
Re: SSO support for buildd.d.o / writing to wanna-build from www-data



On Sun, 04 Aug 2019, Philipp Kern wrote:

> On 8/3/2019 10:06 PM, Philipp Kern wrote:
> > I was pondering to offer a way to give-back packages to regular
> > developers using SSO. Could you please add wuiet to the list of sso_rp
> > machines?

Sure, please make a ticket.

> > Secondly I wonder what the best way to write to wanna-build would be.
> > There are at least these options:
> > 
> > A) Add a www-data user to our database and provision a .pgpass for it.
> > B) Have a way to run a CGI script as wbadm.
> > C) Have some kind of RPC mechanism to the wbadm user, probably over Unix
> > domain sockets.
> > 
> > Of the three I'd probably prefer B because it is then also easy to write
> > to a log file who did what and I don't need to re-run validation, which
> > would be necessary for C. But I'm not sure if B is even a possibility.
> > And it's likely that I'm missing some obvious other options here.
> > 
> > The script is going to be a short Python script calling out to
> > wanna-build after doing a bunch of validation (like ensuring that all
> > parameters are effectively ^[a-z0-9-+.]+$ as well as some data checks).
> > 
> > Do you have a preference and/or would mind making one of them work?
> 
> The more I think about it the easier the suexec approach (B) seems to
> be. There is not a lot of attack surface here in my book. I also don't
> intend to use any kind of web framework with unknown attack surfaces,
> but just plain old CGI.
> 
> It should also be fine to perform these actions as wbadm, as long as
> there's a lookaside log as to who triggered the operation. A separate
> user would also need the equivalent of full write access because of
> wanna-build's very permissive permission model. (Oh how everything would
> be easier if there were a separate RPC server in between.)

suexec is a pain.  It requires things live in /var/www for one, and it
doesn't get any nicer after that.

The way to run your scripts as a specific user is to make them an
application server (as in django, pylons, or anything really).  If
you're doing python, then the wsgi interface is the thing to use.

Then apache can easily launch your wsgi thing as a specific user and
voila.

We would probably prefer that user to not be wbadm but something like
wbadm-web that has its own directories and only the pg access that it
really needs.

Cheers,
-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
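
An added sketch of the pieces discussed in this thread, not code from either poster or from the Debian project: a plain WSGI callable that validates every parameter against the quoted character class, writes a lookaside log entry naming the requester, and only then calls out. The parameter names, the use of REMOTE_USER for the SSO identity, and the give_back callable are assumptions made for the illustration.

```python
import logging
import re
from urllib.parse import parse_qs

# Same character class as the thread's ^[a-z0-9-+.]+$, but applied with
# fullmatch(): in Python "$" also matches just before a trailing "\n".
SAFE = re.compile(r"[a-z0-9+.-]+")
FIELDS = ("package", "dist", "arch")  # hypothetical parameter names
audit = logging.getLogger("giveback.audit")  # lookaside log: who did what


def validate(form):
    """Return {field: value}; every field must appear exactly once."""
    clean = {}
    for name in FIELDS:
        values = form.get(name, [])
        if len(values) != 1 or not SAFE.fullmatch(values[0]):
            raise ValueError("bad or missing parameter: " + name)
        clean[name] = values[0]
    return clean


def make_app(give_back):
    """give_back(package, dist, arch) stands in for the real call-out."""
    def app(environ, start_response):
        def reply(status, text):
            start_response(status, [("Content-Type", "text/plain")])
            return [text.encode()]

        user = environ.get("REMOTE_USER")  # assumed to be set by the SSO layer
        if not user:
            return reply("401 Unauthorized", "SSO login required\n")
        if environ.get("REQUEST_METHOD") != "POST":
            return reply("405 Method Not Allowed", "POST only\n")
        try:
            size = int(environ.get("CONTENT_LENGTH") or 0)
            if not 0 <= size <= 4096:
                raise ValueError("unreasonable body size")
            body = environ["wsgi.input"].read(size).decode("ascii")
            args = validate(parse_qs(body, keep_blank_values=True))
        except ValueError as exc:  # also covers UnicodeDecodeError
            audit.warning("rejected user=%r reason=%s", user, exc)
            return reply("400 Bad Request", "invalid request\n")
        audit.info("give-back user=%r args=%r", user, args)  # log, then act
        give_back(**args)
        return reply("200 OK", "queued\n")
    return app
```

With mod_wsgi, the account such an application runs under is chosen with the user= option of WSGIDaemonProcess, which is where a dedicated low-privilege account would be named.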

