authorJoe Rayhawk <jrayhawk@omgwallhack.org>2019-10-28 16:13:26 -0700
committerJoe Rayhawk <jrayhawk@omgwallhack.org>2019-10-28 16:13:26 -0700
commitbd830ff672d992254361a9c0d0b412ab74eca79a (patch)
tree4ad40c74d9353891fb5b80403a78071963964759
parentff6c62dcb4b5f323172788d1d90c3c3492651da9 (diff)
downloadpiny-code-bd830ff672d992254361a9c0d0b412ab74eca79a.tar.gz
piny-code-bd830ff672d992254361a9c0d0b412ab74eca79a.zip
libpiny: repo: add hooks check and backwards-compatibly delete more configs on destroy()
-rw-r--r--libpiny/lib/Piny/Repo.pm44
1 files changed, 38 insertions, 6 deletions
diff --git a/libpiny/lib/Piny/Repo.pm b/libpiny/lib/Piny/Repo.pm
index 4d3a4d3..67aeed1 100644
--- a/libpiny/lib/Piny/Repo.pm
+++ b/libpiny/lib/Piny/Repo.pm
@@ -231,7 +231,7 @@ sub rebuild {
if( POSIX::access( $s->path, &POSIX::W_OK ) ){
$s->rebuild_git;
} else {
- warn "Read-only git repository detected. Skipping git rebuild.";
+ warn "Unwritable git repository. Skipping git rebuild.";
};
$s->rebuild_apache;
@@ -317,11 +317,31 @@ sub rebuild_git {
chown( 0, 0, $s->path ) or die "Could not change ownership of " . $s->path;
chmod( 00755, $s->path ) or die "Could not change mode of " . $s->path;
+ chown( 0, 0, $s->path . "/hooks" ) or die "Could not change ownership of " . $s->path . "/hooks";
+ chmod( 00755, $s->path . "/hooks" ) or die "Could not change mode of " . $s->path . "/hooks";
+
foreach( "config", "description", "git-daemon-export-ok" ) {
chown( 0, 0, $s->path . "/" . $_ ) or die "Could not change ownership of $_!";
chmod( 00644, $s->path . "/" . $_ ) or die "Could not change mode of $_!";
};
+ # FIXME: most of these are probably unnecessary to check due to limitations of bare repositories.
+ foreach( "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit", "prepare-commit-msg", "commit-msg", "post-commit", "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive", "update", "post-receive", "post-update", "push-to-checkout", "pre-auto-gc", "post-rewrite", "sendemail-validate", "fsmonitor-watchman" ) {
+ local $link = $s->path . "/hooks/" . $_;
+ while ( -s $link; ) {
+ $link = readlink( $link );
+ };
+ local ( $dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks ) = stat( $link ) or next;
+ local $name = getpwuid( $uid ) or die "Unable to find name for uid" . $uid . "for hook " . $s->path . "/hooks/" . $_ . "\n";
+ local $group = getgrgid( $gid ) or die "Unable to find group for gid" . $gid . "for hook " . $s->path . "/hooks/" . $_ . "\n";
+ unless ( $name =~ /^(root|iki-$s->shortname)/ ); ) {
+ warn( "Security warning: $link is not owned by user root or iki-$s->shortname!\n" );
+ };
+ unless ( $group =~ /^(root|iki-$s->shortname|git-$s->shortname)$/ ); ) {
+ warn( "Security warning: $link is not owned by group root, iki-$s->shortname, or git-$s->shortname!\n" );
+ };
+ };
+
$s->clear_config;
$s->config->save;
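Review bot: The hook check added at `while ( -s $link; )` never examines an ordinary hook file: `-s` tests for a non-empty file rather than a symlink (`-l`), so `readlink` returns undef for any real hook, the following `stat` of undef fails and `or next` silently skips it — and both `-s $link;` and `unless ( ... ); )` are syntax errors as written, so this block will not compile at all. The ownership patterns `/^(root|iki-$s->shortname)/` cannot match either, because a method call is not interpolated in a double-quoted string or regex (only `$s` is, followed by the literal `->shortname`, unless the object overloads stringification), the user pattern lacks a `$` anchor, and `local` on these undeclared variables will fail if the file is under `use strict` (not visible here). Since `stat` already follows a symlink chain (including relative targets, which the readlink loop would resolve against the wrong directory), the loop can simply be dropped. The rewrite below precomputes the short name, anchors and quotes both patterns, restores the missing spaces in the die messages, and uses the otherwise-unused mode bits to flag group/world-writable hooks; these remain warnings rather than a refusal to rebuild, which may be intentional. rebuild_git begins and ends outside the hunk.
```perl
# FIXME: most of these are probably unnecessary to check due to limitations of bare repositories.
my $short = $s->shortname;
foreach my $hook ( "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit", "prepare-commit-msg", "commit-msg", "post-commit", "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive", "update", "post-receive", "post-update", "push-to-checkout", "pre-auto-gc", "post-rewrite", "sendemail-validate", "fsmonitor-watchman" ) {
    my $path = $s->path . "/hooks/" . $hook;
    # stat() follows the whole symlink chain itself; a missing hook is skipped.
    my ( $mode, $uid, $gid ) = ( stat( $path ) )[2, 4, 5] or next;
    my $name  = getpwuid( $uid ) or die "Unable to find name for uid $uid for hook $path\n";
    my $group = getgrgid( $gid ) or die "Unable to find group for gid $gid for hook $path\n";
    unless ( $name =~ /^(?:root|\Qiki-$short\E)$/ ) {
        warn( "Security warning: $path is not owned by user root or iki-$short!\n" );
    };
    unless ( $group =~ /^(?:root|\Qiki-$short\E|\Qgit-$short\E)$/ ) {
        warn( "Security warning: $path is not owned by group root, iki-$short, or git-$short!\n" );
    };
    if ( $mode & 022 ) {
        warn( "Security warning: $path is group- or world-writable!\n" );
    };
};
```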
@@ -387,7 +407,7 @@ sub rebuild_ikiwiki {
system( "/usr/bin/sudo", "-H", "-u", $ikiuser->name, "/usr/bin/git", "clone", "--quiet", $s->path, $s->ikiwiki_srcdir ) and die "Could not clone repo to ikiwiki srcdir!";
};
- open( WIKILIST, ">", "/etc/ikiwiki/wikilist.d/" . $s->name . ".conf" ) or die "Could not create wikilist.d file: $!";
+ open( WIKILIST, ">", "/etc/ikiwiki/wikilist.d/" . $s->name ) or die "Could not create wikilist.d file: $!";
print WIKILIST $ikiuser->name . " /etc/ikiwiki/piny/" . $s->name . ".setup\n";
close( WIKILIST ) or die "Could not close wikilist.d file: $!";
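Review bot: The open on the `+` line now writes `wikilist.d/NAME` but leaves any `wikilist.d/NAME.conf` written by the previous layout in place, so a wiki created before this commit and rebuilt after it is listed twice until destroy() runs; unlink the legacy path first, e.g. `unlink( "/etc/ikiwiki/wikilist.d/" . $s->name . ".conf" );` immediately before the open (a missing file is fine there). `WIKILIST` is also a bareword package-global filehandle; `open( my $wikilist, ">", ... )` keeps it scoped to this sub. Whether `$s->name` is validated against path separators before being used to build a path under /etc is not visible here; rebuild_ikiwiki begins and ends outside the hunk.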
@@ -432,7 +452,14 @@ sub destroy_git {
sub destroy_apache {
my ( $s ) = @_;
- foreach( "/etc/apache2/piny/global/" . $s->name, "/etc/apache2/piny/secure/" . $s->name, "/etc/apache2/piny/www/" . $s->name, ) {
+ foreach(
+ "/etc/apache2/piny/global/" . $s->name,
+ "/etc/apache2/piny/global/" . $s->name . ".conf",
+ "/etc/apache2/piny/secure/" . $s->name,
+ "/etc/apache2/piny/secure/" . $s->name . ".conf",
+ "/etc/apache2/piny/www/" . $s->name,
+ "/etc/apache2/piny/www/" . $s->name . ".conf",
+ ) {
if ( -e $_ ) {
unlink( $_ );
};
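Review bot: `unlink( $_ )` inside the `-e` branch is unchecked, so a removal that fails (for example on EPERM) leaves the Apache config live while destroy_apache reports nothing, unlike the `or die` pattern used elsewhere in this file; `unlink( $_ ) or die "Could not remove $_: $!";` would surface it. destroy_apache ends outside the hunk.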
@@ -448,9 +475,14 @@ sub destroy_ikiwiki {
my $user = Piny::Environment->instance->user;
- if ( -e "/etc/ikiwiki/wikilist.d/" . $s->name ) {
- unlink( "/etc/ikiwiki/wikilist.d/" . $s->name );
- $s->rebuild_wikilist;
+ foreach(
+ "/etc/ikiwiki/wikilist.d/" . $s->name,
+ "/etc/ikiwiki/wikilist.d/" . $s->name . ".conf"
+ ) {
+ if ( -e $_ ) {
+ unlink( $_ );
+ $s->rebuild_wikilist;
+ };
};
foreach( $s->secure_path, $s->config->piny_ikiwikidestdir . $s->name, $s->config->piny_ikiwikisecurepath . "read/" . $s->name, $s->ikiwiki_destdir, $s->ikiwiki_srcdir, "/etc/ikiwiki/piny/" . $s->name . ".setup" ) {
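Review bot: `$s->rebuild_wikilist` sits inside the new loop, so for a repo created before this commit and destroyed after it — where both `NAME` and `NAME.conf` exist — it runs twice, and because `unlink( $_ )` is unchecked it also runs when the removal failed and the entry is still on disk. Counting successful removals in the loop and rebuilding once afterwards, dying on a failed unlink as the rest of this file does, avoids both. destroy_ikiwiki ends outside the hunk.
```perl
my $removed = 0;
foreach(
    "/etc/ikiwiki/wikilist.d/" . $s->name,
    "/etc/ikiwiki/wikilist.d/" . $s->name . ".conf"
) {
    if ( -e $_ ) {
        unlink( $_ ) or die "Could not remove $_: $!";
        $removed++;
    };
};
$s->rebuild_wikilist if $removed;
# … unchanged: removal of secure_path, destdir, srcdir and setup file …
```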