[CentOS] Looking for input SELinux/Other & post-commit hooks.

Wed, 25 Sep 2013 09:36:48 -0700 

Hi All,

I'm looking for input as to how I may restrict some post commit hooks by way of 
SELinux or some other mechanism.  Here's a description of the problem that I 
need to solve.

I have a source code server that support SVN and soon git.  The server has no 
actual users on it and we use CAS with Apache basic authentication to 
authenticate and authorize users access to the repository.  This server mounts 
two NFS shares, one for the mirror environment for HTTP based installations and 
another NFS share for our Puppet environment.  There is a corresponding source 
repository and NFS share for each "user" of the system as well as corresponding 
NFS shares for mirror and puppet.  All the content is owned by the user Apache.

Each time a user commits scripts are run to check this code out of the source 
code server and into a respective

/mirror/<repotype>/<reponame>
/puppet/<repotype>/<reponame>

But there are other bits of code that the end user would like to also be able 
to run, such as generating group information based on the content of a file 
that was committed manual pruning of some arbitrary data and other things that 
I don't want to account for in code.  Essentially allowing them to extend the 
system further for their needs.

This means that I need to ensure that a user isn't able to run code like rm -rf 
/etc/password or rm -rf /{mirror,puppet}/* which would essentially ruin 
everyone's data. What I essentially would like to do is ensure that if someone 
were to attempt to run any of the third party code that the permissions for 
that run would be within the context of their own areas so that the most damage 
they could do is wipe out the content of their /mirror/<repotype>/<reponame> & 
/puppet/<repotype>/<reponame> while not having to setup and destroy a 
(potentially) large chroot environment each time the script is run.

-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices

“A successful person is one who can lay a solid foundation from the bricks 
others have thrown at them.” -David Brinkley via Luke Shaw
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Reply via email to