Use separate homu user for Homu-related states #615
@@ -9,15 +9,21 @@ homu-debugging-packages: | |
- sqlite3 | ||
|
||
homu: | ||
user.present: | ||
- fullname: Homu | ||
- shell: /bin/bash | ||
- home: /home/servo/homu | ||
virtualenv.managed: | ||
- name: /home/servo/homu/_venv | ||
- user: homu | ||
- venv_bin: virtualenv-3.5 | ||
- python: python3 | ||
- system_site_packages: False | ||
- require: | ||
- pkg: python3 | ||
- pip: virtualenv | ||
pip.installed: | ||
- user: homu | ||
- pkgs: | ||
- git+https://github.com/servo/homu@{{ homu.rev }} | ||
- toml == 0.9.1 # Please ensure this is in sync with requirements.txt | ||
|
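Review bot: `- home: /home/servo/homu` (and the `_venv` path beneath it) places the new user's home inside the servo user's home directory, so servo still owns the parent directory and can rename or remove homu's home and virtualenv; that undercuts the separation this PR is meant to introduce. Suggest `- home: /home/homu` with `- createhome: True`, and declare the primary group explicitly (a `group.present` state for `homu` and `- gid: homu` on the user) rather than relying on useradd's default user-group behaviour. The `virtualenv.managed` and `pip.installed` states run as `homu` but only require `pkg: python3` and `pip: virtualenv`; adding `- require: - user: homu` makes the dependency on the user explicit instead of relying on in-file ordering.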
@@ -36,9 +42,9 @@ homu: | |
file.managed: | ||
- source: salt://{{ tpldir }}/files/cfg.toml | ||
- template: jinja | ||
- user: servo | ||
- group: servo | ||
- mode: 644 | ||
- user: homu | ||
- group: homu | ||
- mode: 640 | ||
Since this file is no longer world-readable, we'll need to run the tests with
||
|
||
/etc/init/homu.conf: | ||
file.managed: | ||
|
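Review bot: Changing cfg.toml to `homu:homu` with mode `640` means only the homu user and group can read it, so the upstart job in `/etc/init/homu.conf` (the context that follows this hunk) must start the service as the `homu` user or it will fail to open its config; the `setuid`/`setgid` lines of that job should be checked in the same change. Because the file is now owned by a user created elsewhere in this state file, add `- require: - user: homu` to this `file.managed` so it cannot run before the user exists. As the inline comment above begins to note, the permission test added in this PR also has to run with enough privilege to stat and own-check a `0640` file it cannot otherwise read.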
@@ -0,0 +1,26 @@ | ||
import os | ||
import pwd | ||
import stat | ||
|
||
from tests.util import Failure, Success | ||
|
||
|
||
def get_owner(filename): | ||
return pwd.getpwuid(os.stat(filename).st_uid).pw_name | ||
|
||
|
||
def is_world_readable(filename): | ||
st = os.stat(filename) | ||
return bool(st.st_mode & stat.S_IROTH) | ||
|
||
|
||
def run(): | ||
for root, directories, filenames in os.walk('/home/servo/homu/'): | ||
This will also check files like
||
for filename in filenames: | ||
full_path = os.path.join(root, filename) | ||
if get_owner(full_path) != 'homu': | ||
return Failure('Homu file is not owned by \'homu\' user:', | ||
full_path) | ||
if is_world_readable(full_path): | ||
return Failure('Homu file is world-readable:', full_path) | ||
return Success('Homu files have valid permissions') |
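Review bot: `run()` will almost certainly fail against the virtualenv created in this same change: pip installs library files as `0644` under the default `022` umask, so every file under `/home/servo/homu/_venv` is world-readable and the first one encountered returns `Failure('Homu file is world-readable:', ...)`. Either restrict the walk to the files that actually hold secrets or state (cfg.toml, the homu db), or check `stat.S_IWOTH` (world-writable) across the tree and `S_IROTH` only for the sensitive files. Two smaller points on the same loop: `os.stat` follows symlinks, so a link inside the tree is judged by its target and a dangling one raises `FileNotFoundError`; use `os.lstat` or skip entries where `os.path.islink` is true. Directories are never checked, including the top-level `/home/servo/homu/` itself, which is where a mis-owned or world-readable entry matters most; iterate over `directories` as well as `filenames`, and check `root` on the first iteration. `get_owner` also raises `KeyError` for a uid with no passwd entry, which turns a finding into a traceback rather than a `Failure`.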
Homu should have its own home directory completely separate from servo, i.e. /home/homu. We'll also need to have some manual deployment steps for this to move the homu db to the right place by hand.
We should also create a homu group as the primary group of the homu user.