[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2013-12-02 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Frederic Peters fpeters changed:

   What|Removed |Added

 CC||fpet...@0d.be

--- Comment #49 from Frederic Peters fpet...@0d.be 2013-12-02 10:05:28 UTC ---
For reference I sent this bug report to the new system; it has been assigned an
ID of [gnome.org #14045].

That would be https://rt.gnome.org/SelfService/Display.html?id=14045 but it's
not public.

-- 
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
___
gnome-infrastructure mailing list
gnome-infrastructure@gnome.org
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure


[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2013-11-21 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Andrea Veri andrea.veri changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||OBSOLETE

--- Comment #48 from Andrea Veri andrea.v...@gmail.com 2013-11-21 14:57:00 UTC ---
The GNOME Infrastructure Team is currently migrating its bug / issue tracker
away from Bugzilla to Request Tracker and therefore all the currently open bugs
have been closed and marked as OBSOLETE.

The following move will also act as a cleanup for very old and ancient tickets
that were still living on Bugzilla. If your issue still hasn't been fixed as of
today please report it again on the relevant RT queue.

More details about the available queues you can report the bug against can be
found at https://wiki.gnome.org/Sysadmin/RequestTracker.

Thanks for your patience,

the GNOME Infrastructure Team



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2013-09-06 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #46 from Owen Taylor otay...@redhat.com 2013-09-06 16:05:38 UTC ---
Created an attachment (id=254271)
 View: https://bugzilla.gnome.org/attachment.cgi?id=254271
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=254271

run-git-or-special-cmd: check the git directory

Check that the directory being accessed is in /git and has the
correct hooks.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2013-09-06 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #45 from Owen Taylor otay...@redhat.com 2013-09-06 16:02:59 UTC ---
Created an attachment (id=254268)
 View: https://bugzilla.gnome.org/attachment.cgi?id=254268
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=254268

create-auth: Fix up --translation-user option

The handling of --translation-user had some quirks - for example,
specifying --translation-user would silently force on inclusion
of all GIT users. Rearrange option handling for --translation-user
so that it works in a more expected way.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2013-09-06 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #47 from Owen Taylor otay...@redhat.com 2013-09-06 17:37:20 UTC ---
(In reply to comment #44)
> I don't see much point in having a separate user to do the push on the client
> side. The only point would be if the sudo'ed command tried to restrict exactly
> what was pushed - if you can push anything then there is no security
> improvement at all. And duplicating complicated checks on client and server
> seems like too much.

Thinking about it, there is one significant thing you do get out of a sudo
setup which is preventing a directory traversal (or other read-only)
vulnerability from exposing the private key for someone to take and try to do
stuff on their own system. But hopefully locking the key to one IP *mostly*
handles that. So there would be some advantage, but I don't see it as blocking
getting something going.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2013-08-24 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Andrea Veri andrea.veri changed:

   What|Removed |Added

 CC||andrea.v...@gmail.com

--- Comment #40 from Andrea Veri andrea.v...@gmail.com 2013-08-24 12:44:34 UTC ---
Here's what the final setup looks like:

1. the translations user was added to LDAP and an SSH key pair was generated
for it; the private key currently lives in
/usr/local/www/gnomeweb/.ssh/translations_rsa on progress.gnome.org. The
translations user has its own switch on create-auth, and it's currently not
part of the gnomevcs group. The gnomeweb user has read/write access to the
file; the file is not group accessible.

2. create-auth restricts the translations user so that it can only reach
git.gnome.org from boron.canonical.com; in addition, it can't get a pty
allocated. More details at
https://git.gnome.org/browse/sysadmin-bin/tree/create-auth#n40. Thanks Jeff for
your past work on this.

3. Owen's hook has been committed to sysadmin-bin and enabled globally. The
hook makes sure that the only committable files are PO/help files, plus the
LINGUAS line in Makefile.am.

4. The only downside of the whole setup is the translations_rsa file being
handled by gnomeweb, which is the user that is currently running the
damned-lies service. I did ask Claude to properly implement a way to really use
the translations user for making the commit. 

I personally don't see any grave security issue in this: we already have a lot
of checks in place, and removing an offending key is a matter of a few seconds
in case an attacker gains access to the gnomeweb user. But having the command
executed by a user != gnomeweb would indeed be nice: that way, even if an
attacker gains access to the gnomeweb user by hacking the damned-lies app, the
ssh key won't be accessible at all, given that it is chowned to
translations:translations in 0600 mode.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2013-08-24 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #41 from Andrea Veri andrea.v...@gmail.com 2013-08-24 12:50:56 UTC ---
Owen, if you feel the whole setup is fine, we can go ahead and add the relevant
switch on damned-lies web UI so that the whole process goes to production.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2013-08-06 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #36 from Owen Taylor otay...@redhat.com 2013-08-06 15:17:44 UTC ---
Created an attachment (id=250984)
 View: https://bugzilla.gnome.org/attachment.cgi?id=250984
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=250984

Add a pre-receive hook that limits the translations user

Before we allow the 'translations' user to commit, check that the
change is something we expect from l10n.gnome.org - a change to a .po file,
a LINGUAS file, or the addition of a language to a help Makefile.am.

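The check this attachment describes, as an added example written for this page and not the hook Owen attached or the one later committed to sysadmin-bin: a pre-receive policy that, for pushes by the translations user, accepts only .po files, LINGUAS files, and a help Makefile.am whose sole change is languages added to a *_LINGUAS list, and rejects everything else. The user name comes from the thread; the *_LINGUAS variable convention (DOC_LINGUAS/HELP_LINGUAS, possibly with backslash continuations), the help/ path rule, and the refusal of renames, tags and branch creation or deletion are assumptions of mine, not anything the bug states.

```python
#!/usr/bin/env python3
"""Added example, not GNOME's sysadmin-bin hook: a pre-receive policy for the
restricted 'translations' push user discussed in the bug. It allows only .po
files, LINGUAS files, and languages added to a help/ Makefile.am. Variable
names, the help/ path rule and the branch/tag rules are assumptions."""
import os
import pwd
import re
import subprocess
import sys

TRANSLATION_USER = "translations"
# Assumption: the help Makefile.am lists languages in a *_LINGUAS assignment
# (DOC_LINGUAS or HELP_LINGUAS), possibly wrapped with backslash continuations.
LINGUAS_LINE = re.compile(r"^(\w*LINGUAS)\s*=\s*(.*)$")
CONTINUATION = re.compile(r"\\\n[ \t]*")
LANG_CODE = re.compile(r"^[a-z]{2,3}(_[A-Z]{2})?(@[a-z]+)?$")

def linguas_addition_only(old_text, new_text):
    """True iff the only differences are *_LINGUAS lines that gained codes."""
    old_lines = CONTINUATION.sub(" ", old_text).splitlines()
    new_lines = CONTINUATION.sub(" ", new_text).splitlines()
    if len(old_lines) != len(new_lines):
        return False  # a line was added or removed: not a pure list edit
    for old, new in zip(old_lines, new_lines):
        if old == new:
            continue
        mo, mn = LINGUAS_LINE.match(old), LINGUAS_LINE.match(new)
        if not (mo and mn) or mo.group(1) != mn.group(1):
            return False  # something other than the language list changed
        old_langs, new_langs = set(mo.group(2).split()), set(mn.group(2).split())
        if not old_langs < new_langs:
            return False  # a language was removed, or nothing was added
        if not all(LANG_CODE.match(code) for code in new_langs - old_langs):
            return False  # an added token is not a language code
    return True

def is_help_makefile(path):
    parts = path.split("/")
    return parts[-1] == "Makefile.am" and "help" in parts[:-1]

def check_change(status, path, old_text=None, new_text=None):
    """Policy for one changed path: None if allowed, otherwise the reason."""
    if status not in ("A", "M", "D"):
        return "%s: renames and copies are not allowed" % path
    if path.endswith(".po") or path.split("/")[-1] == "LINGUAS":
        return None
    if is_help_makefile(path):
        if status != "M" or old_text is None or new_text is None:
            return "%s: only edits to an existing help Makefile.am are allowed" % path
        if not linguas_addition_only(old_text, new_text):
            return "%s: only adding languages to the LINGUAS list is allowed" % path
        return None
    return "%s: not a translation file" % path

def check_push(user, old, new, ref, changed, read_blob):
    """Whole-push decision. changed(old, new) yields (status, path) pairs and
    read_blob(rev, path) returns file text; both are injected for testability."""
    if user != TRANSLATION_USER:
        return None  # ordinary committers are not restricted by this hook
    if not ref.startswith("refs/heads/"):
        return "%s: the translation user may only update branches" % ref
    if old == "0" * 40 or new == "0" * 40:
        return "%s: the translation user may not create or delete branches" % ref
    for status, path in changed(old, new):
        old_text = new_text = None
        if is_help_makefile(path):  # read blobs only when the content matters
            old_text, new_text = read_blob(old, path), read_blob(new, path)
        reason = check_change(status, path, old_text, new_text)
        if reason:
            return reason
    return None

def _git_changed(old, new):
    out = subprocess.run(["git", "diff", "--name-status", old, new],
                         check=True, capture_output=True, text=True).stdout
    for line in out.splitlines():
        fields = line.split("\t")  # 'M\tpath' or 'R100\told\tnew'
        yield fields[0][0], fields[-1]

def _git_blob(rev, path):
    res = subprocess.run(["git", "show", "%s:%s" % (rev, path)],
                         capture_output=True, text=True)
    return res.stdout if res.returncode == 0 else None

def main():
    user = pwd.getpwuid(os.geteuid()).pw_name  # the same answer whoami(1) gives
    for line in sys.stdin:  # pre-receive stdin: "<old-sha> <new-sha> <ref>"
        old, new, ref = line.split()
        reason = check_push(user, old, new, ref, _git_changed, _git_blob)
        if reason:
            sys.stderr.write("rejected: %s\n" % reason)
            return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Installed as hooks/pre-receive, it leaves pushes from any other account untouched, so it only adds a check for the restricted user.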


[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2012-01-04 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #34 from Olav Vitters bugzilla-gn...@vitters.nl 2012-01-04 08:34:54 UTC ---
Nobody. I lack the knowledge for sure.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2011-08-10 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #32 from Olav Vitters bugzilla-gn...@vitters.nl 2011-08-10 14:44:29 UTC ---
I looked at the script, but it only gives a SSH key full access to the GNOME
git repository. I thought we wanted to limit what could be committed?

Anyway, I have very limited knowledge regarding Git.

Owen: Thoughts?



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2011-06-21 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #30 from Petr Kovar pk...@volny.cz 2011-06-21 13:26:37 UTC ---
Hey guys, are there any plans on working on this feature during this (3.1/3.2)
development cycle? Needless to say, GNOME translators would (still) really
appreciate it. TIA



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-11-03 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #28 from Jeff Schroeder jeffschroe...@computer.org 2010-11-04 01:52:26 UTC ---
@Owen: It seems impossible given a user with write access to a repository to
somehow deny them write access if the hook that checks their access is removed.

Also, the only people capable of doing that are sysadmin or gitadmin team
members. It seems like a reasonable enough tradeoff.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-30 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Olav Vitters bugzilla-gnome changed:

   What|Removed |Added

 CC||bugzilla-gn...@vitters.nl

--- Comment #22 from Olav Vitters bugzilla-gn...@vitters.nl 2010-10-30 13:02:25 UTC ---
How do you handle the server side? Loads of Git repositories run under the
gnomecvs user. Most have the common GNOME git hook, so you can do a pre-push
check. However, not all have the common git hook, allowing this translation
user to commit to them.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-30 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #24 from Olav Vitters bugzilla-gn...@vitters.nl 2010-10-30 22:10:10 UTC ---
Jeff: You only checked the repositories in /git? I thought we had repositories
in other locations as well (not only the git VM), but I forgot the details.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-30 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #25 from Jeff Schroeder jeffschroe...@computer.org 2010-10-30 23:09:11 UTC ---
I looked at /etc/cgitrc and /git/cgit.repositories. In those files, there are
no repositories anywhere but under /git. If there are, they won't need the
translation user to commit files to them. Also, they need to be fixed and put
under /git.

If you can find any more, by all means let's fix them and put them under /git. At
the very least, a symlink would do.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #10 from Owen Taylor otay...@redhat.com 2010-10-29 14:34:34 UTC ---
(In reply to comment #8)
> Splinter is truncating the full length of the
> patch in my browser so look at it raw.

I don't see this - the Splinter review view seems to show everything for me.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #11 from Jeff Schroeder jeffschroe...@computer.org 2010-10-29 14:45:07 UTC ---
@owen: Must be a bleeding edge chromium issue. Any problems with me merging the
patch to create-auth and adding an ssh key to gnomeweb? I tested it with ldapvi
and it worked fine.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #12 from Owen Taylor otay...@redhat.com 2010-10-29 14:48:24 UTC ---
(In reply to comment #11)
> @owen: Must be a bleeding edge chromium issue. Any problems with me merging the
> patch to create-auth and adding an ssh key to gnomeweb? I tested it with ldapvi
> and it worked fine.

I didn't review the patch. (That's not the same as having objections, but some
care with create-auth is important.) I can try to get to it later today, though
I'm not necessarily the authoritative person for create-auth these days.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Owen Taylor otaylor changed:

   What|Removed |Added

 Attachment #173458 status|none|needs-work

--- Comment #15 from Owen Taylor otay...@redhat.com 2010-10-29 20:07:18 UTC ---
Review of attachment 173458:
 -- (https://bugzilla.gnome.org/review?bug=599066&attachment=173458)

Main problem I have with this is that I don't think we should be recycling the
gnomeweb user for this. Otherwise comments are pretty superficial.

::: create-auth
@@ +29,3 @@
 GNOMECVS=0
 GNOMEGIT=0
+GNOMEWEB=0

GNOMEWEB isn't at all like the other variables or options here, this would have
to be GNOMEWEB_USER or something.

But I don't like using the gnomeweb user for this. gnomeweb is about editing
web config, viewing web logs, etc. Doesn't seem like it should be in the same
permissions bucket as committing translations changes to Git & I don't see
any real connection other than that the process is running as gnomeweb (is it?)
on l10n.gnome.org. I would expect a separate user 'translations' or something.

@@ +130,3 @@

+if not GNOMEWEB and gnomeweb in users:
+users.remove('gnomeweb')

Probably harmless, but makes no code sense to me

@@ +184,3 @@
 #file.write (command=\/usr/bin/cvs
server\,no-pty,no-port-forwarding )
+if GNOMEWEB and user['uid'] == gnomeweb:
+file.write
(command=\/home/admin/bin/run-git-or-special-cmd\,no-pty,no-port-forwarding,host=\boron.canonical.com,91.189.93.2\
)
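Review bot: host= is not an option OpenSSH accepts in an authorized_keys entry; the source restriction is spelled from="pattern-list", and sshd skips a key whose option list it cannot parse, so as written this line would refuse the key entirely rather than restrict it (unless the sshd in use is patched to understand host=). Suggest from=\"boron.canonical.com,91.189.93.2\" or just the address: from= already takes a comma-separated pattern list, so listing both the name and the IP is redundant rather than stronger.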

Belt and suspenders doesn't make sense to me - either host or IP, why both?

@@ +257,3 @@
+if '--gnomeweb-hack' in group_list:
+GNOMEWEB=1
+group_list = filter (lambda x: x != '--gnomeweb-hack', group_list)
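Review bot: --gnomeweb-hack is detected by scanning the positional group_list for the literal string and then filtering it back out, instead of going through the script's option handling like the other switches; that means it is silently accepted anywhere among the groups, a group with that name could never be requested, and since the +130 hunk reads GNOMEWEB this assignment has to execute before that code does, which the line order alone does not make obvious. Suggest registering it as a real option with a descriptive name (it adds a restricted user, so something like --translation-user), which also makes the filter line unnecessary.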

What's a hack about it?



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #16 from Claude Paroz cla...@2xlibre.net 2010-10-29 20:24:30 UTC ---
(In reply to comment #15)
> Review of attachment 173458 [details]:
(...)
> But I don't like using the gnomeweb user for this. gnomeweb is about editing
> web config, viewing web logs, etc. Doesn't seem like it should be in the same
> permissions bucket as committing translations changes to Git & I don't see
> any real connection other than that the process is running as gnomeweb (is it?)
> on l10n.gnome.org. I would expect a separate user 'translations' or something.

The question is whether we will authorize DL itself to push updates (gnomeweb
user then makes sense), or if this will be done in a separate script (as Jeff
suggested before). I'm not completely opposed to the latter, but it adds some
more complexity (one more layer to maintain) and would add some delay between
coordinator submission and arrival in real git branch. Note that especially on
release time, this can be important. And I'm not sure it adds more security,
does it?



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #17 from Owen Taylor otay...@redhat.com 2010-10-29 20:27:32 UTC ---
(In reply to comment #8)
> Ok so here is the plan of attack...
> 
> 1.) Setup a password-less ssh key for gnome...@l10n.gnome.org. Make the private
> key readable by the gnomeweb _user_ only and not the group. l10n.gnome.org has
> fairly limited user access as is so the attack vector is lower than many other
> servers.

Is damned lies really running as gnomeweb? Thought we pretty much gave up on
running web services under a non-apache user.

Basically if you have commit access to l10n.gnome.org you can make the account
do whatever you want, so I don't think locking down the key too hard has a
point. Readable-as-web-service-user seems about as good as we can easily do.

> 2.) Have create-auth[1] throw down a special ssh key[2] for the gnomeweb user
> including the host=boron.canonical.com,91.189.93.2 line when given the
> --gnomeweb-hack argument. This restricts ssh connections from that ssh key to
> only originate from l10n.gnome.org aka progress.gnome.org aka
> boron.canonical.com.
> 
> The patch to do this is attached. Owen or someone else on the sysadmin team
> please review it to let me know if this is the right idea. create-auth is going
> to get a lot of love later on. Splinter is truncating the full length of the
> patch in my browser so look at it raw.

See separate review.

> 3.) On l10n.gnome.org, configure the git global user (and the d-l process that
> commits) to be Damned-Lies Autocommit, and the global git client email to a
> mailinglist that emails all of the translators (if that list exists). This is
> for reply to go to the main l10n email list if someone wants to reply to an
> auto-checkin.

I think nore...@gnome.org would be better. (Check that that's what we use for
bugzilla mail, etc.) Mail aliases imply accountability for responses. Also, I
would make the name something meaningful - Damned-Lies is an implementation
detail.

> 4.) Write a simple bourne shell git hook that runs these checks:
>    a.) [ $(/usr/bin/whoami) = gnomeweb ]
>    b.) [ $(/usr/bin/id -u)  = 2184 ]
>    c.) [ $committer_name  = Damned-Lies Autocommit ]
>    d.) [ $committer_email = the email for the main l10n list ]
>    e.) If it works[2], logic similar to Claude's pseudocode would be perfect.
> 
> I double-checked that whoami runs geteuid(2) (yay strace) so b isn't 100%
> necessary. The goal is max paranoia and gracefully die if anything is off. c
> and d are easy for anyone to circumvent with git commit --author, but they
> are just an extra layer of sanity checking. e is to make sure that only
> translation files are being committed.

Hmmm, not really a fan of belt-and-suspenders-and-duct-tape. Adding easily
circumventable checks just adds potential breakage without security. I'd do a
single check that we are confident in. /usr/bin/whoami = translation user
seems good enough to me. If you can subvert that, you can subvert the operation
of the shell script and the system to the point where that single check working
doesn't matter. 

> 5.) Teach d-l how to commit translations to a local git repository and rebase
> on top of changes (hello git.py). The sysadmin team will write a cronjob to
> periodically push commits to git.gnome.org as user gnomeweb. I'll address
> points 1-3 now and put this off to someone else until at very least after the
> Boston Summit.

This part is all up to the damned lies maintainers - I thought that they already
had code. Transifex certainly does.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #18 from Jeff Schroeder jeffschroe...@computer.org 2010-10-29 21:14:54 UTC ---
(In reply to comment #17)
> (In reply to comment #8)
> > Ok so here is the plan of attack...
> > 
> > 1.) Setup a password-less ssh key for gnome...@l10n.gnome.org. Make the private
> > key readable by the gnomeweb _user_ only and not the group. l10n.gnome.org has
> > fairly limited user access as is so the attack vector is lower than many other
> > servers.
> 
> Is damned lies really running as gnomeweb? Thought we pretty much gave up on
> running web services under a non-apache user.

We run django apps as user gnomeweb. mod_wsgi is very flexible and gives
advantages to running things this way. The tomboy online webapp, snowy, runs as
gnomeweb as well.

> Basically if you have commit access to l10n.gnome.org you can make the account
> do whatever you want, so I don't think locking down the key too hard has a
> point. Readable-as-web-service-user seems about as good as we can easily do.

Ok so the question is do we want d-l to run the equivalent of git push directly
to git.gnome.org? It does open things up a bit more, but in the worst possible
case, someone reverts the commits and it is only language files. You seem to be
of the opinion that it is ok to give users enough rope to hang themselves. I'm
still working out the details of how things in gnome-land work :)

> > 2.) Have create-auth[1] throw down a special ssh key[2] for the gnomeweb user
> > including the host=boron.canonical.com,91.189.93.2 line when given the
> > --gnomeweb-hack argument. This restricts ssh connections from that ssh key to
> > only originate from l10n.gnome.org aka progress.gnome.org aka
> > boron.canonical.com.
> > 
> > The patch to do this is attached. Owen or someone else on the sysadmin team
> > please review it to let me know if this is the right idea. create-auth is going
> > to get a lot of love later on. Splinter is truncating the full length of the
> > patch in my browser so look at it raw.
> 
> See separate review.

I agree with almost all of it, but can't respond in depth or do anything about
it until later tomorrow or this weekend. That whole real life thing.

> > 3.) On l10n.gnome.org, configure the git global user (and the d-l process that
> > commits) to be Damned-Lies Autocommit, and the global git client email to a
> > mailinglist that emails all of the translators (if that list exists). This is
> > for reply to go to the main l10n email list if someone wants to reply to an
> > auto-checkin.
> 
> I think nore...@gnome.org would be better. (Check that that's what we use for
> bugzilla mail, etc.) Mail aliases imply accountability for responses. Also, I
> would make the name something meaningful - Damned-Lies is an implementation
> detail.

That is all arbitrary and subject to change.

> > 4.) Write a simple bourne shell git hook that runs these checks:
> >    a.) [ $(/usr/bin/whoami) = gnomeweb ]
> >    b.) [ $(/usr/bin/id -u)  = 2184 ]
> >    c.) [ $committer_name  = Damned-Lies Autocommit ]
> >    d.) [ $committer_email = the email for the main l10n list ]
> >    e.) If it works[2], logic similar to Claude's pseudocode would be perfect.
> > 
> > I double-checked that whoami runs geteuid(2) (yay strace) so b isn't 100%
> > necessary. The goal is max paranoia and gracefully die if anything is off. c
> > and d are easy for anyone to circumvent with git commit --author, but they
> > are just an extra layer of sanity checking. e is to make sure that only
> > translation files are being committed.
> 
> Hmmm, not really a fan of belt-and-suspenders-and-duct-tape. Adding easily
> circumventable checks just adds potential breakage without security. I'd do a
> single check that we are confident in. /usr/bin/whoami = translation user
> seems good enough to me. If you can subvert that, you can subvert the operation
> of the shell script and the system to the point where that single check working
> doesn't matter.

History and smart people like Dan Walsh and Bruce Schneier have taught me
security works best in layers. However, I'm still fairly new to how we handle
things so this list will be shortened to a and e.

> > 5.) Teach d-l how to commit translations to a local git repository and rebase
> > on top of changes (hello git.py). The sysadmin team will write a cronjob to
> > periodically push commits to git.gnome.org as user gnomeweb. I'll address
> > points 1-3 now and put this off to someone else until at very least after the
> > Boston Summit.
> 
> This part is all up to the damned lies maintainers - I thought that they already
> had code. Transifex certainly does.

Claude seems to be of the opinion d-l should do that. If you're ok with it, I'm
ok with it.


[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Jeff Schroeder jeffschroeder changed:

   What|Removed |Added

 Attachment #173458 is obsolete|0   |1

--- Comment #20 from Jeff Schroeder jeffschroe...@computer.org 2010-10-30 00:40:38 UTC ---
Created an attachment (id=173543)
 View: https://bugzilla.gnome.org/attachment.cgi?id=173543
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=173543

Version 3 addressing all of Owen's comments



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-29 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #21 from Jeff Schroeder jeffschroe...@computer.org 2010-10-30 00:42:36 UTC ---
I've created a translations user with the shell set to /sbin/nologin and tested
the script:

[r...@label ~]# /tmp/create-auth --translation-user gnomeweb webusers bugzilla
Added 1 user:
translations

[r...@label ~]# cd /etc/sshd/users/translations/
[r...@label translations]# cat authorized_keys 
command=/home/admin/bin/run-git-or-special-cmd,no-pty,no-port-forwarding,host=91.189.93.2
ssh-rsa
B3NzaC1yc2EBIwAAAQEAoP1vEyT0IiDzmedoe+NKpgJ0pe47pOiaX31/XAntQ5+WWJn2PJDZIGyxBmgSjO8z4pdk7TMV9Bf2ryJRwEnEJDNkAoz1HJM8WUCt0l2SYwS4Qrem2AYHqPJTESrSLkwtEkK4WZrrk00Mp8/dUUBAL3uM5lTKjQuRXZ2PFZFBg79KTP4mrakZ0eTuvvs/jA13Fa8g9q5Ho3A7pe8kpTWCYeqzVbsTMHd1u7s3hiZ5JZhiCHeEOrXN/APtMpSH16wnBjogershs4BzRyAGu2SGcJOs+5jII26tFC3RcFrqTYsaaaplDlZp1j0fKGdQBe+v+SmR6OWFPzlxnhmeQFpqow==
gnome...@progress.gnome.org_l10n_autocommit_git_only_key
[r...@label translations]# /tmp/create-auth gnomeweb webusers bugzilla
Removed 1 user:
translations

Once this is in I'll update puppet and then write the git commit hook.

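As an added illustration, not GNOME's run-git-or-special-cmd and not code from this thread: this is the kind of check a forced command behind such a key can make before handing off to git. It assumes bare repositories under /git and that the key is only ever used to push, so git-receive-pack is the sole permitted service; the repository layout, the wrapper name and the rebuilt command are assumptions, not details taken from the bug. The wrapper reads SSH_ORIGINAL_COMMAND, accepts exactly one allowed service with one well-formed repository argument, and re-issues that command itself through git-shell instead of executing the client's string.

```python
#!/usr/bin/env python3
"""Forced-command wrapper for a push-only SSH key (added example).

Not the run-git-or-special-cmd script from the thread. Assumes bare
repositories under REPO_ROOT and that the key may only push; both are
assumptions made for this illustration.
"""
import os
import re
import shlex
import sys

REPO_ROOT = "/git"                        # assumed location of the bare repos
ALLOWED_SERVICES = {"git-receive-pack"}   # push only: no clone/fetch, no shell
# Accept "/git/name.git", "name.git" or "name": one path component, no "..".
REPO_ARG = re.compile(r"^/?(?:git/)?([A-Za-z0-9][A-Za-z0-9._-]*?)(?:\.git)?/?$")


def repo_for_command(original_command):
    """Map SSH_ORIGINAL_COMMAND to the bare repository it targets.

    Returns the absolute repository path, or None for anything that is not
    exactly one allowed git service with one well-formed repository argument.
    """
    try:
        argv = shlex.split(original_command or "")
    except ValueError:                    # unbalanced quotes and the like
        return None
    if len(argv) != 2 or argv[0] not in ALLOWED_SERVICES:
        return None
    match = REPO_ARG.match(argv[1])
    if match is None:
        return None
    repo = os.path.join(REPO_ROOT, match.group(1) + ".git")
    # Belt and braces: the resolved path must still live under REPO_ROOT.
    if not os.path.realpath(repo).startswith(REPO_ROOT + "/"):
        return None
    return repo


def main():
    repo = repo_for_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if repo is None:
        sys.stderr.write("this key may only push to a repository under /git\n")
        return 1
    # Hand off to git's own restricted shell with a command we rebuilt
    # ourselves; the client's original string is never executed.
    os.execvp("git-shell", ["git-shell", "-c",
                            "git-receive-pack " + shlex.quote(repo)])


if __name__ == "__main__":
    sys.exit(main())
```

In the authorized_keys entry the wrapper goes in `command="..."` together with `no-pty`, `no-port-forwarding`, `no-agent-forwarding` and `no-X11-forwarding`; the OpenSSH option that pins a key to a source address is `from="..."`. Because the wrapper rebuilds the git command from the parsed repository name, a client that appends `; rm -rf /` or asks for git-upload-pack gets nothing but the error message.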


[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-28 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #7 from Jeff Schroeder jeffschroe...@computer.org 2010-10-29 05:15:00 UTC ---
Created an attachment (id=173457)
 View: https://bugzilla.gnome.org/attachment.cgi?id=173457
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=173457

create-auth patch

This is pretty ugly, but there doesn't seem like a super clean way to do this.
The create-auth script needs a bit of refactoring to not make me cry.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-28 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Jeff Schroeder jeffschroeder changed:

   What|Removed |Added

 Attachment #173457|0   |1
is obsolete||

--- Comment #9 from Jeff Schroeder jeffschroe...@computer.org 2010-10-29 05:32:01 UTC ---
Created an attachment (id=173458)
 View: https://bugzilla.gnome.org/attachment.cgi?id=173458
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=173458

Version 2

Forgot a global GNOMEWEB statement before. Not strictly necessary and works
without, but it fits with the rest of the existing coding style.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-10-26 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Gil Forcada gforcada changed:

   What|Removed |Added

 CC||gforc...@gnome.org

--- Comment #6 from Gil Forcada gforc...@gnome.org 2010-10-26 10:53:31 UTC ---
So, to sum up (and maybe get my hands dirty with it): what should this git
hook do?

- check that only po files are changed/added
- check the user (as per Owen's comment)
- anything else?

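The two checks listed in the comment above, as an added example and not the hook that was eventually written for this bug: a git `update` hook that, for one restricted account, rejects any push whose net change touches anything other than po/<lang>.po, and additionally refuses tags, new branches and branch deletions for that account. The account name `translations`, the GNOME_USER environment variable used to identify the pusher, and the po/<lang>.po path convention are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""git `update` hook policy for a po-only translation account (added example).

Not the hook written for the bug. Assumptions: the pushing account arrives
in the GNOME_USER environment variable, the restricted account is named
"translations", and UI translations live at po/<lang>.po.
"""
import os
import re
import subprocess
import sys

RESTRICTED_USER = "translations"   # assumed name of the l10n bot account
ALLOWED_STATUS = {"A", "M"}        # adds and edits only: no delete/rename/copy
# po/fr.po, po/pt_BR.po, po/sr@latin.po, po/ca@valencia.po ...
PO_FILE = re.compile(r"^po/[A-Za-z]{2,3}(?:_[A-Za-z]{2,4})?(?:@[A-Za-z]+)?\.po$")


def check_changes(user, ref, changes):
    """Decide whether `user` may update `ref` given the net file changes.

    `changes` is a list of (status, path) pairs as printed by
    `git diff-tree --name-status`. Returns (allowed, reason).
    """
    if user != RESTRICTED_USER:
        return True, "unrestricted account"
    if not ref.startswith("refs/heads/"):
        return False, "%s may only update branches, not %s" % (user, ref)
    if not changes:
        return False, "push contains no file changes"
    for status, path in changes:
        if status[:1] not in ALLOWED_STATUS:      # R100, D, C75 ... all rejected
            return False, "%s: change type %s is not allowed" % (path, status)
        if not PO_FILE.match(path):
            return False, "%s: only po/<lang>.po may be committed" % path
    return True, "po-only change set"


def main(argv):
    ref, old, new = argv[1:4]                      # update-hook arguments
    user = os.environ.get("GNOME_USER", "")
    # All-zero revisions mean ref creation or deletion; deny both to the bot.
    if user == RESTRICTED_USER and (old.strip("0") == "" or new.strip("0") == ""):
        sys.stderr.write("%s may not create or delete refs\n" % user)
        return 1
    out = subprocess.run(
        ["git", "diff-tree", "--no-commit-id", "--name-status", "-r", old, new],
        capture_output=True, text=True, check=True).stdout
    changes = [tuple(line.split("\t", 1)) for line in out.splitlines() if line]
    ok, reason = check_changes(user, ref, changes)
    if not ok:
        sys.stderr.write("rejected: %s\n" % reason)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The ref and account checks run before git is consulted, so a tag push or a branch deletion from the bot is refused without reading any objects. `git diff-tree old new` examines the net change of the whole push; if intermediate commits must also stay within po/, walk `git rev-list old..new` and apply `check_changes` to each commit.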


[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2010-07-11 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

Paul Cutler pcutler changed:

   What|Removed |Added

 Status|UNCONFIRMED |NEW
 CC||pcut...@gnome.org
 Ever Confirmed|0   |1

--- Comment #5 from Paul Cutler pcut...@gnome.org 2010-07-11 19:01:59 UTC ---
Alexandro,

Can you take another look at the code per Owen's comments?  Please ping Claude
if you have questions on the functionality needed.

Thanks.



[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

2009-10-20 Thread sysadmin
https://bugzilla.gnome.org/show_bug.cgi?id=599066
  sysadmin | Git | unspecified

--- Comment #1 from Claude Paroz cla...@2xlibre.net 2009-10-20 18:22:17 CEST ---
This of course is only valid for UI translations, not documentation where image
files and Makefile.am have to be touched. But this could be done in a second
step.
