Reduce doas.conf rules

This commit reduces the number of doas.conf rules to 4.
libexec/ scripts now check _portzap group membership themselves
rather than bin/portzap doing it.
This commit is contained in:
0x1eef 2024-04-19 06:19:17 -03:00
parent b688aa3f78
commit 3168b47a45
6 changed files with 49 additions and 32 deletions


@ -12,14 +12,6 @@ libexec="${localbase}"/libexec/portzap
##
# functions
require_membership_of() {
group=$1
if ! id -Gn | tr ' ' '\n' | grep -e "^${group}$" > /dev/null 2>&1; then
echo "[-] This command requires a user to be a member of ${group}."
exit 1
fi
}
require_dependency() {
deps=$1
for dep in $deps; do
@ -47,17 +39,14 @@ done
case $1 in
"clone")
require_dependency "git doas"
require_membership_of _portzap
doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
"${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
;;
"pull")
require_dependency "git doas"
require_membership_of _portzap
doas -u _portzap "${libexec}"/portzap-pull "${gitdir}" "${branch}"
"${libexec}"/portzap-pull "${gitdir}" "${branch}"
;;
"erase")
require_membership_of _portzap
doas -u _portzap "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
"${libexec}"/portzap-erase "${gitdir}" "${installdir}"
;;
"install")
require_dependency "git doas"
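Review bot: The `require_dependency "git doas"` lines kept in the `clone` and `pull` arms now check tools this wrapper no longer runs itself — after this change the arms only exec the helper directly, and it is the helper that invokes `doas -u _portzap "${git}"` — so a one-line comment would stop the next reader from deleting them as dead code: `# git and doas are used by the libexec helper, not by this wrapper`. The `erase` arm has no dependency check at all; whether `portzap-erase` still needs `doas` now that it runs as the invoking user is not visible here, since its body continues past the hunk shown for that file. The `install` arm starts on the last line of this hunk and continues outside it.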


@ -0,0 +1,11 @@
#!/bin/sh -e
group="_portzap"
if id -Gn | \
tr ' ' '\n' | \
grep -e "^${group}$" \
> /dev/null 2>&1; then
exit 0
else
exit 1
fi
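Review bot: The exit status is the only thing the three callers consume, so the `if`/`else` around the pipeline is redundant; the body can be the single line `id -Gn | tr ' ' '\n' | grep -qxF -- "${group}"`, whose status (0 member, 1 not a member, 2 on a grep error — which callers treating non-zero as "not a member" already cover) becomes the script's. A header comment should also say what this check is and is not, because it runs as the invoking user and is trivially bypassed: `# Convenience check only: the real gate is the :_portzap rules in doas.conf.` The `-e` in the shebang has no effect on a pipeline used as an `if` condition and is lost if the file is ever run as `sh isportzap-member`, so either drop it or use `set -e` in the body.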


@ -3,6 +3,7 @@
##
# variables
localbase=${LOCALBASE:-/usr/local}
libexec=$(dirname "$0")
git="${localbase}"/bin/git
giturl=$1
gitdir=$2
@ -10,16 +11,22 @@ branch=$3
##
# main
if ! "${libexec}"/isportzap-member; then
echo "[-] This command requires a member of the _portzap group"
exit 1
fi
if [ -e "${gitdir}/.git" ]; then
echo "[-] ${gitdir} exists."
echo "[-] Try 'portzap pull'"
exit 1
else
set -x
umask u=rwX,g=rwX,o=
doas -u _portzap "${git}" clone "${giturl}" "${gitdir}"
cd "${gitdir}"
set +x +e
echo "[-] Checkout ${branch}"
doas -u _portzap "${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
echo "[-] Done"
fi
set -x
umask u=rwX,g=rwX,o=
"${git}" clone "${giturl}" "${gitdir}"
cd "${gitdir}"
set +x +e
echo "[-] Checkout ${branch}"
"${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
echo "[-] Done"
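Review bot: The `umask u=rwX,g=rwX,o=` on the new side likely no longer reaches the clone: git now runs through `doas -u _portzap`, and OpenBSD's doas (as far as I recall, via setusercontext with LOGIN_SETUMASK) resets the umask to the target user's login-class default, so the tree is created with _portzap's umask rather than the group-writable, other-denied one the script sets — on the old side the whole script ran as _portzap and the umask applied directly. Please verify on a fresh clone; if confirmed, repair the permissions after the clone the way `portzap-pull` does with `set_repository_permissions`, or set the umask in _portzap's login class, with a comment on the umask line saying which one is relied on. Separately, the `checkout -t` runs under `set +e` with all output discarded, so a failed checkout still prints `[-] Done`; that is carried over from the old side, but now that the command goes through doas a denied invocation is one more way for it to fail silently.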


@ -2,11 +2,17 @@
##
# variables
libexec=$(dirname "$0")
gitdir=$1
installdir=$2
##
# main
if ! "${libexec}"/isportzap-member; then
echo "[-] This command requires a member of the _portzap group"
exit 1
fi
printf "[-] Are you sure ? \n"
printf "[-] These directories will be erased:\n"
printf " [*] %s \n" "${gitdir}"
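Review bot: `if ! "${libexec}"/isportzap-member` conflates two different failures — a user who is not in `_portzap`, and a helper that cannot be executed at all (not installed, not executable, or `libexec=$(dirname "$0")` resolving to the wrong directory) — and both are reported as `This command requires a member of the _portzap group`. Since this script goes on to erase `${gitdir}` and `${installdir}`, an accurate diagnostic matters; a cheap fix is to check the helper first: `[ -x "${libexec}/isportzap-member" ] || { echo "[-] missing helper: ${libexec}/isportzap-member"; exit 1; }`. The erase itself continues past the end of this hunk, so whether it still needs `doas` (the old side ran the whole script as _portzap) is not visible here.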


@ -2,6 +2,7 @@
##
# variables
libexec=$(dirname "$0")
localbase=${LOCALBASE:-/usr/local}
git="${localbase}"/bin/git
gitdir=$1
@ -22,16 +23,21 @@ change_branch()
remote=$1
branch=$2
echo "[-] Attempt to change branch: ${branch}"
"${git}" fetch "${remote}" > /dev/null 2>&1
"${git}" checkout "${branch}" > /dev/null 2>&1 ||
"${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
"${git}" reset HEAD --hard > /dev/null 2>&1
doas -u _portzap "${git}" fetch "${remote}" > /dev/null 2>&1
doas -u _portzap "${git}" checkout "${branch}" > /dev/null 2>&1 ||
doas -u _portzap "${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
doas -u _portzap "${git}" reset HEAD --hard > /dev/null 2>&1
echo "[-] Done"
set -e
}
##
# main
if ! "${libexec}"/isportzap-member; then
echo "[-] This command requires a member of the _portzap group"
exit 1
fi
if [ -e "${gitdir}/.git" ]; then
umask u=rwX,g=rwX,o=
set_repository_permissions "${gitdir}"
@ -41,7 +47,7 @@ if [ -e "${gitdir}/.git" ]; then
change_branch "${remote}" "${branch}"
fi
set -x
"${git}" pull --rebase "${remote}" "${branch}"
doas -u _portzap "${git}" pull --rebase "${remote}" "${branch}"
else
set +x
echo "[-] ${gitdir} is not a valid git repository."
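Review bot: `set_repository_permissions "${gitdir}"` still runs before the fetch/pull, but the git that writes new objects and packs is now `doas -u _portzap "${git}"` rather than the script itself, so the `umask u=rwX,g=rwX,o=` set just above it is probably not what those files get (doas, as far as I recall, applies the target's login-class umask); files created by the `git pull --rebase` at the end of the hunk would then keep _portzap's default mode until the next run repairs them. Move or repeat the `set_repository_permissions "${gitdir}"` call after the pull, or set the umask in _portzap's login class, and verify with a pull that fetches new objects. Also, every git call in `change_branch` discards stdout and stderr, and the `set -e` at its end suggests `-e` is off inside it, so a denied doas invocation (for example when `LOCALBASE` points `${git}` away from the `/usr/local/bin/git` that doas.conf permits) is swallowed and `[-] Done` is still printed; consider keeping stderr on the doas'd calls. `change_branch` begins before this hunk and the trailing `else` branch continues after it.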


@ -1,8 +1,6 @@
##
# portzap
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-erase
permit nopass root as _portzap cmd /usr/local/bin/git
permit nopass _portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
permit nopass _portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
permit nopass :_portzap as _portzap cmd /usr/local/bin/git
permit nopass :_portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
permit nopass :_portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
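Review bot: `permit nopass :_portzap as _portzap cmd /usr/local/bin/git` has no `args` clause, so every member of `_portzap` can now run any git invocation as `_portzap` without a password, and git with free arguments is arbitrary command execution as that user (`-c alias.x='!…'`, `-c core.sshCommand=…`, hook scripts); on the old side members could only reach the three fixed `portzap-*` helpers. The two `as root` rules also moved from the `_portzap` user to the `:_portzap` group, so membership now carries a passwordless root-level `chmod -R`/`chown -R` over `/home/_portzap/ports/.git`, a path inside a home directory the same members can rewrite as `_portzap`; I have not checked whether those recursive invocations follow a symlink planted at that path, but the combination deserves a look before merging. Pinning `args` on the git rule is impractical given the variable URL/branch arguments, so at minimum document the trust boundary in the file: `# Membership of _portzap is the trust boundary: members can run arbitrary git (hence arbitrary commands) as _portzap.` If that is broader than intended, keep the helpers as the doas entry points for git and leave the root rules on the `_portzap` user only.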