[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Jeff Schroeder <jeffschroeder> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeffschroeder computer org

--- Comment #8 from Jeff Schroeder <jeffschroeder computer org> 2010-10-29 05:18:20 UTC ---
Ok so here is the plan of attack...

1.) Set up a password-less ssh key for gnomeweb l10n gnome org. Make the private
key readable by the gnomeweb _user_ only and not the group. l10n.gnome.org has
fairly limited user access as is, so the attack vector is lower than on many other
servers.

2.) Have create-auth[1] throw down a special ssh key[2] for the gnomeweb user
including the host="boron.canonical.com,91.189.93.2" line when given the
--gnomeweb-hack argument. This restricts ssh connections from that ssh key to
only originate from l10n.gnome.org aka progress.gnome.org aka
boron.canonical.com. 

The patch to do this is attached. Owen or someone else on the sysadmin team
please review it to let me know if this is the right idea. create-auth is going
to get a lot of love later on. Splinter is truncating the full length of the
patch in my browser so look at it raw.

3.) On l10n.gnome.org, configure the git global user (and the d-l process that
commits) to be "Damned-Lies Autocommit", and the global git client email to a
mailing list that emails all of the translators (if that list exists). This is
so that replies go to the main l10n email list if someone wants to reply to an
auto-checkin.

4.) Write a simple bourne shell git hook that runs these checks:
   a.) [ "$(/usr/bin/whoami)" = "gnomeweb" ]
   b.) [ "$(/usr/bin/id -u)"  = "2184" ]
   c.) [ "$committer_name"  = "Damned-Lies Autocommit" ]
   d.) [ "$committer_email" = "the email for the main l10n list" ]
   e.) If it works[2], logic similar to Claude's pseudocode would be perfect.

I double-checked that whoami runs geteuid(2) (yay strace) so b isn't 100%
necessary. The goal is max paranoia and gracefully die if anything is off. c
and d are easy for anyone to circumvent with "git commit --author", but they
are just an extra layer of sanity checking. e is to make sure that only
translation files are being committed.

5.) Teach d-l how to commit translations to a local git repository and rebase
on top of changes (hello git.py). The sysadmin team will write a cronjob to
periodically push commits to git.gnome.org as user gnomeweb. I'll address
points 1-3 now and put this off to someone else until at the very least after the
Boston Summit.


[1] http://git.gnome.org/sysadmin-bin/tree/create-auth
[2] Example key when I tested this patch on label:
command="/home/admin/bin/run-git-or-special-cmd",no-pty,no-port-forwarding,host="boron.canonical.com,91.189.93.2" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoP1vEyT0IiDzmedoe+NKpgJ0pe47pOiaX31/XAntQ5+WWJn2PJDZIGyxBmgSjO8z4pdk7TMV9Bf2ryJRwEnEJDNkAoz1HJM8WUCt0l2SYwS4Qrem2AYHqPJTESrSLkwtEkK4WZrrk00Mp8/dUUBAL3uM5lTKjQuRXZ2PFZFBg79KTP4mrakZ0eTuvvs/jA13Fa8g9q5Ho3A7pe8kpTWCYeqzVbsTMHd1u7s3hiZ5JZhiCHeEOrXN/APtMpSH16wnBjogershs4BzRyAGu2SGcJOs+5jII26tFC3RcFrqTYsaaaplDlZp1j0fKGdQBe+v+SmR6OWFPzlxnhmeQFpqow== gnomeweb progress gnome org_l10n_autocommit_git_only_key

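The hook sketched in step 4 of the comment above, written out as an added example; this is not the hook from the bug report or anything from GNOME's sysadmin-bin. It is a POSIX sh pre-commit hook implementing checks a-e: uid 2184 is taken from the comment, the list address is a placeholder, the translation-file whitelist (po/*.po, po/LINGUAS, help/*/*.po) is an assumption, and the committer identity is read from `git var GIT_COMMITTER_IDENT` instead of the `$committer_name`/`$committer_email` variables named in the comment. One caveat on footnote [2]: OpenSSH spells the source-address restriction in authorized_keys as `from="..."`, not `host=`; the example below covers only the hook.

```shell
#!/bin/sh
# Added example, not the hook from the bug report: a pre-commit hook for the
# Damned-Lies auto-commit user implementing checks a-e of step 4.
# Assumptions: uid 2184 as stated in the comment, a placeholder list address,
# and the allowed path patterns in is_translation_path.

EXPECTED_USER="gnomeweb"
EXPECTED_UID="2184"
EXPECTED_NAME="Damned-Lies Autocommit"
# Placeholder for the main l10n mailing list address; override via environment.
EXPECTED_EMAIL="${L10N_LIST_EMAIL:-l10n-list@PLACEHOLDER.invalid}"

# ident_name IDENT / ident_email IDENT: split the "Name <email> ts tz" form
# printed by `git var GIT_COMMITTER_IDENT`.
ident_name()  { printf '%s\n' "${1%% <*}"; }
ident_email() { _e="${1#*<}"; printf '%s\n' "${_e%%>*}"; }

# check_identity USER UID NAME EMAIL: checks a-d. Every value must match
# exactly; the first mismatch is reported on stderr and the function fails.
check_identity() {
    [ "$1" = "$EXPECTED_USER" ]  || { echo "hook: unix user '$1' is not $EXPECTED_USER" >&2; return 1; }
    [ "$2" = "$EXPECTED_UID" ]   || { echo "hook: uid '$2' is not $EXPECTED_UID" >&2; return 1; }
    [ "$3" = "$EXPECTED_NAME" ]  || { echo "hook: committer name '$3' not allowed" >&2; return 1; }
    [ "$4" = "$EXPECTED_EMAIL" ] || { echo "hook: committer email '$4' not allowed" >&2; return 1; }
    return 0
}

# is_translation_path PATH: check e. Whitelist (an assumption): gettext
# catalogues and LINGUAS under po/, and catalogues under help/<doc>/<lang>/.
# `*` in a case pattern also matches `/`, so absolute paths and parent
# directory components are rejected explicitly before the whitelist applies.
is_translation_path() {
    case "$1" in
        /*|*/../*|../*|*/..|..)     return 1 ;;   # absolute path or traversal
        po/*.po|po/LINGUAS)         return 0 ;;
        help/*/*.po)                return 0 ;;
        *)                          return 1 ;;
    esac
}

# check_paths PATH...: applies check e to every path given as an argument.
check_paths() {
    for _p in "$@"; do
        is_translation_path "$_p" || { echo "hook: '$_p' is not a translation file" >&2; return 1; }
    done
    return 0
}

# run_hook: gather the live values and apply all checks; any failure aborts
# the commit. Identity is checked first so a wrong user fails fast.
run_hook() {
    _ident=$(git var GIT_COMMITTER_IDENT) || exit 1
    check_identity "$(/usr/bin/whoami)" "$(/usr/bin/id -u)" \
        "$(ident_name "$_ident")" "$(ident_email "$_ident")" || exit 1
    # One staged path per line; Damned-Lies never stages names containing newlines.
    git diff --cached --name-only | while IFS= read -r _f; do
        is_translation_path "$_f" || { echo "hook: '$_f' is not a translation file" >&2; exit 1; }
    done || exit 1
    exit 0
}

# Only run when installed as .git/hooks/pre-commit; sourcing the file
# elsewhere just defines the functions without touching git.
case "$0" in
    */pre-commit) run_hook ;;
esac
```

Installed as `.git/hooks/pre-commit` in the local repository that d-l commits to (step 5), the hook refuses the commit unless the process is the gnomeweb user with the expected uid, the committer identity is the autocommit one, and every staged path is on the translation whitelist. As the comment notes, checks c and d are trivially bypassed with `git commit --author` by anyone who can already run git as gnomeweb; they catch misconfiguration rather than a determined local user, which is why step 1 keeps the key readable by the gnomeweb user alone.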