Reduce doas.conf rules

This commit reduces the number of doas.conf rules to 4.
The libexec/ scripts now check group membership themselves,
rather than bin/portzap doing it.
This commit is contained in:
0x1eef 2024-04-19 06:19:17 -03:00
parent b688aa3f78
commit 3168b47a45
6 changed files with 49 additions and 32 deletions


@ -12,14 +12,6 @@ libexec="${localbase}"/libexec/portzap
## ##
# functions # functions
require_membership_of() {
group=$1
if ! id -Gn | tr ' ' '\n' | grep -e "^${group}$" > /dev/null 2>&1; then
echo "[-] This command requires a user to be a member of ${group}."
exit 1
fi
}
require_dependency() { require_dependency() {
deps=$1 deps=$1
for dep in $deps; do for dep in $deps; do
@ -47,17 +39,14 @@ done
case $1 in case $1 in
"clone") "clone")
require_dependency "git doas" require_dependency "git doas"
require_membership_of _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
;; ;;
"pull") "pull")
require_dependency "git doas" require_dependency "git doas"
require_membership_of _portzap "${libexec}"/portzap-pull "${gitdir}" "${branch}"
doas -u _portzap "${libexec}"/portzap-pull "${gitdir}" "${branch}"
;; ;;
"erase") "erase")
require_membership_of _portzap "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
doas -u _portzap "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
;; ;;
"install") "install")
require_dependency "git doas" require_dependency "git doas"
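Review bot: Nothing on the new side of the `case` arms says where the access check went: a reader sees `require_dependency "git doas"` followed by a direct `"${libexec}"/portzap-clone …` call with no membership gate and may well reintroduce one here. A one-line comment above `case $1 in` would settle it: `# No access control here: each libexec script checks _portzap membership, and doas.conf is what enforces it.` The `case` statement continues past the end of the hunk. The first hunk of this section renders fewer lines than its header counts, so the removed `require_membership_of` body may not be shown completely here.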


@ -0,0 +1,11 @@
#!/bin/sh -e
group="_portzap"
if id -Gn | \
tr ' ' '\n' | \
grep -e "^${group}$" \
> /dev/null 2>&1; then
exit 0
else
exit 1
fi
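Review bot: The `if`/`else` wrapper and the `-e` in `#!/bin/sh -e` add nothing: the script's exit status can simply be the pipeline's, and `-e` has no effect on a pipeline inside `if` (it is also dropped whenever the file is run as `sh isportzap-member`). `grep -e "^${group}$"` additionally treats the group name as a regular expression; an exact fixed-string line match is `id -Gn | tr ' ' '\n' | grep -qxF -- "$group"`, which can be the entire body after the assignment. With that form grep exits 2 instead of 1 when it fails outright, which the `if ! …` callers treat identically. A header comment should also state the trust boundary, e.g. `# Advisory check for a friendlier error message; doas.conf is what actually enforces _portzap membership.`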


@ -3,6 +3,7 @@
## ##
# variables # variables
localbase=${LOCALBASE:-/usr/local} localbase=${LOCALBASE:-/usr/local}
libexec=$(dirname "$0")
git="${localbase}"/bin/git git="${localbase}"/bin/git
giturl=$1 giturl=$1
gitdir=$2 gitdir=$2
@ -10,16 +11,22 @@ branch=$3
## ##
# main # main
if ! "${libexec}"/isportzap-member; then
echo "[-] This command requires a member of the _portzap group"
exit 1
fi
if [ -e "${gitdir}/.git" ]; then if [ -e "${gitdir}/.git" ]; then
echo "[-] ${gitdir} exists." echo "[-] ${gitdir} exists."
echo "[-] Try 'portzap pull'" echo "[-] Try 'portzap pull'"
exit 1 exit 1
fi else
set -x set -x
umask u=rwX,g=rwX,o= umask u=rwX,g=rwX,o=
"${git}" clone "${giturl}" "${gitdir}" doas -u _portzap "${git}" clone "${giturl}" "${gitdir}"
cd "${gitdir}" cd "${gitdir}"
set +x +e set +x +e
echo "[-] Checkout ${branch}" echo "[-] Checkout ${branch}"
"${git}" checkout -t origin/"${branch}" > /dev/null 2>&1; doas -u _portzap "${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
echo "[-] Done" echo "[-] Done"
fi
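Review bot: The four-line membership gate at the top of `# main` (`if ! "${libexec}"/isportzap-member; then`, the `echo`, `exit 1`, `fi`) is pasted verbatim into portzap-erase and portzap-pull, so the wording and exit code will drift the first time one copy is edited. Since every caller pairs the check with the same message, the diagnostic belongs inside isportzap-member itself, after which each script reduces to `"${libexec}"/isportzap-member || exit 1`. Separately, `libexec=$(dirname "$0")` is only valid before the later `cd "${gitdir}"` when `$0` is a relative path; it is used before the `cd` here, so that holds, but a comment such as `# relative to the caller's cwd; use before the cd below` would keep it that way.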


@ -2,11 +2,17 @@
## ##
# variables # variables
libexec=$(dirname "$0")
gitdir=$1 gitdir=$1
installdir=$2 installdir=$2
## ##
# main # main
if ! "${libexec}"/isportzap-member; then
echo "[-] This command requires a member of the _portzap group"
exit 1
fi
printf "[-] Are you sure ? \n" printf "[-] Are you sure ? \n"
printf "[-] These directories will be erased:\n" printf "[-] These directories will be erased:\n"
printf " [*] %s \n" "${gitdir}" printf " [*] %s \n" "${gitdir}"


@ -2,6 +2,7 @@
## ##
# variables # variables
libexec=$(dirname "$0")
localbase=${LOCALBASE:-/usr/local} localbase=${LOCALBASE:-/usr/local}
git="${localbase}"/bin/git git="${localbase}"/bin/git
gitdir=$1 gitdir=$1
@ -22,16 +23,21 @@ change_branch()
remote=$1 remote=$1
branch=$2 branch=$2
echo "[-] Attempt to change branch: ${branch}" echo "[-] Attempt to change branch: ${branch}"
"${git}" fetch "${remote}" > /dev/null 2>&1 doas -u _portzap "${git}" fetch "${remote}" > /dev/null 2>&1
"${git}" checkout "${branch}" > /dev/null 2>&1 || doas -u _portzap "${git}" checkout "${branch}" > /dev/null 2>&1 ||
"${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1 doas -u _portzap "${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
"${git}" reset HEAD --hard > /dev/null 2>&1 doas -u _portzap "${git}" reset HEAD --hard > /dev/null 2>&1
echo "[-] Done" echo "[-] Done"
set -e set -e
} }
## ##
# main # main
if ! "${libexec}"/isportzap-member; then
echo "[-] This command requires a member of the _portzap group"
exit 1
fi
if [ -e "${gitdir}/.git" ]; then if [ -e "${gitdir}/.git" ]; then
umask u=rwX,g=rwX,o= umask u=rwX,g=rwX,o=
set_repository_permissions "${gitdir}" set_repository_permissions "${gitdir}"
@ -41,7 +47,7 @@ if [ -e "${gitdir}/.git" ]; then
change_branch "${remote}" "${branch}" change_branch "${remote}" "${branch}"
fi fi
set -x set -x
"${git}" pull --rebase "${remote}" "${branch}" doas -u _portzap "${git}" pull --rebase "${remote}" "${branch}"
else else
set +x set +x
echo "[-] ${gitdir} is not a valid git repository." echo "[-] ${gitdir} is not a valid git repository."
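Review bot: In `change_branch`, wrapping each git step as `doas -u _portzap "${git}" … > /dev/null 2>&1` now also hides doas's own refusal (for example when doas.conf has not yet been updated with the `:_portzap` git rule), and because `set -e` is only restored at the end of the function the script still prints `[-] Done` and presumably goes on to `git pull` on whatever branch was checked out before. Let doas report: drop `2>&1` on those four lines, or capture the status of the `fetch` and `reset` steps and `return` non-zero so `# main` can stop. `change_branch` begins above the hunk. The `isportzap-member` gate added under `# main` does not cover this case, since group membership and doas.conf can disagree.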


@ -1,8 +1,6 @@
## ##
# portzap # portzap
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-erase
permit nopass root as _portzap cmd /usr/local/bin/git permit nopass root as _portzap cmd /usr/local/bin/git
permit nopass _portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git permit nopass :_portzap as _portzap cmd /usr/local/bin/git
permit nopass _portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git permit nopass :_portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
permit nopass :_portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
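Review bot: The new `permit nopass :_portzap as _portzap cmd /usr/local/bin/git` rule has no `args` clause, so any member of `_portzap` may run any git subcommand, with any options and configuration, as the `_portzap` user; since git runs configured helper programs, that is in practice equivalent to granting the account itself. The rules it replaces were pinned to three fixed scripts, so this is a widening that the commit message ("reduces the number of rules") does not mention; if it is accepted, record it in a comment above the rule, e.g. `# intentionally unrestricted: members of _portzap are trusted as the _portzap user`, otherwise `args` clauses would be needed to narrow it. The `chmod`/`chown` rules keep their fixed `args` and only change the grantee from `_portzap` to `:_portzap`, which is consistent with the scripts no longer running as that user.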