diff options
-rw-r--r-- | libpiny/lib/Piny/Repo.pm | 44 |
1 files changed, 38 insertions, 6 deletions
diff --git a/libpiny/lib/Piny/Repo.pm b/libpiny/lib/Piny/Repo.pm index 4d3a4d3..67aeed1 100644 --- a/libpiny/lib/Piny/Repo.pm +++ b/libpiny/lib/Piny/Repo.pm @@ -231,7 +231,7 @@ sub rebuild { if( POSIX::access( $s->path, &POSIX::W_OK ) ){ $s->rebuild_git; } else { - warn "Read-only git repository detected. Skipping git rebuild."; + warn "Unwritable git repository. Skipping git rebuild."; }; $s->rebuild_apache; @@ -317,11 +317,31 @@ sub rebuild_git { chown( 0, 0, $s->path ) or die "Could not change ownership of " . $s->path; chmod( 00755, $s->path ) or die "Could not change mode of " . $s->path; + chown( 0, 0, $s->path . "/hooks" ) or die "Could not change ownership of " . $s->path . "/hooks"; + chmod( 00755, $s->path . "/hooks" ) or die "Could not change mode of " . $s->path . "/hooks"; + foreach( "config", "description", "git-daemon-export-ok" ) { chown( 0, 0, $s->path . "/" . $_ ) or die "Could not change ownership of $_!"; chmod( 00644, $s->path . "/" . $_ ) or die "Could not change mode of $_!"; }; + # FIXME: most of these are probably unnecessary to check due to limitations of bare repositories. + foreach( "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit", "prepare-commit-msg", "commit-msg", "post-commit", "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive", "update", "post-receive", "post-update", "push-to-checkout", "pre-auto-gc", "post-rewrite", "sendemail-validate", "fsmonitor-watchman" ) { + local $link = $s->path . "/hooks/" . $_; + while ( -s $link; ) { + $link = readlink( $link ); + }; + local ( $dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks ) = stat( $link ) or next; + local $name = getpwuid( $uid ) or die "Unable to find name for uid" . $uid . "for hook " . $s->path . "/hooks/" . $_ . "\n"; + local $group = getgrgid( $gid ) or die "Unable to find group for gid" . $gid . "for hook " . $s->path . "/hooks/" . $_ . "\n"; + unless ( $name =~ /^(root|iki-$s->shortname)/ ); ) { + warn( "Security warning: $link is not owned by user root or iki-$s->shortname!\n" ); + }; + unless ( $group =~ /^(root|iki-$s->shortname|git-$s->shortname)$/ ); ) { + warn( "Security warning: $link is not owned by group root, iki-$s->shortname, or git-$s->shortname!\n" ); + }; + }; + $s->clear_config; $s->config->save; @@ -387,7 +407,7 @@ sub rebuild_ikiwiki { system( "/usr/bin/sudo", "-H", "-u", $ikiuser->name, "/usr/bin/git", "clone", "--quiet", $s->path, $s->ikiwiki_srcdir ) and die "Could not clone repo to ikiwiki srcdir!"; }; - open( WIKILIST, ">", "/etc/ikiwiki/wikilist.d/" . $s->name . ".conf" ) or die "Could not create wikilist.d file: $!"; + open( WIKILIST, ">", "/etc/ikiwiki/wikilist.d/" . $s->name ) or die "Could not create wikilist.d file: $!"; print WIKILIST $ikiuser->name . " /etc/ikiwiki/piny/" . $s->name . ".setup\n"; close( WIKILIST ) or die "Could not close wikilist.d file: $!"; @@ -432,7 +452,14 @@ sub destroy_git { sub destroy_apache { my ( $s ) = @_; - foreach( "/etc/apache2/piny/global/" . $s->name, "/etc/apache2/piny/secure/" . $s->name, "/etc/apache2/piny/www/" . $s->name, ) { + foreach( + "/etc/apache2/piny/global/" . $s->name, + "/etc/apache2/piny/global/" . $s->name . ".conf", + "/etc/apache2/piny/secure/" . $s->name, + "/etc/apache2/piny/secure/" . $s->name . ".conf", + "/etc/apache2/piny/www/" . $s->name, + "/etc/apache2/piny/www/" . $s->name . ".conf", + ) { if ( -e $_ ) { unlink( $_ ); }; @@ -448,9 +475,14 @@ sub destroy_ikiwiki { my $user = Piny::Environment->instance->user; - if ( -e "/etc/ikiwiki/wikilist.d/" . $s->name ) { - unlink( "/etc/ikiwiki/wikilist.d/" . $s->name ); - $s->rebuild_wikilist; + foreach( + "/etc/ikiwiki/wikilist.d/" . $s->name, + "/etc/ikiwiki/wikilist.d/" . $s->name . ".conf" + ) { + if ( -e $_ ) { + unlink( $_ ); + $s->rebuild_wikilist; + }; }; foreach( $s->secure_path, $s->config->piny_ikiwikidestdir . $s->name, $s->config->piny_ikiwikisecurepath . "read/" . $s->name, $s->ikiwiki_destdir, $s->ikiwiki_srcdir, "/etc/ikiwiki/piny/" . $s->name . ".setup" ) { |