From 96d7f4ceb91d44a40646f1dbe065b770c6da8b65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andrew=20Lee=20=28=E6=9D=8E=E5=81=A5=E7=A7=8B=29?= <ajqlee@debian.org> Date: Fri, 7 Sep 2018 13:36:08 +0800 Subject: [PATCH 1/4] fix-kiwitree-symlink.patch: cherry-pick bad code fix from upstream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org> --- debian/patches/fix-kiwitree-symlink.patch | 20 ++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 21 insertions(+) create mode 100644 debian/patches/fix-kiwitree-symlink.patch diff --git a/debian/patches/fix-kiwitree-symlink.patch b/debian/patches/fix-kiwitree-symlink.patch new file mode 100644 index 0000000000..fb1150217d --- /dev/null +++ b/debian/patches/fix-kiwitree-symlink.patch @@ -0,0 +1,20 @@ +commit 3b73dab1a9e676e28334df10fac7c054418228a8 +Author: Michael Schroeder <mls@suse.de> +Date: Fri Mar 17 10:49:14 2017 +0100 + + [backend] fix kiwitree symlink check + + Bad code copied from the build package. Sigh. + +Origin: upstream, https://github.com/openSUSE/open-build-service/commit/3b73dab1a9e676e28334df10fac7c054418228a8 +--- a/src/backend/bs_repserver ++++ b/src/backend/bs_repserver +@@ -1743,7 +1743,7 @@ sub receivekiwitree { + } elsif ($type eq 'l') { + $extra =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge; + die("bad symlink\n") if "/$extra/" =~ /\/\.?\//; +- if ("/$extra/" =~ /^(\/\.\.)+\/(.*?)$/s) { ++ if ("/$extra/" =~ /^((?:\/\.\.)+)\/(.*?)$/s) { + my ($head, $tail) = ($1, $2); + die("bad upref in symlink\n") if "/$tail/" =~ /\/\.\.\//; + die("bad upref in symlink\n") if ($head =~ y!/!!) > ($file =~ y!/!!); diff --git a/debian/patches/series b/debian/patches/series index 5f8f3362b6..e626a43f66 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -16,3 +16,4 @@ Do-not-ship-database.yml.patch localgem.patch disable-slp.patch CVE-2017-5188.patch +fix-kiwitree-symlink.patch -- GitLab 
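Review bot: The new Debian patch file carries only an `Origin:` DEP-3 header and the upstream message ("fix kiwitree symlink check") never says what was wrong, so a `Description:` line should record the security effect of this one-character regex change. With `^(\/\.\.)+\/(.*?)$` the repeated group leaves only the last `/..` in `$1`, so `($head =~ y!/!!)` is always 1 and a symlink target with several leading `..` components gets past the `bad upref in symlink` depth check against `$file`; the new `^((?:\/\.\.)+)\/(.*?)$` captures the whole run, so the slash count is real. Suggested header line: `Description: receivekiwitree: count every leading ../ of a symlink target so the upref depth check cannot be bypassed with several .. components.` The upstream note says this code was copied from the build package, so it is worth grepping the Debian source for other copies of the same check; `receivekiwitree` continues outside the hunk.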
From 53f4435562806a691b4f96bbe5e84340330fdafb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andrew=20Lee=20=28=E6=9D=8E=E5=81=A5=E7=A7=8B=29?= <ajqlee@debian.org> Date: Fri, 7 Sep 2018 15:29:07 +0800 Subject: [PATCH 2/4] Handle links properly when doing backend build operations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These are fixed from upstream 2.7 branch. Originally from pull request#3284 in upstream: https://github.com/openSUSE/open-build-service/pull/3284/commits Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org> --- .../dist-Use-2.7-packages-for-testing.patch | 26 ++++++++++ debian/patches/handle-links-properly.patch | 47 +++++++++++++++++++ debian/patches/series | 2 + 3 files changed, 75 insertions(+) create mode 100644 debian/patches/dist-Use-2.7-packages-for-testing.patch create mode 100644 debian/patches/handle-links-properly.patch diff --git a/debian/patches/dist-Use-2.7-packages-for-testing.patch b/debian/patches/dist-Use-2.7-packages-for-testing.patch new file mode 100644 index 0000000000..dec03d12aa --- /dev/null +++ b/debian/patches/dist-Use-2.7-packages-for-testing.patch 
@@ -0,0 +1,26 @@ +From be9fc5f2f7c564392948f127faff6486225ba8e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Geuken?= <bgeuken@suse.de> +Date: Mon, 26 Jun 2017 15:06:51 +0200 +Subject: [PATCH] [dist] Use 2.7 packages for testing 2.7 branch in travis + +--- + dist/ci/obs_testsuite_travis_install.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Origin: upstream, https://github.com/openSUSE/open-build-service/pull/3284/commits +diff --git a/dist/ci/obs_testsuite_travis_install.sh b/dist/ci/obs_testsuite_travis_install.sh +index 85238dbd1..f9ecadaeb 100755 +--- a/dist/ci/obs_testsuite_travis_install.sh ++++ b/dist/ci/obs_testsuite_travis_install.sh +@@ -8,7 +8,7 @@ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C5C219E7 + + # Install updates from our own repository + sudo chmod a+w /etc/apt/sources.list.d +-echo 'deb http://download.opensuse.org/repositories/OBS:/Server:/Unstable/xUbuntu_12.04 /' > /etc/apt/sources.list.d/opensuse.list ++echo 'deb http://download.opensuse.org/repositories/OBS:/Server:/2.7/xUbuntu_12.04 /' > /etc/apt/sources.list.d/opensuse.list + + # We could use this to only update the package list from the OBS, + # but apprently this is not possible anymore. So we update all package lists. +-- +2.11.0 + diff --git a/debian/patches/handle-links-properly.patch b/debian/patches/handle-links-properly.patch new file mode 100644 index 0000000000..01e7296f44 --- /dev/null +++ b/debian/patches/handle-links-properly.patch 
@@ -0,0 +1,47 @@ +commit d4bddd6df495cc436185961fb497dacedc046008 +Author: Adrian Schröter <adrian@suse.de> +Date: Thu Jun 22 12:12:01 2017 +0200 + + [webui] Handle links properly when doing backend build operations + + OBS wasn't properly handling linked projects when triggering rebuilds, + wipe binaries and abort build. This resulted in packages of linked + projects being aborted, wiped, rebuilt. + + This fixes the falsey code. + + Pair-programmed with @eduardoj and @bgeuken + +Origin: upstream, https://github.com/openSUSE/open-build-service/pull/3284/commits +--- a/src/api/app/models/package.rb ++++ b/src/api/app/models/package.rb +@@ -1344,22 +1344,23 @@ class Package < ActiveRecord::Base + self + end + ++ #### WARNING: these operations run in build object, not this package object + def rebuild(params) +- backend_build_command(:rebuild, params.slice(:package, :arch, :repository)) ++ backend_build_command(:rebuild, params[:project], params.slice(:package, :arch, :repository)) + end + + def wipe_binaries(params) +- backend_build_command(:wipe, params.slice(:package, :arch, :repository)) ++ backend_build_command(:wipe, params[:project], params.slice(:package, :arch, :repository)) + end + + def abort_build(params) +- backend_build_command(:abortbuild, params.slice(:package, :arch, :repository)) ++ backend_build_command(:abortbuild, params[:project], params.slice(:package, :arch, :repository)) + end + +- def backend_build_command(command, params) ++ def backend_build_command(command, build_project, params) + begin +- Suse::Backend.post("/build/#{URI.escape(project.name)}?cmd=#{command}&#{params.to_query}", '') +- rescue ActiveXML::Transport::Error, Timeout::Error => e ++ Suse::Backend.post("/build/#{URI.escape(build_project)}?cmd=#{command}&#{params.to_query}", '') ++ rescue ActiveXML::Transport::Error, Timeout::Error, Project::WritePermissionError => e + errors.add(:base, e.message) + return false + end 
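Review bot: `backend_build_command` now builds the backend URL from `build_project`, which `rebuild`/`wipe_binaries`/`abort_build` take straight from `params[:project]`, so it may name a project other than this package's own `project`, yet nothing in the hunk checks that the caller may write to it; the only hint of such a check is the new `Project::WritePermissionError` in the rescue list, which no visible code raises. Confirm that every caller validates write access on `params[:project]` before this POST, or resolve the project and run that check at the top of `backend_build_command` so the rescue clause is actually reachable. A missing `:project` reaches `URI.escape(nil)`, which raises a `NoMethodError` the rescue does not cover; a guard such as `raise ArgumentError, 'project required' if build_project.blank?` keeps that from surfacing as a 500. The added `#### WARNING` comment reads oddly; `# NOTE: these commands act on params[:project], which may differ from this package's own project` says what is meant. The body of `backend_build_command` continues past the hunk.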
diff --git a/debian/patches/series b/debian/patches/series index 5f8f3362b6..e9a5928bd6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -16,3 +16,5 @@ Do-not-ship-database.yml.patch localgem.patch disable-slp.patch CVE-2017-5188.patch +handle-links-properly.patch +dist-Use-2.7-packages-for-testing.patch -- GitLab From f0db9bb691fefdd201aaaca49f94c48850288df1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andrew=20Lee=20=28=E6=9D=8E=E5=81=A5=E7=A7=8B=29?= <ajqlee@debian.org> Date: Fri, 7 Sep 2018 19:40:51 +0800 Subject: [PATCH 3/4] Make the Passenger Ruby app run as the obsapi user. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Passenger's default user is nobody: https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_default_user So Passenger and the Ruby app end up running as nobody. However, according to Debian's SystemGroup usage: https://wiki.debian.org/SystemGroups nogroup (user: nobody): Daemons that need not own any files run as user nobody and group nogroup. Thus, no files on a system should be owned by this user or group. So we create a new system user called 'obsapi' and make the Passenger app run as obsapi instead. Config files should be readable by the obsapi user but usually not writable. Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org> --- debian/obs-apache2.conf | 1 + debian/obs-api.postinst | 23 ++++++++++++++++++++--- debian/obs-api.postrm | 3 +++ debian/rake-tasks.sh | 8 ++++---- debian/rules | 3 +++ 5 files changed, 31 insertions(+), 7 deletions(-) diff --git a/debian/obs-apache2.conf b/debian/obs-apache2.conf index 8f8f4df053..3b8c8f8aec 100644 --- a/debian/obs-apache2.conf +++ b/debian/obs-apache2.conf @@ -5,6 +5,7 @@ Listen 82 # Passenger defaults PassengerSpawnMethod "smart" PassengerMaxPoolSize 20 +PassengerDefaultUser obsapi #RailsEnv "development" # allow long request urls and being part of headers
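Review bot: `PassengerDefaultUser obsapi` is only a fallback: if I read the Passenger documentation correctly, user switching normally runs the app as the owner of its startup file and falls back to this directive only when that owner is root or cannot be used, which is presumably why the commit message saw the app land on `nobody`. That makes the effective identity depend on who owns the packaged app directory rather than on this line, so pin it explicitly in the obs vhost with `PassengerUser obsapi` and `PassengerGroup obsapi`. A one-line comment above the directive stating that the app files are root-owned and the fallback is therefore what applies would also help the next reader; note that the URL in the commit message points at the nginx reference while this is the Apache configuration.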
diff --git a/debian/obs-api.postinst b/debian/obs-api.postinst
index a0e9fcf6d0..eb75dc3dbc 100644
--- a/debian/obs-api.postinst
+++ b/debian/obs-api.postinst
@@ -1,5 +1,16 @@
 #!/bin/sh -e
 
+# Add obsapi user and group to run the passenger RubyApp
+if ! getent group obsapi > /dev/null; then
+ addgroup --system --quiet obsapi
+fi
+if ! getent passwd obsapi > /dev/null; then
+ adduser --system --quiet \
+ --ingroup obsapi --shell /bin/false \
+ --no-create-home --home /nonexistent obsapi
+ usermod -c "User for build service api/webui" obsapi
+fi
+
 # Place api and repo url on index page
 if [ ! -f /usr/share/obs/overview/index.html ] ; then
 FQHOSTNAME=`hostname -f`
@@ -13,13 +24,19 @@ fi
 if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
 rm -f /usr/share/obs/api/config/secret.key
 fi
+
 SECRET_KEY="/etc/obs/api/config/secret.key"
 if [ ! -e "$SECRET_KEY" ]; then
- ( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
+ touch $SECRET_KEY
+ chmod 0640 $SECRET_KEY
+ chown obsapi:www-data $SECRET_KEY
+ ( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
 ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
-fi
+else
+ # cope with upgrades here to ensure that obsapi user own the key.
 chmod 0640 $SECRET_KEY
- chown nobody:www-data $SECRET_KEY
+ chown obsapi:www-data $SECRET_KEY
+fi
 
 # Generate log files
 touch /var/log/obs/access.log
diff --git a/debian/obs-api.postrm b/debian/obs-api.postrm
index f1384e7950..3649dfacd3 100644
--- a/debian/obs-api.postrm
+++ b/debian/obs-api.postrm
@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
 # Disable the obs site if not already disabled
 a2dissite obs.conf > /dev/null || true
 fi
+ # Delete obsapi user and group
+ deluser --system --quiet obsapi || true
+ delgroup --system --quiet obsapi || true
 # Restart Apache to really unload obs.conf
 reload_apache restart
 fi
diff --git a/debian/rake-tasks.sh b/debian/rake-tasks.sh
index 858d524821..8044fa6e18 100755
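Review bot: On a fresh install the key file is now created by a bare `touch $SECRET_KEY` under whatever umask the maintainer-script run inherits and only afterwards tightened with `chmod 0640`; the file is still empty at that instant so no key bytes are exposed, but the previous `umask 0077` subshell was the safer shape and dropping it gains nothing. Keep the restrictive creation and relax afterwards: `( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null | sha256sum | cut -d' ' -f 1 >$SECRET_KEY )` followed by `chmod 0640 $SECRET_KEY` and `chown obsapi:www-data $SECRET_KEY`. Since the `else` branch runs the same chmod/chown pair, both branches now differ only in whether the key is generated, so the chmod/chown can sit once after `fi` instead of being duplicated. The `else` comment would then read more honestly as `# upgrades: re-own an existing key (it used to belong to nobody)`.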
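Review bot: `deluser --system --quiet obsapi` runs inside the purge branch without any visible removal of the files that postinst and rake-tasks.sh hand to that user (`/etc/obs/api/config/secret.key`, `database.yml` and the logs under `/var/log/obs`); if any of them survive the purge they are left owned by a now-unassigned UID, which the next system account created on the host inherits. Make sure the purge branch removes those files before calling `deluser`, or move the `deluser`/`delgroup` pair after the corresponding `rm` lines if they exist earlier in this script (not visible in the hunk). A comment such as `# all obsapi-owned files must be gone before the account is dropped` next to the new lines would document that ordering requirement.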
--- a/debian/rake-tasks.sh
+++ b/debian/rake-tasks.sh
@@ -26,10 +26,10 @@ case "$1" in
 chown -R www-data:www-data /usr/share/obs/api/public
 chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
 chmod 664 /var/log/obs/*.log
- chown nobody:www-data /etc/obs/api/config/database.yml
- chmod 660 /etc/obs/api/config/database.yml
- chown nobody:www-data /var/log/obs/backend_access.log
- chown nobody:www-data /var/log/obs/production.log
+ chown obsapi:obsapi /etc/obs/api/config/database.yml
+ chmod 440 /etc/obs/api/config/database.yml
+ chown obsapi:obsapi /var/log/obs/backend_access.log
+ chown obsapi:obsapi /var/log/obs/production.log
 
 # Generate Gemfile.lock file.
 cd /usr/share/obs/api
diff --git a/debian/rules b/debian/rules
index b57936861d..ac2426a52c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -69,6 +69,9 @@ override_dh_install:
 # Fix Mark scripts as executable until upstream fixes
 chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t*
 
+ # Remove useless Gemfile.lock
+ rm -f debian/obs-api/usr/share/obs/api/Gemfile.lock
+
 override_dh_systemd_enable:
 dh_systemd_enable -p obs-server \
 obsrepserver.service \
-- 
GitLab

From adc6bacf58eeaa286b044f7103a192358b9b61b5 Mon Sep 17 00:00:00 2001
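Review bot: `# Remove useless Gemfile.lock` does not say why the lock is useless, and a lockfile is exactly the kind of artefact a later maintainer is tempted to put back for reproducibility; the rake-tasks.sh hunk above shows `# Generate Gemfile.lock file.` after `cd /usr/share/obs/api`, so the reason is presumably that upstream's lock pins gem versions that do not match the Debian gem packages and the file is regenerated against the system gems at configure time. Spell that out in the comment: `# Drop upstream's Gemfile.lock: it pins gem versions that do not match the Debian packages; rake-tasks.sh regenerates it against the system gems at configure time.` The `override_dh_install` recipe this sits in starts outside the hunk.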
From: =?UTF-8?q?Andrew=20Lee=20=28=E6=9D=8E=E5=81=A5=E7=A7=8B=29?= <ajqlee@debian.org> Date: Tue, 11 Sep 2018 18:08:01 +0800 Subject: [PATCH 4/4] Update correct group permission for rb_sysopen MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The rake tasks run as www-data and need access to production.log, backend_access.log and database.yml (the Errno::EACCES errors below are raised from rb_sysopen, Ruby's file-open primitive). Revert the group owner to www-data to avoid the following errors: Rails Error: Unable to access log file. Please ensure that /usr/share/obs/api/log/production.log exists and is writable (ie, make it writable for user and group: chmod 0664 /usr/share/obs/api/log/production.log). The log level has been raised to WARN and the output directed to STDERR until the problem is fixed. rake aborted! Errno::EACCES: Cannot load `Rails.application.database_configuration`: Permission denied @ rb_sysopen - /usr/share/obs/api/config/database.yml /usr/share/obs/api/config/environment.rb:30:in `<top (required)>' Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/obs/api/config/database.yml /usr/share/obs/api/config/environment.rb:30:in `<top (required)>' Tasks: TOP => environment (See full trace by running task with --trace) Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/obs/api/log/backend_access.log /usr/share/obs/api/lib/opensuse/backend.rb:14:in `new' /usr/share/obs/api/lib/opensuse/backend.rb:14:in `<class:Backend>' /usr/share/obs/api/lib/opensuse/backend.rb:6:in `<module:Suse>' /usr/share/obs/api/lib/opensuse/backend.rb:5:in `<top (required)>' /usr/share/obs/api/app/models/project.rb:1:in `<top (required)>' /usr/share/obs/api/app/indices/project_index.rb:2:in `block in <top (required)>' Tasks: TOP => ts:index (See full trace by running task with --trace) Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org> --- debian/rake-tasks.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/debian/rake-tasks.sh b/debian/rake-tasks.sh
index 8044fa6e18..154900a4ed 100755
--- a/debian/rake-tasks.sh
+++ b/debian/rake-tasks.sh
@@ -26,10 +26,10 @@ case "$1" in
 chown -R www-data:www-data /usr/share/obs/api/public
 chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
 chmod 664 /var/log/obs/*.log
- chown obsapi:obsapi /etc/obs/api/config/database.yml
+ chown obsapi:www-data /etc/obs/api/config/database.yml
 chmod 440 /etc/obs/api/config/database.yml
- chown obsapi:obsapi /var/log/obs/backend_access.log
- chown obsapi:obsapi /var/log/obs/production.log
+ chown obsapi:www-data /var/log/obs/backend_access.log
+ chown obsapi:www-data /var/log/obs/production.log
 
 # Generate Gemfile.lock file.
 cd /usr/share/obs/api
-- 
GitLab
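Review bot: `chown obsapi:www-data` together with the existing `chmod 440` on `/etc/obs/api/config/database.yml` lets anything running as Apache's general `www-data` account read the database credentials, not just the OBS app (which the apache config runs as `obsapi`), and the commit message gives as the only reason that the rake tasks invoked later in this script run as `www-data`. The least-privilege alternative is to run those rake invocations as `obsapi` (e.g. `runuser -u obsapi -- rake ...` after the `cd /usr/share/obs/api` shown here) and keep the file at `chmod 0400 obsapi:obsapi`; whether that is workable depends on what else the tasks write (`public/` and the sphinx config are owned by `www-data` a few lines up), so it may need a broader ownership pass than this hunk. If the group grant stays, a comment beside the `chmod 440` such as `# group www-data: the rake tasks below run as www-data and must read the DB config` would keep the next maintainer from tightening it and re-breaking the tasks.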