-rwxr-xr-x | builddebs | 8 | ||||
-rw-r--r-- | libpiny/debian/changelog | 6 | ||||
-rw-r--r-- | libpiny/debian/control | 2 | ||||
-rw-r--r-- | piny/debian/changelog | 6 | ||||
-rw-r--r-- | piny/debian/control | 3 | ||||
-rw-r--r-- | pinyadmin/debian/changelog | 6 | ||||
-rw-r--r-- | pinyadmin/debian/control | 2 | ||||
-rw-r--r-- | pinyconfigs/debian/changelog | 6 | ||||
-rw-r--r-- | pinyconfigs/debian/control | 2 | ||||
-rw-r--r-- | pinyweb/Makefile | 7 | ||||
-rw-r--r-- | pinyweb/debian/changelog | 6 | ||||
-rw-r--r-- | pinyweb/debian/control | 6 | ||||
-rw-r--r-- | pinyweb/suid/Makefile | 5 | ||||
-rw-r--r-- | pinyweb/suid/piny-suid.c | 121 |
14 files changed, 178 insertions, 8 deletions
@@ -20,6 +20,14 @@ if [ "$SIGN" == "y" ]; then SIGNARGS=""; else SIGNARGS="-uc -us"; fi for SOURCE in libpiny piny pinyweb pinyadmin pinyconfigs; do (cd "$SOURCE"; debuild $SIGNARGS -tc "$@"); done +if which lintian > /dev/null 2> /dev/null; then + echo + echo -n "Run lintian on packages? (Y/n) " + read -n 1 LINTIAN + echo + if [ "$LINTIAN" != "n" ]; then for CHANGES in *.changes; do echo "$CHANGES"; lintian -I --suppress-tags dir-or-file-in-srv "$CHANGES"; done; fi +fi + echo echo -n "Install packages on this machine? (y/N) " read -n 1 INSTALL diff --git a/libpiny/debian/changelog b/libpiny/debian/changelog index e97c2fe..1fe34bb 100644 --- a/libpiny/debian/changelog +++ b/libpiny/debian/changelog @@ -1,3 +1,9 @@ +libpiny-perl (0.15) unstable; urgency=low + + * Increment standards version. + + -- Julian Blake Kongslie <jblake@omgwallhack.org> Mon, 27 Dec 2010 14:03:13 -0800 + libpiny-perl (0.14) unstable; urgency=low * Support rebuilding a repo's config. diff --git a/libpiny/debian/control b/libpiny/debian/control index df9816f..d066800 100644 --- a/libpiny/debian/control +++ b/libpiny/debian/control @@ -4,7 +4,7 @@ Section: perl Build-depends: debhelper (>= 7) Priority: extra Homepage: http://www.piny.be/piny-code/ -Standards-version: 3.8.4 +Standards-version: 3.9.1 Package: libpiny-perl Architecture: all diff --git a/piny/debian/changelog b/piny/debian/changelog index a2f8a36..c79e3bb 100644 --- a/piny/debian/changelog +++ b/piny/debian/changelog @@ -1,3 +1,9 @@ +piny (0.4) unstable; urgency=low + + * Increment standards version; fix depends. + + -- Julian Blake Kongslie <jblake@omgwallhack.org> Mon, 27 Dec 2010 14:03:24 -0800 + piny (0.3) unstable; urgency=low * Initial release of non-equivs version. diff --git a/piny/debian/control b/piny/debian/control index 5bc9988..b48d72f 100644 --- a/piny/debian/control +++ b/piny/debian/control 
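Review bot: The loop `for CHANGES in *.changes` in the builddebs hunk lints every .changes file in the directory, including leftovers from earlier builds, and passes the literal pattern to lintian when nothing matches. Consider `[ -e "$CHANGES" ] || continue` as the first statement of the loop body, and `command -v lintian` in place of `which lintian` for the availability check. The script continues outside the hunk.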
@@ -2,8 +2,9 @@ Source: piny Maintainer: Julian Blake Kongslie <jblake@omgwallhack.org> Section: admin Priority: extra +Build-depends: debhelper (>= 7) Homepage: http://www.piny.be/piny-code/ -Standards-Version: 3.8.4 +Standards-Version: 3.9.1 Package: piny Architecture: all diff --git a/pinyadmin/debian/changelog b/pinyadmin/debian/changelog index f1c139f..f0f9031 100644 --- a/pinyadmin/debian/changelog +++ b/pinyadmin/debian/changelog @@ -1,3 +1,9 @@ +pinyadmin (0.10) unstable; urgency=low + + * Standards version. + + -- Julian Blake Kongslie <jblake@omgwallhack.org> Mon, 27 Dec 2010 14:03:51 -0800 + pinyadmin (0.9) unstable; urgency=low * Batchmode support in newuser. diff --git a/pinyadmin/debian/control b/pinyadmin/debian/control index b38b225..126b57c 100644 --- a/pinyadmin/debian/control +++ b/pinyadmin/debian/control @@ -4,7 +4,7 @@ Section: admin Build-depends: debhelper (>= 7), texlive-extra-utils Priority: extra Homepage: http://www.piny.be/piny-code/ -Standards-version: 3.8.4 +Standards-version: 3.9.1 Package: pinyadmin Architecture: all diff --git a/pinyconfigs/debian/changelog b/pinyconfigs/debian/changelog index e34f3f8..038fb49 100644 --- a/pinyconfigs/debian/changelog +++ b/pinyconfigs/debian/changelog @@ -1,3 +1,9 @@ +pinyconfigs (0.2) unstable; urgency=low + + * Standards version. + + -- Julian Blake Kongslie <jblake@omgwallhack.org> Mon, 27 Dec 2010 14:04:00 -0800 + pinyconfigs (0.1) unstable; urgency=low * Initial release. diff --git a/pinyconfigs/debian/control b/pinyconfigs/debian/control index fe1c839..1af1c86 100644 --- a/pinyconfigs/debian/control +++ b/pinyconfigs/debian/control @@ -4,7 +4,7 @@ Section: admin Build-depends: debhelper (>= 7) Priority: extra Homepage: http://www.piny.be/piny-code/ -Standards-version: 3.8.4 +Standards-version: 3.9.1 Package: pinyconfigs Architecture: all diff --git a/pinyweb/Makefile b/pinyweb/Makefile index 5b1f010..622f24c 100644 --- a/pinyweb/Makefile +++ b/pinyweb/Makefile 
@@ -1,5 +1,10 @@ build: + $(MAKE) -C suid install: - install -o root -g root -m 755 -d $(DESTDIR)/usr/lib/cgi-bin + install -o root -g root -m 755 -d $(DESTDIR)/usr/lib/cgi-bin $(DESTDIR)/usr/sbin install -o root -g root -m 755 cgi-bin/* $(DESTDIR)/usr/lib/cgi-bin + install -o root -g www-data -m 4754 suid/piny-suid $(DESTDIR)/usr/sbin + +clean: + $(MAKE) -C suid clean diff --git a/pinyweb/debian/changelog b/pinyweb/debian/changelog index e8e9f8d..2b34122 100644 --- a/pinyweb/debian/changelog +++ b/pinyweb/debian/changelog @@ -1,3 +1,9 @@ +pinyweb (0.2) unstable; urgency=low + + * Adding a setuid wrapper. + + -- Julian Blake Kongslie <jblake@omgwallhack.org> Mon, 27 Dec 2010 13:48:40 -0800 + pinyweb (0.1) unstable; urgency=low * Initial release. diff --git a/pinyweb/debian/control b/pinyweb/debian/control index 6abae90..1a1d795 100644 --- a/pinyweb/debian/control +++ b/pinyweb/debian/control @@ -4,11 +4,11 @@ Section: admin Build-depends: debhelper (>= 7) Priority: extra Homepage: http://www.piny.be/piny-code/ -Standards-version: 3.8.4 +Standards-version: 3.9.1 Package: pinyweb -Architecture: all -Depends: ${perl:Depends}, ${misc:Depends}, libpiny-perl (>= 0.14) +Architecture: any +Depends: ${perl:Depends}, ${misc:Depends}, ${shlibs:Depends}, libpiny-perl (>= 0.14) Description: CGIs for managing piny repositories The CGI programs for day-to-day administrative tasks in the Piny infrastructure. diff --git a/pinyweb/suid/Makefile b/pinyweb/suid/Makefile new file mode 100644 index 0000000..6d67058 --- /dev/null +++ b/pinyweb/suid/Makefile @@ -0,0 +1,5 @@ +piny-suid: piny-suid.c + gcc -Wall -Werror -Os -o $@ $< + +clean: + rm -f piny-suid diff --git a/pinyweb/suid/piny-suid.c b/pinyweb/suid/piny-suid.c new file mode 100644 index 0000000..251e3e1 --- /dev/null +++ b/pinyweb/suid/piny-suid.c 
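Review bot: The `-m 4754` install line in pinyweb/Makefile creates a root-owned setuid binary without a comment stating the trust boundary it relies on; `piny-suid.c` in this commit executes whatever name it is given under `/usr/share/piny-suid`. Suggest a comment above the line such as `# setuid root, runnable by group www-data only; /usr/share/piny-suid and its contents must stay root-owned and not writable by group or others`. Nothing in this diff creates that directory or sets its permissions, so it is presumably shipped elsewhere; worth confirming, since the wrapper accepts any account with uid >= 1000 as the target user.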
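Review bot: The compile rule in pinyweb/suid/Makefile hard-codes `gcc` and its own flag list, so `CC`, `CFLAGS` and `LDFLAGS` from the build environment never reach this setuid binary and any hardening options the packaging toolchain supplies are dropped. Suggest `$(CC) $(CPPFLAGS) $(CFLAGS) -Wall -Werror -Os $(LDFLAGS) -o $@ $<`. Declaring `.PHONY: clean` would also keep a stray file named `clean` from masking the target.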
@@ -0,0 +1,121 @@
+#include <errno.h>
+#include <pwd.h>
+#include <regex.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <syslog.h>
+#include <unistd.h>
+
+int main( int argc, char *argv[] ) {
+
+ int err;
+
+ openlog( "piny-suid", LOG_ODELAY, LOG_AUTHPRIV );
+
+ if ( argc < 3 ) {
+ syslog( LOG_ERR, "Invalid usage" );
+ fprintf( stderr, "Usage: %s username command [args ...]\n", argv[0] );
+ return 1;
+ };
+
+ regex_t user_reg;
+
+ // Please note that these regular expressions should duplicate the language for usernames described in Piny::User.
+ if ( ( err = regcomp( &user_reg, "^[a-zA-Z][a-zA-Z0-9_.-]*$", REG_EXTENDED | REG_NOSUB ) ) != 0 ) {
+ size_t sz = regerror( err, &user_reg, NULL, 0 );
+ char buf[sz];
+ regerror( err, &user_reg, buf, sz );
+ syslog( LOG_CRIT, "Internal error; first regex, %s", buf );
+ fprintf( stderr, "Internal error compiling first regular expression: %s\n", buf );
+ return 1;
+ };
+
+ if ( regexec( &user_reg, argv[1], 0, NULL, 0 ) ) {
+ syslog( LOG_ERR, "Invalid username '%s' (first regex)", argv[1] );
+ fprintf( stderr, "'%s' does not appear to be a valid username!\n", argv[1] );
+ return 1;
+ };
+
+ regfree( &user_reg );
+
+ if ( ( err = regcomp( &user_reg, "^(git|ikiwiki)-", REG_EXTENDED | REG_NOSUB ) ) != 0 ) {
+ size_t sz = regerror( err, &user_reg, NULL, 0 );
+ char buf[sz];
+ regerror( err, &user_reg, buf, sz );
+ syslog( LOG_CRIT, "Internal error: second regex, %s", buf );
+ fprintf( stderr, "Internal error compiling second regular expression: %s\n", buf );
+ return 1;
+ };
+
+ if ( ! regexec( &user_reg, argv[1], 0, NULL, 0 ) ) {
+ syslog( LOG_ERR, "Invalid username '%s' (second regex)", argv[1] );
+ fprintf( stderr, "'%s' does not appear to be a valid username!\n", argv[1] );
+ return 1;
+ };
+
+ regfree( &user_reg );
+
+ regex_t cmd_reg;
+
+ if ( ( err = regcomp( &cmd_reg, "/", REG_EXTENDED | REG_NOSUB ) ) != 0 ) {
+ size_t sz = regerror( err, &cmd_reg, NULL, 0 );
+ char buf[sz];
+ regerror( err, &cmd_reg, buf, sz );
+ syslog( LOG_CRIT, "Internal error: third regex, %s", buf );
+ fprintf( stderr, "Internal error compiling third regular expression: %s\n", buf );
+ return 1;
+ };
+
+ if ( ! regexec( &cmd_reg, argv[2], 0, NULL, 0 ) ) {
+ syslog( LOG_ERR, "Invalid command '%s' (third regex)", argv[2] );
+ fprintf( stderr, "'%s' does not appear to be a valid command!\n", argv[2] );
+ return 1;
+ };
+
+ regfree( &cmd_reg );
+
+ struct passwd *pwd = getpwnam( argv[1] );
+
+ if ( ! pwd ) {
+ syslog( LOG_ERR, "Invalid username '%s' (getpwnam)", argv[1] );
+ fprintf( stderr, "'%s' does not appear to be a valid username!\n", argv[1] );
+ return 1;
+ };
+
+ if ( pwd->pw_uid < 1000 ) {
+ syslog( LOG_ERR, "Invalid username '%s' (uid)", argv[1] );
+ fprintf( stderr, "'%s' does not appear to be a valid username!\n", argv[1] );
+ return 1;
+ };
+
+ if ( setregid( pwd->pw_gid, pwd->pw_gid ) != 0 ) {
+ err = errno;
+ syslog( LOG_ERR, "Unable to change GID: %s, %s", argv[2], strerror( err ) );
+ fprintf( stderr, "Unable to change GID: %s\n", strerror( err ) );
+ return 1;
+ };
+
+ if ( setreuid( pwd->pw_uid, pwd->pw_uid ) != 0 ) {
+ err = errno;
+ syslog( LOG_ERR, "Unable to change UID: %s, %s", argv[2], strerror( err ) );
+ fprintf( stderr, "Unable to change UID: %s\n", strerror( err ) );
+ return 1;
+ };
+
+ size_t sz = snprintf( NULL, 0, "/usr/share/piny-suid/%s", argv[2] );
+ char buf[sz];
+ snprintf( buf, sz, "/usr/share/piny-suid/%s", argv[2] );
+
+ char * const env[] =
+ { NULL
+ };
+
+ syslog( LOG_NOTICE, "Going to exec '%s' as '%s'", argv[2], argv[1] );
+ execve( buf, argv + 2, env );
+
+ syslog( LOG_ERR, "Invalid command '%s' (fell past exec)", argv[2] );
+ fprintf( stderr, "'%s' does not appear to be a valid command!\n", argv[2] );
+ return 1;
+
+}; |