08-28-2008, 04:44 AM
Jesse Keating
rawhide, /mnt/koji and /pub/fedora

So I realized something last night. We created a user "masher" to have
the ability to write to /mnt/koji/mash/ but not any of the other koji
space. This is useful to prevent too much damage from a horribly wrong
rawhide compose. To make things easier in the rawhide compose configs,
we decided to run the cron/scripts as the masher user. This is also
good because it means things run unprivileged. However, I ran into a
snag. We have another user, 'ftpsync' that has write access
to /pub/fedora/. Previously the rawhide script was run as root, and
thus it was no problem to su ftpsync for the rsync calls. The masher
user does not possess the capability of doing this.

Since the ftpsync user is only really used to sync data onto the Fedora
netapp, I propose that we collapse ftpsync and masher into one user
(masher). It'll require minimal puppet changes, mostly just moving some
cron jobs from ftpsync over to masher. It will require UID changes,
either changing masher to the ftpsync UID (which breaks our new range we
just setup), or chmodding some stuff on the Fedora netapp and changing
what UID has write access there.

For now, I'm syncing rawhide by hand.

Comments?
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
08-28-2008, 04:52 AM
Jesse Keating
rawhide, /mnt/koji and /pub/fedora

On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> Comments?

One comment just made on IRC by G:

<G> f13: can't be allow masher to sudo to ftpsync and run a sync
command?

We would have to allow masher to sudo with no password in order to run
the rsync command. I'm not sure how far we can narrow it down since the
rsync source changes each day, only the dest (and other options) remain
the same.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
 
08-28-2008, 04:55 AM
Nigel Jones
rawhide, /mnt/koji and /pub/fedora

On Wed, 2008-08-27 at 21:52 -0700, Jesse Keating wrote:
> On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> > Comments?
>
> One comment just made on IRC by G:
>
> <G> f13: can't be allow masher to sudo to ftpsync and run a sync
> command?
>
G = $me
> We would have to allow masher to sudo with no password in order to run
> the rsync command. I'm not sure how far we can narrow it down since the
> rsync source changes each day, only the dest (and other options) remain
> the same.
Why not something like:

sudo /usr/local/bin/rawhideftpsync.sh <random bit>
that runs: rsync ...<normal path>.<random bit> ...

Just a thought.
--
Nigel Jones <dev@nigelj.com>

 
08-28-2008, 05:51 AM
Jesse Keating
rawhide, /mnt/koji and /pub/fedora

On Thu, 2008-08-28 at 16:55 +1200, Nigel Jones wrote:
> Why not something like:
>
> sudo /usr/local/bin/rawhideftpsync.sh <random bit>
> that runs: rsync ...<normal path>.<random bit> ...

I think I'd rather not have yet another script to puppet manage and
such, so if we could just maybe allow rsync it might be fine.

I just noticed we're going to have to do the same to allow it to do mail
as the rawhide user (or somebody is going to have to tell me how to set
the From address to something else when calling /bin/mail).

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
 
08-28-2008, 06:52 AM
Xavier Lamien
rawhide, /mnt/koji and /pub/fedora

2008/8/28 Jesse Keating <jkeating@redhat.com>
> On Thu, 2008-08-28 at 16:55 +1200, Nigel Jones wrote:
> > Why not something like:
> >
> > sudo /usr/local/bin/rawhideftpsync.sh <random bit>
> > that runs: rsync ...<normal path>.<random bit> ...
>
> I think I'd rather not have yet another script to puppet manage and
> such, so if we could just maybe allow rsync it might be fine.

As Nigel said, just allow masher to only sudo su - ftpsync from sudoers, or to just rsync the specific dir.

> I just noticed we're going to have to do the same to allow it to do mail
> as the rawhide user (or somebody is going to have to tell me how to set
> the From address to something else when calling /bin/mail).

Yeah, you can easily do that by invoking: /bin/mail -r From_address
Hope that mailx is up to date.

--
Xavier.t Lamien
--
http://fedoraproject.org/wiki/XavierLamien
GPG-Key ID: F3903DEB
Fingerprint: 0F2A 7A17 0F1B 82EE FCBF 1F51 76B7 A28D F390 3DEB



 
08-28-2008, 09:57 AM
Jeroen van Meeuwen
rawhide, /mnt/koji and /pub/fedora

Nigel Jones wrote:
> On Wed, 2008-08-27 at 21:52 -0700, Jesse Keating wrote:
> > On Wed, 2008-08-27 at 21:44 -0700, Jesse Keating wrote:
> > > Comments?
> >
> > One comment just made on IRC by G:
> >
> > <G> f13: can't be allow masher to sudo to ftpsync and run a sync
> > command?
> >
> G = $me
> > We would have to allow masher to sudo with no password in order to run
> > the rsync command. I'm not sure how far we can narrow it down since the
> > rsync source changes each day, only the dest (and other options) remain
> > the same.
> Why not something like:
>
> sudo /usr/local/bin/rawhideftpsync.sh <random bit>
> that runs: rsync ...<normal path>.<random bit> ...
>
> Just a thought.

You could configure sudoers to allow the masher user to only be able to
execute whatever it sudo's as the ftpsync user:

masher hostname.domain.tld=(ftpsync) NOPASSWD: rsync $rsync_opts foo.<wildcardmatch-source> bar

Does that narrow it down sufficiently?

Kind regards,

Jeroen van Meeuwen
-kanarip

 
08-28-2008, 01:42 PM
Mike McGrath
rawhide, /mnt/koji and /pub/fedora

On Wed, 27 Aug 2008, Jesse Keating wrote:

> So I realized something last night. We created a user "masher" to have
> the ability to write to /mnt/koji/mash/ but not any of the other koji
> space. This is useful to prevent too much damage from a horribly wrong
> rawhide compose. To make things easier in the rawhide compose configs,
> we decided to run the cron/scripts as the masher user. This is also
> good because it means things run unprivileged. However, I ran into a
> snag. We have another user, 'ftpsync' that has write access
> to /pub/fedora/. Previously the rawhide script was run as root, and
> thus it was no problem to su ftpsync for the rsync calls. The masher
> user does not possess the capability of doing this.
>
> Since the ftpsync user is only really used to sync data onto the Fedora
> netapp, I propose that we collapse ftpsync and masher into one user
> (masher). It'll require minimal puppet changes, mostly just moving some
> cron jobs from ftpsync over to masher. It will require UID changes,
> either changing masher to the ftpsync UID (which breaks our new range we
> just setup), or chmodding some stuff on the Fedora netapp and changing
> what UID has write access there.
>
> For now, I'm syncing rawhide by hand.
>
> Comments?

Fine by me. ftpsync isn't really one of ours anyway.

-Mike

 
08-28-2008, 01:49 PM
Bill Nottingham
rawhide, /mnt/koji and /pub/fedora

Jesse Keating (jkeating@redhat.com) said:
> So I realized something last night. We created a user "masher" to have
> the ability to write to /mnt/koji/mash/ but not any of the other koji
> space. This is useful to prevent too much damage from a horribly wrong
> rawhide compose. To make things easier in the rawhide compose configs,
> we decided to run the cron/scripts as the masher user. This is also
> good because it means things run unprivileged. However, I ran into a
> snag. We have another user, 'ftpsync' that has write access
> to /pub/fedora/. Previously the rawhide script was run as root, and
> thus it was no problem to su ftpsync for the rsync calls. The masher
> user does not possess the capability of doing this.
>
> Since the ftpsync user is only really used to sync data onto the Fedora
> netapp, I propose that we collapse ftpsync and masher into one user
> (masher). It'll require minimal puppet changes, mostly just moving some
> cron jobs from ftpsync over to masher. It will require UID changes,
> either changing masher to the ftpsync UID (which breaks our new range we
> just setup), or chmodding some stuff on the Fedora netapp and changing
> what UID has write access there.
>
> For now, I'm syncing rawhide by hand.
>
> Comments?

Is changing the user that owns the files going to cause unnecessary rsync
churn for mirrors?

Bill

 
08-28-2008, 01:54 PM
Seth Vidal
rawhide, /mnt/koji and /pub/fedora

On Thu, 2008-08-28 at 08:42 -0500, Mike McGrath wrote:
> On Wed, 27 Aug 2008, Jesse Keating wrote:
>
> > So I realized something last night. We created a user "masher" to have
> > the ability to write to /mnt/koji/mash/ but not any of the other koji
> > space. This is useful to prevent too much damage from a horribly wrong
> > rawhide compose. To make things easier in the rawhide compose configs,
> > we decided to run the cron/scripts as the masher user. This is also
> > good because it means things run unprivileged. However, I ran into a
> > snag. We have another user, 'ftpsync' that has write access
> > to /pub/fedora/. Previously the rawhide script was run as root, and
> > thus it was no problem to su ftpsync for the rsync calls. The masher
> > user does not possess the capability of doing this.
> >
> > Since the ftpsync user is only really used to sync data onto the Fedora
> > netapp, I propose that we collapse ftpsync and masher into one user
> > (masher). It'll require minimal puppet changes, mostly just moving some
> > cron jobs from ftpsync over to masher. It will require UID changes,
> > either changing masher to the ftpsync UID (which breaks our new range we
> > just setup), or chmodding some stuff on the Fedora netapp and changing
> > what UID has write access there.
> >
> > For now, I'm syncing rawhide by hand.
> >
> > Comments?
>
> Fine by me. ftpsync isn't really one of ours anyway
>

It and masher are, however, names that need to get added to the banlist
in fas, I think.

-sv


 
08-28-2008, 03:13 PM
Mike McGrath
rawhide, /mnt/koji and /pub/fedora

On Thu, 28 Aug 2008, Seth Vidal wrote:

> On Thu, 2008-08-28 at 08:42 -0500, Mike McGrath wrote:
> > On Wed, 27 Aug 2008, Jesse Keating wrote:
> >
> > > So I realized something last night. We created a user "masher" to have
> > > the ability to write to /mnt/koji/mash/ but not any of the other koji
> > > space. This is useful to prevent too much damage from a horribly wrong
> > > rawhide compose. To make things easier in the rawhide compose configs,
> > > we decided to run the cron/scripts as the masher user. This is also
> > > good because it means things run unprivileged. However, I ran into a
> > > snag. We have another user, 'ftpsync' that has write access
> > > to /pub/fedora/. Previously the rawhide script was run as root, and
> > > thus it was no problem to su ftpsync for the rsync calls. The masher
> > > user does not possess the capability of doing this.
> > >
> > > Since the ftpsync user is only really used to sync data onto the Fedora
> > > netapp, I propose that we collapse ftpsync and masher into one user
> > > (masher). It'll require minimal puppet changes, mostly just moving some
> > > cron jobs from ftpsync over to masher. It will require UID changes,
> > > either changing masher to the ftpsync UID (which breaks our new range we
> > > just setup), or chmodding some stuff on the Fedora netapp and changing
> > > what UID has write access there.
> > >
> > > For now, I'm syncing rawhide by hand.
> > >
> > > Comments?
> >
> > Fine by me. ftpsync isn't really one of ours anyway
> >
>
> it and masher are, however, names that need to get added to the banlist
> in fas, I think.
>

Anyone care to think of a less manual way of doing this?

-Mike

 