[Fedora-infrastructure-list] Package Version Control Scripts
Mike McGrath
mmcgrath at fedoraproject.org
Fri Aug 11 23:19:42 UTC 2006
On 8/4/06, Toshio Kuratomi <toshio at tiki-lounge.com> wrote:
> Following up on what was discussed in the meeting and the list of
> requirements from the previous email, here are the scripts I'm currently
> working on to setup the bzr repository.
>
> * scponly-repo.sh: This is the first script to run. It sets up the
> chroot environment. A portion of this script should be made into a cron
> job that periodically refreshes the programs and libraries within the
> chroot (to limit the time that the chroot is vulnerable to exploits.)
> - A portion of this script needs to be run by root.
> - This script labels files for SELinux. If SELinux is not enabled on
> the server this lands on we'll want to comment that out.
> - A portion of the script sets up a passwd and group file within the
> chroot. I suspect that this is not necessary.
>
> * setup-repo.sh: This script imports one of the cvs-seed tarballs from
> cvs.fedora.redhat.com into the new repository. It sets up a sample
> within the embargo directory as well.
>
> * repo.conf: Apache configuration file to enable access to the repo over
> http. Note that this allows bzr to access the repository over ssh. It
> is not a web-front end. There is a separate cgi script which I haven't
> yet worked with that can be used for that.
>
> * user.sh: Sets up one user with an account on the system; adding them
> to appropriate groups and etc. This is incomplete until I tie it into
> the accounts system to retrieve the ssh key. In the future, user
> information should be created by the accountsdb.
>
> * user-setup.sh: This script sets up default groups (vcsuser and
> security) that are used by the acls. It also creates a vcsguest account
> that allows anonymous logins. After implementing http retrieval on my
> test machine, I don't think this is necessary any longer. Anonymous
> access can use http to retrieve public information. Read-write access
> and access to private information will go through sftp.
>
> * sshd_config: Replacement sshd configuration. Changes:
> - AuthorizedKeysFile is changed to explicitly reference /home/%u
> instead of the user's home directory. This is so vcusers have their
> keys extracted from /home/%u instead of their home directory (which is
> within the chroot). vcsusers do not have access to change ssh keys on
> the server, this has to be done through the accounts db.
> - PermitEmptyPasswords, PasswordAuthentication: This is to enable
> anonymous ssh login to the chroot. Since anonymous access is going to
> happen over http, this should no longer be necessary.
> - Subsystem sftp: enabled sftp for bzr.
>
> Everything is a work in progress but my main thrust right now is
> creating good ACLs and testing what the limitations are.
>
> -Toshio
Hey Toshio, I'm going to have some free time to set this up soon, I
seem to remember you mentioning you had updated scripts. If they
happen to be ready now send them to the list and I'll get them
started.
-Mike
More information about the Fedora-infrastructure-list
mailing list