Reduce doas.conf rules
This commit reduces the doas.conf rule set to 4 rules. The libexec/ scripts now check _portzap group membership themselves rather than relying on bin/portzap to do it.
This commit is contained in:
parent
b688aa3f78
commit
3168b47a45
6 changed files with 49 additions and 32 deletions
17
bin/portzap
17
bin/portzap
|
@ -12,14 +12,6 @@ libexec="${localbase}"/libexec/portzap
|
|||
|
||||
##
|
||||
# functions
|
||||
require_membership_of() {
|
||||
group=$1
|
||||
if ! id -Gn | tr ' ' '\n' | grep -e "^${group}$" > /dev/null 2>&1; then
|
||||
echo "[-] This command requires a user to be a member of ${group}."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
require_dependency() {
|
||||
deps=$1
|
||||
for dep in $deps; do
|
||||
|
@ -47,17 +39,14 @@ done
|
|||
case $1 in
|
||||
"clone")
|
||||
require_dependency "git doas"
|
||||
require_membership_of _portzap
|
||||
doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
|
||||
"${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
|
||||
;;
|
||||
"pull")
|
||||
require_dependency "git doas"
|
||||
require_membership_of _portzap
|
||||
doas -u _portzap "${libexec}"/portzap-pull "${gitdir}" "${branch}"
|
||||
"${libexec}"/portzap-pull "${gitdir}" "${branch}"
|
||||
;;
|
||||
"erase")
|
||||
require_membership_of _portzap
|
||||
doas -u _portzap "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
|
||||
"${libexec}"/portzap-erase "${gitdir}" "${installdir}"
|
||||
;;
|
||||
"install")
|
||||
require_dependency "git doas"
|
||||
|
|
11
libexec/portzap/isportzap-member
Normal file
11
libexec/portzap/isportzap-member
Normal file
|
@ -0,0 +1,11 @@
|
|||
#!/bin/sh -e
|
||||
|
||||
group="_portzap"
|
||||
if id -Gn | \
|
||||
tr ' ' '\n' | \
|
||||
grep -e "^${group}$" \
|
||||
> /dev/null 2>&1; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
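Review bot: The new script has no header comment saying what its result means, and in particular that this test is informational: for the git steps, authorization is enforced by doas(1) at the `doas -u _portzap` call sites, so a non-member who runs a libexec script directly is stopped by doas.conf, not by this check. I would add `# Exit 0 if the caller is in the _portzap group, 1 otherwise. Courtesy check for a friendlier error; doas.conf is the real gate.` at the top. The `if … then exit 0 else exit 1 fi` around the pipeline can collapse to `id -Gn | tr ' ' '\n' | grep -qx -- "${group}"` as the script's last command, which yields the same exit status, and `-x` matches the whole line without treating the group name as a regular expression. Lastly, `#!/bin/sh -e` is lost when the file is run as `sh isportzap-member`; a `set -e` line is more reliable, though with a single conditional command it buys nothing here.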
@ -3,6 +3,7 @@
|
|||
##
|
||||
# variables
|
||||
localbase=${LOCALBASE:-/usr/local}
|
||||
libexec=$(dirname "$0")
|
||||
git="${localbase}"/bin/git
|
||||
giturl=$1
|
||||
gitdir=$2
|
||||
|
@ -10,16 +11,22 @@ branch=$3
|
|||
|
||||
##
|
||||
# main
|
||||
if ! "${libexec}"/isportzap-member; then
|
||||
echo "[-] This command requires a member of the _portzap group"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -e "${gitdir}/.git" ]; then
|
||||
echo "[-] ${gitdir} exists."
|
||||
echo "[-] Try 'portzap pull'"
|
||||
exit 1
|
||||
else
|
||||
set -x
|
||||
umask u=rwX,g=rwX,o=
|
||||
doas -u _portzap "${git}" clone "${giturl}" "${gitdir}"
|
||||
cd "${gitdir}"
|
||||
set +x +e
|
||||
echo "[-] Checkout ${branch}"
|
||||
doas -u _portzap "${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
|
||||
echo "[-] Done"
|
||||
fi
|
||||
set -x
|
||||
umask u=rwX,g=rwX,o=
|
||||
"${git}" clone "${giturl}" "${gitdir}"
|
||||
cd "${gitdir}"
|
||||
set +x +e
|
||||
echo "[-] Checkout ${branch}"
|
||||
"${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
|
||||
echo "[-] Done"
|
||||
|
|
|
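Review bot: `giturl` and `gitdir` come straight from the positional arguments and are handed to `git clone` with no end-of-options marker, so a value beginning with `-` is parsed as a git option (for example `--upload-pack=…`, which runs a program as `_portzap`); `doas -u _portzap "${git}" clone -- "${giturl}" "${gitdir}"` closes that. Given the unrestricted git rule now in doas.conf this is not an escalation over what group members can already do, but it keeps this script from being the injection point. Separately, the checkout runs after `set +x +e` with both streams sent to /dev/null, so a failed `checkout -t origin/"${branch}"` (typo in the branch name, network error) still ends with `[-] Done`; `doas -u _portzap "${git}" checkout -t origin/"${branch}" >/dev/null 2>&1 || { echo "[-] Checkout of ${branch} failed"; exit 1; }` keeps the quiet output but reports the failure. The `cd "${gitdir}"` happens in the caller's shell while the clone ran as `_portzap`; that relies on doas not changing the working directory for the following checkout, which is worth a one-line comment.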
@ -2,11 +2,17 @@
|
|||
|
||||
##
|
||||
# variables
|
||||
libexec=$(dirname "$0")
|
||||
gitdir=$1
|
||||
installdir=$2
|
||||
|
||||
##
|
||||
# main
|
||||
if ! "${libexec}"/isportzap-member; then
|
||||
echo "[-] This command requires a member of the _portzap group"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
printf "[-] Are you sure ? \n"
|
||||
printf "[-] These directories will be erased:\n"
|
||||
printf " [*] %s \n" "${gitdir}"
|
||||
|
|
|
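Review bot: `gitdir` and `installdir` are taken from `$1` and `$2` without checking that they are set, yet the prompt added on the new side announces that these directories will be erased; if the removal that follows (outside this hunk) uses them unchanged, an empty argument is passed on verbatim to whatever deletes the tree. Guarding right after the assignments with `: "${gitdir:?gitdir is required}"` and `: "${installdir:?installdir is required}"` aborts before the prompt is shown. The added `isportzap-member` test is a courtesy check only — if a privileged step follows, doas.conf is what gates it — and a comment such as `# friendly pre-check; doas.conf is the real gate` would stop a reader from treating this script as the security boundary.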
@ -2,6 +2,7 @@
|
|||
|
||||
##
|
||||
# variables
|
||||
libexec=$(dirname "$0")
|
||||
localbase=${LOCALBASE:-/usr/local}
|
||||
git="${localbase}"/bin/git
|
||||
gitdir=$1
|
||||
|
@ -22,16 +23,21 @@ change_branch()
|
|||
remote=$1
|
||||
branch=$2
|
||||
echo "[-] Attempt to change branch: ${branch}"
|
||||
"${git}" fetch "${remote}" > /dev/null 2>&1
|
||||
"${git}" checkout "${branch}" > /dev/null 2>&1 ||
|
||||
"${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
|
||||
"${git}" reset HEAD --hard > /dev/null 2>&1
|
||||
doas -u _portzap "${git}" fetch "${remote}" > /dev/null 2>&1
|
||||
doas -u _portzap "${git}" checkout "${branch}" > /dev/null 2>&1 ||
|
||||
doas -u _portzap "${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
|
||||
doas -u _portzap "${git}" reset HEAD --hard > /dev/null 2>&1
|
||||
echo "[-] Done"
|
||||
set -e
|
||||
}
|
||||
|
||||
##
|
||||
# main
|
||||
if ! "${libexec}"/isportzap-member; then
|
||||
echo "[-] This command requires a member of the _portzap group"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -e "${gitdir}/.git" ]; then
|
||||
umask u=rwX,g=rwX,o=
|
||||
set_repository_permissions "${gitdir}"
|
||||
|
@ -41,7 +47,7 @@ if [ -e "${gitdir}/.git" ]; then
|
|||
change_branch "${remote}" "${branch}"
|
||||
fi
|
||||
set -x
|
||||
"${git}" pull --rebase "${remote}" "${branch}"
|
||||
doas -u _portzap "${git}" pull --rebase "${remote}" "${branch}"
|
||||
else
|
||||
set +x
|
||||
echo "[-] ${gitdir} is not a valid git repository."
|
||||
|
|
|
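Review bot: In `change_branch`, `remote` and `branch` reach `git fetch`/`git checkout`/`git pull` unvalidated, and every call in the function discards stdout and stderr while `set -e` is only re-enabled on its last line, so a name beginning with `-` becomes git option parsing and a failed fetch or checkout is silently followed by `[-] Done`. Since `--` would change the meaning of `git checkout` (it turns the argument into a pathspec), I would reject option-like names up front, `case "${remote}" in -*) echo "[-] Invalid remote: ${remote}"; exit 1;; esac` and the same for `${branch}` (or `"${git}" check-ref-format --branch "${branch}"`, which refuses names starting with `-`), and test the result of the `reset HEAD --hard` instead of printing Done unconditionally. The `set +e` that the trailing `set -e` undoes and the `set_repository_permissions "${gitdir}"` body are outside the hunk, so a short comment in `change_branch` on why errors are deliberately tolerated here would help the next reader.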
@ -1,8 +1,6 @@
|
|||
##
|
||||
# portzap
|
||||
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
|
||||
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull
|
||||
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-erase
|
||||
permit nopass root as _portzap cmd /usr/local/bin/git
|
||||
permit nopass _portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
|
||||
permit nopass _portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
|
||||
permit nopass :_portzap as _portzap cmd /usr/local/bin/git
|
||||
permit nopass :_portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
|
||||
permit nopass :_portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
|
||||
|
|
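Review bot: The new `permit nopass :_portzap as _portzap cmd /usr/local/bin/git` carries no `args` clause, so any `_portzap` group member can run any git invocation as `_portzap`, and git will run arbitrary programs on request (`-c alias.x='!cmd' x`, `-c core.sshCommand=…`, `--upload-pack=…`); the effect is full `_portzap` access for the whole group, which makes the `isportzap-member` checks in libexec/ advisory rather than a boundary and is broader than the old rules that limited the group to three fixed libexec paths. If that is intended, a comment above the rule (`# group members effectively get full _portzap rights; the libexec scripts are convenience, not a boundary`) keeps the next maintainer from assuming otherwise. The two rules that moved from `_portzap` to `:_portzap` `as root` deserve more care: a recursive chown/chmod run by root over a tree the callers can write to (the scripts set `umask u=rwX,g=rwX,o=`, so the repository appears to be group-writable) is a classic escalation primitive — on a filesystem that allows hard links to files one does not own, a group member can plant hard links, or race a symlink, under `/home/_portzap/ports/.git` and have root re-own or re-mode unrelated files — and the fixed `args` say nothing about the tree's contents. I would keep those two rules for the `_portzap` user only, as before, and reach them from a step that already runs as `_portzap`, or better, drop the root chown/chmod since the `doas -u _portzap git clone` on the new side already creates the repository with the right owner. The commit message says four rules remain but only three are visible in this hunk, so the fourth is outside my view.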