From bf9117309d68da492fbcbfa465449d2fe14d8d95 Mon Sep 17 00:00:00 2001 From: "Kyle J. McKay" Date: Fri, 5 Dec 2014 13:13:27 -0800 Subject: [PATCH] environment: make the reproducible environment available via shlib use Make the reproducible enviornment (with a controlled HOME dir) available simply by running shlib.sh. In most cases this would already have been set either via taskd.pl or jobd.pl or git-http-backend-verify or by the git() function, but just to make sure, move the settings outside any function so that any scripts that might be run by hand end up with the same environment as those run automatically. While we're moving things around, also make the $chroot/etc/girocco directory have no write permissions (after creating the contained .gitconfig with write permissions for $mirror_owner). This prevents any foreign vcs "helpers" from leaving turds behind. --- bin/git-http-backend-verify | 9 --------- jailsetup.sh | 2 ++ shlib.sh | 18 ++++++++++-------- 3 files changed, 12 insertions(+), 17 deletions(-) diff --git a/bin/git-http-backend-verify b/bin/git-http-backend-verify index 1d0a08d..14a535c 100755 --- a/bin/git-http-backend-verify +++ b/bin/git-http-backend-verify @@ -16,15 +16,6 @@ set -e . @basedir@/shlib.sh -GIT_CONFIG_NOSYSTEM=1 -GIT_ATTR_NOSYSTEM=1 -XDG_CONFIG_HOME="$cfg_chroot/var/empty" -HOME="$cfg_chroot/etc/girocco" -export GIT_CONFIG_NOSYSTEM -export GIT_ATTR_NOSYSTEM -export XDG_CONFIG_HOME -export HOME - [ -z "$GIT_HTTP_BACKEND_BIN" ] || cfg_git_http_backend_bin="$GIT_HTTP_BACKEND_BIN" [ -n "$cfg_git_http_backend_bin" ] || cfg_git_http_backend_bin=/usr/lib/git-core/git-http-backend diff --git a/jailsetup.sh b/jailsetup.sh index cceaa86..cad77b8 100755 --- a/jailsetup.sh +++ b/jailsetup.sh @@ -130,6 +130,8 @@ chmod g+w etc/passwd etc/group || echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files" chmod go-w etc/passwd etc/girocco etc/girocco/.gitconfig || echo "WARNING: Cannot chmod go-w etc/girocco and/or etc/girocco/.gitconfig" +chmod a-w etc/girocco || + echo "WARNING: Cannot chmod a-w etc/girocco" chmod -R g+w etc/sshkeys etc/sshcerts etc/sshactive 2>/dev/null || echo "WARNING: Cannot chmod g+w the sshkeys, sshcerts and/or sshactive files" diff --git a/shlib.sh b/shlib.sh index 6c4a8b0..e594023 100644 --- a/shlib.sh +++ b/shlib.sh @@ -38,6 +38,16 @@ else . "@basedir@/shlib_vars.sh" fi +# Make sure we have a reproducible environment by using a controlled HOME dir +XDG_CONFIG_HOME="$cfg_chroot/var/empty" +HOME="$cfg_chroot/etc/girocco" +GIT_CONFIG_NOSYSTEM=1 +GIT_ATTR_NOSYSTEM=1 +export XDG_CONFIG_HOME +export HOME +export GIT_CONFIG_NOSYSTEM +export GIT_ATTR_NOSYSTEM + # We cannot use a git() {} or nc_openbsd() {} function to redirect git # and nc_openbsd to the desired executables because when using # "ENV_VAR=xxx func" the various /bin/sh implementations behave in various @@ -65,14 +75,6 @@ git() ( [ "${GIT_SSL_NO_VERIFY+set}" = "set" ] && export GIT_SSL_NO_VERIFY [ "${GIT_TRACE_PACKET+set}" = "set" ] && export GIT_TRACE_PACKET [ "${GIT_USER_AGENT+set}" = "set" ] && export GIT_USER_AGENT - XDG_CONFIG_HOME="$cfg_chroot/var/empty" - HOME="$cfg_chroot/etc/girocco" - GIT_CONFIG_NOSYSTEM=1 - GIT_ATTR_NOSYSTEM=1 - export XDG_CONFIG_HOME - export HOME - export GIT_CONFIG_NOSYSTEM - export GIT_ATTR_NOSYSTEM exec "$cfg_git_bin" "$@" ) -- 2.11.4.GIT