l---------config.hs2
-rw-r--r--debian/changelog9
-rw-r--r--doc/forum/Ldap_and_Propellor.mdwn12
-rw-r--r--doc/forum/Ldap_and_Propellor/comment_1_80f98aaf4927d834dc714faeae7bf167._comment16
-rw-r--r--doc/forum/Ssh.authorizedKey_does_not_work_on_brand_new_user/comment_3_e057fae70854f7323dafa0d79b327dec._comment11
-rw-r--r--doc/forum/Ssh.authorizedKey_does_not_work_on_brand_new_user/comment_4_916b6cae93e772fa0fac88676409b03a._comment8
-rw-r--r--doc/forum/use_withUmask_in_a_property/comment_6_79355b6df4dc750a4ea2e1e13f50dca8._comment7
-rw-r--r--doc/forum/use_withUmask_in_a_property/comment_7_6b9488d20a04bc25f2ba44391f4a0a47._comment8
-rw-r--r--doc/forum/use_withUmask_in_a_property/comment_8_ce37b55141120b3b6babebe14c1b1ec2._comment7
-rw-r--r--doc/forum/use_withUmask_in_a_property/comment_9_a84a0c6773c8b3df03c028b63814b3d8._comment9
-rw-r--r--doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust.mdwn5
-rw-r--r--doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust/comment_1_8164845c93baeaaccd7b29fef5d33df8._comment9
-rw-r--r--doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust/comment_2_bff114c1d3a225b5149e8710118116af._comment9
-rw-r--r--privdata/relocate1
-rw-r--r--src/Propellor/Property/Sbuild.hs17
-rw-r--r--src/Propellor/Property/Ssh.hs4
16 files changed, 129 insertions, 5 deletions
diff --git a/config.hs b/config.hs
index 97d90636..ec313725 120000
--- a/config.hs
+++ b/config.hs
@@ -1 +1 @@
-joeyconfig.hs \ No newline at end of file
+config-simple.hs \ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
index 893498a4..74045c76 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+propellor (3.1.2) UNRELEASED; urgency=medium
+
+ * Ssh.knownHost: Bug fix: Only fix up the owner of the known_hosts
+ file after it exists.
+ * Sbuild.keypairInsecurelyGenerated: Improved to be more robust.
+ Thanks, Sean Whitton.
+
+ -- Joey Hess <id@joeyh.name> Sun, 24 Jul 2016 13:34:37 -0400
+
propellor (3.1.1) unstable; urgency=medium
* Haddock build fix.
diff --git a/doc/forum/Ldap_and_Propellor.mdwn b/doc/forum/Ldap_and_Propellor.mdwn
new file mode 100644
index 00000000..094be12a
--- /dev/null
+++ b/doc/forum/Ldap_and_Propellor.mdwn
@@ -0,0 +1,12 @@
+Hello,
+
+First, thank you for your program and your work, it's very interesting. I'm trying to use it and I have two questions :
+
+
+1) Is there already some propellor code to deal with Ldap or should I write my own code ? (I didn't see anything in the API doc)
+
+2) Is it possible to use propellor with another folder than ~/.propellor/ ? (for exemple to deal with several "domains")
+
+Thank you,
+
+TobiasBora.
diff --git a/doc/forum/Ldap_and_Propellor/comment_1_80f98aaf4927d834dc714faeae7bf167._comment b/doc/forum/Ldap_and_Propellor/comment_1_80f98aaf4927d834dc714faeae7bf167._comment
new file mode 100644
index 00000000..7c8d9bbf
--- /dev/null
+++ b/doc/forum/Ldap_and_Propellor/comment_1_80f98aaf4927d834dc714faeae7bf167._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2016-07-05T20:39:45Z"
+ content="""
+I don't think that anyone has integrated it with LDAP yet.
+
+It's easy to use propellor from another location; just put the propellor
+git repository anywhere you want, use `make` to build it once,
+and run `./propellor` thereafter.
+
+The only thing that hardcodes using ~/.propellor is the /usr/bin/propellor
+wrapper, by running the propellor you built yourself you bypass the need
+for the wrapper. I keep propellor in ~/src/propellor on my laptop
+and run it this way myself.
+"""]]
diff --git a/doc/forum/Ssh.authorizedKey_does_not_work_on_brand_new_user/comment_3_e057fae70854f7323dafa0d79b327dec._comment b/doc/forum/Ssh.authorizedKey_does_not_work_on_brand_new_user/comment_3_e057fae70854f7323dafa0d79b327dec._comment
new file mode 100644
index 00000000..5da15f09
--- /dev/null
+++ b/doc/forum/Ssh.authorizedKey_does_not_work_on_brand_new_user/comment_3_e057fae70854f7323dafa0d79b327dec._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="weinzwang"
+ subject="Same problem with ssh.knownHost"
+ date="2016-07-24T15:47:25Z"
+ content="""
+Making a host key known to a brand new user `requires` the
+owner of a nonexistent file to be set, if I understand the
+code correctly. Removing the \"requires\"-lines from the function
+modKnownHost makes the problem go away, but that's probably not
+the correct solution.
+"""]]
diff --git a/doc/forum/Ssh.authorizedKey_does_not_work_on_brand_new_user/comment_4_916b6cae93e772fa0fac88676409b03a._comment b/doc/forum/Ssh.authorizedKey_does_not_work_on_brand_new_user/comment_4_916b6cae93e772fa0fac88676409b03a._comment
new file mode 100644
index 00000000..36a31728
--- /dev/null
+++ b/doc/forum/Ssh.authorizedKey_does_not_work_on_brand_new_user/comment_4_916b6cae93e772fa0fac88676409b03a._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2016-07-24T17:35:24Z"
+ content="""
+I see it; changed it to use `before` so the file creation/modification
+comes before any chmodding.
+"""]]
diff --git a/doc/forum/use_withUmask_in_a_property/comment_6_79355b6df4dc750a4ea2e1e13f50dca8._comment b/doc/forum/use_withUmask_in_a_property/comment_6_79355b6df4dc750a4ea2e1e13f50dca8._comment
new file mode 100644
index 00000000..6efc3fff
--- /dev/null
+++ b/doc/forum/use_withUmask_in_a_property/comment_6_79355b6df4dc750a4ea2e1e13f50dca8._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="gueux"
+ subject="comment 6"
+ date="2016-06-24T10:08:51Z"
+ content="""
+Ahhh! I didn't realize this, now it makes sense to me, thanks! maybe you could make withFile' available in propellor? (and maybe even override withFile)
+"""]]
diff --git a/doc/forum/use_withUmask_in_a_property/comment_7_6b9488d20a04bc25f2ba44391f4a0a47._comment b/doc/forum/use_withUmask_in_a_property/comment_7_6b9488d20a04bc25f2ba44391f4a0a47._comment
new file mode 100644
index 00000000..a1e3ab6a
--- /dev/null
+++ b/doc/forum/use_withUmask_in_a_property/comment_7_6b9488d20a04bc25f2ba44391f4a0a47._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="gueux"
+ subject="comment 7"
+ date="2016-06-24T10:24:16Z"
+ content="""
+Hopefully we will have MonadIO is base (and functions generalized) one day :)
+https://mail.haskell.org/pipermail/libraries/2015-July/026008.html
+"""]]
diff --git a/doc/forum/use_withUmask_in_a_property/comment_8_ce37b55141120b3b6babebe14c1b1ec2._comment b/doc/forum/use_withUmask_in_a_property/comment_8_ce37b55141120b3b6babebe14c1b1ec2._comment
new file mode 100644
index 00000000..18b94ff0
--- /dev/null
+++ b/doc/forum/use_withUmask_in_a_property/comment_8_ce37b55141120b3b6babebe14c1b1ec2._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="gueux"
+ subject="comment 8"
+ date="2016-06-24T10:29:09Z"
+ content="""
+Oh, MonadIO is actually in base. We \"just\" miss the generelized functions...
+"""]]
diff --git a/doc/forum/use_withUmask_in_a_property/comment_9_a84a0c6773c8b3df03c028b63814b3d8._comment b/doc/forum/use_withUmask_in_a_property/comment_9_a84a0c6773c8b3df03c028b63814b3d8._comment
new file mode 100644
index 00000000..f819337f
--- /dev/null
+++ b/doc/forum/use_withUmask_in_a_property/comment_9_a84a0c6773c8b3df03c028b63814b3d8._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 9"""
+ date="2016-07-05T20:44:14Z"
+ content="""
+Yeah, it's a general problem with base that it's not sufficiently
+generalized. I suppose it's best not to add exported functions to propellor
+to work around that general problem.
+"""]]
diff --git a/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust.mdwn b/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust.mdwn
new file mode 100644
index 00000000..e67cf17e
--- /dev/null
+++ b/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust.mdwn
@@ -0,0 +1,5 @@
+Please consider merging branch `rngd-robust` of repo `https://git.spwhitton.name/propellor`
+
+Several changes to the `Sbuild.keypairInsecurelyGenerated` property to make it more robust. Please see comments added by the diff.
+
+> <s>done</s> ... however, that sleep 10 after killing rngd seems quite dodgy. --[[Joey]]
diff --git a/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust/comment_1_8164845c93baeaaccd7b29fef5d33df8._comment b/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust/comment_1_8164845c93baeaaccd7b29fef5d33df8._comment
new file mode 100644
index 00000000..67e8b454
--- /dev/null
+++ b/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust/comment_1_8164845c93baeaaccd7b29fef5d33df8._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ subject="comment 1"
+ date="2016-07-24T23:40:45Z"
+ content="""
+Thanks for looking at this, though looking as master you haven't actually merged my branch.
+
+I'm reluctant to build in a lot of shell scripting logic to do better than `sleep 10`. Do you think it would be worth writing a property that ensures that a process with a given pid file has been killed? Or just an action in the propellor monad?
+"""]]
diff --git a/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust/comment_2_bff114c1d3a225b5149e8710118116af._comment b/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust/comment_2_bff114c1d3a225b5149e8710118116af._comment
new file mode 100644
index 00000000..904a2138
--- /dev/null
+++ b/doc/todo/merge_request:_make_Sbuild.keypairInsecurelyGenerated_more_robust/comment_2_bff114c1d3a225b5149e8710118116af._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2016-07-25T00:51:44Z"
+ content="""
+(Really merged now.)
+
+A property would be good. Might could just use `start-stop-daemon`.
+"""]]
diff --git a/privdata/relocate b/privdata/relocate
deleted file mode 100644
index 271692d8..00000000
--- a/privdata/relocate
+++ /dev/null
@@ -1 +0,0 @@
-.joeyconfig
diff --git a/src/Propellor/Property/Sbuild.hs b/src/Propellor/Property/Sbuild.hs
index 5d58a84a..d128e3b9 100644
--- a/src/Propellor/Property/Sbuild.hs
+++ b/src/Propellor/Property/Sbuild.hs
@@ -365,8 +365,23 @@ keypairInsecurelyGenerated = check (not <$> doesFileExist secKeyFile) go
go :: Property DebianLike
go = combineProperties "sbuild keyring insecurely generated" $ props
& Apt.installed ["rng-tools"]
- & cmdProperty "rngd" ["-r", "/dev/urandom"] `assume` MadeChange
+ -- If this dir does not exist the sbuild key generation command
+ -- will fail; the user might have deleted it to work around
+ -- #831462
+ & File.dirExists "/var/lib/sbuild/apt-keys"
+ -- If there is already an rngd process running we have to kill
+ -- it, as it might not be feeding to /dev/urandom
+ & userScriptProperty (User "root")
+ [ "kill 2>/dev/null $(cat /var/run/rngd.pid) || true"
+ , "sleep 10"
+ , "rngd -r /dev/urandom"
+ ]
+ `assume` MadeChange
& keypairGenerated
+ -- Kill off the rngd process we spawned
+ & userScriptProperty (User "root")
+ ["kill $(cat /var/run/rngd.pid)"]
+ `assume` MadeChange
-- another script from wiki.d.o/sbuild
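Review bot: The rngd process spawned in the first `userScriptProperty` is only killed by the last step, so if `keypairGenerated` fails (or the property run is interrupted) the cleanup is never reached and `rngd -r /dev/urandom` keeps feeding the kernel pool after the run — the insecure-entropy arrangement outlives the one-off key generation it was meant for; this assumes `combineProperties` stops at the first failing property, which is how it appears to be used here. The final `kill $(cat /var/run/rngd.pid)` also trusts the pid file blindly: if rngd exited early and the file is stale, it signals whatever process now holds that pid, and unlike the first script it has no `|| true`, so a missing file fails the property after the keyring was already generated. A comment on the last step such as `-- NOTE: not reached if keypairGenerated fails; rngd keeps running` would at least make the gap visible until the cleanup is made unconditional. The enclosing `keypairInsecurelyGenerated` definition starts outside the hunk.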
ccachePrepared :: Property DebianLike
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 6e1690d2..0a92e42b 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -356,8 +356,8 @@ knownHostLines hosts hn = keylines <$> fromHost hosts hn getHostPubKey
modKnownHost :: User -> FilePath -> Property UnixLike -> Property UnixLike
modKnownHost user f p = p
- `requires` File.ownerGroup f user (userGroup user)
- `requires` File.ownerGroup (takeDirectory f) user (userGroup user)
+ `before` File.ownerGroup f user (userGroup user)
+ `before` File.ownerGroup (takeDirectory f) user (userGroup user)
-- | Ensures that a local user's authorized_keys contains lines allowing
-- logins from a remote user on the specified Host.