Date: Tue, 29 Jan 2013 04:03:15 +0000 (UTC) From: Mark Linimon <linimon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r246056 - projects/portbuild/admin/tools Message-ID: <201301290403.r0T43FDG045034@svn.freebsd.org>
Author: linimon (doc,ports committer) Date: Tue Jan 29 04:03:15 2013 New Revision: 246056 URL: http://svnweb.freebsd.org/changeset/base/246056 Log: Rework this to have two users instead of one: portbuild and additionally srcbuild. srcbuild will have the tasks of base installation, vcs updates, and setup for apache, crontabs, and etc/rc.d scripts. This is a new requirement for security reasons, so that the portbuild user cannot either own or affect any of these functions. srcbuild trusts root and portbuild trusts srcbuild but srcbuild must not trust portbuild. The separation is still a WIP. Modified: projects/portbuild/admin/tools/mkportbuild Modified: projects/portbuild/admin/tools/mkportbuild ==============================================================================
--- projects/portbuild/admin/tools/mkportbuild Tue Jan 29 03:41:10 2013 (r246055)
+++ projects/portbuild/admin/tools/mkportbuild Tue Jan 29 04:03:15 2013 (r246056)
@@ -7,6 +7,7 @@
 #
 
 DEFAULT_PORTBUILD_USER="portbuild"
+DEFAULT_SRCBUILD_USER="srcbuild"
 DEFAULT_VCS_CHECKOUT_COMMAND="svn checkout"
 DEFAULT_VCS_REPOSITORY="svn://svn.FreeBSD.org"
 DEFAULT_ZFS_VOLUME="a"
@@ -21,6 +22,10 @@ if [ -z "${PORTBUILD_USER}" ]; then
 echo "You must export PORTBUILD_USER, for example, export PORTBUILD_USER=${DEFAULT_PORTBUILD_USER}."
 exit 1
 fi
+if [ -z "${SRCBUILD_USER}" ]; then
+ echo "You must export SRCBUILD_USER, for example, export SRCBUILD_USER=${DEFAULT_SRCBUILD_USER}."
+ exit 1
+fi
 if [ -z "${VCS_CHECKOUT_COMMAND}" ]; then
 VCS_CHECKOUT_COMMAND="${DEFAULT_VCS_CHECKOUT_COMMAND}"
 fi
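Review bot: The added SRCBUILD_USER check only rejects an empty value, so exporting the same account for both SRCBUILD_USER and PORTBUILD_USER passes and silently removes the separation the log message asks for. A guard right after the new `fi` would close that, for example `if [ "${SRCBUILD_USER}" = "${PORTBUILD_USER}" ]; then echo "SRCBUILD_USER and PORTBUILD_USER must be different accounts." >&2; exit 1; fi`. Nothing visible in this hunk confirms that either account exists, so an `id "${SRCBUILD_USER}"` check before the later `zfs allow` calls may also be worth adding.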
@@ -52,37 +57,55 @@ if [ -z "${name}" ]; then
 exit 1
 fi
 
-mountpoint=`zfs list -H -t filesystem -o mountpoint ${ZFS_VOLUME}`
-if [ ! -z "${mountpoint}" ]; then
+mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}`
+if [ ! -z "${mounted}" ]; then
 echo "ZFS volume ${ZFS_VOLUME} is mounted. I'll unmount it for you then remount it later."
- zfs umount ${ZFS_VOLUME} || exit 1
+ zfs umount ${ZFS_VOLUME} 2> /dev/null
+fi
+
+# create a place to hold all portbuild-managed files. All other ZFS_VOLUME
+# files are managed by srcbuild.
+if [ ! -d ${ZFS_MOUNTPOINT}/portbuild ]; then
+ zfs create ${ZFS_VOLUME}/portbuild || exit 1
 fi
 
-# reset the "zfsadmin" permission set if it already exists.
-zfs unallow -s @zfsadmin ${ZFS_VOLUME} 2> /dev/null
+# reset the "zfsalladmin" permission set if it already exists.
+zfs unallow -s @zfsalladmin ${ZFS_VOLUME} 2> /dev/null
+zfs unallow -u ${SRCBUILD_USER} ${ZFS_VOLUME} 2> /dev/null
+
+# reset the "zfsportbuildadmin" permission set if it already exists.
+zfs unallow -s @zfsportbuildadmin ${ZFS_VOLUME} 2> /dev/null
 zfs unallow -u ${PORTBUILD_USER} ${ZFS_VOLUME} 2> /dev/null
 
-# create the "zfsadmin" permission set.
-zfs allow -s @zfsadmin ${ZFS_PERMISSIONSET} ${ZFS_VOLUME} || exit 1
+# create the "zfsalladmin" permission set.
+zfs allow -s @zfsalladmin ${ZFS_PERMISSIONSET} ${ZFS_VOLUME} || exit 1
 
-# delegate the "zfsadmin" permission set to the PORTBUILD_USER.
-zfs allow -du ${PORTBUILD_USER} @zfsadmin ${ZFS_VOLUME} || exit 1
-zfs allow -lu ${PORTBUILD_USER} @zfsadmin ${ZFS_VOLUME} || exit 1
+# create the "zfsportbuildadmin" permission set.
+zfs allow -s @zfsportbuildadmin ${ZFS_PERMISSIONSET} ${ZFS_VOLUME}/portbuild || exit 1
 
-echo "results of ZFS operations:"
-zfs list ${ZFS_VOLUME}
-zfs allow ${ZFS_VOLUME}
+# delegate the "zfsalladmin" permission set to the SRCBUILD_USER.
+zfs allow -du ${SRCBUILD_USER} @zfsalladmin ${ZFS_VOLUME} || exit 1
+zfs allow -lu ${SRCBUILD_USER} @zfsalladmin ${ZFS_VOLUME} || exit 1
 
-chown ${PORTBUILD_USER}:${PORTBUILD_USER} ${ZFS_MOUNTPOINT} || exit 1
-mountpoint=`zfs list -H -t filesystem -o mountpoint ${ZFS_VOLUME}`
-if [ -z "${mountpoint}" ]; then
+mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}`
+if [ -z "${mounted}" -o "${mounted}" = "no" ]; then
 echo "ZFS volume ${ZFS_VOLUME} is not mounted. I'll remount it for you."
- su -m ${PORTBUILD_USER} -c "zfs mount ${ZFS_VOLUME}" || exit 1
+ zfs mount ${ZFS_VOLUME} || exit 1
 fi
 
-# create a place to hold the repository
-if [ ! -d ${ZFS_MOUNTPOINT}/portbuild ]; then
- su -m ${PORTBUILD_USER} -c "zfs create ${ZFS_VOLUME}/portbuild" || exit 1
+df -g
+
+# delegate the "zfsportbuildadmin" permission set to the PORTBUILD_USER.
+zfs allow -du ${PORTBUILD_USER} @zfsportbuildadmin ${ZFS_VOLUME}/portbuild || exit 1
+
+echo "results of ZFS operations:"
+zfs list ${ZFS_VOLUME}
+zfs allow ${ZFS_VOLUME}
+
+mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}/portbuild`
+if [ -z "${mounted}" -o "${mounted}" = "no" ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/portbuild is not mounted. I'll (re)mount it for you."
+ zfs mount ${ZFS_VOLUME}/portbuild || exit 1
 fi
 
 echo "checking out the repository ..."
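Review bot: The reset of `@zfsportbuildadmin` runs against `${ZFS_VOLUME}`, but the set is created on and delegated at `${ZFS_VOLUME}/portbuild`, so on a re-run the set on the child dataset is never cleared; the unchanged `zfs unallow -u ${PORTBUILD_USER}` line has the same parent-only target. Because `zfs allow -s` adds to an existing set, a later run with a narrower ZFS_PERMISSIONSET would presumably leave the old permissions delegated to portbuild, and `2> /dev/null` hides any failure of the reset. Suggest adding `zfs unallow -s @zfsportbuildadmin ${ZFS_VOLUME}/portbuild 2> /dev/null` and `zfs unallow -u ${PORTBUILD_USER} ${ZFS_VOLUME}/portbuild 2> /dev/null` next to the existing resets. Separately, the first `if [ ! -z "${mounted}" ]` is true for both `yes` and `no`, so `[ "${mounted}" = "yes" ]` would match the two later checks, and with `|| exit 1` dropped from `zfs umount` a failed unmount now goes unnoticed.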