
Re: SSO support for buildd.d.o / writing to wanna-build from www-data



On 8/3/2019 10:06 PM, Philipp Kern wrote:
> I was pondering to offer a way to give-back packages to regular
> developers using SSO. Could you please add wuiet to the list of sso_rp
> machines?
> 
> Secondly I wonder what the best way to write to wanna-build would be.
> There are at least these options:
> 
> A) Add a www-data user to our database and provision a .pgpass for it.
> B) Have a way to run a CGI script as wbadm.
> C) Have some kind of RPC mechanism to the wbadm user, probably over Unix
> domain sockets.
> 
> Of the three I'd probably prefer B because it is then also easy to write
> to a log file who did what and I don't need to re-run validation, which
> would be necessary for C. But I'm not sure if B is even a possibility.
> And it's likely that I'm missing some obvious other options here.
> 
> The script is going to be a short Python script calling out to
> wanna-build after doing a bunch of validation (like ensuring that all
> parameters are effectively ^[a-z0-9-+.]+$ as well as some data checks).
> 
> Do you have a preference and/or would mind making one of them work?

The more I think about it the easier the suexec approach (B) seems to
be. There is not a lot of attack surface here in my book. I also don't
intend to use any kind of web framework with unknown attack surfaces,
but just plain old CGI.

It should also be fine to perform these actions as wbadm, as long as
there's a lookaside log as to who triggered the operation. A separate
user would also need the equivalent of full write access because of
wanna-build's very permissive permission model. (Oh how everything would
be easier if there were a separate RPC server in between.)

Kind regards
Philipp Kern
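
The validation and lookaside log discussed in this mail, sketched as an added example; it is not part of the original message and not the code that was deployed. Assumptions: the SSO layer sets `REMOTE_USER`, the parameter names are hypothetical, and the wanna-build option names should be checked against the installed tool.

```python
import re

# Same character class as the pattern quoted in the mail, with '-' moved
# last so it can never be read as a range.
SAFE = re.compile(r"[a-z0-9+.-]+")
FIELDS = ("package", "version", "architecture", "distribution")  # hypothetical names


def validate(name, value):
    # fullmatch, not match with '^...$': in Python '$' also matches just
    # before a trailing newline, so "sid\n" would otherwise be accepted.
    if not isinstance(value, str) or not SAFE.fullmatch(value):
        raise ValueError(f"{name}: only [a-z0-9+.-] is allowed")
    # '-' is in the class, so a value could still be parsed as an option.
    if value.startswith("-"):
        raise ValueError(f"{name}: must not start with '-'")
    return value


def build_request(environ, params):
    """Return (argv, audit_line) for a give-back, or raise ValueError."""
    user = environ.get("REMOTE_USER", "")  # assumption: set by the SSO layer
    if not user:
        raise ValueError("no authenticated user")
    pkg, ver, arch, dist = (validate(f, params.get(f)) for f in FIELDS)
    # argv list, never a shell string. Option names are an assumption.
    argv = ["wanna-build", "-A", arch, "-d", dist, "--give-back", f"{pkg}_{ver}"]
    # repr() keeps control characters in the identity out of the log line.
    audit = f"user={user!r} action=give-back target={pkg}_{ver} arch={arch} dist={dist}"
    return argv, audit


if __name__ == "__main__":
    # Constructed sample request.
    sample = {"package": "hello", "version": "2.10-2",
              "architecture": "amd64", "distribution": "sid"}
    argv, audit = build_request({"REMOTE_USER": "alice@debian.org"}, sample)
    print(audit)
    print(argv)  # hand to subprocess.run(argv, check=True) as wbadm
```

The audit line should be written before the command runs, so a failed give-back still leaves a record of who asked for it.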

