Re: SVN authorization

2015-08-06 Thread Craig Treleaven

> On Aug 6, 2015, at 9:44 AM, Rainer Müller  wrote:
> 
> Hello Craig,
> 
> On 2015-08-06 14:52, Craig Treleaven wrote:
>>> On Aug 5, 2015, at 11:20 PM, Mihai Moldovan  wrote:
>>> 
>>> On 06.08.2015 02:53 AM, Craig Treleaven wrote:
 I vaguely recall running an svn command to add MacPorts as a trusted 
 server (or some-such) but I don’t recall the details.  
 
 Could someone point me in the right direction?
>>> 
>>> Refer to https://trac.macports.org/wiki/howto/SyncingWithSVN and 
>>> specifically to
>>> Step 3 under "Configuration”.
>> 
>> Thanks for the pointer.  As I read the page, I only need to do the second 
>> part--storing the certificate file in 
>> [blah]/.subversion/auth/svn.ssl.server.  However, trying to selfupdate, I 
>> still get:
>> 
>> --->  Updating the ports tree
>> Synchronizing local ports tree from file:///Users/craigtreleaven/mp/ports
>> Updating '.':
>> svn: E175002: Unable to connect to a repository at URL 
>> 'https://svn.macports.org/repository/macports/trunk/dports'
>> svn: E175002: OPTIONS of 
>> 'https://svn.macports.org/repository/macports/trunk/dports': Server 
>> certificate verification failed: issuer is not trusted 
>> (https://svn.macports.org)
>> Command failed: /usr/bin/svn update --non-interactive 
>> /Users/craigtreleaven/mp/ports
>> Exit code: 1
>> 
>> 
>> I wonder if it is the ownership/permissions of the certificate file.  The 
>> wiki page doesn’t say so, but I had to use ‘sudo’ to create the directory 
>> and write the certificate file to it. 
>> 
>> $ sudo ls -al /opt/local/var/macports/home/.subversion/auth/svn.ssl.server
>> total 8
>> drwxr-xr-x  3 root  admin   102  6 Aug 08:27 .
>> drwx--  6 root  admin   204  5 Aug 20:19 ..
>> -rw-r--r--  1 root  admin  1806  6 Aug 08:27 9368d05e066fecedad33aa815bbaf7cc
> 
> Only root will be able to read this file (due to permissions on "..").
> MacPorts automatically runs the update command as the user owning the
> Subversion working copy, so you need to configure it for that user. The
> instructions in the wiki assume the ports tree will be owned by the
> macports user.
> 
>> Finally, I checked a backup of my 10.6 volume and I didn’t even have a 
>> '/opt/local/var/macports/home/.subversion/auth/svn.ssl.server’ directory?
> 
> Back then, /usr/bin/svn was still able to verify SSL certificates for
> HTTPS. Apple broke this with OS X 10.7 Lion and never fixed it.
> /usr/bin/svn does not have any list of trusted authorities and
> therefore always display this certificate warning requiring manual
> acknowledgement to continue.
> 
> Side note: if you install the subversion port and either curl-ca-bundle
> or certsync, certificate verification for HTTPS should just work using
> /opt/local/bin/svn.
> 
> I prefer to keep the ports tree in my home directory, where I also keep
> everything else I am working on. As MacPorts automatically switches to
> the user owning the ports tree, this works just fine and also uses my
> configuration of Subversion. But I need to ensure that the macports
> user is able to read the Portfiles (and accompanying patches). My setup
> is as follows:
> 
> In my /opt/local/etc/macports/sources.conf I have the following entry:
> file:///Users/raimue/src/macports/trunk/dports/ [default]
> 
> The permissions on this path are the following, especially I need the
> x-bit to allow any user to traverse through my home directory:
>  drwxr-xr-x6 rootadmin   204 Feb 21 21:32 /Users
>  drwxr-xr-x+ 227 raimue  staff  7718 Aug  6 15:26 /Users/raimue
>   0: group:everyone deny delete
>  drwx--x--x  117 raimue  staff  3978 Jul 27 10:54 /Users/raimue/src
>  drwxr-xr-x   23 raimue  staff   782 Jun  7 13:03 /Users/raimue/src/macports
>  drwxr-xr-x+  12 raimue  staff   408 Mar  7 16:21 
> /Users/raimue/src/macports/trunk
>   0: group:everyone allow list,search,file_inherit,directory_inherit
>  drwxr-xr-x+  52 raimue  staff  1768 Aug  5 15:14 
> /Users/raimue/src/macports/trunk/dports
>   0: group:everyone allow list,search,file_inherit,directory_inherit
> 
> These additional ACL entries make sure that the macports user is able
> to read Portfiles in the ports tree (not sure why I have that one on
> $HOME itself, is it default?). I could have made them less permissive,
> but the tree should not contain anything private anyway. They ensure
> that all newly created files get the correct permissions. Only when
> moving files from somewhere else into the ports tree I need to be more
> cautious and apply the ACL rules once again.
> 
> The command to set these ACLs would be:
> chmod -R +a "group:everyone allow 
> read,execute,list,search,file_inherit,directory_inherit" 
> 
> Hopefully that helps you with your own setup.

Thanks Rainer!  I installed subversion, logged out and back in to clear the 
hash, and then needed to run svn upgrade in my ports directory.  That cleared 
the remaining hurdles and my tree is now updating!

Thanks again.

Craig
___
macports-de

Re: SVN authorization

2015-08-06 Thread Rainer Müller
Hello Craig,

On 2015-08-06 14:52, Craig Treleaven wrote:
>> On Aug 5, 2015, at 11:20 PM, Mihai Moldovan  wrote:
>>
>> On 06.08.2015 02:53 AM, Craig Treleaven wrote:
>>> I vaguely recall running an svn command to add MacPorts as a trusted server 
>>> (or some-such) but I don’t recall the details.  
>>>
>>> Could someone point me in the right direction?
>>
>> Refer to https://trac.macports.org/wiki/howto/SyncingWithSVN and 
>> specifically to
>> Step 3 under "Configuration”.
> 
> Thanks for the pointer.  As I read the page, I only need to do the second 
> part--storing the certificate file in [blah]/.subversion/auth/svn.ssl.server. 
>  However, trying to selfupdate, I still get:
> 
> --->  Updating the ports tree
> Synchronizing local ports tree from file:///Users/craigtreleaven/mp/ports
> Updating '.':
> svn: E175002: Unable to connect to a repository at URL 
> 'https://svn.macports.org/repository/macports/trunk/dports'
> svn: E175002: OPTIONS of 
> 'https://svn.macports.org/repository/macports/trunk/dports': Server 
> certificate verification failed: issuer is not trusted 
> (https://svn.macports.org)
> Command failed: /usr/bin/svn update --non-interactive 
> /Users/craigtreleaven/mp/ports
> Exit code: 1
> 
> 
> I wonder if it is the ownership/permissions of the certificate file.  The 
> wiki page doesn’t say so, but I had to use ‘sudo’ to create the directory and 
> write the certificate file to it. 
> 
> $ sudo ls -al /opt/local/var/macports/home/.subversion/auth/svn.ssl.server
> total 8
> drwxr-xr-x  3 root  admin   102  6 Aug 08:27 .
> drwx--  6 root  admin   204  5 Aug 20:19 ..
> -rw-r--r--  1 root  admin  1806  6 Aug 08:27 9368d05e066fecedad33aa815bbaf7cc

Only root will be able to read this file (due to permissions on "..").
MacPorts automatically runs the update command as the user owning the
Subversion working copy, so you need to configure it for that user. The
instructions in the wiki assume the ports tree will be owned by the
macports user.

> Finally, I checked a backup of my 10.6 volume and I didn’t even have a 
> '/opt/local/var/macports/home/.subversion/auth/svn.ssl.server’ directory?

Back then, /usr/bin/svn was still able to verify SSL certificates for
HTTPS. Apple broke this with OS X 10.7 Lion and never fixed it.
/usr/bin/svn does not have any list of trusted authorities and
therefore always display this certificate warning requiring manual
acknowledgement to continue.

Side note: if you install the subversion port and either curl-ca-bundle
or certsync, certificate verification for HTTPS should just work using
/opt/local/bin/svn.

I prefer to keep the ports tree in my home directory, where I also keep
everything else I am working on. As MacPorts automatically switches to
the user owning the ports tree, this works just fine and also uses my
configuration of Subversion. But I need to ensure that the macports
user is able to read the Portfiles (and accompanying patches). My setup
is as follows:

In my /opt/local/etc/macports/sources.conf I have the following entry:
file:///Users/raimue/src/macports/trunk/dports/ [default]

The permissions on this path are the following, especially I need the
x-bit to allow any user to traverse through my home directory:
  drwxr-xr-x6 rootadmin   204 Feb 21 21:32 /Users
  drwxr-xr-x+ 227 raimue  staff  7718 Aug  6 15:26 /Users/raimue
   0: group:everyone deny delete
  drwx--x--x  117 raimue  staff  3978 Jul 27 10:54 /Users/raimue/src
  drwxr-xr-x   23 raimue  staff   782 Jun  7 13:03 /Users/raimue/src/macports
  drwxr-xr-x+  12 raimue  staff   408 Mar  7 16:21 
/Users/raimue/src/macports/trunk
   0: group:everyone allow list,search,file_inherit,directory_inherit
  drwxr-xr-x+  52 raimue  staff  1768 Aug  5 15:14 
/Users/raimue/src/macports/trunk/dports
   0: group:everyone allow list,search,file_inherit,directory_inherit

These additional ACL entries make sure that the macports user is able
to read Portfiles in the ports tree (not sure why I have that one on
$HOME itself, is it default?). I could have made them less permissive,
but the tree should not contain anything private anyway. They ensure
that all newly created files get the correct permissions. Only when
moving files from somewhere else into the ports tree I need to be more
cautious and apply the ACL rules once again.

The command to set these ACLs would be:
chmod -R +a "group:everyone allow 
read,execute,list,search,file_inherit,directory_inherit" 

Hopefully that helps you with your own setup.

Rainer
___
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev


Re: Looking for opinions on authorization frameworks for Pallet

2015-08-06 Thread Rainer Müller
Hello Kyle,

On 2015-08-05 20:14, Kyle Sammons wrote:
> ** Option 0: Do nothing; leave the current code in place, but continue
> to ignore it; require the user to run it with superuser privileges;
> 
> Pros:
> 
> 1. Easiest to implement; requires no changes to the current code,
> allowing me to add more features to Pallet, and remove more bugs.
> 
> Cons:
> 
> 1. Still requires a certificate. Using a modern authorization framework
> requires the use of a self-signed certificate, which highly complicates
> the project build process, making writing a Portfile much harder.

That's right. I don't think it is unsolvable, just a lot of work to
figure it out, but the solution we implement here could also be used for
other applications. It might be worth the effort to have this.

> 2. Still requires running Pallet with superuser privileges.
> 
> 3. Insecure. The entire application will be running as a superuser, so
> any vulnerabilities that are exploitable will allow a hacker to run as
> root.

There would not be any new functionality in the graphical frontend that
could not also be exploited in 'sudo port' from the command line, right?

> ** Option 2. Remove all authorization frameworks from Pallet, and
> require the user to run it with superuser privileges:
> 
> Pros:
> 
> 1. Pretty easy to implement. I could implement this solution in a day or
> two, allowing me to add more features to Pallet, and remove more bugs.
> 
> 2. Doesn't require a certificate. Using a modern authorization framework
> requires the use of a self-signed certificate, which highly complicates
> the project build process, making writing a portfile much harder.
> 
> 3. Easiest to support. Running an application with "sudo" will really
> never be deprecated, and will work on every OS X version.

Would I have to type 'sudo pallet'? Will I be able to start the
application from an app bundle?

> 4. Smallest code-base.
> 
> Cons:
> -
> 1. Insecure. The entire application will be running as a superuser, so
> any vulnerabilities that are exploitable will allow a hacker to run as
> root.

See above.

Rainer
___
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev


Re: SVN authorization

2015-08-06 Thread Craig Treleaven
> On Aug 5, 2015, at 11:20 PM, Mihai Moldovan  wrote:
> 
> On 06.08.2015 02:53 AM, Craig Treleaven wrote:
>> I vaguely recall running an svn command to add MacPorts as a trusted server 
>> (or some-such) but I don’t recall the details.  
>> 
>> Could someone point me in the right direction?
> 
> Refer to https://trac.macports.org/wiki/howto/SyncingWithSVN and specifically 
> to
> Step 3 under "Configuration”.

Thanks for the pointer.  As I read the page, I only need to do the second 
part--storing the certificate file in [blah]/.subversion/auth/svn.ssl.server.  
However, trying to selfupdate, I still get:

--->  Updating the ports tree
Synchronizing local ports tree from file:///Users/craigtreleaven/mp/ports
Updating '.':
svn: E175002: Unable to connect to a repository at URL 
'https://svn.macports.org/repository/macports/trunk/dports'
svn: E175002: OPTIONS of 
'https://svn.macports.org/repository/macports/trunk/dports': Server certificate 
verification failed: issuer is not trusted (https://svn.macports.org)
Command failed: /usr/bin/svn update --non-interactive 
/Users/craigtreleaven/mp/ports
Exit code: 1


I wonder if it is the ownership/permissions of the certificate file.  The wiki 
page doesn’t say so, but I had to use ‘sudo’ to create the directory and write 
the certificate file to it. 

$ sudo ls -al /opt/local/var/macports/home/.subversion/auth/svn.ssl.server
total 8
drwxr-xr-x  3 root  admin   102  6 Aug 08:27 .
drwx--  6 root  admin   204  5 Aug 20:19 ..
-rw-r--r--  1 root  admin  1806  6 Aug 08:27 9368d05e066fecedad33aa815bbaf7cc


Finally, I checked a backup of my 10.6 volume and I didn’t even have a 
'/opt/local/var/macports/home/.subversion/auth/svn.ssl.server’ directory?

Craig
___
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev