[Fedora-infrastructure-list] Package Version Control Scripts

Mike McGrath mmcgrath at fedoraproject.org
Fri Aug 11 23:19:42 UTC 2006 

On 8/4/06, Toshio Kuratomi <toshio at tiki-lounge.com> wrote:
> Following up on what was discussed in the meeting and the list of
> requirements from the previous email, here are the scripts I'm currently
> working on to setup the bzr repository.
>
> * scponly-repo.sh: This is the first script to run.  It sets up the
> chroot environment.  A portion of this script should be made into a cron
> job that periodically refreshes the programs and libraries within the
> chroot (to limit the time that the chroot is vulnerable to exploits.)
>   - A portion of this script needs to be run by root.
>   - This script labels files for SELinux.  If SELinux is not enabled on
> the server this lands on we'll want to comment that out.
>   - A portion of the script sets up a passwd and group file within the
> chroot.  I suspect that this is not necessary.
>
> * setup-repo.sh: This script imports one of the cvs-seed tarballs from
> cvs.fedora.redhat.com into the new repository.  It sets up a sample
> within the embargo directory as well.
>
> * repo.conf: Apache configuration file to enable access to the repo over
> http.  Note that this allows bzr to access the repository over ssh.  It
> is not a web-front end.  There is a separate cgi script which I haven't
> yet worked with that can be used for that.
>
> * user.sh: Sets up one user with an account on the system; adding them
> to appropriate groups and etc.  This is incomplete until I tie it into
> the accounts system to retrieve the ssh key.  In the future, user
> information should be created by the accountsdb.
>
> * user-setup.sh: This script sets up default groups (vcsuser and
> security) that are used by the acls.  It also creates a vcsguest account
> that allows anonymous logins.  After implementing http retrieval on my
> test machine, I don't think this is necessary any longer.  Anonymous
> access can use http to retrieve public information.  Read-write access
> and access to private information will go through sftp.
>
> * sshd_config: Replacement sshd configuration.  Changes:
>   - AuthorizedKeysFile is changed to explicitly reference /home/%u
> instead of the user's home directory.  This is so vcusers have their
> keys extracted from /home/%u instead of their home directory (which is
> within the chroot).  vcsusers do not have access to change ssh keys on
> the server, this has to be done through the accounts db.
>   - PermitEmptyPasswords, PasswordAuthentication: This is to enable
> anonymous ssh login to the chroot.  Since anonymous access is going to
> happen over http, this should no longer be necessary.
>   - Subsystem sftp: enabled sftp for bzr.
>
> Everything is a work in progress but my main thrust right now is
> creating good ACLs and testing what the limitations are.
>
> -Toshio

Hey Toshio, I'm going to have some free time to set this up soon, I
seem to remember you mentioning you had updated scripts.  If they
happen to be ready now send them to the list and I'll get them
started.

           -Mike

More information about the Fedora-infrastructure-list mailing list