Merge branch 'debian/master' into 'handle-links-properly'

# Conflicts: # debian/patches/series

Merge branch 'debian/master' into 'handle-links-properly'
daf31839 · Héctor Orón Martínez · 53f44355 · 176c9511 · daf31839 · daf31839
Commit daf31839 authored Sep 12, 2018 by Héctor Orón Martínez
--- a/debian/obs-apache2.conf
+++ b/debian/obs-apache2.conf
@@ -5,6 +5,7 @@ Listen 82
 # Passenger defaults
 PassengerSpawnMethod "smart"
 PassengerMaxPoolSize 20
+PassengerDefaultUser obsapi
 #RailsEnv "development"

 # allow long request urls and being part of headers

--- a/debian/obs-api.postinst
+++ b/debian/obs-api.postinst
 #!/bin/sh -e

+# Add obsapi user and group to run the passenger RubyApp
+if ! getent group obsapi > /dev/null; then
+            addgroup --system --quiet obsapi
+fi
+if ! getent passwd obsapi > /dev/null; then
+    adduser --system --quiet \
+        --ingroup obsapi --shell /bin/false \
+        --no-create-home --home /nonexistent obsapi
+    usermod -c "User for build service api/webui" obsapi
+fi
+
 # Place api and repo url on index page
 if [ ! -f /usr/share/obs/overview/index.html ] ; then
  FQHOSTNAME=`hostname -f`
@@ -13,13 +24,19 @@ fi
 if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
  rm -f /usr/share/obs/api/config/secret.key
 fi
+
 SECRET_KEY="/etc/obs/api/config/secret.key"
 if [ ! -e "$SECRET_KEY" ]; then
-    ( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
+  touch $SECRET_KEY
+  chmod 0640 $SECRET_KEY
+  chown obsapi:www-data $SECRET_KEY
+    ( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
    ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
-fi
+else
+  # cope with upgrades here to ensure that obsapi user own the key.
  chmod 0640 $SECRET_KEY
-  chown nobody:www-data $SECRET_KEY
+  chown obsapi:www-data $SECRET_KEY
+fi

 # Generate log files
  touch /var/log/obs/access.log

--- a/debian/obs-api.postrm
+++ b/debian/obs-api.postrm
@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
    # Disable the obs site if not already disabled
        a2dissite obs.conf	> /dev/null || true
    fi
+    # Delete obsapi user and group
+    deluser --system --quiet obsapi || true
+    delgroup --system --quiet obsapi || true
    # Restart Apache to really unload obs.conf
    reload_apache restart
 fi

--- a/debian/patches/fix-kiwitree-symlink.patch
+++ b/debian/patches/fix-kiwitree-symlink.patch
+commit 3b73dab1a9e676e28334df10fac7c054418228a8
+Author: Michael Schroeder <mls@suse.de>
+Date:   Fri Mar 17 10:49:14 2017 +0100
+
+    [backend] fix kiwitree symlink check
+
+    Bad code copied from the build package. Sigh.
+
+Origin: upstream, https://github.com/openSUSE/open-build-service/commit/3b73dab1a9e676e28334df10fac7c054418228a8
+--- a/src/backend/bs_repserver
+++ b/src/backend/bs_repserver
+@@ -1743,7 +1743,7 @@ sub receivekiwitree {
+     } elsif ($type eq 'l') {
+       $extra =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
+       die("bad symlink\n") if "/$extra/" =~ /\/\.?\//;
+-      if ("/$extra/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+      if ("/$extra/" =~ /^((?:\/\.\.)+)\/(.*?)$/s) {
+         my ($head, $tail) = ($1, $2);
+ 	die("bad upref in symlink\n") if "/$tail/" =~ /\/\.\.\//;
+ 	die("bad upref in symlink\n") if ($head =~ y!/!!) > ($file =~ y!/!!);
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,5 +16,6 @@ Do-not-ship-database.yml.patch
 localgem.patch
 disable-slp.patch
 CVE-2017-5188.patch
+fix-kiwitree-symlink.patch
 handle-links-properly.patch
 dist-Use-2.7-packages-for-testing.patch
\ No newline at end of file
--- a/debian/rake-tasks.sh
+++ b/debian/rake-tasks.sh
@@ -26,10 +26,10 @@ case "$1" in
 	chown -R www-data:www-data /usr/share/obs/api/public
 	chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
 	chmod 664 /var/log/obs/*.log
-	chown nobody:www-data /etc/obs/api/config/database.yml
-	chmod 660 /etc/obs/api/config/database.yml
-	chown nobody:www-data /var/log/obs/backend_access.log
-	chown nobody:www-data /var/log/obs/production.log
+	chown obsapi:www-data /etc/obs/api/config/database.yml
+	chmod 440 /etc/obs/api/config/database.yml
+	chown obsapi:www-data /var/log/obs/backend_access.log
+	chown obsapi:www-data /var/log/obs/production.log

 	# Generate Gemfile.lock file.
 	cd /usr/share/obs/api

--- a/debian/rules
+++ b/debian/rules
@@ -69,6 +69,9 @@ override_dh_install:
 	# Fix Mark scripts as executable until upstream fixes
 	chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t*

+	# Remove useless Gemfile.lock
+	rm -f debian/obs-api/usr/share/obs/api/Gemfile.lock
+
 override_dh_systemd_enable:
 	dh_systemd_enable -p obs-server \
 		obsrepserver.service \