On Mon, Apr 4, 2016 at 11:56 AM, sebb <seb...@gmail.com> wrote:
> On 4 April 2016 at 12:54, Sam Ruby <ru...@intertwingly.net> wrote:
>> On Fri, Apr 1, 2016 at 9:21 AM, sebb <seb...@gmail.com> wrote:
>>> On 1 April 2016 at 14:10, Sam Ruby <ru...@intertwingly.net> wrote:
>>>> On Fri, Apr 1, 2016 at 9:02 AM, sebb <seb...@gmail.com> wrote:
>>>>> On 1 April 2016 at 13:48, Sam Ruby <ru...@intertwingly.net> wrote:
>>>
>>> I meant that the function would do a git pull or whatever it is that
>>> the scheduled service does anyway.
>>> I did not mean that the function would be able to add arbitrary code.
>>> The code would still have to be committed to the git repo first.
>>>
>>> The auth would only be needed to prevent it being done unnecessarily.
>>
>> I'll look into this.
>>
>> As of a few hours ago gitpubsub was enabled for git-dual repositories,
>> including whimsy.
>>
>> It does mean that we would have another process that would need to be
>> monitored, but that's no problem.
>>
>> That process would need to be able to update code, install gems, and
>> touch files in the docroot. I'd like to do what I should have done
>> from the beginning: create a local role account to do these updates.
>
> Why not just use the _www account?
EEK! -1. No.

I'm trying to be careful, running with $SAFE=1, untainting content only
when I can trust the source or if it passes validation; but should a
script injection attack vulnerability be present, the last thing I would
want to do is to allow the web server to be able to overwrite code.

> That's what is done on projects.a.o. Perhaps we should compare notes.

That doesn't seem wise.

On the other hand: http://imgs.xkcd.com/comics/bridge.png

> The account does not need auth to do a pull from the main git repo,
> but it does need to create files which are readable by the _www id,
> and directories which are writable.

Readable should not be a problem.

> So if we use something other than _www, care will need to be taken to
> ensure that the writable permissions are not affected.

That's where puppet comes in, changing the ownership and/or permissions
to selected directories. Directories like /srv/whimsy/www/public and
/srv/whimsy/www/logs and /srv/whimsy/www/board/minutes which should
contain only data, not code.

- Sam Ruby
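An added example, not from this thread and not Whimsy's own tooling, of the check that makes the split Sam describes verifiable after puppet has run: a POSIX shell audit that walks a deployment tree and reports every group- or world-writable path that is not under a declared data directory, since any such path is code the web server account could overwrite. The directory layout it builds (lib/, www/public, www/logs) is a constructed stand-in for the real /srv/whimsy tree, and the function and variable names are my own.

```sh
#!/bin/sh
# Added example: audit a deployment tree so that only the declared data
# directories are writable by anyone other than the owner.  The layout
# below is constructed for the demo; function and variable names are mine.

# audit_writable_paths ROOT DATA_DIR...
# Prints every group- or world-writable path under ROOT that is not inside
# one of the DATA_DIRs.  Returns 0 when the tree is clean, 1 otherwise.
audit_writable_paths() {
    tree_root=$1
    shift
    # -perm -020: group write bit set; -perm -002: other write bit set.
    # The while loop runs in a subshell, so offenders are collected via stdout.
    offenders=$(
        find "$tree_root" \( -perm -020 -o -perm -002 \) -print |
        while IFS= read -r path; do
            allowed=0
            for data_dir in "$@"; do
                case "$path" in
                    "$data_dir"|"$data_dir"/*) allowed=1 ;;
                esac
            done
            [ "$allowed" -eq 1 ] || printf 'WRITABLE CODE PATH: %s\n' "$path"
        done
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# build_demo_tree
# Creates a constructed tree in a temp dir: code is 755/644 (owner-only
# write), the two data directories are group-writable so the web server's
# group can create files there.  Prints the tree's path.
build_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/lib" "$base/www/public" "$base/www/logs"
    printf 'puts "hello"\n' > "$base/lib/app.rb"
    : > "$base/www/logs/access.log"
    chmod 755 "$base" "$base/lib" "$base/www"
    chmod 644 "$base/lib/app.rb"
    chmod 775 "$base/www/public" "$base/www/logs"
    chmod 664 "$base/www/logs/access.log"
    printf '%s\n' "$base"
}

demo() {
    tree=$(build_demo_tree)
    echo "== correctly laid out tree =="
    if audit_writable_paths "$tree" "$tree/www/public" "$tree/www/logs"; then
        echo "clean: nothing outside the data directories is group/world writable"
    fi
    # Reproduce the mistake the thread is guarding against: the deploy
    # process leaves a code file writable by the web server's group.
    chmod 664 "$tree/lib/app.rb"
    echo "== after chmod 664 lib/app.rb =="
    if ! audit_writable_paths "$tree" "$tree/www/public" "$tree/www/logs"; then
        echo "audit failed as expected"
    fi
    rm -rf "$tree"
}

demo
```

Against a live deployment the call would be along the lines of audit_writable_paths /srv/whimsy /srv/whimsy/www/public /srv/whimsy/www/logs /srv/whimsy/www/board/minutes, run from cron or as a post-puppet check. It inspects mode bits only: a code directory that is owned by the web server account but set to 755 still passes, so pairing it with an ownership check (find -user on the code paths) closes that gap.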