show-new: run lintian as unprivileged user
authorAnsgar Burchardt <ansgar@debian.org>
Sun, 6 Jan 2013 12:44:51 +0000 (13:44 +0100)
committerAnsgar Burchardt <ansgar@debian.org>
Sun, 6 Jan 2013 12:44:51 +0000 (13:44 +0100)
As dak/examine_package.py is also used by process-new we cannot run
lintian unconditionally as the unprivileged user. Therefore move the
Unpriv{User,Group} setting from the database to a (group-specific)
dak.conf.

config/debian/dak.conf
config/debian/dak.conf-dak [new file with mode: 0644]
dak/examine_package.py
dak/process_new.py
dak/show_new.py
daklib/archive.py
daklib/checks.py
daklib/config.py
daklib/policy.py

index 593960c662f90aac54eea413b3c9b52a93af4861..6eef7119cc389f8a555c52ce9d58b4203a809543 100644 (file)
@@ -379,6 +379,7 @@ Generate-Releases
 }
 
 ByGroup {
+  dak "/srv/ftp-master.debian.org/dak/config/debian/dak.conf-dak";
   ftpteam "";
   backports "/srv/ftp-master.debian.org/dak/config/debian/dak.conf-backports";
 };
diff --git a/config/debian/dak.conf-dak b/config/debian/dak.conf-dak
new file mode 100644 (file)
index 0000000..c46b0a2
--- /dev/null
@@ -0,0 +1,4 @@
+Dinstall {
+  UnprivUser "dak-unpriv";
+  UnprivGroup "dak-unpriv";
+};
index fe83919ea8bccd7ab7cf27ab37fffa3be9ae4a08..7c005783f9a46cff048b24e5eb52e1436050930a 100755 (executable)
@@ -60,6 +60,7 @@ import commands
 import threading
 
 from daklib import utils
+from daklib.config import Config
 from daklib.dbconn import DBConn, get_component_by_package_suite
 from daklib.gpg import SignedFile
 from daklib.regexes import html_escaping, re_html_escaping, re_version, re_spacestrip, \
@@ -77,7 +78,7 @@ printed.copyrights = {}
 package_relations = {}           #: Store relations of packages for later output
 
 # default is to not output html.
-use_html = 0
+use_html = False
 
 ################################################################################
 
@@ -446,7 +447,7 @@ def output_deb_info(suite, filename, packagename, session = None):
         to_print += " "+format_field(key,field_value)+'\n'
     return to_print
 
-def do_command (command, filename, escaped=0):
+def do_command (command, filename, escaped=False):
     o = os.popen("%s %s" % (command, filename))
     if escaped:
         return escaped_text(o.read())
@@ -454,10 +455,20 @@ def do_command (command, filename, escaped=0):
         return formatted_text(o.read())
 
 def do_lintian (filename):
+    cnf = Config()
+    cmd = []
+
+    user = cnf.get('Dinstall::UnprivUser') or None
+    if user is not None:
+        cmd.extend(['sudo', '-H', '-u', user])
+
+    color = 'always'
     if use_html:
-        return do_command("lintian --show-overrides --color html", filename, 1)
-    else:
-        return do_command("lintian --show-overrides --color always", filename, 1)
+        color = 'html'
+
+    cmd.extend(['lintian', '--show-overrides', '--color', color])
+
+    return do_command(' '.join(cmd), filename, escaped=True)
 
 def get_copyright (deb_filename):
     global printed
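Review bot: The argument list built in do_lintian is flattened with `' '.join(cmd)` and then interpolated by do_command into `os.popen("%s %s" % (command, filename))`, so the configured user name and the package file name are still parsed by a shell, now in a command line that can begin with sudo. Building a list only helps if it reaches the process as an argv, so either run it through subprocess without a shell or quote every element and the file name, e.g. `' '.join(pipes.quote(c) for c in cmd)`. The same join-then-shell pattern appears in the LintianCheck hunk of daklib/checks.py (`commands.getstatusoutput(" ".join(cmd))`). do_command has other callers that are not visible here, so a change to it would need checking against them.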
@@ -604,7 +615,7 @@ def main ():
 
     if Options["Html-Output"]:
         global use_html
-        use_html = 1
+        use_html = True
 
     stdout_fd = sys.stdout
 
index 61eb8ec9f67de76335a3dc8dbca63f827e4f01d3..d1e5802161d575c32e00337fa7005cc7d794a2ae 100755 (executable)
@@ -662,6 +662,8 @@ def do_pkg(upload, session):
     dsc = upload.source
 
     cnf = Config()
+    group = cnf.get('Dinstall::UnprivGroup') or None
+
     #bcc = "X-DAK: dak process-new"
     #if cnf.has_key("Dinstall::Bcc"):
     #    u.Subst["__BCC__"] = bcc + "\nBcc: %s" % (cnf["Dinstall::Bcc"])
@@ -670,7 +672,7 @@ def do_pkg(upload, session):
 
     try:
       with lock_package(upload.changes.source):
-       with UploadCopy(upload) as upload_copy:
+       with UploadCopy(upload, group=group) as upload_copy:
         handler = PolicyQueueUploadHandler(upload, session)
         if handler.get_action() is not None:
             print "PENDING %s\n" % handler.get_action()
index f45ffe9d622616b8767f5d683e40e5bb5e4842df..89d2e82c98b080e11eba9063c27c5f899cbdbc96 100755 (executable)
@@ -153,6 +153,8 @@ def html_footer():
 
 
 def do_pkg(upload_id):
+    cnf = Config()
+
     session = DBConn().session()
     upload = session.query(PolicyQueueUpload).filter_by(id=upload_id).one()
 
@@ -178,8 +180,10 @@ def do_pkg(upload_id):
     htmlfiles_to_process.append(htmlfile)
     sources.append(htmlname)
 
+    group = cnf.get('Dinstall::UnprivGroup') or None
+
     with open(htmlfile, 'w') as outfile:
-      with policy.UploadCopy(upload) as upload_copy:
+      with policy.UploadCopy(upload, group=group) as upload_copy:
         handler = policy.PolicyQueueUploadHandler(upload, session)
         missing = [ (o['type'], o['package']) for o in handler.missing_overrides() ]
         distribution = changes.distribution
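Review bot: The copy's group is read from `Dinstall::UnprivGroup` here, while do_lintian in dak/examine_package.py decides whether to use sudo from `Dinstall::UnprivUser`, and nothing visible checks that the two are set together. If only UnprivUser is configured, UploadCopy falls back to a 0o0700 directory with symlinks, and lintian running as the other user presumably cannot read the upload. A check where the settings are read, or at least a comment such as `# UnprivGroup must be set whenever UnprivUser is, or lintian cannot read the copy`, would make the dependency explicit. The same two lines are added to do_pkg in dak/process_new.py, and do_pkg continues outside this hunk.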
index bb9b051a3f05077d734237192fd21bb2945ccddb..6d3d334e8f1cf981a0b1997a39194db1c1057374 100644 (file)
@@ -636,8 +636,9 @@ class ArchiveUpload(object):
         cnf = Config()
         session = self.transaction.session
 
+        group = cnf.get('Dinstall::UnprivGroup') or None
         self.directory = utils.temp_dirname(parent=cnf.get('Dir::TempPath'),
-                                            mode=0o2750, group=cnf.unprivgroup)
+                                            mode=0o2750, group=group)
         with FilesystemTransaction() as fs:
             src = os.path.join(self.original_directory, self.original_changes.filename)
             dst = os.path.join(self.directory, self.original_changes.filename)
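Review bot: `mode=0o2750` is passed to utils.temp_dirname even when `group` ends up None, whereas UploadCopy.__enter__ in daklib/policy.py switches to 0o0700 in that case. Unless temp_dirname handles a missing group itself, the directory is then setgid and group-readable for whatever group the process runs as when no unprivileged group is configured. Consider `mode = 0o2750 if group is not None else 0o0700` ahead of the call, matching the policy.py logic. The enclosing method starts and ends outside this hunk.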
index 3a6c78244224cbfab2696d386a6bb4f01a7723fc..664bca3e1c966a28d3ea2c7fd3b0708ff8b794ac 100644 (file)
@@ -638,11 +638,14 @@ class LintianCheck(Check):
 
         changespath = os.path.join(upload.directory, changes.filename)
         try:
-            if cnf.unprivgroup:
-                cmd = "sudo -H -u {0} -- /usr/bin/lintian --show-overrides --tags-from-file {1} {2}".format(cnf.unprivgroup, temp_filename, changespath)
-            else:
-                cmd = "/usr/bin/lintian --show-overrides --tags-from-file {0} {1}".format(temp_filename, changespath)
-            result, output = commands.getstatusoutput(cmd)
+            cmd = []
+
+            user = cnf.get('Dinstall::UnprivUser') or None
+            if user is not None:
+                cmd.extend(['sudo', '-H', '-u', user])
+
+            cmd.extend(['/usr/bin/lintian', '--show-overrides', '--tags-from-file', temp_filename, changespath])
+            result, output = commands.getstatusoutput(" ".join(cmd))
         finally:
             os.unlink(temp_filename)
 
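Review bot: The rewritten command no longer puts `--` between the sudo options and the program, which the removed line had (`sudo -H -u {0} -- /usr/bin/lintian`). Keeping it ends sudo's option parsing explicitly, so a configured value can never be read as a further option: `cmd.extend(['sudo', '-H', '-u', user, '--'])`. do_lintian in dak/examine_package.py builds its sudo prefix the same way and also calls `lintian` by bare name rather than `/usr/bin/lintian`. The enclosing method starts outside this hunk.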
index 339604a1a60f275fda8c10954ecb3f1dde33792d..8eb45e20fa2e3f0e432efefd57aa649d3cf0c6d9 100755 (executable)
@@ -134,7 +134,6 @@ class Config(object):
         for field in [('db_revision',      None,       int),
                       ('defaultsuitename', 'unstable', str),
                       ('exportpath',       '',         str),
-                      ('unprivgroup',      None,       str),
                       ('use_extfiles',     None,       int)
                       ]:
             setattr(self, 'get_%s' % field[0], lambda s=None, x=field[0], y=field[1], z=field[2]: self.get_db_value(x, y, z))
index 41c9c1fe2a1d6e4aa17c688c07f988a436a1f3b8..cdff56a7e0fe2a306b58b41fe3db7c922d4d36f4 100644 (file)
@@ -39,7 +39,7 @@ class UploadCopy(object):
     given by the C{directory} attribute.  The copy will be removed on leaving
     the with-block.
     """
-    def __init__(self, upload):
+    def __init__(self, upload, group=None):
         """initializer
 
         @type  upload: L{daklib.dbconn.PolicyQueueUpload}
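Review bot: The new `group` parameter is not described in the initializer's docstring, which in this hunk documents only `upload`. Add a `@type group` line (presumably `str` or `None`, as the callers pass `cnf.get('Dinstall::UnprivGroup') or None`) and a `@param group` line saying that the temporary copy is made accessible to that group and that None keeps it private to the current user. The docstring continues past the end of this hunk.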
@@ -48,6 +48,7 @@ class UploadCopy(object):
 
         self.directory = None
         self.upload = upload
+        self.group = group
 
     def export(self, directory, mode=None, symlink=True, ignore_existing=False):
         """export a copy of the upload
@@ -97,9 +98,17 @@ class UploadCopy(object):
     def __enter__(self):
         assert self.directory is None
 
+        mode = 0o0700
+        symlink = True
+        if self.group is not None:
+            mode = 0o2750
+            symlink = False
+
         cnf = Config()
-        self.directory = tempfile.mkdtemp(dir=cnf.get('Dir::TempPath'))
-        self.export(self.directory, symlink=True)
+        self.directory = utils.temp_dirname(parent=cnf.get('Dir::TempPath'),
+                                            mode=mode,
+                                            group=self.group)
+        self.export(self.directory, symlink=symlink)
         return self
 
     def __exit__(self, *args):
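Review bot: Nothing at the `if self.group is not None:` branch in __enter__ says why a group switches the directory to 0o2750 and turns symlinks off, and both choices are access-control decisions a later editor could undo by accident. A short comment would record the intent, e.g. `# group given: setgid, group-readable directory holding real copies, so group members need no access to the symlink targets`, adjusted if the actual reason differs. The 0o0700 default deserves a matching note that the copy stays private when no group is configured.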