[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org
https://bugzilla.gnome.org/show_bug.cgi?id=599066
sysadmin | Git | unspecified

Frederic Peters (fpeters) changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |fpet...@0d.be

--- Comment #49 from Frederic Peters <fpet...@0d.be> 2013-12-02 10:05:28 UTC ---
For reference, I sent this bug report to the new system; it has been assigned
an ID of [gnome.org #14045]. That would be
https://rt.gnome.org/SelfService/Display.html?id=14045, but it's not public.

-- 
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the QA contact of the bug.
You are watching the assignee of the bug.
_______________________________________________
gnome-infrastructure mailing list
gnome-infrastructure@gnome.org
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure

Andrea Veri (andrea.veri) changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |RESOLVED
         Resolution|        |OBSOLETE

--- Comment #48 from Andrea Veri <andrea.v...@gmail.com> 2013-11-21 14:57:00 UTC ---
The GNOME Infrastructure Team is currently migrating its bug / issue tracker
away from Bugzilla to Request Tracker, and therefore all the currently open
bugs have been closed and marked as OBSOLETE. The following move will also act
as a cleanup for very old and ancient tickets that were still living on
Bugzilla.

If your issue still hasn't been fixed as of today, please report it again on
the relevant RT queue. More details about the available queues you can report
the bug against can be found at https://wiki.gnome.org/Sysadmin/RequestTracker.

Thanks for your patience,
the GNOME Infrastructure Team

--- Comment #46 from Owen Taylor <otay...@redhat.com> 2013-09-06 16:05:38 UTC ---
Created an attachment (id=254271)
 View: https://bugzilla.gnome.org/attachment.cgi?id=254271
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=254271

run-git-or-special-cmd: check the git directory

Check that the directory being accessed is in /git and has the correct hooks.

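The check that attachment 254271 describes (the requested directory must be under /git and must carry the correct hooks) is the kind of validation a forced-command wrapper has to do before it hands the request to git, because the restricted key's `command=` is the only thing standing between the translations account and an arbitrary repository. The following is an added example written for this page, not GNOME's run-git-or-special-cmd script. The repository root `/git` and the forced-command mechanism come from the thread; the shared hook location, the function names `parse_command`/`check_repository`, and the `build_sample_layout` demo tree are assumptions.

```python
"""Forced-command wrapper that validates a git push target before running git.

Added example, not GNOME's run-git-or-special-cmd. sshd runs it as the
command= of the restricted key and passes the client's request in
SSH_ORIGINAL_COMMAND, for example:  git-receive-pack '/git/foo.git'
"""
import filecmp
import os
import shlex
import subprocess
import sys
import tempfile

ALLOWED_SERVICES = ("git-receive-pack", "git-upload-pack")
REPO_ROOT = "/git"                                    # repository root from the thread
SHARED_HOOK = "/home/admin/bin/pre-receive"           # assumption: the shared hook's master copy


def parse_command(original):
    """Split SSH_ORIGINAL_COMMAND into (service, repository path).

    Anything but exactly one allowed git service with one argument is refused,
    so shell metacharacters or extra words never reach a shell.
    """
    try:
        argv = shlex.split(original or "")
    except ValueError:                                # unbalanced quotes
        return None
    if len(argv) != 2 or argv[0] not in ALLOWED_SERVICES:
        return None
    return argv[0], argv[1]


def check_repository(path, root=REPO_ROOT, shared_hook=SHARED_HOOK):
    """Return None if `path` is a bare repository inside `root` whose
    hooks/pre-receive is byte-identical to `shared_hook` (a symlink to it or a
    copy of it both pass); otherwise return the reason for refusing.
    """
    real_root = os.path.realpath(root)
    candidate = path if os.path.isabs(path) else os.path.join(real_root, path)
    real = os.path.realpath(candidate)                # resolves ../ and symlinks
    if real == real_root or os.path.commonpath([real, real_root]) != real_root:
        return "%s is not under %s" % (path, root)
    if not (os.path.isdir(os.path.join(real, "objects"))
            and os.path.isfile(os.path.join(real, "HEAD"))):
        return "%s is not a bare git repository" % path
    hook = os.path.join(real, "hooks", "pre-receive")
    if not os.path.isfile(hook) or not os.access(hook, os.X_OK):
        return "%s has no executable pre-receive hook" % path
    if not filecmp.cmp(hook, shared_hook, shallow=False):
        return "%s does not carry the shared pre-receive hook" % path
    return None


def build_sample_layout():
    """Constructed demo tree (not a real GNOME layout): <tmp>/git/good.git
    links hooks/pre-receive to the shared hook, <tmp>/git/nohook.git has no
    hook at all. Returns the paths needed to exercise check_repository()."""
    base = tempfile.mkdtemp(prefix="forced-cmd-demo-")
    shared = os.path.join(base, "sysadmin-bin", "pre-receive")
    os.makedirs(os.path.dirname(shared))
    with open(shared, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(shared, 0o755)
    root = os.path.join(base, "git")
    for name, link_hook in (("good.git", True), ("nohook.git", False)):
        repo = os.path.join(root, name)
        os.makedirs(os.path.join(repo, "objects"))
        os.makedirs(os.path.join(repo, "hooks"))
        with open(os.path.join(repo, "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/master\n")
        if link_hook:
            os.symlink(shared, os.path.join(repo, "hooks", "pre-receive"))
    return {"root": root, "shared": shared, "good": os.path.join(root, "good.git")}


def main():
    parsed = parse_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if parsed is None:
        sys.stderr.write("refused: only git-receive-pack/git-upload-pack "
                         "with a single repository argument are allowed\n")
        return 1
    service, path = parsed
    reason = check_repository(path)
    if reason is not None:
        sys.stderr.write("refused: %s\n" % reason)
        return 1
    target = path if os.path.isabs(path) else os.path.join(REPO_ROOT, path)
    return subprocess.call([service, target])


if __name__ == "__main__":
    sys.exit(main())
```

Two design points worth noting: the repository path is canonicalised with `realpath` before the containment test, so `../` segments and symlinks out of the root are caught, and the hook is compared by content rather than by path, which is what makes the "has the correct hooks" condition hold for repositories that received a copy of the hook as well as for those that symlink it.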
--- Comment #45 from Owen Taylor <otay...@redhat.com> 2013-09-06 16:02:59 UTC ---
Created an attachment (id=254268)
 View: https://bugzilla.gnome.org/attachment.cgi?id=254268
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=254268

create-auth: Fix up --translation-user option

The handling of --translation-user had some quirks - for example, specifying
--translation-user would silently force on inclusion of all GIT users.
Rearrange option handling for --translation-user so that it works in a more
expected way.

--- Comment #47 from Owen Taylor <otay...@redhat.com> 2013-09-06 17:37:20 UTC ---
(In reply to comment #44)

I don't see much point in having a separate user to do the push on the client
side. The only point would be if the sudo'ed command tried to restrict exactly
what was pushed - if you can push anything then there is no security
improvement at all. And duplicating complicated checks on client and server
seems like too much.

Thinking about it, there is one significant thing you do get out of a sudo
setup, which is preventing a directory traversal (or other read-only)
vulnerability from exposing the private key for someone to take and try to do
stuff on their own system. But hopefully locking the key to one IP *mostly*
handles that.

So there would be some advantage, but I don't see it as blocking getting
something going.

Andrea Veri (andrea.veri) changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |andrea.v...@gmail.com

--- Comment #40 from Andrea Veri <andrea.v...@gmail.com> 2013-08-24 12:44:34 UTC ---
Here's how the final setup looks:

1. The translations user was added into LDAP and an SSH key pair was generated
   for this user; the key is currently living in
   /usr/local/www/gnomeweb/.ssh/translations_rsa on progress.gnome.org. The
   translations user has its own switch on create-auth, and it's currently not
   part of the gnomevcs group. The gnomeweb user has rw access to the file; the
   file is not group accessible.

2. create-auth is restricting access to the translations user, making sure the
   user itself can only reach git.gnome.org from boron.canonical.com; in
   addition it can't get a pty allocated. More details at
   https://git.gnome.org/browse/sysadmin-bin/tree/create-auth#n40. Thanks Jeff
   for your past work on this.

3. Owen's hook has been committed to sysadmin-bin and enabled globally. The
   hook will make sure that the only committable files are PO/help files, with
   the addition of the LINGUAS line in Makefile.am.

4. The only downside of the whole setup is the translations_rsa file being
   handled by gnomeweb, which is the user that is currently running the
   damned-lies service. I did ask Claude to properly implement a way to really
   use the translations user for making the commit. I personally don't see any
   grave security issue in this: we have a lot of checks in place already, and
   removing an offending key is a matter of a few seconds in case an attacker
   gains access to the gnomeweb user. But having the command executed by a user
   != gnomeweb would indeed be nice; that way, even if an attacker gains access
   to the gnomeweb user by hacking the damned-lies app, the SSH key won't be
   accessible at all, given that it's chowned to translations:translations in
   0600 mode.

--- Comment #41 from Andrea Veri <andrea.v...@gmail.com> 2013-08-24 12:50:56 UTC ---
Owen, if you feel the whole setup is fine, we can go ahead and add the relevant
switch on the damned-lies web UI so that the whole process goes to production.

--- Comment #36 from Owen Taylor <otay...@redhat.com> 2013-08-06 15:17:44 UTC ---
Created an attachment (id=250984)
 View: https://bugzilla.gnome.org/attachment.cgi?id=250984
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=250984

Add a pre-receive hook that limits the translations user

Before we allow the 'translations' user to commit, check that the change is
something we expect from l10n.gnome.org - a change to a .po file, a LINGUAS
file, or the addition of a language to a help Makefile.am.

--- Comment #34 from Olav Vitters <bugzilla-gn...@vitters.nl> 2012-01-04 08:34:54 UTC ---
Nobody. I lack the knowledge for sure.

--- Comment #32 from Olav Vitters <bugzilla-gn...@vitters.nl> 2011-08-10 14:44:29 UTC ---
I looked at the script, but it only gives an SSH key full access to the GNOME
git repository. I thought we wanted to limit what could be committed?

Anyway, I have very limited knowledge regarding Git. Owen: thoughts?

--- Comment #30 from Petr Kovar <pk...@volny.cz> 2011-06-21 13:26:37 UTC ---
Hey guys, are there any plans on working on this feature during this (3.1/3.2)
development cycle? Needless to say, GNOME translators would (still) really
appreciate it. TIA

--- Comment #28 from Jeff Schroeder <jeffschroe...@computer.org> 2010-11-04 01:52:26 UTC ---
@Owen: It seems impossible, given a user with write access to a repository, to
somehow deny them write access if the hook that checks their access is removed.
Also, the only people capable of doing that are sysadmin or gitadmin team
members. It seems like a reasonable enough tradeoff.

Olav Vitters (bugzilla-gnome) changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |bugzilla-gn...@vitters.nl

--- Comment #22 from Olav Vitters <bugzilla-gn...@vitters.nl> 2010-10-30 13:02:25 UTC ---
How do you handle the server side? Loads of Git repositories run under the
gnomecvs user. Most have the common GNOME git hook, so you can do a pre-push
check. However, not all have the common git hook, allowing this translation
user to commit to them.

--- Comment #24 from Olav Vitters <bugzilla-gn...@vitters.nl> 2010-10-30 22:10:10 UTC ---
Jeff: You only checked the repositories in /git? I thought we had repositories
in other locations as well (not only the git VM), but forgot the details.

--- Comment #25 from Jeff Schroeder <jeffschroe...@computer.org> 2010-10-30 23:09:11 UTC ---
I looked at /etc/cgitrc and /git/cgit.repositories. In those files, there are
no repositories anywhere but under /git. If there are, they won't need the
translation user to commit files to them. Also, they need to be fixed and put
under /git. If you can find any more, by all means let's fix them and put them
under /git. At the very least, a symlink would do.

--- Comment #10 from Owen Taylor <otay...@redhat.com> 2010-10-29 14:34:34 UTC ---
(In reply to comment #8)
> Splinter is truncating the full length of the patch in my browser so look at
> it raw.

I don't see this - the Splinter review view seems to show everything for me.

--- Comment #11 from Jeff Schroeder <jeffschroe...@computer.org> 2010-10-29 14:45:07 UTC ---
@owen: Must be a bleeding edge chromium issue. Any problems with me merging the
patch to create-auth and adding an ssh key to gnomeweb? I tested it with ldapvi
and it worked fine.

--- Comment #12 from Owen Taylor <otay...@redhat.com> 2010-10-29 14:48:24 UTC ---
(In reply to comment #11)
> @owen: Must be a bleeding edge chromium issue. Any problems with me merging
> the patch to create-auth and adding an ssh key to gnomeweb? I tested it with
> ldapvi and it worked fine.

I didn't review the patch. (That's not the same as having objections, but some
care with create-auth is important.) I can try to get to it later today,
though I'm not necessarily the authoritative person for create-auth these days.

Owen Taylor (otaylor) changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #173458|none    |needs-work
             status|        |

--- Comment #15 from Owen Taylor <otay...@redhat.com> 2010-10-29 20:07:18 UTC ---
Review of attachment 173458:
 --> (https://bugzilla.gnome.org/review?bug=599066&attachment=173458)

Main problem I have with this is that I don't think we should be recycling the
gnomeweb user for this. Otherwise comments are pretty superficial.

::: create-auth
@@ +29,3 @@
 GNOMECVS=0
 GNOMEGIT=0
+GNOMEWEB=0

GNOMEWEB isn't at all like the other variables or options here, this would
have to be GNOMEWEB_USER or something.

But I don't like using the gnomeweb user for this. gnomeweb is about editing
web config, viewing web logs, etc. Doesn't seem like it should be in the same
permissions bucket as committing translations changes to Git. I don't see any
real connection other than that the process is running as gnomeweb (is it?) on
l10n.gnome.org. I would expect a separate user 'translations' or something.

@@ +130,3 @@
+if not GNOMEWEB and gnomeweb in users:
+users.remove('gnomeweb')

Probably harmless, but makes no code sense to me

@@ +184,3 @@
 #file.write (command=\/usr/bin/cvs server\,no-pty,no-port-forwarding )
+if GNOMEWEB and user['uid'] == gnomeweb:
+file.write (command=\/home/admin/bin/run-git-or-special-cmd\,no-pty,no-port-forwarding,host=\boron.canonical.com,91.189.93.2\ )

Belt and suspenders doesn't make sense to me - either host or IP, why both?

@@ +257,3 @@
+if '--gnomeweb-hack' in group_list:
+GNOMEWEB=1
+group_list = filter (lambda x: x != '--gnomeweb-hack', group_list)

What's a hack about it?

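Review bot: in the @@ +184,3 @@ hunk the option meant to pin the key to its source machine is spelled `host=...`, but the authorized_keys option sshd(8) documents for that purpose is `from="pattern-list"`; verify the option name against the sshd actually running on the git host before deploying, because sshd refuses a key whose option list it cannot parse, which would leave the account unable to push at all rather than merely restricted. A `from=` pattern list is also satisfied as soon as any one entry matches, so listing both `boron.canonical.com` and `91.189.93.2` is an either/or, not a double check; that is why the hostname-plus-IP pair questioned above is redundant, and the single-address form shown in the create-auth test output in comment #21 is the simpler choice.
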
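Review bot: the @@ +257,3 @@ hunk recognises `--gnomeweb-hack` by scanning `group_list`, the positional list of groups, and then strips it back out with `group_list = filter (lambda x: x != '--gnomeweb-hack', group_list)`; an option parsed out of the group list means a misspelt flag is silently passed on as a group name instead of failing, so it should be handled with the script's other option handling and rejected when malformed. The flag's only effect is to set the module-level `GNOMEWEB=1` that the @@ +130,3 @@ hunk consults, and nothing in the patch states what that is expected to do to the rest of the emitted user list; a usage line documenting the flag (and a less ad-hoc name, as asked above) would make the intent reviewable.
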
--- Comment #16 from Claude Paroz <cla...@2xlibre.net> 2010-10-29 20:24:30 UTC ---
(In reply to comment #15)
> Review of attachment 173458 [details]:
> (...)
> But I don't like using the gnomeweb user for this. gnomeweb is about editing
> web config, viewing web logs, etc. Doesn't seem like it should be in the same
> permissions bucket as committing translations changes to Git. I don't see any
> real connection other than that the process is running as gnomeweb (is it?)
> on l10n.gnome.org. I would expect a separate user 'translations' or
> something.

The question is whether we will authorize DL itself to push updates (the
gnomeweb user then makes sense), or if this will be done in a separate script
(as Jeff suggested before). I'm not completely opposed to the latter, but it
adds some more complexity (one more layer to maintain) and would add some delay
between coordinator submission and arrival in the real git branch. Note that
especially at release time, this can be important. And I'm not sure it adds
more security, does it?

--- Comment #17 from Owen Taylor <otay...@redhat.com> 2010-10-29 20:27:32 UTC ---
(In reply to comment #8)
> Ok so here is the plan of attack...
>
> 1.) Setup a password-less ssh key for gnome...@l10n.gnome.org. Make the
> private key readable by the gnomeweb _user_ only and not the group.
> l10n.gnome.org has fairly limited user access as is so the attack vector is
> lower than many other servers.

Is damned lies really running as gnomeweb? Thought we pretty much gave up on
running web services under a non-apache user.

Basically if you have commit access to l10n.gnome.org you can make the account
do whatever you want, so I don't think locking down the key too hard has a
point. Readable-as-web-service-user seems about as good as we can easily do.

> 2.) Have create-auth[1] throw down a special ssh key[2] for the gnomeweb user
> including the host=boron.canonical.com,91.189.93.2 line when given the
> --gnomeweb-hack argument. This restricts ssh connections from that ssh key to
> only originate from l10n.gnome.org aka progress.gnome.org aka
> boron.canonical.com. The patch to do this is attached. Owen or someone else
> on the sysadmin team please review it to let me know if this is the right
> idea. create-auth is going to get a lot of love later on. Splinter is
> truncating the full length of the patch in my browser so look at it raw.

See separate review.

> 3.) On l10n.gnome.org, configure the git global user (and the d-l process
> that commits) to be Damned-Lies Autocommit, and the global git client email
> to a mailinglist that emails all of the translators (if that list exists).
> This is for reply to go to the main l10n email list if someone wants to
> reply to an auto-checkin.

I think nore...@gnome.org would be better. (Check that that's what we use for
bugzilla mail, etc.) Mail aliases imply accountability for responses.

Also, I would make the name something meaningful - Damned-Lies is an
implementation detail.

> 4.) Write a simple bourne shell git hook that runs these checks:
> a.) [ "$(/usr/bin/whoami)" = "gnomeweb" ]
> b.) [ "$(/usr/bin/id -u)" = "2184" ]
> c.) [ "$committer_name" = "Damned-Lies Autocommit" ]
> d.) [ "$committer_email" = "the email for the main l10n list" ]
> e.) If it works[2], logic similar to Claude's pseudocode would be perfect.
>
> I double-checked that whoami runs geteuid(2) (yay strace) so b isn't 100%
> necessary. The goal is max paranoia and gracefully die if anything is off. c
> and d are easy for anyone to circumvent with git commit --author, but they
> are just an extra layer of sanity checking. e is to make sure that only
> translation files are being committed.

Hmmm, not really a fan of belt-and-suspenders-and-duct-tape. Adding easily
circumventable checks just adds potential breakage without security. I'd do a
single check that we are confident in. /usr/bin/whoami = translation user
seems good enough to me. If you can subvert that, you can subvert the
operation of the shell script and the system to the point where that single
check working doesn't matter.

> 5.) Teach d-l how to commit translations to a local git repository and
> rebase ontop of changes (hello git.py). The sysadmin team will write a
> cronjob to periodically push commits to git.gnome.org as user gnomeweb. I'll
> address points 1-3 now and put this off to someone else until at very least
> after the Boston Summit.

This part is all up to the damned lies maintainers - though that they already
had code. Transifex certainly does.

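The hook design that comes out of this exchange, and that comment #36's attachment and comment #40's summary later describe, has two parts: one check the server can trust (which account is pushing) and a content check that the translations account touches only .po files, LINGUAS files, or a help Makefile.am in which a language was added. Below is an added example of such a pre-receive hook written for this page; it is not the hook committed to sysadmin-bin. The account name `translations`, the file classes, and the use of a pre-receive hook come from the thread; the `HELP_LINGUAS`/`DOC_LINGUAS` variable names, the function names, the sample Makefile.am text, and the decision to refuse ref creation and deletion are assumptions.

```python
"""pre-receive hook restricting what the 'translations' account may push.

Added example, not the hook from sysadmin-bin. git runs it on the server with
one "old-sha new-sha refname" line per updated ref on stdin; a non-zero exit
rejects the whole push.
"""
import difflib
import os
import pwd
import re
import subprocess
import sys

TRANSLATIONS_USER = "translations"                       # account name from the thread
PO_FILE = re.compile(r"(^|/)(po|help)/.*\.po$")          # po/fr.po, help/fr/fr.po
LINGUAS_FILE = re.compile(r"(^|/)LINGUAS$")              # po/LINGUAS
HELP_MAKEFILE = re.compile(r"(^|/)help/Makefile\.am$")
# Assumption: the help language list is a single-line HELP_LINGUAS or DOC_LINGUAS assignment.
LINGUAS_ASSIGN = re.compile(r"^\s*(HELP|DOC)_LINGUAS\s*=\s*(.*)$")
NULL_SHA = "0" * 40                                      # SHA-1 repositories only

# Constructed sample Makefile.am contents (not taken from any GNOME module).
SAMPLE_OLD_MAKEFILE = "SUBDIRS = .\nHELP_LINGUAS = de fr\ninclude $(top_srcdir)/gnome-doc-utils.make\n"
SAMPLE_NEW_MAKEFILE = "SUBDIRS = .\nHELP_LINGUAS = de fr it\ninclude $(top_srcdir)/gnome-doc-utils.make\n"


def is_language_addition(old_text, new_text):
    """True iff new_text differs from old_text only by adding languages to one
    single-line *_LINGUAS assignment. Any other edit, a removed language, or a
    backslash-continued list is refused (conservatively)."""
    old_lines, new_lines = old_text.splitlines(), new_text.splitlines()
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines, autojunk=False)
    changed = False
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag != "replace" or i2 - i1 != 1 or j2 - j1 != 1:
            return False                                 # lines added/removed, or a multi-line edit
        old_m = LINGUAS_ASSIGN.match(old_lines[i1])
        new_m = LINGUAS_ASSIGN.match(new_lines[j1])
        if not old_m or not new_m or old_m.group(1) != new_m.group(1):
            return False                                 # the edited line is not the language list
        if "\\" in old_m.group(2) or "\\" in new_m.group(2):
            return False                                 # continued list: not handled, refuse
        if not set(old_m.group(2).split()) <= set(new_m.group(2).split()):
            return False                                 # a language was dropped
        changed = True
    return changed


def check_changes(changes, read_old, read_new):
    """changes: (status, path) pairs as printed by 'git diff-tree -r --name-status'.
    read_old/read_new return a path's content before/after the push. Returns the
    list of rejection reasons; an empty list means the push is acceptable."""
    reasons = []
    for status, path in changes:
        if PO_FILE.search(path) or LINGUAS_FILE.search(path):
            continue                                     # translation files: any change allowed
        if HELP_MAKEFILE.search(path) and status == "M":
            if is_language_addition(read_old(path), read_new(path)):
                continue
            reasons.append("%s: only adding a language to *_LINGUAS is allowed" % path)
            continue
        reasons.append("%s: not a translation file" % path)
    return reasons


def demo():
    """Run the policy over a constructed push: two allowed files, one allowed
    Makefile.am edit and one disallowed source file. Returns the reasons."""
    changes = [("M", "po/fr.po"), ("A", "po/LINGUAS"),
               ("M", "help/Makefile.am"), ("M", "src/main.c")]
    return check_changes(changes, lambda p: SAMPLE_OLD_MAKEFILE, lambda p: SAMPLE_NEW_MAKEFILE)


def git(*args):
    return subprocess.check_output(("git",) + args).decode("utf-8", "replace")


def main():
    # The one check the server can rely on: which account is pushing.
    # Every other account is left alone by this hook.
    if pwd.getpwuid(os.geteuid()).pw_name != TRANSLATIONS_USER:
        return 0
    for line in sys.stdin:
        old, new, ref = line.split()
        if old == NULL_SHA or new == NULL_SHA:
            sys.stderr.write("translations user may not create or delete %s\n" % ref)
            return 1
        changes = [tuple(entry.split("\t", 1))
                   for entry in git("diff-tree", "-r", "--name-status", old, new).splitlines()]
        reasons = check_changes(changes,
                                lambda p: git("show", "%s:%s" % (old, p)),
                                lambda p: git("show", "%s:%s" % (new, p)))
        for reason in reasons:
            sys.stderr.write("%s: %s\n" % (ref, reason))
        if reasons:
            return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Comparing the old and new tree of each ref with `git diff-tree` covers every commit in the push at once, so a push that smuggles a non-translation change in an intermediate commit and reverts it in the last one is still seen as a net no-op, while one whose final tree touches a source file is refused; the Makefile.am rule deliberately refuses anything it cannot prove to be a pure language addition rather than trying to be clever about continuation lines.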
--- Comment #18 from Jeff Schroeder <jeffschroe...@computer.org> 2010-10-29 21:14:54 UTC ---
(In reply to comment #17)
> (In reply to comment #8)
> > Ok so here is the plan of attack...
> >
> > 1.) Setup a password-less ssh key for gnome...@l10n.gnome.org. Make the
> > private key readable by the gnomeweb _user_ only and not the group.
> > l10n.gnome.org has fairly limited user access as is so the attack vector
> > is lower than many other servers.
>
> Is damned lies really running as gnomeweb? Thought we pretty much gave up on
> running web services under a non-apache user.

We run django apps as user gnomeweb. mod_wsgi is very flexible and gives
advantages to running things this way. The tomboy online webapp, snowy, runs as
gnomeweb as well.

> Basically if you have commit access to l10n.gnome.org you can make the
> account do whatever you want, so I don't think locking down the key too hard
> has a point. Readable-as-web-service-user seems about as good as we can
> easily do.

Ok so the question is do we want d-l to run the equivalent of git push directly
to git.gnome.org? It does open things up a bit more, but in the worst possible
case, someone reverts the commits and it is only language files. You seem to
be of the opinion that it is ok to give users enough rope to hang themselves.
I'm still working out the details of how things in gnome-land work :)

> > 2.) Have create-auth[1] throw down a special ssh key[2] for the gnomeweb
> > user including the host=boron.canonical.com,91.189.93.2 line when given
> > the --gnomeweb-hack argument. This restricts ssh connections from that ssh
> > key to only originate from l10n.gnome.org aka progress.gnome.org aka
> > boron.canonical.com. The patch to do this is attached. Owen or someone
> > else on the sysadmin team please review it to let me know if this is the
> > right idea. create-auth is going to get a lot of love later on. Splinter
> > is truncating the full length of the patch in my browser so look at it
> > raw.
>
> See separate review.

I agree with almost all of it, but can't respond in depth or do anything about
it until later tomorrow or this weekend. That whole real life thing.

> > 3.) On l10n.gnome.org, configure the git global user (and the d-l process
> > that commits) to be Damned-Lies Autocommit, and the global git client
> > email to a mailinglist that emails all of the translators (if that list
> > exists). This is for reply to go to the main l10n email list if someone
> > wants to reply to an auto-checkin.
>
> I think nore...@gnome.org would be better. (Check that that's what we use
> for bugzilla mail, etc.) Mail aliases imply accountability for responses.
>
> Also, I would make the name something meaningful - Damned-Lies is an
> implementation detail.

That is all arbitrary and subject to change.

> > 4.) Write a simple bourne shell git hook that runs these checks:
> > a.) [ "$(/usr/bin/whoami)" = "gnomeweb" ]
> > b.) [ "$(/usr/bin/id -u)" = "2184" ]
> > c.) [ "$committer_name" = "Damned-Lies Autocommit" ]
> > d.) [ "$committer_email" = "the email for the main l10n list" ]
> > e.) If it works[2], logic similar to Claude's pseudocode would be perfect.
> >
> > I double-checked that whoami runs geteuid(2) (yay strace) so b isn't 100%
> > necessary. The goal is max paranoia and gracefully die if anything is off.
> > c and d are easy for anyone to circumvent with git commit --author, but
> > they are just an extra layer of sanity checking. e is to make sure that
> > only translation files are being committed.
>
> Hmmm, not really a fan of belt-and-suspenders-and-duct-tape. Adding easily
> circumventable checks just adds potential breakage without security. I'd do
> a single check that we are confident in. /usr/bin/whoami = translation user
> seems good enough to me. If you can subvert that, you can subvert the
> operation of the shell script and the system to the point where that single
> check working doesn't matter.

History and smart people like Dan Walsh and Bruce Schneier have taught me
security works best in layers. However, I'm still fairly new to how we handle
things so this list will be shortened to a and e.

> > 5.) Teach d-l how to commit translations to a local git repository and
> > rebase ontop of changes (hello git.py). The sysadmin team will write a
> > cronjob to periodically push commits to git.gnome.org as user gnomeweb.
> > I'll address points 1-3 now and put this off to someone else until at
> > very least after the Boston Summit.
>
> This part is all up to the damned lies maintainers - though that they
> already had code. Transifex certainly does.

Claude seems to be of the opinion d-l should do that. If you're ok with it, I'm
ok with it.

Jeff Schroeder (jeffschroeder) changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #173458|0       |1
        is obsolete|        |

--- Comment #20 from Jeff Schroeder <jeffschroe...@computer.org> 2010-10-30 00:40:38 UTC ---
Created an attachment (id=173543)
 View: https://bugzilla.gnome.org/attachment.cgi?id=173543
 Review: https://bugzilla.gnome.org/review?bug=599066&attachment=173543

Version 3 addressing all of owen's comments

--- Comment #21 from Jeff Schroeder <jeffschroe...@computer.org> 2010-10-30 00:42:36 UTC ---
I've created a translations user with the shell set to /sbin/nologin and tested
the script:

[r...@label ~]# /tmp/create-auth --translation-user gnomeweb webusers bugzilla
Added 1 user: translations
[r...@label ~]# cd /etc/sshd/users/translations/
[r...@label translations]# cat authorized_keys
command=/home/admin/bin/run-git-or-special-cmd,no-pty,no-port-forwarding,host=91.189.93.2 ssh-rsa B3NzaC1yc2EBIwAAAQEAoP1vEyT0IiDzmedoe+NKpgJ0pe47pOiaX31/XAntQ5+WWJn2PJDZIGyxBmgSjO8z4pdk7TMV9Bf2ryJRwEnEJDNkAoz1HJM8WUCt0l2SYwS4Qrem2AYHqPJTESrSLkwtEkK4WZrrk00Mp8/dUUBAL3uM5lTKjQuRXZ2PFZFBg79KTP4mrakZ0eTuvvs/jA13Fa8g9q5Ho3A7pe8kpTWCYeqzVbsTMHd1u7s3hiZ5JZhiCHeEOrXN/APtMpSH16wnBjogershs4BzRyAGu2SGcJOs+5jII26tFC3RcFrqTYsaaaplDlZp1j0fKGdQBe+v+SmR6OWFPzlxnhmeQFpqow== gnome...@progress.gnome.org_l10n_autocommit_git_only_key
[r...@label translations]# /tmp/create-auth gnomeweb webusers bugzilla
Removed 1 user: translations

Once this is in I'll update puppet and then write the git commit hook.

[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org
https://bugzilla.gnome.org/show_bug.cgi?id=599066 sysadmin | Git | unspecified

--- Comment #7 from Jeff Schroeder jeffschroe...@computer.org 2010-10-29 05:15:00 UTC ---
Created an attachment (id=173457)
View: https://bugzilla.gnome.org/attachment.cgi?id=173457
Review: https://bugzilla.gnome.org/review?bug=599066&attachment=173457

create-auth patch

This is pretty ugly, but there doesn't seem to be a super clean way to do this. The create-auth script needs a bit of refactoring to not make me cry.
[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org
https://bugzilla.gnome.org/show_bug.cgi?id=599066 sysadmin | Git | unspecified

Jeff Schroeder changed:
    Attachment #173457 is obsolete: 0 -> 1

--- Comment #9 from Jeff Schroeder jeffschroe...@computer.org 2010-10-29 05:32:01 UTC ---
Created an attachment (id=173458)
View: https://bugzilla.gnome.org/attachment.cgi?id=173458
Review: https://bugzilla.gnome.org/review?bug=599066&attachment=173458

Version 2

Forgot a global GNOMEWEB statement before. Not strictly necessary and works without, but it fits with the rest of the existing coding style.
[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org
https://bugzilla.gnome.org/show_bug.cgi?id=599066 sysadmin | Git | unspecified

Gil Forcada changed:
    CC: added gforc...@gnome.org

--- Comment #6 from Gil Forcada gforc...@gnome.org 2010-10-26 10:53:31 UTC ---
So, to resume, and maybe get my hands dirty with it... What should this git hook do?

- check that only po files are changed/added
- check the user (as per Owen's comment)
- anything else?
[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org
https://bugzilla.gnome.org/show_bug.cgi?id=599066 sysadmin | Git | unspecified

Paul Cutler changed:
    Status: UNCONFIRMED -> NEW
    CC: added pcut...@gnome.org
    Ever Confirmed: 0 -> 1

--- Comment #5 from Paul Cutler pcut...@gnome.org 2010-07-11 19:01:59 UTC ---
Alexandro,

Can you take another look at the code per Owen's comments? Please ping Claude if you have questions on the functionality needed.

Thanks.
[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org
https://bugzilla.gnome.org/show_bug.cgi?id=599066 sysadmin | Git | unspecified

--- Comment #1 from Claude Paroz cla...@2xlibre.net 2009-10-20 18:22:17 CEST ---
This of course is only valid for UI translations, not documentation where image files and Makefile.am have to be touched. But this could be done in a second step.
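The thread never shows the hook itself, only the requirements: Gil Forcada's list in comment #6 (the pushing user must be the l10n autocommit account and the push may only add or change po files) and Claude Paroz's caveat in comment #1 (documentation translations also touch image files and Makefile.am, so a po-only rule covers UI translations only). The hook is the second layer behind the authorized_keys forced command shown in comment #21, which already pins the key to one command and one source host; note that the source restriction OpenSSH actually honours in authorized_keys is spelled `from=`, not `host=`. The following is an added example written for this thread, not GNOME's hook, create-auth or run-git-or-special-cmd. It assumes, as stated nowhere on the page, that the l10n key lands in a Unix account named "translations", that the script is installed as hooks/update, and that only added or modified `.po` files directly under `po/` count as UI translation changes; deletions, renames, other paths and ref creation/deletion are refused for that account. The sample diffs are constructed; the second one is the documentation case from comment #1 and shows why it needs a separate step.

```python
#!/usr/bin/env python
"""Illustrative git 'update' hook for an automated translation account.

Added example for the bug 599066 thread, not GNOME's own hook. Assumed here,
not stated on the page: the l10n.gnome.org key lands in a dedicated Unix
account named "translations", the script runs as hooks/update, and only
added or modified .po files directly under po/ are UI translation changes.
"""
import os
import pwd
import re
import subprocess
import sys

RESTRICTED_USER = "translations"          # assumed account name (see comment #21)
PO_FILE = re.compile(r"^po/[^/]+\.po$")   # po/<lang>.po at the repository root only
ZERO_OID = "0" * 40                        # git's placeholder for "no object" (ref create/delete)


def parse_name_status(output):
    """Parse `git diff --name-status` text into (status_letter, path) pairs.

    Renames and copies look like "R100\told\tnew"; the destination path is
    reported, so a rename *into* po/ still carries status 'R' and is refused.
    """
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        entries.append((fields[0][0], fields[-1]))
    return entries


def violations(entries):
    """Return every (status, path) a translation-only push must not touch."""
    return [(status, path) for status, path in entries
            if not (status in ("A", "M") and PO_FILE.match(path))]


def check_push(user, entries):
    """Decide whether `user` may push this change set; returns (ok, reasons)."""
    if user != RESTRICTED_USER:
        return True, []                    # other committers are not policed by this hook
    bad = violations(entries)
    return not bad, ["%s %s" % (status, path) for status, path in bad]


def changed_entries(old, new):
    """Ask git which files the pushed ref update touches."""
    out = subprocess.check_output(
        ["git", "diff", "--name-status", old, new], universal_newlines=True)
    return parse_name_status(out)


def main(argv):
    refname, old, new = argv[1:4]
    # The forced command runs as the account the key was installed for,
    # so the Unix user is the identity worth checking (assumption).
    user = pwd.getpwuid(os.getuid()).pw_name
    if user != RESTRICTED_USER:
        return 0
    if ZERO_OID in (old, new):
        sys.stderr.write("%s: %s may not create or delete refs\n" % (refname, user))
        return 1
    ok, reasons = check_push(user, changed_entries(old, new))
    if not ok:
        sys.stderr.write("%s: %s may only add or modify po/*.po, refused:\n  %s\n"
                         % (refname, user, "\n  ".join(reasons)))
        return 1
    return 0


# Constructed sample diffs, not taken from any GNOME repository.
SAMPLE_UI_DIFF = "M\tpo/fr.po\nA\tpo/ca.po\n"
SAMPLE_DOC_DIFF = ("M\thelp/fr/fr.po\n"
                   "A\thelp/fr/figures/main-window.png\n"
                   "M\thelp/Makefile.am\n")

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed input, `check_push("translations", parse_name_status(SAMPLE_UI_DIFF))` is accepted while the documentation diff is refused on all three paths, which is exactly the split Claude Paroz describes. An update hook is used rather than pre-receive because git invokes it once per ref with the old and new object ids as arguments, so a push of several branches is judged branch by branch and a refusal names the offending ref.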