authorAndy Doan <andy.doan@linaro.org>2016-08-05 14:40:24 -0500
committerAndy Doan <andy.doan@linaro.org>2016-08-25 14:00:01 +0000
commit2714daa7b1b3e89af209a66375e13c1a002d59b0 (patch)
treea54f9c6453c18bcba5dc2f35ba273bfa995f6771 /per-service
parent50e62e0934220e3f5528eca2b309ca837b88e549 (diff)
git: remove use of suexec
Due to the way we manage our repos on disk (umask 0022) you don't need to run our cgi code as "git". Actually doing so makes things *less* secure since the git user has write permissions. This change allows apache to run our cgi as "nobody" and also maintain our document root permissions and ownership more sanely. gitweb.conf requires updating for private repos because we need to access gitolite APIs as the "git" user. Change-Id: If20733de2856a6ed64c5e4df79d07826c4f62d21 Reviewed-on: https://review.linaro.org/13634 Reviewed-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
Diffstat (limited to 'per-service')
-rw-r--r--per-service/git-servers/files/dev-private-git.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/dev-private-review.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/git-ara-mdk.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/git.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/lhg-review.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/projectara-git.linaro.org.conf3
-rw-r--r--per-service/git-servers/files/projectara-review.linaro.org.conf3
-rw-r--r--per-service/git-servers/roles/apache-conf/tasks/main.yml10
-rw-r--r--per-service/git-servers/roles/apache-website/tasks/main.yml19
-rw-r--r--per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi1
-rw-r--r--per-service/git-servers/roles/apache-website/templates/gitweb.cgi1
-rw-r--r--per-service/git-servers/roles/apache-website/templates/sudoers_gitweb2
-rw-r--r--per-service/git-servers/roles/gitweb/templates/gitweb.conf18
-rw-r--r--per-service/git-servers/roles/install-deps/tasks/main.yml11
14 files changed, 13 insertions, 70 deletions
diff --git a/per-service/git-servers/files/dev-private-git.linaro.org.conf b/per-service/git-servers/files/dev-private-git.linaro.org.conf
index 1a220ee..b32b288 100644
--- a/per-service/git-servers/files/dev-private-git.linaro.org.conf
+++ b/per-service/git-servers/files/dev-private-git.linaro.org.conf
@@ -2,9 +2,6 @@
ServerSignature Off
ServerTokens Prod
-Suexec On
-SuexecUserGroup {{ git_user }} {{ git_user }}
-
LDAPCacheEntries 2048
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/files/dev-private-review.linaro.org.conf b/per-service/git-servers/files/dev-private-review.linaro.org.conf
index ca58687..f3ae95a 100644
--- a/per-service/git-servers/files/dev-private-review.linaro.org.conf
+++ b/per-service/git-servers/files/dev-private-review.linaro.org.conf
@@ -2,9 +2,6 @@
ServerSignature Off
ServerTokens Prod
-Suexec On
-SuexecUserGroup {{ git_user }} {{ git_user }}
-
LDAPCacheEntries 2048
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/files/git-ara-mdk.linaro.org.conf b/per-service/git-servers/files/git-ara-mdk.linaro.org.conf
index a9200ab..dc30543 100644
--- a/per-service/git-servers/files/git-ara-mdk.linaro.org.conf
+++ b/per-service/git-servers/files/git-ara-mdk.linaro.org.conf
@@ -2,9 +2,6 @@
ServerSignature Off
ServerTokens Prod
-Suexec On
-SuexecUserGroup {{ git_user }} {{ git_user }}
-
<VirtualHost *:80>
ServerName {{ git_host }}
ServerAdmin webmaster@linaro.org
diff --git a/per-service/git-servers/files/git.linaro.org.conf b/per-service/git-servers/files/git.linaro.org.conf
index 2f3d843..28979e5 100644
--- a/per-service/git-servers/files/git.linaro.org.conf
+++ b/per-service/git-servers/files/git.linaro.org.conf
@@ -2,9 +2,6 @@
ServerSignature Off
ServerTokens Prod
-Suexec On
-SuexecUserGroup {{ git_user }} {{ git_user }}
-
<VirtualHost *:80>
ServerName {{ git_host }}
ServerAlias {{ inventory_hostname }}
diff --git a/per-service/git-servers/files/lhg-review.linaro.org.conf b/per-service/git-servers/files/lhg-review.linaro.org.conf
index 5a80a38..8f30f2b 100644
--- a/per-service/git-servers/files/lhg-review.linaro.org.conf
+++ b/per-service/git-servers/files/lhg-review.linaro.org.conf
@@ -2,9 +2,6 @@
ServerSignature Off
ServerTokens Prod
-Suexec On
-SuexecUserGroup {{ git_user }} {{ git_user }}
-
LDAPCacheEntries 1024
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/files/projectara-git.linaro.org.conf b/per-service/git-servers/files/projectara-git.linaro.org.conf
index 6793c89..6cb7d2e 100644
--- a/per-service/git-servers/files/projectara-git.linaro.org.conf
+++ b/per-service/git-servers/files/projectara-git.linaro.org.conf
@@ -2,9 +2,6 @@
ServerSignature Off
ServerTokens Prod
-Suexec On
-SuexecUserGroup {{ git_user }} {{ git_user }}
-
LDAPCacheEntries 1024
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/files/projectara-review.linaro.org.conf b/per-service/git-servers/files/projectara-review.linaro.org.conf
index 94b0984..90161aa 100644
--- a/per-service/git-servers/files/projectara-review.linaro.org.conf
+++ b/per-service/git-servers/files/projectara-review.linaro.org.conf
@@ -2,9 +2,6 @@
ServerSignature Off
ServerTokens Prod
-Suexec On
-SuexecUserGroup {{ git_user }} {{ git_user }}
-
LDAPCacheEntries 1024
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
diff --git a/per-service/git-servers/roles/apache-conf/tasks/main.yml b/per-service/git-servers/roles/apache-conf/tasks/main.yml
index cfc1ac9..2831406 100644
--- a/per-service/git-servers/roles/apache-conf/tasks/main.yml
+++ b/per-service/git-servers/roles/apache-conf/tasks/main.yml
@@ -14,16 +14,6 @@
- install
- apache-conf
-- name: Enable git-main Apache modules
- apache2_module: name={{ item }}
- with_items:
- - suexec
- notify: restart-apache
- when: hosttype in ["git-main", "git-slave"]
- tags:
- - install
- - apache-conf
-
- name: Enable git-android Apache modules
apache2_module: name={{ item }}
with_items:
diff --git a/per-service/git-servers/roles/apache-website/tasks/main.yml b/per-service/git-servers/roles/apache-website/tasks/main.yml
index 680e4cb..2dacffe 100644
--- a/per-service/git-servers/roles/apache-website/tasks/main.yml
+++ b/per-service/git-servers/roles/apache-website/tasks/main.yml
@@ -2,25 +2,19 @@
- name: Create Apache root dir
file: state=directory
- group={{ git_user }}
- owner={{ git_user }}
- mode=0755
path={{ apache_root }}/{{ git_host }}
+ group=root owner=root mode=0755
-- name: Install Apache git-http-backend suexec script
+- name: Install Apache git-http-backend script
template: src=git-http-backend.cgi
dest={{ apache_root }}/{{ git_host }}/git-http-backend.cgi
- owner={{ git_user }}
- group={{ git_user }}
- mode=0550
+ owner=root group=root mode=0550
when: hosttype in ["git-main", "git-slave"] and server_access == "public"
-- name: Install Apache gitweb suexec script
+- name: Install Apache gitweb script
template: src=gitweb.cgi
dest={{ apache_root }}/{{ git_host }}/gitweb.cgi
- owner={{ git_user }}
- group={{ git_user }}
- mode=0550
+ owner=root group=root mode=0550
when: hosttype in ["git-main", "git-slave"]
- name: Copy robots.txt file
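Review bot: With `owner=root group=root mode=0550` on the two new lines, git-http-backend.cgi and gitweb.cgi are readable and executable by root only, yet the point of dropping suexec is that Apache now runs them as its own unprivileged user (www-data, going by the sudoers template in this commit), which would be refused access to both scripts unless Apache's User/Group is set to something unusual. Keeping root as owner and giving Apache's group the r-x bits, `owner=root group=www-data mode=0550`, preserves the no-write-for-the-web-user property the commit is after. The commit message says "nobody" while the sudoers rule names www-data; whichever account Apache actually runs as is the one that needs the group bit, so it is worth deriving the group from a single variable rather than spelling it in two places.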
@@ -33,3 +27,6 @@
- name: Apply caching patch to gitweb
patch: src=gitweb.diff dest=/usr/share/gitweb/gitweb.cgi backup=yes
when: hosttype in ["git-main", "git-slave"] and server_access == "public"
+
+- name: Add sudoers entry for gitolite-can-read
+ template: src=sudoers_gitweb dest=/etc/sudoers.d/gitweb mode=0440
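Review bot: The new sudoers task writes straight into /etc/sudoers.d without `validate`, so a template or rendering error would install a file that sudo rejects, and depending on the sudo version that can disable sudo for every rule on the host; `template: src=sudoers_gitweb dest=/etc/sudoers.d/gitweb owner=root group=root mode=0440 validate='visudo -cf %s'` makes Ansible refuse a malformed file and fixes ownership explicitly, since mode alone does not. The task also has no `when:` guard, unlike the script-install tasks earlier in this file, so the rule is granted on every host in the play, including public servers whose gitweb.conf never calls gitolite-can-read; restricting it to `server_access == "private"` keeps the grant to the hosts that need it.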
diff --git a/per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi b/per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi
index b84afb5..7480307 100644
--- a/per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi
+++ b/per-service/git-servers/roles/apache-website/templates/git-http-backend.cgi
@@ -1,6 +1,5 @@
#!/bin/sh
# {{ MANAGED_HEADER }}
-# suexec wrapper for git-http-backend
export GIT_PROJECT_ROOT={{ repo_root }}
{% if server_access == "public" %}
diff --git a/per-service/git-servers/roles/apache-website/templates/gitweb.cgi b/per-service/git-servers/roles/apache-website/templates/gitweb.cgi
index b109411..e102ae2 100644
--- a/per-service/git-servers/roles/apache-website/templates/gitweb.cgi
+++ b/per-service/git-servers/roles/apache-website/templates/gitweb.cgi
@@ -1,6 +1,5 @@
#!/bin/sh
# {{ MANAGED_HEADER }}
-# suexec wrapper for gitweb.cgi
export GIT_PROJECT_ROOT={{ repo_root }}
{% if server_access == "public" %}
diff --git a/per-service/git-servers/roles/apache-website/templates/sudoers_gitweb b/per-service/git-servers/roles/apache-website/templates/sudoers_gitweb
new file mode 100644
index 0000000..cbd4fe6
--- /dev/null
+++ b/per-service/git-servers/roles/apache-website/templates/sudoers_gitweb
@@ -0,0 +1,2 @@
+# MANAGED BY ANSIBLE
+www-data ALL=NOPASSWD: {{tools_checkout_dir}}/linaro-git-tools/gitolite-tools/gitolite-can-read
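Review bot: The rule on the second line has no Runas_Spec, so sudo permits the command only as the default target user (root, unless runas_default has been changed), and the `sudo -u git` call that gitweb.conf makes in this same commit would be denied; `www-data ALL=(git) NOPASSWD: {{tools_checkout_dir}}/linaro-git-tools/gitolite-tools/gitolite-can-read` grants exactly the intended identity and nothing wider. The command is listed without arguments, which sudo reads as "any arguments", so the script's own argument handling becomes the security boundary for values taken from REMOTE_USER and the request path; a comment stating that expectation, e.g. `# gitolite-can-read receives untrusted user/repo arguments and must validate them`, would help the next maintainer. The header is a literal `# MANAGED BY ANSIBLE` rather than the `{{ MANAGED_HEADER }}` the other templates in this commit use.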
diff --git a/per-service/git-servers/roles/gitweb/templates/gitweb.conf b/per-service/git-servers/roles/gitweb/templates/gitweb.conf
index 2326d2f..69eaeab 100644
--- a/per-service/git-servers/roles/gitweb/templates/gitweb.conf
+++ b/per-service/git-servers/roles/gitweb/templates/gitweb.conf
@@ -51,28 +51,16 @@ $omit_owner = 1;
$projects_list_description_width = 100;
{% if server_access == "private" %}
-BEGIN {
- $ENV{HOME} = "/home/{{ git_user }}";
- $ENV{GL_BINDIR} = "/home/{{ git_user }}/gitolite/src";
- $ENV{GL_LIBDIR} = "/home/{{ git_user }}/gitolite/src/lib";
-};
-# Pull in gitolite's perl API module. Among other things, this also sets the
-# GL_REPO_BASE environment variable.
-use lib $ENV{GL_LIBDIR};
-use Gitolite::Easy;
-
-# Now get the user name. If nothing found, default to "gitweb", so make sure
+# Get the user name. If nothing found, default to "gitweb", so make sure
# gitweb does not have access to sensible data.
my ($user_name, $rest) = split('; ', $cgi->remote_user, 2);
-$ENV{GL_USER} = $user_name || "gitweb";
+$user_name = $user_name || "gitweb";
$export_auth_hook = sub {
my $repo = shift;
# gitweb passes us the full repo path; we need to strip the beginning and
# the end to get the repo name as it is specified in gitolite conf
return unless $repo =~ s/^\Q$projectroot\E\/?(.+)\.git$/$1/;
-
- # call Easy.pm's 'can_read' function
- return can_read($repo);
+ return 0 == system("sudo", "-u", "git", "/srv/linaro-git-tools/gitolite-tools/gitolite-can-read", $user_name, $repo);
};
{% endif %}
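Review bot: The replacement line hardcodes both the target user `git` and the path `/srv/linaro-git-tools/...`, while the sudoers rule added in this commit is templated with `{{tools_checkout_dir}}` and the rest of this file uses `{{ git_user }}`; if either variable differs from the literal, sudo denies the command and every repository silently becomes unreadable. Suggest `return 0 == system("sudo", "-u", "{{ git_user }}", "{{ tools_checkout_dir }}/linaro-git-tools/gitolite-tools/gitolite-can-read", $user_name, $repo);` so the two templates cannot drift apart. The list form of system() is the right choice here, since `$user_name` comes from the authenticated remote user and `$repo` from the URL and neither passes through a shell. A short comment such as `# any failure (sudo denied, tool missing, non-zero exit) denies access` would record that the hook is deliberately fail-closed.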
diff --git a/per-service/git-servers/roles/install-deps/tasks/main.yml b/per-service/git-servers/roles/install-deps/tasks/main.yml
index 8002381..0a78aa0 100644
--- a/per-service/git-servers/roles/install-deps/tasks/main.yml
+++ b/per-service/git-servers/roles/install-deps/tasks/main.yml
@@ -26,14 +26,3 @@
- git
- install
- update
-
-- name: Install main git special OS dependencies
- apt: name={{ item }}
- with_items:
- - apache2-suexec-custom
- when: hosttype in ["git-main", "git-slave"]
- tags:
- - deps
- - git
- - install
- - update