[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #19 from Owen Taylor <otaylor redhat com> 2010-10-29 21:36:16 UTC ---
(In reply to comment #18)

> > Basically if you have commit access to l10n.gnome.org you can make the account
> > do whatever you want, so I don't think locking down the key too hard has a
> > point. Readable-as-web-service-user seems about as good as we can easily do.
> 
> Ok so the question is do we want d-l to run the equivalent of git push directly
> to git.gnome.org? It does open things up a bit more, but in the worst possible
> case, someone reverts the commits and it is only language files. You seem to be
> of the opinion that it is ok to give users enough rope to hang themselves. I'm
> still working out the details of how things in gnome-land work :)

Yes, you get some extra security if:

 A) You run the git push as a different user so the gnomeweb user can't read
the ssh key
 B) You run the git push with a fixed set of options, so exploiting holes in
our setup with tricky git push options is harder

But on the other hand automated commits to git seem hard enough to do without
an extra layer. You can't just cron/fishpoll something like:

 ( cd $gnomeweb/checkouts/some_directory && git push )

Because hooks in some_directory will run and you might as well have run the git
push as the original user. So you'd need to figure out how to disable git hooks
when running the push command. (And also worry about what effect git push
options in .git/config have on the push.) If possible at all, then the solution
might not be too bad, but I don't think it's that important and worth blocking
getting something working on.

The essential layers of security here are:

 - The security of the web app
 - The security of restricting commits to be to .po files in the po/ directory
(shouldn't be able to commit to po/Makefile.*)

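The second of the two "essential layers" Owen lists, restricting what a translation push may touch, is the kind of check that belongs on the server side, where nothing in the gnomeweb checkout's .git/config or .git/hooks can influence it. The script below is an added example written for this page, not the hook deployed on git.gnome.org: it installs a git `update` hook into a bare repository that accepts a ref update only if it is a fast-forward and every path changed in the pushed range matches po/<name>.po (so po/Makefile.am, po/Makefile.in.in, po/POTFILES.in and anything outside po/ are rejected), then exercises it with one allowed and two forbidden pushes in a throwaway repository pair. The project layout, file names and commit messages are constructed for the demo; the fast-forward test uses `git merge-base --is-ancestor`, which needs git 1.8 or later.

```shell
#!/bin/sh
# Added example for this page: a server-side git `update` hook that lets a
# translation bot change only po/*.po, plus a throwaway demo that pushes
# against it.  Illustrative code, not the GNOME sysadmin hook; all repository
# content below is constructed.

# Install the policy hook into a bare repository.  git runs hooks/update once
# per ref being pushed as:   update <refname> <oldrev> <newrev>
# and a non-zero exit status rejects that ref update before it is written.
install_po_only_hook() {
  bare=$1
  mkdir -p "$bare/hooks"
  cat > "$bare/hooks/update" <<'HOOK'
#!/bin/sh
refname=$1 oldrev=$2 newrev=$3
zero=0000000000000000000000000000000000000000
# Translation pushes only advance existing branches: refuse ref creation,
# deletion and anything that is not a fast-forward.
if [ "$oldrev" = "$zero" ] || [ "$newrev" = "$zero" ]; then
  echo "update hook: creating or deleting $refname is not allowed" >&2
  exit 1
fi
if ! git merge-base --is-ancestor "$oldrev" "$newrev"; then
  echo "update hook: non-fast-forward update of $refname is not allowed" >&2
  exit 1
fi
# Every path touched anywhere in the pushed range must be exactly
# po/<name>.po.  One offending path (po/Makefile.in.in, po/POTFILES.in,
# src/anything) rejects the whole push, however many .po files came with it.
bad=$(git diff --name-only "$oldrev" "$newrev" | grep -v -E '^po/[^/]+\.po$')
if [ -n "$bad" ]; then
  echo "update hook: only po/*.po may be changed; rejected paths:" >&2
  echo "$bad" >&2
  exit 1
fi
exit 0
HOOK
  chmod +x "$bare/hooks/update"
}

# Demo: one push the hook must accept and two it must reject.  Runs in a
# subshell with a temporary directory; returns 0 only if all three behaved
# as intended.  Requires git in PATH.
demo_po_only_hook() (
  set -e
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  work=$tmp/work
  bare=$tmp/origin.git

  # Constructed project: one translation, the po/ build files the bot must
  # never touch, and one source file.
  git init -q "$work"
  cd "$work"
  git config user.name "Example"
  git config user.email "example@example.invalid"
  mkdir po src
  printf 'msgid ""\nmsgstr ""\n' > po/fr.po
  printf 'GETTEXT_PACKAGE = example\n' > po/Makefile.in.in
  printf 'fr\n' > po/LINGUAS
  printf 'int main(void) { return 0; }\n' > src/main.c
  git add -A
  git commit -q -m "Initial import"
  git clone -q --bare "$work" "$bare"
  install_po_only_hook "$bare"
  git remote add origin "$bare"

  # 1. Translator-style commit touching only po/fr.po: accepted.
  printf '# updated by the l10n bot\n' >> po/fr.po
  git commit -q -am "Updated French translation"
  git push -q origin HEAD 2>/dev/null
  good=$(git rev-parse HEAD)
  echo "accepted: po/fr.po only"

  # 2. A file under po/ that is not a .po: rejected.
  printf 'CLEANFILES += foo\n' >> po/Makefile.in.in
  git commit -q -am "Tweak po build"
  if git push -q origin HEAD 2>/dev/null; then
    echo "BUG: po/Makefile.in.in change was accepted" >&2; exit 1
  fi
  echo "rejected: po/Makefile.in.in"
  git reset -q --hard "$good"

  # 3. A legitimate .po change bundled with src/main.c: rejected as a whole.
  printf '# more\n' >> po/fr.po
  printf '/* not a translation */\n' >> src/main.c
  git commit -q -am "Translation update"
  if git push -q origin HEAD 2>/dev/null; then
    echo "BUG: mixed commit was accepted" >&2; exit 1
  fi
  echo "rejected: po/fr.po + src/main.c"
)
```

Run `demo_po_only_hook` after sourcing the file to see the three verdicts. Because the hook inspects the range between the old and new ref values rather than the tip commit, a push that smuggles a src/ change in an earlier commit behind a clean translation commit is rejected just the same, and because it runs on the receiving side, disabling client hooks or tweaking push options in the gnomeweb checkout does nothing to it; that is what makes it a layer worth relying on while the web-app side is still being sorted out.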