From 3168b47a45a77995c9b0a2a851a9bb852df701e4 Mon Sep 17 00:00:00 2001
From: 0x1eef <0x1eef@protonmail.com>
Date: Fri, 19 Apr 2024 06:19:17 -0300
Subject: [PATCH] Reduce doas.conf rules
This commit reduces the number of doas.conf rules to 4. libexec/ scripts now query access permissions rather than bin/portzap doing it.
---
 bin/portzap | 17 +++-------------
 libexec/portzap/isportzap-member | 11 +++++++++++
 libexec/portzap/portzap-clone | 23 +++++++++++++++--------
 libexec/portzap/portzap-erase | 6 ++++++
 libexec/portzap/portzap-pull | 16 +++++++++++-----
 share/portzap/doas.conf | 8 +++-----
 6 files changed, 49 insertions(+), 32 deletions(-)
 create mode 100644 libexec/portzap/isportzap-member
diff --git a/bin/portzap b/bin/portzap
index a715e17..a24e9f9 100755
--- a/bin/portzap
+++ b/bin/portzap
@@ -12,14 +12,6 @@ libexec="${localbase}"/libexec/portzap
 ##
 # functions
-require_membership_of() {
- group=$1
- if ! id -Gn | tr ' ' '\n' | grep -e "^${group}$" > /dev/null 2>&1; then
- echo "[-] This command requires a user to be a member of ${group}."
- exit 1
- fi
-}
-
 require_dependency() {
 deps=$1
 for dep in $deps; do
@@ -47,17 +39,14 @@ done
 case $1 in
 "clone")
 require_dependency "git doas"
- require_membership_of _portzap
- doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
+ "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
 ;;
 "pull")
 require_dependency "git doas"
- require_membership_of _portzap
- doas -u _portzap "${libexec}"/portzap-pull "${gitdir}" "${branch}"
+ "${libexec}"/portzap-pull "${gitdir}" "${branch}"
 ;;
 "erase")
- require_membership_of _portzap
- doas -u _portzap "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
+ "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
 ;;
 "install")
 require_dependency "git doas"
diff --git a/libexec/portzap/isportzap-member b/libexec/portzap/isportzap-member
new file mode 100644
index 0000000..696fcde
--- /dev/null
+++ b/libexec/portzap/isportzap-member
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+group="_portzap"
+if id -Gn | \
+ tr ' ' '\n' | \
+ grep -e "^${group}$" \
+ > /dev/null 2>&1; then
+ exit 0
+else
+ exit 1
+fi
diff --git a/libexec/portzap/portzap-clone b/libexec/portzap/portzap-clone
index 59c0f7d..d34dd35 100755
--- a/libexec/portzap/portzap-clone
+++ b/libexec/portzap/portzap-clone
@@ -3,6 +3,7 @@
 ##
 # variables
 localbase=${LOCALBASE:-/usr/local}
+libexec=$(dirname "$0")
 git="${localbase}"/bin/git
 giturl=$1
 gitdir=$2
@@ -10,16 +11,22 @@ branch=$3
 ##
 # main
+if ! "${libexec}"/isportzap-member; then
+ echo "[-] This command requires a member of the _portzap group"
+ exit 1
+fi
+
 if [ -e "${gitdir}/.git" ]; then
 echo "[-] ${gitdir} exists."
 echo "[-] Try 'portzap pull'"
 exit 1
+else
+ set -x
+ umask u=rwX,g=rwX,o=
+ doas -u _portzap "${git}" clone "${giturl}" "${gitdir}"
+ cd "${gitdir}"
+ set +x +e
+ echo "[-] Checkout ${branch}"
+ doas -u _portzap "${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
+ echo "[-] Done"
 fi
-set -x
-umask u=rwX,g=rwX,o=
-"${git}" clone "${giturl}" "${gitdir}"
-cd "${gitdir}"
-set +x +e
-echo "[-] Checkout ${branch}"
-"${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
-echo "[-] Done"
diff --git a/libexec/portzap/portzap-erase b/libexec/portzap/portzap-erase
index b422827..6fb9ce0 100644
--- a/libexec/portzap/portzap-erase
+++ b/libexec/portzap/portzap-erase
@@ -2,11 +2,17 @@
 ##
 # variables
+libexec=$(dirname "$0")
 gitdir=$1
 installdir=$2
 ##
 # main
+if ! "${libexec}"/isportzap-member; then
+ echo "[-] This command requires a member of the _portzap group"
+ exit 1
+fi
+
 printf "[-] Are you sure ? \n"
 printf "[-] These directories will be erased:\n"
 printf " [*] %s \n" "${gitdir}"
diff --git a/libexec/portzap/portzap-pull b/libexec/portzap/portzap-pull
index 8b62075..8502726 100755
--- a/libexec/portzap/portzap-pull
+++ b/libexec/portzap/portzap-pull
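Review bot: The new script has no header comment saying what it answers, and the `if … exit 0 … else … exit 1` wrapper only restates the pipeline's own status; a two-line header such as `# Exit 0 when the invoking user belongs to the _portzap group, 1 otherwise.` followed by `# Used by the libexec scripts as their access check.` would make the contract visible to its callers. The match can also drop the hand-built anchors and redirect: replace the `grep -e "^${group}$" \` and `> /dev/null 2>&1; then` lines with `grep -qx -- "${group}"; then`. Note that this only inspects the caller's group list; the doas.conf rules remain the actual enforcement point.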
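Review bot: The final checkout is now run through `doas` with both streams sent to /dev/null while `set +e` is active, so a doas denial (missing or mismatched doas.conf rule) is reported exactly like a successful checkout and the script still prints "[-] Done". Keep stdout quiet but let the status surface, e.g. `doas -u _portzap "${git}" checkout -t origin/"${branch}" > /dev/null || { echo "[-] Checkout of ${branch} failed"; exit 1; }`; the same silent pattern applies to the four `doas … fetch/checkout/reset` lines in the portzap-pull `change_branch` hunk. The four-line membership gate added at the top of `# main` is repeated verbatim in the portzap-erase and portzap-pull hunks; a single `require_portzap_member` helper beside `isportzap-member` would keep the message and exit code in one place. Also, `cd "${gitdir}"` now runs as the invoking user rather than `_portzap`; that presumably works because the umask grants `g=rwX`, but it is worth confirming that the umask set here actually carries into the `doas` child that creates the directory.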
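Review bot: The diffstat for this file records 6 insertions and no deletions, so the removal commands that follow the confirmation prompt (outside this hunk) are unchanged, yet bin/portzap now invokes this script as the calling user instead of via `doas -u _portzap`, so those removals execute with the caller's own privileges. For `${gitdir}` that may succeed through the group-writable tree, but `${installdir}` is not covered by any doas.conf rule in this commit, so if it is owned by `_portzap` or root the erase will presumably fail or complete only partially. Either run the removal as the owning account (which needs a dedicated doas.conf rule with pinned `args`) or record the expectation in a comment above `# main`, e.g. `# erase runs as the invoking user; both directories must be writable by the _portzap group`.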
@@ -2,6 +2,7 @@
 ##
 # variables
+libexec=$(dirname "$0")
 localbase=${LOCALBASE:-/usr/local}
 git="${localbase}"/bin/git
 gitdir=$1
@@ -22,16 +23,21 @@ change_branch()
 remote=$1
 branch=$2
 echo "[-] Attempt to change branch: ${branch}"
- "${git}" fetch "${remote}" > /dev/null 2>&1
- "${git}" checkout "${branch}" > /dev/null 2>&1 ||
- "${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
- "${git}" reset HEAD --hard > /dev/null 2>&1
+ doas -u _portzap "${git}" fetch "${remote}" > /dev/null 2>&1
+ doas -u _portzap "${git}" checkout "${branch}" > /dev/null 2>&1 ||
+ doas -u _portzap "${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
+ doas -u _portzap "${git}" reset HEAD --hard > /dev/null 2>&1
 echo "[-] Done"
 set -e
 }
 ##
 # main
+if ! "${libexec}"/isportzap-member; then
+ echo "[-] This command requires a member of the _portzap group"
+ exit 1
+fi
+
 if [ -e "${gitdir}/.git" ]; then
 umask u=rwX,g=rwX,o=
 set_repository_permissions "${gitdir}"
@@ -41,7 +47,7 @@ if [ -e "${gitdir}/.git" ]; then
 change_branch "${remote}" "${branch}"
 fi
 set -x
- "${git}" pull --rebase "${remote}" "${branch}"
+ doas -u _portzap "${git}" pull --rebase "${remote}" "${branch}"
 else
 set +x
 echo "[-] ${gitdir} is not a valid git repository."
diff --git a/share/portzap/doas.conf b/share/portzap/doas.conf
index 81cad8e..8d7fb4c 100644
--- a/share/portzap/doas.conf
+++ b/share/portzap/doas.conf
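Review bot: `umask u=rwX,g=rwX,o=` is set in this shell, but every write in the hunk now happens inside a `doas -u _portzap` child (fetch/checkout/reset here, `pull --rebase` in the next hunk), so the intended permissions depend on doas passing the umask through to the child; confirm that on the target system, otherwise only `set_repository_permissions` (called right after the umask) is enforcing the group-writable layout. A one-line comment above the umask would record the assumption, e.g. `# umask must survive doas(1) for files git creates as _portzap — verified on OpenBSD <version-placeholder>`. Both `change_branch` and the `# main` block continue outside this hunk.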
@@ -1,8 +1,6 @@
 ##
 # portzap
-permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
-permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull
-permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-erase
 permit nopass root as _portzap cmd /usr/local/bin/git
-permit nopass _portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
-permit nopass _portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
+permit nopass :_portzap as _portzap cmd /usr/local/bin/git
+permit nopass :_portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
+permit nopass :_portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
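Review bot: The replacement rule `permit nopass :_portzap as _portzap cmd /usr/local/bin/git` carries no `args` clause, so every member of the `_portzap` group can now run git with arbitrary arguments as `_portzap` without a password; because git can be configured to execute external programs (configuration, aliases, hooks), this is effectively unrestricted command execution as that account, whereas the removed rules only permitted three fixed wrapper scripts. The chmod and chown rules likewise move from the `_portzap` user to the whole group, so the two root-level rules are now directly reachable by every member rather than only by scripts already running as `_portzap`; their pinned `args` keep them bounded, but the trust boundary has changed. If group members are not meant to be fully equivalent to the `_portzap` account, the previous per-script rules are the tighter design; otherwise state the consequence in the header so operators adding users understand it: `# NOTE: :_portzap members may run git as _portzap with any arguments — treat group membership as _portzap-level access`.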