From ea6a5e46e56749c5c4d161980c2414130f67f64e Mon Sep 17 00:00:00 2001
From: 0x1eef <0x1eef@protonmail.com>
Date: Sun, 7 Apr 2024 20:27:18 -0300
Subject: [PATCH] Delegate 'portzap clone|pull' to the _portzap user (via doas)
---
 Makefile | 11 +++++++----
 README.md | 13 +++++++++++--
 bin/portzap | 10 +++++-----
 libexec/portzap/portzap-adduser | 10 ----------
 libexec/portzap/portzap-clone | 3 ++-
 libexec/portzap/portzap-pull | 2 +-
 libexec/portzap/portzap-setup | 22 ++++++++++++++++++++++
 man/man8/portzap.8 | 31 +++++++++++++++++++++++--------
 share/portzap/doas.conf | 2 ++
 9 files changed, 73 insertions(+), 31 deletions(-)
 delete mode 100755 libexec/portzap/portzap-adduser
 create mode 100755 libexec/portzap/portzap-setup
 create mode 100644 share/portzap/doas.conf
diff --git a/Makefile b/Makefile
index b6396db..35ecb59 100644
--- a/Makefile
+++ b/Makefile
@@ -1,18 +1,21 @@
 PREFIX = /usr/local
 BINDIR = $(PREFIX)/bin
-LIBEXECDIR = $(PREFIX)/libexec/portzap
 MANDIR = $(PREFIX)/man/man8
+LIBEXECDIR = $(PREFIX)/libexec/portzap
+SHAREDIR = $(PREFIX)/share/portzap
 
 install:
- install -d $(BINDIR) $(LIBEXECDIR) $(MANDIR)
+ install -d $(BINDIR) $(LIBEXECDIR) $(SHAREDIR) $(MANDIR)
 install -m 0755 bin/portzap $(BINDIR)
 install -m 0755 libexec/portzap/* $(LIBEXECDIR)
+ install -m 0644 share/portzap/* $(SHAREDIR)
 install -m 0644 man/man8/portzap.8 $(MANDIR)
 
 deinstall:
+ rm $(BINDIR)/portzap
+ rm $(MANDIR)/portzap.8
 rm -rf $(LIBEXECDIR)
- rm -f $(BINDIR)/portzap
- rm -f $(MANDIR)/portzap.8
+ rm -rf $(SHAREDIR)
 
 shellcheck:
 shellcheck bin/portzap
diff --git a/README.md b/README.md
index 32c794c..5b3fb40 100644
--- a/README.md
+++ b/README.md
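Review bot: The deinstall target now uses `rm` without `-f` for `$(BINDIR)/portzap` and `$(MANDIR)/portzap.8`, so a repeated `make deinstall` (or one run after a partial install) aborts on the first missing file and leaves `$(LIBEXECDIR)` and `$(SHAREDIR)` in place, whereas the replaced `rm -f` lines tolerated that. Suggest restoring `rm -f $(BINDIR)/portzap` and `rm -f $(MANDIR)/portzap.8`. Note also that neither target touches the doas rules that portzap-setup appends to /usr/local/etc/doas.conf, so after deinstall the `permit` lines remain and point at paths that no longer exist; a comment on the target such as `# does not revert the doas.conf rules added by 'portzap setup'` would make that explicit. Neither `install` nor `deinstall` is declared `.PHONY`, though that predates this change.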
@@ -8,16 +8,20 @@ portzap is a utility that manages a local copy of the
 **CLI**
 
 # Clone the hardenedbsd ports tree into /home/_portzap/ports/.
+ # This command is delegated to the '_portzap' user.
 $ portzap clone
 
 # Pull updates into /home/_portzap/ports/.
+ # This command is delegated to the '_portzap' user.
 $ portzap pull
 
 # Install /home/_portzap/ports/ into /usr/ports/.
+ # This command requires root privileges.
 # portzap install
 
 # Add the portzap user, group and home directory.
- # portzap adduser
+ # This command requires root privileges.
+ # portzap setup
 
 **ENVIRONMENT VARIABLES**
 
@@ -34,9 +38,14 @@ portzap is a utility that manages a local copy of the
 $ git clone https://github.com/0x1eef/portzap.git
 $ cd portzap
 # make install
- # portzap adduser
+ # portzap setup
 # pw groupmod -n _portzap -m
 
+## Requirements
+
+* [doas](https://man.openbsd.org/doas)
+ pkg install doas
+
 ## Sources
 
 * [GitHub](https://github.com/0x1eef/portzap)
diff --git a/bin/portzap b/bin/portzap
index 9ad0b94..1d5afcb 100755
--- a/bin/portzap
+++ b/bin/portzap
@@ -43,21 +43,21 @@ case $1 in
 "clone")
 require_dependency git
 require_membership_of _portzap
- "${libexec}"/portzap-clone "${giturl}" "${gitdir}"
+ doas -u _portzap "${libexec}"/portzap-clone "${giturl}" "${gitdir}"
 ;;
 "pull")
 require_dependency git
 require_membership_of _portzap
- "${libexec}"/portzap-pull "${gitdir}"
+ doas -u _portzap "${libexec}"/portzap-pull "${gitdir}"
 ;;
 "install")
 require_root
 require_dependency git
 "${libexec}"/portzap-install "${gitdir}" "${installdir}" "${revision}"
 ;;
- "adduser")
+ "setup")
 require_root
- "${libexec}"/portzap-adduser
+ "${libexec}"/portzap-setup
 ;;
 *)
 printf "Usage: portzap COMMAND [OPTIONS]\n"
@@ -66,6 +66,6 @@ case $1 in
 printf " clone Clone the hardenedbsd ports tree.\n"
 printf " pull Pull updates from the hardenedbsd ports tree.\n"
 printf " install Install the ports tree into /usr/ports.\n"
- printf " adduser Add the portzap user, group and home directory.\n"
+ printf " setup Add the _portzap user, group and home directory.\n"
 ;;
 esac
diff --git a/libexec/portzap/portzap-adduser b/libexec/portzap/portzap-adduser
deleted file mode 100755
index f48ba91..0000000
--- a/libexec/portzap/portzap-adduser
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh -e
-
-##
-# main
-pw useradd -n _portzap \
- -c "portzap user" \
- -m \
- -s /sbin/nologin
-chmod -R u=rwX,g=rwX,o= /home/_portzap/
-echo OK
diff --git a/libexec/portzap/portzap-clone b/libexec/portzap/portzap-clone
index 0dc54da..1fa4670 100755
--- a/libexec/portzap/portzap-clone
+++ b/libexec/portzap/portzap-clone
@@ -12,6 +12,7 @@ if [ -e "${gitdir}/.git" ]; then
 echo "Try 'portzap pull' instead."
 exit 1
 fi
-umask u=rwX,g=rwX,o=
+umask u=rwX,g=rX,o=rX
 set -x
 git clone --depth 1 "${giturl}" "${gitdir}"
+cd "${gitdir}"
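Review bot: The `clone` and `pull` branches now invoke `doas`, but the dependency check immediately above each call still covers only git, so on a host without doas the command fails with the shell's raw "not found" error instead of the guided message the other checks give. Add `require_dependency doas` next to `require_dependency git` in both branches, matching how the README now lists doas as a requirement. The enclosing `case $1 in` starts before the hunk.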
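Review bot: The added `cd "${gitdir}"` appears to be the last line of portzap-clone (no context follows it in the hunk), so the directory change has no observable effect: the script exits right after it, and with `set -x` active it only emits a stray trace line to stderr. Either drop the line or, if follow-up git commands in the checkout are intended, add them here so the `cd` has a purpose. The `if [ -e "${gitdir}/.git" ]` block begins above the hunk.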
diff --git a/libexec/portzap/portzap-pull b/libexec/portzap/portzap-pull
index c8fc515..b38fac0 100755
--- a/libexec/portzap/portzap-pull
+++ b/libexec/portzap/portzap-pull
@@ -6,7 +6,7 @@ gitdir=$1
 
 ##
 # main
-umask u=rwX,g=rwX,o=
+umask u=rwX,g=rX,o=rX
 if [ -e "${gitdir}/.git" ]; then
 set -x
 cd "${gitdir}"
diff --git a/libexec/portzap/portzap-setup b/libexec/portzap/portzap-setup
new file mode 100755
index 0000000..b453d01
--- /dev/null
+++ b/libexec/portzap/portzap-setup
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+##
+# variables
+conf=$(cat /usr/local/share/portzap/doas.conf)
+doas=/usr/local/etc/doas.conf
+
+##
+# main
+if ! id -u _portzap > /dev/null 2>&1; then
+ pw useradd -n _portzap \
+ -c "portzap user" \
+ -m \
+ -s /sbin/nologin
+ chmod u=rwX,g=rX,o= /home/_portzap/
+echo "[ok] add _portzap user, group and home directory"
+fi
+
+if ! fgrep "${conf}" "${doas}" > /dev/null 2>&1; then
+ echo "${conf}" >> "${doas}"
+ echo "[ok] update ${doas}"
+fi
diff --git a/man/man8/portzap.8 b/man/man8/portzap.8
index 10a0d8b..1f8e622 100644
--- a/man/man8/portzap.8
+++ b/man/man8/portzap.8
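Review bot: The idempotence check `fgrep "${conf}" "${doas}"` passes `conf` — the whole two-line doas.conf fragment — as one pattern, and grep treats each line of a multi-line pattern as a separate alternative, so when only one of the two `permit` rules is already present the check succeeds and the missing rule is never appended. It is also a substring match, so a commented-out or edited copy of a rule counts as present, and `fgrep` is the deprecated spelling of `grep -F`. Checking and appending rule by rule with an exact-line match fixes both, after which the `conf` variable is unused and can go. Separately, the `cat` path and `${doas}` are hard-coded to /usr/local while the Makefile derives its directories from `PREFIX`, so a non-default prefix installs a fragment that setup never reads; a comment such as `# NOTE: paths assume PREFIX=/usr/local (see Makefile)` would at least flag it.
```shell
# … unchanged: variables, _portzap user creation …
while IFS= read -r rule; do
  if ! grep -qxF -- "${rule}" "${doas}"; then
    echo "${rule}" >> "${doas}"
    echo "[ok] add '${rule}' to ${doas}"
  fi
done < /usr/local/share/portzap/doas.conf
```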
@@ -12,35 +12,50 @@ portzap pull
 .br
 portzap install
 .br
-portzap adduser
+portzap setup
 .Sh DESCRIPTION
 .Nm portzap
 manages a copy of the hardenedbsd ports tree.
 .Sh EXAMPLES
-.Pp
+.sp
+.sp
 .Nm portzap clone
 .br
 Clone the hardenedbsd ports tree into /home/_portzap/ports/.
+.br
+This command is delegated to the '_portzap' user.
 .Pp
 .Nm portzap pull
 .br
 Pull updates into /home/_portzap/ports/.
+.br
+This command is delegated to the '_portzap' user.
 .Pp
 .Nm portzap install
 .br
 Install /home/_portzap/ports/ into /usr/ports/.
+.br
+This command requires root privileges.
 .Pp
-.Nm portzap adduser
+.Nm portzap setup
 .br
 Add the portzap user, group and home directory.
+.br
+This command requires root privileges.
 .Sh ENVIRONMENT VARIABLES
-.Pp
-.Bl -tag -width $PORTZAP_GITURL
-.It Ev PORTZAP_GITURL
+.sp
+.sp
+.Nm PORTZAP_GITURL
+.br
 The URL to a git repository.
+.br
 Default: https://git.hardenedbsd.org/hardenedbsd/ports.git
-.It Ev PORTZAP_INSTALLDIR
-The directory where the ports collection will be installed. Default: /usr/ports/.
+.sp
+.Nm PORTZAP_INSTALLDIR
+.br
+The directory where the ports collection will be installed.
+.br
+Default: /usr/ports/
 .Sh AUTHORS
 The
 .Nm portzap
diff --git a/share/portzap/doas.conf b/share/portzap/doas.conf
new file mode 100644
index 0000000..5ec6ddd
--- /dev/null
+++ b/share/portzap/doas.conf
@@ -0,0 +1,2 @@
+permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-clone
+permit nopass :_portzap as _portzap cmd /usr/local/libexec/portzap/portzap-pull
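Review bot: The two `permit nopass` rules constrain only the command path, not its arguments, and both scripts take the target directory (and, for clone, the URL) from the caller, so the grant to `:_portzap` covers running them against any path `_portzap` can write, not just /home/_portzap/ports/; doas `args` cannot express this because the values are variable. The defensive place for the constraint is the scripts themselves — have portzap-clone and portzap-pull reject a `gitdir` outside /home/_portzap (or derive it internally and ignore the argument) before acting. A header comment here would also help operators: `# Installed to /usr/local/share/portzap and appended to /usr/local/etc/doas.conf by 'portzap setup'; paths assume PREFIX=/usr/local`, since the absolute libexec paths silently stop matching if the Makefile's PREFIX changes, which doas treats as a deny.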