Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use separate homu user for Homu-related states #615

Closed
wants to merge 1 commit into from
Closed

Use separate homu user for Homu-related states #615

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
12 changes: 9 additions & 3 deletions homu/init.sls
View file
Open in desktop
Expand Up @@ -9,15 +9,21 @@ homu-debugging-packages:
- sqlite3

homu:
user.present:
- fullname: Homu
- shell: /bin/bash
- home: /home/servo/homu
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Homu should have its own home directory completely separate from servo, i.e. /home/homu. We'll also need to have some manual deployment steps for this to move the homu db to the right place by hand.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also create a homu group as the primary group of the homu user.

virtualenv.managed:
- name: /home/servo/homu/_venv
- user: homu
- venv_bin: virtualenv-3.5
- python: python3
- system_site_packages: False
- require:
- pkg: python3
- pip: virtualenv
pip.installed:
- user: homu
- pkgs:
- git+https://github.com/servo/homu@{{ homu.rev }}
- toml == 0.9.1 # Please ensure this is in sync with requirements.txt
Expand All @@ -36,9 +42,9 @@ homu:
file.managed:
- source: salt://{{ tpldir }}/files/cfg.toml
- template: jinja
- user: servo
- group: servo
- mode: 644
- user: homu
- group: homu
- mode: 640
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this file is no longer world-readable, we'll need to run the tests with sudo from .travis/dispatch.sh. Please put this change in a separate commit first to make sure it doesn't break anything else.


/etc/init/homu.conf:
file.managed:
Expand Down
26 changes: 26 additions & 0 deletions tests/sls/homu/config_permissions.py
View file
Open in desktop
@@ -0,0 +1,26 @@
import os
import pwd
import stat

from tests.util import Failure, Success


def get_owner(filename):
return pwd.getpwuid(os.stat(filename).st_uid).pw_name


def is_world_readable(filename):
st = os.stat(filename)
return bool(st.st_mode & stat.S_IROTH)


def run():
for root, directories, filenames in os.walk('/home/servo/homu/'):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will also check files like .profile for the homu user. I think it's OK if we only check permissions on Homu's cfg.toml file (and the database if it exists).

for filename in filenames:
full_path = os.path.join(root, filename)
if get_owner(full_path) != 'homu':
return Failure('Homu file is not owned by \'homu\' user:',
full_path)
if is_world_readable(full_path):
return Failure('Homu file is world-readable:', full_path)
return Success('Homu files have valid permissions')