summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEli Schwartz <eschwartz@archlinux.org>2017-07-25 05:31:19 +0200
committerLukas Fleischer <lfleischer@archlinux.org>2017-07-25 20:12:11 +0200
commitc5302d3a33028f483cc2e01225226d4ae047dd4a (patch)
tree9bc9895223019903b52124bca4b7c8c608f246cf
parent243fb92273de1c8bf5c938a62cb06bd198c97c4c (diff)
downloadaur-c5302d3a33028f483cc2e01225226d4ae047dd4a.tar.gz
aur-c5302d3a33028f483cc2e01225226d4ae047dd4a.tar.xz
Require TUs to explicitly request to overwrite a pkgbase
AUR_PRIVILEGED allows people with privileged AUR accounts to evade the block on non-fast-forward commits. While valid in this case, we should not do so by default, since in at least one case a TU did this without realizing there was an existing package. ( https://aur.archlinux.org/packages/rtmidi/ ) Switch to using allow_overwrite to check for destructive actions. Use .ssh/config "SendEnv" on the TU's side and and sshd_config "AcceptEnv" in the AUR server to specifically request overwrite access. TUs should use: `AUR_OVERWRITE=1 git push --force` Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-rw-r--r--INSTALL1
-rwxr-xr-xaurweb/git/auth.py2
-rwxr-xr-xaurweb/git/update.py3
-rw-r--r--doc/git-interface.txt6
4 files changed, 11 insertions, 1 deletions
diff --git a/INSTALL b/INSTALL
index 8c9c4dd1..369e1e3f 100644
--- a/INSTALL
+++ b/INSTALL
@@ -76,6 +76,7 @@ read the instructions below.
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
AuthorizedKeysCommandUser aur
+ AcceptEnv AUR_OVERWRITE
9) If you want to enable smart HTTP support with nginx and fcgiwrap, you can
use the following directives:
diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py
index 022b0fff..d02390da 100755
--- a/aurweb/git/auth.py
+++ b/aurweb/git/auth.py
@@ -1,5 +1,6 @@
#!/usr/bin/python3
+import os
import shlex
import re
import sys
@@ -52,6 +53,7 @@ def main():
env_vars = {
'AUR_USER': user,
'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
+ 'AUR_OVERWRITE' : os.environ.get('AUR_OVERWRITE', '0') if account_type > 1 else '0',
}
key = keytype + ' ' + keytext
diff --git a/aurweb/git/update.py b/aurweb/git/update.py
index c9a98d07..16fa2b07 100755
--- a/aurweb/git/update.py
+++ b/aurweb/git/update.py
@@ -238,6 +238,7 @@ def main():
user = os.environ.get("AUR_USER")
pkgbase = os.environ.get("AUR_PKGBASE")
privileged = (os.environ.get("AUR_PRIVILEGED", '0') == '1')
+ allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1')
warn_or_die = warn if privileged else die
if len(sys.argv) == 2 and sys.argv[1] == "restore":
@@ -258,7 +259,7 @@ def main():
conn = aurweb.db.Connection()
# Detect and deny non-fast-forwards.
- if sha1_old != "0" * 40 and not privileged:
+ if sha1_old != "0" * 40 and not allow_overwrite:
walker = repo.walk(sha1_old, pygit2.GIT_SORT_TOPOLOGICAL)
walker.hide(sha1_new)
if next(walker, None) is not None:
diff --git a/doc/git-interface.txt b/doc/git-interface.txt
index 77585126..f9409612 100644
--- a/doc/git-interface.txt
+++ b/doc/git-interface.txt
@@ -33,6 +33,11 @@ users cannot access anything on the server except for the aurweb SSH interface.
The forced command can be configured in the aurweb configuration file and it
usually points to the git-serve program.
+If SSH has been configured to pass on the AUR_OVERWRITE environment variable
+(via SendEnv, see ssh_config(5) for details) and the user's account is a
+registered Trusted User or Developer, this will be passed on to the git-update
+program in order to enable a non-fast-forward push.
+
The INSTALL file in the top-level directory contains detailed instructions on
how to configure sshd(8) to use git-auth for authentication.
@@ -67,6 +72,7 @@ The Git update hook, called git-update, performs several subtasks:
* Prevent from creating branches or tags other than master.
* Deny non-fast-forwards, except for Trusted Users and Developers.
+* Deny blacklisted packages, except for Trusted Users and Developers.
* Verify each new commit (validate meta data, impose file size limits, ...)
* Update package base information and package information in the database.
* Update the named branch and the namespaced HEAD ref of the package.