Commit daf31839 authored by Héctor Orón Martínez's avatar Héctor Orón Martínez

Merge branch 'debian/master' into 'handle-links-properly'

# Conflicts:
#   debian/patches/series
parents 53f44355 176c9511
......@@ -5,6 +5,7 @@ Listen 82
# Passenger defaults
PassengerSpawnMethod "smart"
PassengerMaxPoolSize 20
PassengerDefaultUser obsapi
#RailsEnv "development"
# allow long request urls and being part of headers
......
#!/bin/sh -e
# Add obsapi user and group to run the passenger RubyApp
if ! getent group obsapi > /dev/null; then
addgroup --system --quiet obsapi
fi
if ! getent passwd obsapi > /dev/null; then
adduser --system --quiet \
--ingroup obsapi --shell /bin/false \
--no-create-home --home /nonexistent obsapi
usermod -c "User for build service api/webui" obsapi
fi
# Place api and repo url on index page
if [ ! -f /usr/share/obs/overview/index.html ] ; then
FQHOSTNAME=`hostname -f`
......@@ -13,13 +24,19 @@ fi
if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
rm -f /usr/share/obs/api/config/secret.key
fi
SECRET_KEY="/etc/obs/api/config/secret.key"
if [ ! -e "$SECRET_KEY" ]; then
( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
touch $SECRET_KEY
chmod 0640 $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
fi
else
# cope with upgrades here to ensure that obsapi user own the key.
chmod 0640 $SECRET_KEY
chown nobody:www-data $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
fi
# Generate log files
touch /var/log/obs/access.log
......
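Review bot: The added `chown obsapi:www-data $SECRET_KEY` with mode 0640 leaves the application secret writable by the service account and readable by every process in group `www-data`. Since the Apache snippet in this commit sets `PassengerDefaultUser obsapi`, the web server workers presumably no longer need to read the key. In that case `chown root:obsapi "$SECRET_KEY"` followed by `chmod 0640 "$SECRET_KEY"`, in both the create and the upgrade branch, would let the app read the key without being able to replace it. The later maintainer-script hunk that sets `chown obsapi:www-data` and `chmod 440` on `/etc/obs/api/config/database.yml` exposes the database credentials to the same group. If a component still running as `www-data` reads either file, a comment naming it would justify the group; the `$SECRET_KEY` expansions should also be quoted.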
......@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
# Disable the obs site if not already disabled
a2dissite obs.conf > /dev/null || true
fi
# Delete obsapi user and group
deluser --system --quiet obsapi || true
delgroup --system --quiet obsapi || true
# Restart Apache to really unload obs.conf
reload_apache restart
fi
......
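Review bot: Deleting the `obsapi` account on purge can orphan files that the postinst scripts chowned to it, such as the logs under `/var/log/obs` and the key under `/etc/obs/api/config`. Whether purge removes those files is not visible in this hunk. If they survive, they stay owned by a numeric UID that a later `adduser --system` may assign to an unrelated service. Either remove those files before the `deluser` call, or drop the two added lines and leave the system account in place, as many Debian packages do. The `if [ "$1" = "purge" ]` block starts outside this hunk.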
commit 3b73dab1a9e676e28334df10fac7c054418228a8
Author: Michael Schroeder <mls@suse.de>
Date: Fri Mar 17 10:49:14 2017 +0100
[backend] fix kiwitree symlink check
Bad code copied from the build package. Sigh.
Origin: upstream, https://github.com/openSUSE/open-build-service/commit/3b73dab1a9e676e28334df10fac7c054418228a8
--- a/src/backend/bs_repserver
+++ b/src/backend/bs_repserver
@@ -1743,7 +1743,7 @@ sub receivekiwitree {
} elsif ($type eq 'l') {
$extra =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
die("bad symlink\n") if "/$extra/" =~ /\/\.?\//;
- if ("/$extra/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+ if ("/$extra/" =~ /^((?:\/\.\.)+)\/(.*?)$/s) {
my ($head, $tail) = ($1, $2);
die("bad upref in symlink\n") if "/$tail/" =~ /\/\.\.\//;
die("bad upref in symlink\n") if ($head =~ y!/!!) > ($file =~ y!/!!);
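Review bot: The corrected match on the `+` line carries no comment, and its difference from the old pattern is easy to miss. A quantified capture group keeps only its last repetition, so `$1` used to hold a single `/..`, and the slash-count comparison against `$file` could not reject a target that climbs above the tree root. A one-line comment above the `if` would stop it being simplified back, e.g. `# capture the whole run of /.. components; a repeated group would keep only the last one`. A regression test with a link whose target has more `..` components than the link's directory depth would pin the behaviour; none is visible in this patch. The body of `receivekiwitree` continues outside the hunk.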
......@@ -16,5 +16,6 @@ Do-not-ship-database.yml.patch
localgem.patch
disable-slp.patch
CVE-2017-5188.patch
fix-kiwitree-symlink.patch
handle-links-properly.patch
dist-Use-2.7-packages-for-testing.patch
dist-Use-2.7-packages-for-testing.patch
\ No newline at end of file
......@@ -26,10 +26,10 @@ case "$1" in
chown -R www-data:www-data /usr/share/obs/api/public
chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
chmod 664 /var/log/obs/*.log
chown nobody:www-data /etc/obs/api/config/database.yml
chmod 660 /etc/obs/api/config/database.yml
chown nobody:www-data /var/log/obs/backend_access.log
chown nobody:www-data /var/log/obs/production.log
chown obsapi:www-data /etc/obs/api/config/database.yml
chmod 440 /etc/obs/api/config/database.yml
chown obsapi:www-data /var/log/obs/backend_access.log
chown obsapi:www-data /var/log/obs/production.log
# Generate Gemfile.lock file.
cd /usr/share/obs/api
......
......@@ -69,6 +69,9 @@ override_dh_install:
# Fix Mark scripts as executable until upstream fixes
chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t*
# Remove useless Gemfile.lock
rm -f debian/obs-api/usr/share/obs/api/Gemfile.lock
override_dh_systemd_enable:
dh_systemd_enable -p obs-server \
obsrepserver.service \
......