[Fedora-infrastructure-list] Package Version Control Scripts

Toshio Kuratomi toshio at tiki-lounge.com
Fri Aug 4 16:05:34 UTC 2006 

Following up on what was discussed in the meeting and the list of
requirements from the previous email, here are the scripts I'm currently
working on to setup the bzr repository.

* scponly-repo.sh: This is the first script to run.  It sets up the
chroot environment.  A portion of this script should be made into a cron
job that periodically refreshes the programs and libraries within the
chroot (to limit the time that the chroot is vulnerable to exploits.)
  - A portion of this script needs to be run by root.
  - This script labels files for SELinux.  If SELinux is not enabled on
the server this lands on we'll want to comment that out.
  - A portion of the script sets up a passwd and group file within the
chroot.  I suspect that this is not necessary.

* setup-repo.sh: This script imports one of the cvs-seed tarballs from
cvs.fedora.redhat.com into the new repository.  It sets up a sample
within the embargo directory as well.

* repo.conf: Apache configuration file to enable access to the repo over
http.  Note that this allows bzr to access the repository over ssh.  It
is not a web-front end.  There is a separate cgi script which I haven't
yet worked with that can be used for that.

* user.sh: Sets up one user with an account on the system; adding them
to appropriate groups and etc.  This is incomplete until I tie it into
the accounts system to retrieve the ssh key.  In the future, user
information should be created by the accountsdb.

* user-setup.sh: This script sets up default groups (vcsuser and
security) that are used by the acls.  It also creates a vcsguest account
that allows anonymous logins.  After implementing http retrieval on my
test machine, I don't think this is necessary any longer.  Anonymous
access can use http to retrieve public information.  Read-write access
and access to private information will go through sftp.

* sshd_config: Replacement sshd configuration.  Changes:
  - AuthorizedKeysFile is changed to explicitly reference /home/%u
instead of the user's home directory.  This is so vcusers have their
keys extracted from /home/%u instead of their home directory (which is
within the chroot).  vcsusers do not have access to change ssh keys on
the server, this has to be done through the accounts db.
  - PermitEmptyPasswords, PasswordAuthentication: This is to enable
anonymous ssh login to the chroot.  Since anonymous access is going to
happen over http, this should no longer be necessary.
  - Subsystem sftp: enabled sftp for bzr.

Everything is a work in progress but my main thrust right now is
creating good ACLs and testing what the limitations are.

-Toshio

-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup-repo.sh
Type: application/x-shellscript
Size: 2725 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20060804/36392c13/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup-repo.sh
Type: application/x-shellscript
Size: 2725 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20060804/36392c13/attachment-0001.bin 
-------------- next part --------------
AliasMatch ^/repos(/.*)?$ "/pkgs/bzr/chroot/pkgs$1"
<Directory "/pkgs/bzr/chroot/repos">
  Options Indexes
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user.sh
Type: application/x-shellscript
Size: 667 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20060804/36392c13/attachment-0002.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user-setup.sh
Type: application/x-shellscript
Size: 595 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20060804/36392c13/attachment-0003.bin 
-------------- next part --------------
#	$OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile	/home/%u/.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords yes
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20060804/36392c13/attachment-0004.bin

More information about the infrastructure mailing list