Reduce doas.conf rules

This commit reduces the number of doas.conf rules to 4. libexec/ scripts now query access permissions rather than bin/portzap doing it.
2024-04-19 06:19:17 -03:00 · 2024-04-19 06:19:17 -03:00 · 3168b47a45
commit 3168b47a45
parent b688aa3f78
6 changed files with 49 additions and 32 deletions
--- a/bin/portzap
+++ b/bin/portzap
@ -12,14 +12,6 @@ libexec="${localbase}"/libexec/portzap

 ##
 # functions
-require_membership_of() {
-    group=$1
-    if ! id -Gn | tr ' ' '\n' | grep -e "^${group}$" > /dev/null 2>&1; then
-        echo "[-] This command requires a user to be a member of ${group}."
-        exit 1
-    fi
-}
-
 require_dependency() {
    deps=$1
    for dep in $deps; do
@ -47,17 +39,14 @@ done
 case $1 in
    "clone")
        require_dependency "git doas"
-        require_membership_of _portzap
-        doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
+        "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
        ;;
    "pull")
        require_dependency "git doas"
-        require_membership_of _portzap
-        doas -u _portzap "${libexec}"/portzap-pull "${gitdir}" "${branch}"
+        "${libexec}"/portzap-pull "${gitdir}" "${branch}"
        ;;
    "erase")
-        require_membership_of _portzap
-        doas -u _portzap "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
+        "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
        ;;
    "install")
        require_dependency "git doas"
--- a/libexec/portzap/isportzap-member
+++ b/libexec/portzap/isportzap-member
@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+group="_portzap"
+if id -Gn | \
+   tr ' ' '\n' | \
+   grep -e "^${group}$" \
+   > /dev/null 2>&1; then
+   exit 0
+else
+   exit 1
+fi
--- a/libexec/portzap/portzap-clone
+++ b/libexec/portzap/portzap-clone
@ -3,6 +3,7 @@
 ##
 # variables
 localbase=${LOCALBASE:-/usr/local}
+libexec=$(dirname "$0")
 git="${localbase}"/bin/git
 giturl=$1
 gitdir=$2
@ -10,16 +11,22 @@ branch=$3

 ##
 # main
+if ! "${libexec}"/isportzap-member; then
+    echo "[-] This command requires a member of the _portzap group"
+    exit 1
+fi
+
 if [ -e "${gitdir}/.git" ]; then
    echo "[-] ${gitdir} exists."
    echo "[-] Try 'portzap pull'"
    exit 1
+else
+    set -x
+    umask u=rwX,g=rwX,o=
+    doas -u _portzap "${git}" clone "${giturl}" "${gitdir}"
+    cd "${gitdir}"
+    set +x +e
+    echo "[-] Checkout ${branch}"
+    doas -u _portzap "${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
+    echo "[-] Done"
 fi
-set -x
-umask u=rwX,g=rwX,o=
-"${git}" clone "${giturl}" "${gitdir}"
-cd "${gitdir}"
-set +x +e
-echo "[-] Checkout ${branch}"
-"${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
-echo "[-] Done"
--- a/libexec/portzap/portzap-erase
+++ b/libexec/portzap/portzap-erase
@ -2,11 +2,17 @@

 ##
 # variables
+libexec=$(dirname "$0")
 gitdir=$1
 installdir=$2

 ##
 # main
+if ! "${libexec}"/isportzap-member; then
+    echo "[-] This command requires a member of the _portzap group"
+    exit 1
+fi
+
 printf "[-] Are you sure ? \n"
 printf "[-] These directories will be erased:\n"
 printf "    [*] %s \n" "${gitdir}"
--- a/libexec/portzap/portzap-pull
+++ b/libexec/portzap/portzap-pull
@ -2,6 +2,7 @@

 ##
 # variables
+libexec=$(dirname "$0")
 localbase=${LOCALBASE:-/usr/local}
 git="${localbase}"/bin/git
 gitdir=$1
@ -22,16 +23,21 @@ change_branch()
    remote=$1
    branch=$2
    echo "[-] Attempt to change branch: ${branch}"
-    "${git}" fetch "${remote}" > /dev/null 2>&1
-    "${git}" checkout "${branch}" > /dev/null 2>&1 ||
-    "${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
-    "${git}" reset HEAD --hard > /dev/null 2>&1
+    doas -u _portzap "${git}" fetch "${remote}" > /dev/null 2>&1
+    doas -u _portzap "${git}" checkout "${branch}" > /dev/null 2>&1 ||
+    doas -u _portzap "${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
+    doas -u _portzap "${git}" reset HEAD --hard > /dev/null 2>&1
    echo "[-] Done"
    set -e
 }

 ##
 # main
+if ! "${libexec}"/isportzap-member; then
+    echo "[-] This command requires a member of the _portzap group"
+    exit 1
+fi
+
 if [ -e "${gitdir}/.git" ]; then
    umask u=rwX,g=rwX,o=
    set_repository_permissions "${gitdir}"
@ -41,7 +47,7 @@ if [ -e "${gitdir}/.git" ]; then
        change_branch "${remote}" "${branch}"
    fi
    set -x
-    "${git}" pull --rebase "${remote}" "${branch}"
+    doas -u _portzap "${git}" pull --rebase "${remote}" "${branch}"
 else
    set +x
    echo "[-] ${gitdir} is not a valid git repository."
--- a/share/portzap/doas.conf
+++ b/share/portzap/doas.conf
@ -1,8 +1,6 @@
 ##
 # portzap
-permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
-permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull
-permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-erase
 permit nopass root as _portzap cmd /usr/local/bin/git
-permit nopass _portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
-permit nopass _portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
+permit nopass :_portzap as _portzap cmd /usr/local/bin/git
+permit nopass :_portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
+permit nopass :_portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git