Reduce doas.conf rules
This commit reduces the number of doas.conf rules to 4. The libexec/ scripts now check access permissions themselves rather than bin/portzap doing it.
This commit is contained in:
parent
b688aa3f78
commit
3168b47a45
6 changed files with 49 additions and 32 deletions
17
bin/portzap
17
bin/portzap
|
@ -12,14 +12,6 @@ libexec="${localbase}"/libexec/portzap
|
||||||
|
|
||||||
##
|
##
|
||||||
# functions
|
# functions
|
||||||
require_membership_of() {
|
|
||||||
group=$1
|
|
||||||
if ! id -Gn | tr ' ' '\n' | grep -e "^${group}$" > /dev/null 2>&1; then
|
|
||||||
echo "[-] This command requires a user to be a member of ${group}."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
require_dependency() {
|
require_dependency() {
|
||||||
deps=$1
|
deps=$1
|
||||||
for dep in $deps; do
|
for dep in $deps; do
|
||||||
|
@ -47,17 +39,14 @@ done
|
||||||
case $1 in
|
case $1 in
|
||||||
"clone")
|
"clone")
|
||||||
require_dependency "git doas"
|
require_dependency "git doas"
|
||||||
require_membership_of _portzap
|
"${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
|
||||||
doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}" "${branch}"
|
|
||||||
;;
|
;;
|
||||||
"pull")
|
"pull")
|
||||||
require_dependency "git doas"
|
require_dependency "git doas"
|
||||||
require_membership_of _portzap
|
"${libexec}"/portzap-pull "${gitdir}" "${branch}"
|
||||||
doas -u _portzap "${libexec}"/portzap-pull "${gitdir}" "${branch}"
|
|
||||||
;;
|
;;
|
||||||
"erase")
|
"erase")
|
||||||
require_membership_of _portzap
|
"${libexec}"/portzap-erase "${gitdir}" "${installdir}"
|
||||||
doas -u _portzap "${libexec}"/portzap-erase "${gitdir}" "${installdir}"
|
|
||||||
;;
|
;;
|
||||||
"install")
|
"install")
|
||||||
require_dependency "git doas"
|
require_dependency "git doas"
|
||||||
|
|
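Review bot: `require_dependency "git doas"` in the clone and pull arms now checks two tools that bin/portzap itself no longer runs; the helpers invoked on the following lines are what call git and doas, so a comment should record why the check stays here: `# git and doas are needed by the libexec helpers; checked up front for a clearer error`. Because the helpers are now started with the caller's uid instead of through `doas -u _portzap`, the authorization that matters is the doas.conf rule on the git/chmod/chown commands the helpers invoke; the require_membership_of removed in the first hunk survives only as an advisory check inside the helpers. The case statement continues past the hunk.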
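--- /dev/null
+++ b/libexec/portzap/isportzap-member
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+group="_portzap"
+if id -Gn | \
+tr ' ' '\n' | \
+grep -e "^${group}$" \
+> /dev/null 2>&1; then
+exit 0
+else
+exit 1
+fi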
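Review bot: The whole-line match `grep -e "^${group}$"` with both streams redirected, wrapped in an if/else that only re-emits grep's status, can be one pipeline whose exit status is the script's result: `id -Gn | tr ' ' '\n' | grep -qxF -- "${group}"`, where `-x` gives the anchoring, `-F` keeps a future non-literal group name from being read as a regex, and `-q` replaces the redirection. A header comment should also state the script's contract and its limit, since the helpers treat it as a gate: `# exit 0 if the invoking user belongs to _portzap, else 1; this is only an early, friendlier check — doas.conf is what actually authorizes the privileged git/chmod/chown calls`.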
@ -3,6 +3,7 @@
|
||||||
##
|
##
|
||||||
# variables
|
# variables
|
||||||
localbase=${LOCALBASE:-/usr/local}
|
localbase=${LOCALBASE:-/usr/local}
|
||||||
|
libexec=$(dirname "$0")
|
||||||
git="${localbase}"/bin/git
|
git="${localbase}"/bin/git
|
||||||
giturl=$1
|
giturl=$1
|
||||||
gitdir=$2
|
gitdir=$2
|
||||||
|
@ -10,16 +11,22 @@ branch=$3
|
||||||
|
|
||||||
##
|
##
|
||||||
# main
|
# main
|
||||||
|
if ! "${libexec}"/isportzap-member; then
|
||||||
|
echo "[-] This command requires a member of the _portzap group"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -e "${gitdir}/.git" ]; then
|
if [ -e "${gitdir}/.git" ]; then
|
||||||
echo "[-] ${gitdir} exists."
|
echo "[-] ${gitdir} exists."
|
||||||
echo "[-] Try 'portzap pull'"
|
echo "[-] Try 'portzap pull'"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
else
|
||||||
set -x
|
set -x
|
||||||
umask u=rwX,g=rwX,o=
|
umask u=rwX,g=rwX,o=
|
||||||
"${git}" clone "${giturl}" "${gitdir}"
|
doas -u _portzap "${git}" clone "${giturl}" "${gitdir}"
|
||||||
cd "${gitdir}"
|
cd "${gitdir}"
|
||||||
set +x +e
|
set +x +e
|
||||||
echo "[-] Checkout ${branch}"
|
echo "[-] Checkout ${branch}"
|
||||||
"${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
|
doas -u _portzap "${git}" checkout -t origin/"${branch}" > /dev/null 2>&1;
|
||||||
echo "[-] Done"
|
echo "[-] Done"
|
||||||
|
fi
|
||||||
|
|
|
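Review bot: `umask u=rwX,g=rwX,o=` on the line before the clone is now set in the caller's process, but the clone and checkout that create the files run through `doas -u _portzap`; if this is OpenBSD's doas it applies the target user's login class via setusercontext(3), umask included, so the group-writable mode intended here most likely no longer reaches git — check the mode of a fresh clone. If so, either apply the mode after the clone (portzap-pull already has a set_repository_permissions step) or set the umask in _portzap's login class, and drop the now-misleading line; the same `umask` before `doas -u _portzap "${git}" pull` appears in portzap-pull. `cd "${gitdir}"` now runs as the caller, who therefore needs search permission on the directory _portzap just created. The four-line membership check (`if ! "${libexec}"/isportzap-member … fi`) is added verbatim here, in portzap-erase and in portzap-pull; moving the message and exit into isportzap-member itself would leave each helper with a single line.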
@ -2,11 +2,17 @@
|
||||||
|
|
||||||
##
|
##
|
||||||
# variables
|
# variables
|
||||||
|
libexec=$(dirname "$0")
|
||||||
gitdir=$1
|
gitdir=$1
|
||||||
installdir=$2
|
installdir=$2
|
||||||
|
|
||||||
##
|
##
|
||||||
# main
|
# main
|
||||||
|
if ! "${libexec}"/isportzap-member; then
|
||||||
|
echo "[-] This command requires a member of the _portzap group"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
printf "[-] Are you sure ? \n"
|
printf "[-] Are you sure ? \n"
|
||||||
printf "[-] These directories will be erased:\n"
|
printf "[-] These directories will be erased:\n"
|
||||||
printf " [*] %s \n" "${gitdir}"
|
printf " [*] %s \n" "${gitdir}"
|
||||||
|
|
|
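Review bot: `libexec=$(dirname "$0")` locates isportzap-member relative to however this script was invoked; that holds when bin/portzap runs it by its absolute `${localbase}/libexec/portzap` path, but a direct call through a relative path or a symlink would look for the helper next to the link. A comment recording the assumption keeps the next reader from "fixing" it: `# isportzap-member lives beside this script; bin/portzap invokes us by absolute path`. The same line is added in the portzap-clone and portzap-pull hunks. The confirmation and deletion logic continues past the hunk.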
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
##
|
##
|
||||||
# variables
|
# variables
|
||||||
|
libexec=$(dirname "$0")
|
||||||
localbase=${LOCALBASE:-/usr/local}
|
localbase=${LOCALBASE:-/usr/local}
|
||||||
git="${localbase}"/bin/git
|
git="${localbase}"/bin/git
|
||||||
gitdir=$1
|
gitdir=$1
|
||||||
|
@ -22,16 +23,21 @@ change_branch()
|
||||||
remote=$1
|
remote=$1
|
||||||
branch=$2
|
branch=$2
|
||||||
echo "[-] Attempt to change branch: ${branch}"
|
echo "[-] Attempt to change branch: ${branch}"
|
||||||
"${git}" fetch "${remote}" > /dev/null 2>&1
|
doas -u _portzap "${git}" fetch "${remote}" > /dev/null 2>&1
|
||||||
"${git}" checkout "${branch}" > /dev/null 2>&1 ||
|
doas -u _portzap "${git}" checkout "${branch}" > /dev/null 2>&1 ||
|
||||||
"${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
|
doas -u _portzap "${git}" checkout -t "${remote}"/"${branch}" > /dev/null 2>&1
|
||||||
"${git}" reset HEAD --hard > /dev/null 2>&1
|
doas -u _portzap "${git}" reset HEAD --hard > /dev/null 2>&1
|
||||||
echo "[-] Done"
|
echo "[-] Done"
|
||||||
set -e
|
set -e
|
||||||
}
|
}
|
||||||
|
|
||||||
##
|
##
|
||||||
# main
|
# main
|
||||||
|
if ! "${libexec}"/isportzap-member; then
|
||||||
|
echo "[-] This command requires a member of the _portzap group"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -e "${gitdir}/.git" ]; then
|
if [ -e "${gitdir}/.git" ]; then
|
||||||
umask u=rwX,g=rwX,o=
|
umask u=rwX,g=rwX,o=
|
||||||
set_repository_permissions "${gitdir}"
|
set_repository_permissions "${gitdir}"
|
||||||
|
@ -41,7 +47,7 @@ if [ -e "${gitdir}/.git" ]; then
|
||||||
change_branch "${remote}" "${branch}"
|
change_branch "${remote}" "${branch}"
|
||||||
fi
|
fi
|
||||||
set -x
|
set -x
|
||||||
"${git}" pull --rebase "${remote}" "${branch}"
|
doas -u _portzap "${git}" pull --rebase "${remote}" "${branch}"
|
||||||
else
|
else
|
||||||
set +x
|
set +x
|
||||||
echo "[-] ${gitdir} is not a valid git repository."
|
echo "[-] ${gitdir} is not a valid git repository."
|
||||||
|
|
|
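Review bot: In change_branch the new `doas -u _portzap` prefix is applied to fetch, both checkouts and the reset, each still followed by `> /dev/null 2>&1`; a doas denial (a missing or mistyped doas.conf rule, or a caller outside the group) is therefore discarded together with git's own errors, and — if, as the trailing `set -e` suggests, errors are disabled inside the function — the script still prints "[-] Done" and only fails at the later pull. Keep stderr for at least the first privileged call so a denial is visible, e.g. `doas -u _portzap "${git}" fetch "${remote}" > /dev/null || { echo "[-] fetch of ${remote} failed" >&2; exit 1; }`. The function begins before the hunk (its `set +e`, if any, is not visible here), and the `umask` set before `doas -u _portzap "${git}" pull` is set in the caller's process while doas resets the umask for the target user, so it likely does not apply to the files git writes.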
@ -1,8 +1,6 @@
|
||||||
##
|
##
|
||||||
# portzap
|
# portzap
|
||||||
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
|
|
||||||
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull
|
|
||||||
permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-erase
|
|
||||||
permit nopass root as _portzap cmd /usr/local/bin/git
|
permit nopass root as _portzap cmd /usr/local/bin/git
|
||||||
permit nopass _portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
|
permit nopass :_portzap as _portzap cmd /usr/local/bin/git
|
||||||
permit nopass _portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
|
permit nopass :_portzap as root cmd /bin/chmod args -R u=rwX,g=rwX,o= /home/_portzap/ports/.git
|
||||||
|
permit nopass :_portzap as root cmd /usr/sbin/chown args -R _portzap:_portzap /home/_portzap/ports/.git
|
||||||
|
|
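Review bot: The new `permit nopass :_portzap as _portzap cmd /usr/local/bin/git` carries no `args` restriction, so any member of the group may run any git subcommand as _portzap; since git executes hooks, aliases and config-driven helpers, that amounts to running arbitrary commands as that account — broader than the three removed per-script rules, which at least confined members to the helpers. If that trust level is intended, record it next to the rule: `# members of _portzap may run any git command as _portzap: group membership == access to the account`. The chmod/chown rules are likewise widened from the `_portzap` user to the whole group; they stay pinned to fixed args on `/home/_portzap/ports/.git`, but that is a tree the group can now populate through git, and a recursive root chmod/chown over a tree writable by the requesting party deserves a note on how `-R` treats symbolic links found inside it.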