debian/dak.conf-dak
new file mode 100644
index 0000000..c46b0a2
--- /dev/null
+++ b/config/debian/dak.conf-dak
@@ -0,0 +1,4 @@
+Dinstall {
+ UnprivUser "dak-unpriv";
+ UnprivGroup "dak-unpriv";
+};
diff --git a/dak/examine_package.py b/dak/examine_package.py
index fe83919..7c00578 100755
--- a/dak/examine_package.py
+++ b/dak/examine_package.py
@@ -60,6 +60,7 @@ import commands
import threading
from daklib import utils
+from daklib.config import Config
from daklib.dbconn import DBConn, get_component_by_package_suite
from daklib.gpg import SignedFile
from daklib.regexes import html_escaping, re_html_escaping, re_version, re_spacestrip, \
@@ -77,7 +78,7 @@ printed.copyrights = {}
package_relations = {} #: Store relations of packages for later output
# default is to not output html.
-use_html = 0
+use_html = False
################################################################################
@@ -446,7 +447,7 @@ def output_deb_info(suite, filename, packagename, session = None):
to_print += " "+format_field(key,field_value)+'\n'
return to_print
-def do_command (command, filename, escaped=0):
+def do_command (command, filename, escaped=False):
o = os.popen("%s %s" % (command, filename))
if escaped:
return escaped_text(o.read())
@@ -454,10 +455,20 @@ def do_command (command, filename, escaped=0):
return formatted_text(o.read())
def do_lintian (filename):
+ cnf = Config()
+ cmd = []
+
+ user = cnf.get('Dinstall::UnprivUser') or None
+ if user is not None:
+ cmd.extend(['sudo', '-H', '-u', user])
+
+ color = 'always'
if use_html:
- return do_command("lintian --show-overrides --color html", filename, 1)
- else:
- return do_command("lintian --show-overrides --color always", filename, 1)
+ color = 'html'
+
+ cmd.extend(['lintian', '--show-overrides', '--color', color])
+
+ return do_command(' '.join(cmd), filename, escaped=True)
def get_copyright (deb_filename):
global printed
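Review bot: The argument list built in do_lintian is flattened again with `' '.join(cmd)`, and do_command then interpolates `filename` unquoted into an `os.popen` shell string, so the configured user name and the package path are still parsed by a shell before sudo and lintian see them. This path presumably handles uploads that have not been reviewed yet, so either run the command without a shell or quote every element: `return do_command(' '.join(pipes.quote(a) for a in cmd), pipes.quote(filename), escaped=True)` (needs `import pipes`, which is not among the imports visible here). The same join-to-string pattern is added in daklib/checks.py before `commands.getstatusoutput`, where `temp_filename` and `changespath` are interpolated the same way. get_copyright, which follows, is outside the scope of this note.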
@@ -604,7 +615,7 @@ def main ():
if Options["Html-Output"]:
global use_html
- use_html = 1
+ use_html = True
stdout_fd = sys.stdout
diff --git a/dak/process_new.py b/dak/process_new.py
index 61eb8ec..d1e5802 100755
--- a/dak/process_new.py
+++ b/dak/process_new.py
@@ -662,6 +662,8 @@ def do_pkg(upload, session):
dsc = upload.source
cnf = Config()
+ group = cnf.get('Dinstall::UnprivGroup') or None
+
#bcc = "X-DAK: dak process-new"
#if cnf.has_key("Dinstall::Bcc"):
# u.Subst["__BCC__"] = bcc + "\nBcc: %s" % (cnf["Dinstall::Bcc"])
@@ -670,7 +672,7 @@ def do_pkg(upload, session):
try:
with lock_package(upload.changes.source):
- with UploadCopy(upload) as upload_copy:
+ with UploadCopy(upload, group=group) as upload_copy:
handler = PolicyQueueUploadHandler(upload, session)
if handler.get_action() is not None:
print "PENDING %s\n" % handler.get_action()
diff --git a/dak/show_new.py b/dak/show_new.py
index f45ffe9..89d2e82 100755
--- a/dak/show_new.py
+++ b/dak/show_new.py
@@ -153,6 +153,8 @@ def html_footer():
def do_pkg(upload_id):
+ cnf = Config()
+
session = DBConn().session()
upload = session.query(PolicyQueueUpload).filter_by(id=upload_id).one()
@@ -178,8 +180,10 @@ def do_pkg(upload_id):
htmlfiles_to_process.append(htmlfile)
sources.append(htmlname)
+ group = cnf.get('Dinstall::UnprivGroup') or None
+
with open(htmlfile, 'w') as outfile:
- with policy.UploadCopy(upload) as upload_copy:
+ with policy.UploadCopy(upload, group=group) as upload_copy:
handler = policy.PolicyQueueUploadHandler(upload, session)
missing = [ (o['type'], o['package']) for o in handler.missing_overrides() ]
distribution = changes.distribution
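Review bot: The copy is made group-readable based on `Dinstall::UnprivGroup`, while do_lintian in dak/examine_package.py decides whether to use sudo based on `Dinstall::UnprivUser`, and nothing visible ties the two settings together. If only UnprivUser is set, UploadCopy falls back to a 0700 directory with symlinks, which lintian running as the other user presumably cannot read. If only UnprivGroup is set, the files are opened to that group without lintian dropping privileges. A guard next to the `group = ...` line would make the misconfiguration fail loudly: `user = cnf.get('Dinstall::UnprivUser') or None` followed by `if (user is None) != (group is None): raise Exception("Dinstall::UnprivUser and Dinstall::UnprivGroup must be set together")`. The same applies to do_pkg in dak/process_new.py; do_pkg's body continues outside this hunk.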
diff --git a/daklib/archive.py b/daklib/archive.py
index bb9b051..6d3d334 100644
--- a/daklib/archive.py
+++ b/daklib/archive.py
@@ -636,8 +636,9 @@ class ArchiveUpload(object):
cnf = Config()
session = self.transaction.session
+ group = cnf.get('Dinstall::UnprivGroup') or None
self.directory = utils.temp_dirname(parent=cnf.get('Dir::TempPath'),
- mode=0o2750, group=cnf.unprivgroup)
+ mode=0o2750, group=group)
with FilesystemTransaction() as fs:
src = os.path.join(self.original_directory, self.original_changes.filename)
dst = os.path.join(self.directory, self.original_changes.filename)
diff --git a/daklib/checks.py b/daklib/checks.py
index 3a6c782..664bca3 100644
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -638,11 +638,14 @@ class LintianCheck(Check):
changespath = os.path.join(upload.directory, changes.filename)
try:
- if cnf.unprivgroup:
- cmd = "sudo -H -u {0} -- /usr/bin/lintian --show-overrides --tags-from-file {1} {2}".format(cnf.unprivgroup, temp_filename, changespath)
- else:
- cmd = "/usr/bin/lintian --show-overrides --tags-from-file {0} {1}".format(temp_filename, changespath)
- result, output = commands.getstatusoutput(cmd)
+ cmd = []
+
+ user = cnf.get('Dinstall::UnprivUser') or None
+ if user is not None:
+ cmd.extend(['sudo', '-H', '-u', user])
+
+ cmd.extend(['/usr/bin/lintian', '--show-overrides', '--tags-from-file', temp_filename, changespath])
+ result, output = commands.getstatusoutput(" ".join(cmd))
finally:
os.unlink(temp_filename)
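Review bot: The rewritten sudo prefix drops the `--` that the removed line placed between sudo's options and the command, so option parsing is no longer explicitly terminated before `/usr/bin/lintian`. Keeping it costs nothing: `cmd.extend(['sudo', '-H', '-u', user, '--'])`. do_lintian in dak/examine_package.py builds the same prefix without `--` and also calls `lintian` by bare name rather than `/usr/bin/lintian`, which leaves the binary lookup to PATH; using the absolute path in both places would keep the two call sites consistent. The enclosing method starts outside this hunk.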
diff --git a/daklib/config.py b/daklib/config.py
index 339604a..8eb45e2 100755
--- a/daklib/config.py
+++ b/daklib/config.py
@@ -134,7 +134,6 @@ class Config(object):
for field in [('db_revision', None, int),
('defaultsuitename', 'unstable', str),
('exportpath', '', str),
- ('unprivgroup', None, str),
('use_extfiles', None, int)
]:
setattr(self, 'get_%s' % field[0], lambda s=None, x=field[0], y=field[1], z=field[2]: self.get_db_value(x, y, z))
diff --git a/daklib/policy.py b/daklib/policy.py
index 41c9c1f..cdff56a 100644
--- a/daklib/policy.py
+++ b/daklib/policy.py
@@ -39,7 +39,7 @@ class UploadCopy(object):
given by the C{directory} attribute. The copy will be removed on leaving
the with-block.
"""
- def __init__(self, upload):
+ def __init__(self, upload, group=None):
"""initializer
@type upload: L{daklib.dbconn.PolicyQueueUpload}
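Review bot: The new `group` parameter is not described in the initializer docstring, which documents `upload` in epydoc style. Add `@type group: str or None` and `@param group: group passed to utils.temp_dirname for the temporary copy; when set, the directory is created with mode 2750 and files are copied instead of symlinked`. The docstring continues past the end of this hunk.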
@@ -48,6 +48,7 @@ class UploadCopy(object):
self.directory = None
self.upload = upload
+ self.group = group
def export(self, directory, mode=None, symlink=True, ignore_existing=False):
"""export a copy of the upload
@@ -97,9 +98,17 @@ class UploadCopy(object):
def __enter__(self):
assert self.directory is None
+ mode = 0o0700
+ symlink = True
+ if self.group is not None:
+ mode = 0o2750
+ symlink = False
+
cnf = Config()
- self.directory = tempfile.mkdtemp(dir=cnf.get('Dir::TempPath'))
- self.export(self.directory, symlink=True)
+ self.directory = utils.temp_dirname(parent=cnf.get('Dir::TempPath'),
+ mode=mode,
+ group=self.group)
+ self.export(self.directory, symlink=symlink)
return self
def __exit__(self, *args):
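Review bot: If `self.export()` raises inside `__enter__`, the directory created by `utils.temp_dirname` is left behind, because `__exit__` is not invoked when `__enter__` fails. With a group set, the export now copies files instead of symlinking them, so a failed export can leave a group-readable partial copy of the upload under `Dir::TempPath`. Removing the directory before re-raising closes that gap. The class docstring says the copy is removed on leaving the with-block, so `__exit__` is presumably the right cleanup hook, but its body is outside this hunk and should be checked.

```python
        # … unchanged: mode/symlink selection and utils.temp_dirname call …
        try:
            self.export(self.directory, symlink=symlink)
        except BaseException:
            # __exit__ is not called when __enter__ raises; clean up here
            self.__exit__(None, None, None)
            raise
        return self
```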
--
1.7.2.5