Commit 7958c854 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Add a cvs proxy to run CVS commands on ops on behalf of a user. Use this

from template_exprun so that we are not reading and writing files across
NFS (via cvs import).
parent a92cef72
......@@ -11,14 +11,14 @@ SUBDIR = collab/cvstools
include $(OBJDIR)/Makeconf
SBIN_SCRIPTS = cvsrepo_ctrl
SBIN_SCRIPTS = cvsrepo_ctrl cvs_ctrl
LIBEXEC_SCRIPTS = webcvsrepo_ctrl
CTRL_LIBEXEC_SCRIPTS =
CTRL_LIB_FILES = cvsd.conf.head
CTRL_SBIN_SCRIPTS = cvsrepo_ctrl.proxy
CTRL_SBIN_SCRIPTS = cvsrepo_ctrl.proxy cvs.proxy
# These scripts installed setuid, with sudo.
SETUID_SBIN_SCRIPTS = cvsrepo_ctrl
SETUID_SBIN_SCRIPTS = cvsrepo_ctrl cvs_ctrl
#
# Force dependencies on the scripts so that they will be rerun through
......
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2007 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use Getopt::Std;
use BSD::Resource;
use POSIX qw(:signal_h);
#
# Simply a wrapper for the cvs.
#
# The first argument option is the user to run this script as, since we
# gets invoked by a root ssh from boss.
#
sub usage()
{
print STDOUT
"Usage: cvs.proxy -u user [args ...]\n".
"Where options and arguments are those required by cvs\n";
exit(-1);
}
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $CVSBIN = "/usr/bin/cvs";
# Locals
my $optlist = "u:w:";
my $user;
#
# Turn off line buffering on output
#
$| = 1;
#
# Untaint the path
#
$ENV{'PATH'} = "/bin:/usr/bin:/sbin:/usr/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Testbed Support libraries
#
use lib "@prefix@/lib";
use libtestbed;
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my $options;
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"w"})) {
my $workdir = $options{"w"};
if (! chdir("$workdir")) {
die("*** $0:\n".
" Could not chdir to $workdir\n");
}
}
usage()
if (!exists($options{"u"}));
$user = $options{"u"};
#
# First option has to be the -u option, the user to run this script as.
#
if ($UID != 0) {
die("*** $0:\n".
" Must be root to run this script!");
}
(undef,undef,$unix_uid) = getpwnam($user) or
die("*** $0:\n".
" No such user $user\n");
#
# Need the entire group list for the user, cause of subgroups, and
# cause thats the correct thing to do. Too bad perl does not have a
# getgrouplist function like the C library.
#
my $glist = `id -G $user`;
if ($glist =~ /^([\d ]*)$/) {
$glist = $1;
}
else {
die("*** $0:\n".
" Unexpected results from 'id -G $user': $glist\n");
}
# Need to split off the first group and create a proper list for $GUID.
my @gglist = split(" ", $glist);
my $unix_gid = $gglist[0];
$glist = "$unix_gid $glist";
# Flip to user and never go back!
$GID = $unix_gid;
$EGID = $glist;
$EUID = $UID = $unix_uid;
$ENV{'USER'} = $user;
$ENV{'LOGNAME'} = $user;
#
# Fork a child process to run cvs in.
#
my $pid = fork();
if (!defined($pid)) {
die("*** $0:\n".
" Could not fork a new process!");
}
#
# Child runs the cvs program niced down, and then exits.
#
if (! $pid) {
# Set the CPU limit for us.
setrlimit(RLIMIT_CPU, 1200, 1200);
# Give parent a chance to react.
sleep(1);
exec("nice -2 $CVSBIN @ARGV");
die("Could not exec $CVSBIN!\n");
}
#
# Parent waits.
#
waitpid($pid, 0);
my $exit_status = $?;
#
# If the child was KILLed, then it overran its time limit.
# Send email. Otherwise, exit with result of child.
#
if (($exit_status & 0xff) == SIGKILL) {
my $msg = "$CVSBIN Exceeded CPU Limit";
SENDMAIL($TBOPS, "CVS Exceeded CPU Limit", $msg);
print STDERR "$msg\n";
exit(15);
}
exit($exit_status >> 8);
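Review bot: `exec("nice -2 $CVSBIN @ARGV");` near the end of cvs.proxy passes a single interpolated string, so Perl hands it to /bin/sh and every forwarded cvs argument is re-parsed by a shell instead of reaching cvs verbatim. The quoting that cvs_ctrl adds appears to depend on that re-parse, so the list form `exec("nice", "-2", $CVSBIN, @ARGV);` would have to land together with a change on the sending side. Two steps also run while the script is still root: the `chdir("$workdir")` for `-w` and the backtick call `id -G $user`. Moving the chdir below `$EUID = $UID = $unix_uid;` would make it subject to the target user's permissions, and `$user` should be matched against an anchored pattern such as `/^([-\w]+)$/` before it is interpolated. The uid/gid assignments are never verified, so a `die` when `$UID != $unix_uid` after the flip would make a failed privilege drop visible.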
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2005, 2006, 2007 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use Getopt::Std;
use Errno qw(EEXIST);
#
# Add a mailman list, say for a project or other reason. If for a project
# the admin password comes from the groups table. Otherwise it comes from
# the sitevars table cause its assumed to be an admins list of some kind.
#
sub usage()
{
print STDOUT "Usage: cvs_ctrl ...\n";
exit(-1);
}
my $optlist = "dw:";
my $debug = 0;
my $workdir;
#
# Configure variables
#
my $TB = "@prefix@";
my $CONTROL = "@USERNODE@";
my $BOSSNODE = "@BOSSNODE@";
my $SSH = "$TB/bin/sshtb";
my $CVSPROXY = "$TB/sbin/cvs.proxy";
#
# Untaint the path
#
$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Turn off line buffering on output
#
$| = 1;
#
# Load the Testbed support stuff.
#
use lib "@prefix@/lib";
use libdb;
use libtestbed;
use User;
#
# We don't want to run this script unless its the real version.
#
if ($EUID != 0) {
die("*** $0:\n".
" Must be setuid! Maybe its a development version?\n");
}
#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
#
if ($UID == 0) {
die("*** $0:\n".
" Please do not run this as root! Its already setuid!\n");
}
#
# Verify user and get his DB uid and other info for later.
#
my $this_user = User->ThisUser();
if (! defined($this_user)) {
tbdie("You ($UID) do not exist!");
}
my $user_uid = $this_user->uid();
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"d"})) {
$debug = 1;
}
if (defined($options{"w"})) {
$workdir = $options{"w"};
# Note different taint check (allow /).
if ($workdir =~ /^([-\w\.\/]+)$/) {
$workdir = $1;
}
else {
tbdie("Bad data in workdir: $workdir");
}
}
my @args = ("-host", $CONTROL, $CVSPROXY, "-u", $user_uid);
if (defined($workdir)) {
push(@args, "-w");
push(@args, $workdir);
}
push(@args, "--");
foreach my $arg (@ARGV) {
push(@args, "\\\"$1\\\"")
if ($arg =~ /^(.*)$/);
}
#
# For ssh.
#
$UID = $EUID;
#print "$SSH @args\n";
exec($SSH, @args);
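Review bot: The `foreach my $arg (@ARGV)` loop untaints every argument with `/^(.*)$/`, which accepts any characters, and an argument that fails the match (for example one with an embedded newline) is dropped silently. The added `\"…\"` wrapping does not neutralise `$`, backquotes or an embedded double quote if the remote command line is parsed by a shell, and cvs.proxy's header says it is reached through a root ssh. `sshtb` is not shown here, so that part is inferred. Since this script is installed setuid, the loop should forward only an allow-listed character set and reject the rest, e.g. `tbdie("Bad data in argument: $arg") if ($arg !~ /^[-\w\.\/\@:=+, ]+$/);` ahead of the push, with the class adjusted to what cvs needs. The `-w` pattern also accepts `..` components. Separately, the header comment still describes adding a mailman list and the usage text is only `cvs_ctrl ...`, so both should describe this script.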
......@@ -101,8 +101,10 @@ my $archcontrol = "$TB/bin/archive_control";
my $eventcontrol= "$TB/bin/eventsys_control";
my $tevc = "$TB/bin/tevc";
my $CVSBIN = "/usr/bin/cvs";
my $CVSCTRL = "/usr/testbed/sbin/cvs_ctrl";
my $FIND = "/usr/bin/find";
my $RCS = "/usr/bin/rcs";
my $SSH = "$TB/bin/sshtb";
# Protos
sub ParseArgs();
......@@ -159,6 +161,8 @@ my $user_name = $this_user->name();
my $user_email = $this_user->email();
my $user_uid = $this_user->uid();
$libtestbed::SYSTEM_DEBUG = 1;
#
# Before doing anything else, check for overquota ... lets not waste
# our time. Make sure user sees the error by exiting with 1.
......@@ -554,9 +558,9 @@ if (defined($instance->runidx())) {
}
# This imports the experiment directory into the records subdir.
System("cd $instance_dir; ".
"$CVSBIN -d $cvsdir import -I 'datastore' ".
" -m 'Import record for run $this_runid' ".
System("$CVSCTRL -w $instance_dir -- ".
" -d $cvsdir import -kb -I \"datastore\" ".
" -m \"Import record for run $this_runid\" ".
" $cvssubdir ${tag}_branch $tag")
== 0 or fatal(-1, "Could not import new record into $cvsdir");
......@@ -569,15 +573,11 @@ if (defined($instance->runidx())) {
symlink($linkvalue, "$instance_dir/$pathname");
}
# No keyword subst.
System("$FIND $cvsdir/$cvssubdir ".
" -name '*,v' -print -exec $RCS -q -kb '{}' \\;")
== 0 or fatal(-1, "Could not set -kb in $cvsdir");
# Now tag it with the same tag that was applied for the instance.
# Apply to the branch tag directly instead of symbolically since that
# does not work properly for some reason.
System("$CVSBIN -d $cvsdir rtag -n -r 1.1.1 $instance_tag $cvssubdir")
# does not work properly for some reason.
System("$CVSCTRL -- ".
" -d $cvsdir rtag -n -r 1.1.1 $instance_tag $cvssubdir")
== 0 or fatal(-1, "Could not rtag new record in $cvsdir");
if ($STAMPS) {
......@@ -816,7 +816,7 @@ sub ParseArgs()
if (! getopts($optlist, \%options)) {
usage();
}
#
# Allow pid to be used instead of GUID.
#
......
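Review bot: `my $CVSCTRL = "/usr/testbed/sbin/cvs_ctrl";` hard-codes the install prefix while the neighbouring `$SSH`, `$tevc` and `$eventcontrol` are built from `$TB`, so a tree installed under another prefix could end up calling a different copy of the setuid helper; `my $CVSCTRL = "$TB/sbin/cvs_ctrl";` keeps it consistent. `$libtestbed::SYSTEM_DEBUG = 1;` is switched on unconditionally in the second hunk and reads like leftover debugging; if it is meant to stay, a comment saying why would help, otherwise gate it on a debug flag. In the import call the `-I` and `-m` values moved from single to double quotes inside the `System()` string, so the local shell will now expand `$` and backquotes that appear in `$this_runid`; where that value is validated lies outside these hunks.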