Refactor to not use setuid and not bypass the git daemon
authorSilvio Rhatto <rhatto@riseup.net>
Wed, 10 Apr 2013 16:13:54 +0000 (13:13 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Wed, 10 Apr 2013 16:13:54 +0000 (13:13 -0300)
manifests/instance.pp
templates/deploy.sh.erb
templates/refresh.sh.erb

index 3c76365ad2f5155877c5bec8c6d89b6e8680465d..f6c635fa4605f161cffa586e295f27695d3dca4a 100644 (file)
@@ -1,7 +1,7 @@
 define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description = false,
                 $adminuser = 'yourname', $adminemail = 'me@example.org', $instance = 'ikiwiki',
                 $account_creation_password = false, $add_plugins = false, $disable_plugins = false,
-                $protocol = 'https') {
+                $protocol = 'https', $owner = $name, $group = $name) {
 
   $desc = $description ? {
     false   => $title,
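Review bot: The new `$owner = $name` and `$group = $name` defaults assume a Unix user and group named after the site already exist on the host, but nothing in this signature or the visible body declares or requires them, so the `file` and `exec` resources that take these values will fail catalog application wherever that account is missing. If the account is created elsewhere in the module, a `require => User[$owner]` on the resources that use it would make the ordering explicit; otherwise document the assumption in the define's header, e.g. `# $owner/$group: the Unix account the wiki's srcdir, destdir and ikiwiki.cgi belong to; it must already exist on the host`. The define's body continues past this hunk.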
@@ -13,23 +13,30 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
       file { "/etc/ikiwiki/$name.setup":
         ensure  => present,
         content => template('ikiwiki/ikiwiki.setup.erb'),
-        owner   => www-data,
-        group   => www-data,
+        owner   => root,
+        group   => $owner,
         mode    => 640,
         notify  => Exec["ikiwiki_refresh_${name}"],
       }
 
-      exec { "ikiwiki_refresh_${name}":
-        command     => "/usr/local/sbin/ikiwiki-refresh $name $instance",
+      exec { "ikiwiki_refresh_${name}_${instance}":
+        command     => "/usr/local/sbin/ikiwiki-refresh $name $instance $owner $group",
         user        => root,
         refreshonly => true,
       }
-  
+
+      exec { "ssh-keygen-ikiwiki-${name}_${instance}":
+        command => "ssh-keygen -t rsa -P '' -f ${ikiwiki::sites_folder}/${name}/.ssh/id_rsa":
+        creates => "${ikiwiki::sites_folder}/${name}/.ssh/id_rsa",
+        user    => $owner,
+        group   => $group,
+      }
+
       if !defined(File["${ikiwiki::sites_folder}/${name}/${instance}_src"]) {
         file { "${ikiwiki::sites_folder}/${name}/${instance}_src":
           ensure  => directory,
-          owner   => www-data,
-          group   => www-data,
+          owner   => $owner,
+          group   => $group,
           recurse => true,
           notify  => Exec["ikiwiki_refresh_${name}"],
           require => File["${ikiwiki::sites_folder}/${name}"],
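Review bot: The refresh exec is retitled to `ikiwiki_refresh_${name}_${instance}`, but the `notify => Exec["ikiwiki_refresh_${name}"]` on the setup file and on the `_src` directory still point at the old title, so the catalog will fail with an unresolved reference unless an exec with the old title is declared elsewhere; both should become `notify => Exec["ikiwiki_refresh_${name}_${instance}"],`. The new ssh-keygen exec also has two defects: its `command` line ends in `:` instead of `,`, which is a parse error, and `ssh-keygen` is not a fully qualified path with no `path` attribute given, which Puppet rejects at run time — `command => "/usr/bin/ssh-keygen -t rsa -P '' -f ${ikiwiki::sites_folder}/${name}/.ssh/id_rsa",`. It further needs the `.ssh` directory to exist first, since ssh-keygen does not create parent directories, so a `file { "${ikiwiki::sites_folder}/${name}/.ssh": ensure => directory, owner => $owner, group => $group, mode => 0700 }` plus a `require` on it is warranted. Because the key is generated with an empty passphrase, its confidentiality rests entirely on that directory's permissions, which is worth saying in a comment on the exec.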
@@ -39,8 +46,8 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
       if !defined(File["${ikiwiki::sites_folder}/${name}/${instance}"]) {
         file { "${ikiwiki::sites_folder}/${name}/${instance}":
           ensure  => directory,
-          owner   => www-data,
-          group   => www-data,
+          owner   => $owner,
+          group   => $group,
           recurse => true,
           require => File["${ikiwiki::sites_folder}/${name}"],
         }
@@ -54,21 +61,19 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
         }
       }
 
-      # The post-update hook should have www-data as owner so
-      # gitolite can do a setuid to it and write to ikiwiki
-      # folders without messing the permission scheme.
-      #
-      # The same is valid for the cgi.
-      #
-      # See http://ikiwiki.info/rcs/git/
-      #     http://ikiwiki.info/forum/multi-user_setup_of_ikiwiki__44___gitolite_and_apache2_in_Debian_Sid/
-      #
-      file { [ "/var/git/repositories/${name}.git/hooks/post-update",
-               "${ikiwiki::sites_folder}/${name}/${instance}/ikiwiki.cgi" ]:
+      file { "/var/git/repositories/${name}.git/hooks/post-update":
+        ensure  => present,
+        owner   => $ikiwiki::git_implementation,
+        group   => $ikiwiki::git_implementation,
+        mode    => 0755,
+        require => File["/etc/ikiwiki/$name.setup"],
+      }
+
+      file { "${ikiwiki::sites_folder}/${name}/${instance}/ikiwiki.cgi":
         ensure  => present,
-        owner   => www-data,
-        group   => gitolite,
-        mode    => 6550,
+        owner   => $owner,
+        group   => $group,
+        mode    => 0550,
         require => File["/etc/ikiwiki/$name.setup"],
       }
     }
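Review bot: The comment explaining the permission scheme is removed and nothing replaces it, so the new layout is undocumented: the post-update hook is now a plain 0755 file owned by `$ikiwiki::git_implementation`, while the srcdir, destdir and `ikiwiki.cgi` belong to `$owner`/`$group`, and it is not visible from this diff how a hook running as the git user gains write access to trees it no longer owns, nor how a web server can execute a 0550 `ikiwiki.cgi` owned by `$owner` unless it runs as that account (suexec or similar) or is a member of `$group`. Presumably the hook template was reworked to go through the new per-site ssh key rather than write into the site tree directly — please confirm — and state it in a comment above the hook resource, e.g. `# No setuid: the hook runs as the git user and ikiwiki.cgi as $owner; the web server must execute the cgi as $owner (or be in $group) and the hook must not write to the site tree itself`. The define's body ends outside this hunk.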
index 91aee0e6c858a495bd3419035ca1db4701486a92..4ebbf1da7a8ec62c9c677550a6dbf387379208a7 100644 (file)
@@ -5,10 +5,6 @@ INSTANCE="$2"
 BASE="<%= scope.lookupvar('ikiwiki::sites_folder') %>"
 SITE=$BASE/$NAME
 CONF="/etc/ikiwiki"
-WEB_OWNER="www-data"
-WEB_GROUP="www-data"
-REPO_OWNER="<%= scope.lookupvar('ikiwiki::git_implementation') %>"
-REPO_GROUP="<%= scope.lookupvar('ikiwiki::git_implementation') %>"
 REPO="/var/git/repositories/$NAME.git"
 
 if [ -z "$INSTANCE" ]; then
@@ -43,6 +39,3 @@ if [ ! -d "$REPO" ]; then
   touch $REPO/git-daemon-export-ok
   ( cd $REPO/$NAME.git && git --bare update-server-info )
 fi
-
-# Refresh the instance
-ikiwiki-refresh $NAME $INSTANCE
index 43089347906a14ba1738837669df9907b5bde59a..41b52967652f2f04a995dd099a0b294bfe37a954 100644 (file)
@@ -2,11 +2,11 @@
 
 NAME="$1"
 INSTANCE="$2"
+WEB_OWNER="$3"
+WEB_GROUP="$4"
 BASE="<%= scope.lookupvar('ikiwiki::sites_folder') %>"
-SITE=$BASE/$NAME
+SITE="$BASE/$NAME"
 CONF="/etc/ikiwiki"
-WEB_OWNER="www-data"
-WEB_GROUP="www-data"
 REPO_OWNER="<%= scope.lookupvar('ikiwiki::git_implementation') %>"
 REPO_GROUP="<%= scope.lookupvar('ikiwiki::git_implementation') %>"
 REPO="/var/git/repositories/$NAME.git"
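Review bot: `WEB_OWNER="$3"` and `WEB_GROUP="$4"` are new mandatory positional arguments but are never checked, so any other caller that still passes only name and instance gets empty values and the later `chown -R $WEB_OWNER.$WEB_GROUP` runs with an empty ownership spec — in a script that the Puppet exec invokes as root. Add a guard next to the existing `INSTANCE` check: `if [ -z "$WEB_OWNER" ] || [ -z "$WEB_GROUP" ]; then echo "usage: $0 <name> <instance> <owner> <group>" >&2; exit 1; fi`. Quoting `SITE="$BASE/$NAME"` is an improvement, but `$NAME` itself is interpolated unvalidated into every path this root-run script operates on, so a cheap whitelist such as `case "$NAME" in ""|*[!A-Za-z0-9._-]*) exit 1;; esac` would be a sensible safeguard even though the value presumably comes only from the manifest. The rest of the script is outside this hunk.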
@@ -30,11 +30,9 @@ fi
 ikiwiki --setup /etc/ikiwiki/$NAME.setup
 
 # Fix permissions
-chown -R $WEB_OWNER.$WEB_GROUP $SITE/"$INSTANCE"_src $SITE/$INSTANCE
 chown -R $REPO_OWNER.$REPO_GROUP $REPO
-chown $WEB_OWNER.$REPO_GROUP $REPO/hooks/post-update
-chown $WEB_OWNER.$REPO_GROUP $SITE/$INSTANCE/ikiwiki.cgi
+chown -R $WEB_OWNER.$WEB_GROUP $SITE/"$INSTANCE"_src $SITE/$INSTANCE
 
 # Setuid/setgid
-chmod 6550 $REPO/hooks/post-update
-chmod 6550 $SITE/$INSTANCE/ikiwiki.cgi
+chmod 0755 $REPO/hooks/post-update
+chmod 0550 $SITE/$INSTANCE/ikiwiki.cgi
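Review bot: The `# Setuid/setgid` heading is now wrong: the two chmod lines beneath it set plain `0755` and `0550`, deliberately dropping the setuid/setgid bits, so it should read `# Plain execute bits only; setuid/setgid is intentionally no longer used`. The `user.group` form in `chown -R $WEB_OWNER.$WEB_GROUP` is a legacy GNU syntax that is ambiguous when a user name contains a dot; the portable form is `chown -R "$WEB_OWNER:$WEB_GROUP" "$SITE/${INSTANCE}_src" "$SITE/$INSTANCE"`, which also quotes the second path consistently with the first. Note that `ikiwiki --setup` on the line above still runs as root (the Puppet exec runs this script as root), so anything it creates is root-owned until the recursive chown below runs; the ordering here is therefore load-bearing and deserves a one-line comment saying so.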