Merge lp:~joetalbott/charms/trusty/snappy-proposed-image-builder/add_build_commands_to_sudoers into lp:~canonical-ci-engineering/charms/trusty/snappy-proposed-image-builder/trunk

Proposed by Joe Talbott on 2015-06-04
Status: Merged
Approved by: Joe Talbott on 2015-06-04
Approved revision: 7
Merged at revision: 7
Proposed branch: lp:~joetalbott/charms/trusty/snappy-proposed-image-builder/add_build_commands_to_sudoers
Merge into: lp:~canonical-ci-engineering/charms/trusty/snappy-proposed-image-builder/trunk
Diff against target: 41 lines (+17/-1)
2 files modified
hooks/actions.py (+16/-0)
templates/sudoers.conf (+1/-1)
To merge this branch: bzr merge lp:~joetalbott/charms/trusty/snappy-proposed-image-builder/add_build_commands_to_sudoers
Reviewer Review Type Date Requested Status
Francis Ginther 2015-06-04 Approve on 2015-06-04
Review via email: mp+261125@code.launchpad.net

Commit message

Add more commands needed during image building to sudoers.

Description of the change

Add more commands needed during image building to sudoers.

I think in a later MP I'll update the image-builder to run a script that manages the building to avoid the security risks introduced here.

Francis Ginther (fginther) wrote :

Fun stuff, looks good. I recommend adding a note regarding the home dir fix to the commit message.

review: Approve

Preview Diff

1=== modified file 'hooks/actions.py'
2--- hooks/actions.py 2015-06-03 18:14:36 +0000
3+++ hooks/actions.py 2015-06-04 18:14:27 +0000
4@@ -1,5 +1,8 @@
5 import base64
6+import errno
7+import grp
8 import os
9+import pwd
10 import shutil
11 import subprocess
12
13@@ -67,6 +70,19 @@
14 hookenv.log('Creating service user: %s', username)
15 adduser(username)
16
17+ # create user's home directory if it doesn't exist.
18+ home = os.path.exists(os.path.join('/home', username))
19+ try:
20+ os.makedirs(home, 0o755)
21+ except OSError as e:
22+ if e.errno != errno.EEXIST:
23+ raise
24+
25+ # make sure the user owns their home.
26+ group_info = grp.getgrnam(username)
27+ user_info = pwd.getpwdnam(username)
28+ os.chown(home, user_info['pw_uid'], group_info['gr_gid'])
29+
30
31 def install_python_packages(service_name):
32 env_dir = os.path.join(_service_dir(), 've')
33
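Review bot: The new home-directory block in hooks/actions.py has three defects that stop it from working. `home = os.path.exists(os.path.join('/home', username))` stores the boolean result instead of the path, so `os.makedirs(home, 0o755)` and `os.chown(home, ...)` are handed True or False rather than a directory name; assign `os.path.join('/home', username)` to `home` directly and let the existing EEXIST handling cover the case where it already exists. `pwd.getpwdnam` does not exist in the pwd module; the function is `pwd.getpwnam`. The entries returned by `pwd.getpwnam` and `grp.getgrnam` are read by attribute (`user_info.pw_uid`, `group_info.gr_gid`), not by string key. Since the passwd entry is already being looked up, taking the directory from `pw_dir` would avoid assuming the home lives under /home, and it is worth confirming that mode 0o755 is intended for a service account that is about to receive passwordless sudo rules.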
34=== modified file 'templates/sudoers.conf'
35--- templates/sudoers.conf 2015-05-27 13:56:25 +0000
36+++ templates/sudoers.conf 2015-06-04 18:14:27 +0000
37@@ -1,4 +1,4 @@
38 # Specifically added for ubuntu-device-flash command for snappy-proposed-image-builder
39
40-core-worker ALL=(ALL) NOPASSWD: /usr/bin/ubuntu-device-flash, /bin/rm
41+core-worker ALL=(ALL) NOPASSWD: /bin/chmod, /bin/mount, /bin/umount, /bin/tar, /bin/cp, /srv/{{ environment }}/snappy-proposed-image-builder/ubuntu-device-flash, /usr/sbin/chroot, /bin/rm
42
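Review bot: The replacement rule in templates/sudoers.conf grants `core-worker` passwordless `(ALL)` execution of /bin/chmod, /bin/mount, /bin/umount, /bin/tar, /bin/cp, /usr/sbin/chroot and /bin/rm with no argument restrictions, which in practice is unrestricted root for that account rather than a scoped build permission. Any one of these general-purpose tools run as root with caller-chosen arguments is enough to change arbitrary files or run arbitrary programs, so the list gives no containment if the worker or a build input is compromised. The description already points at the fix: replace the list with a single root-owned, non-writable wrapper script that performs the fixed build steps, and allow only that path in sudoers. The entry `/srv/{{ environment }}/snappy-proposed-image-builder/ubuntu-device-flash` also needs attention: it moved from /usr/bin into the service directory, so the file and every parent directory must be owned by root and not writable by `core-worker`, otherwise the account can substitute the binary it is allowed to run as root. The file's header comment still says the rule is specifically for ubuntu-device-flash and should be updated to match whatever is finally granted.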
