Bug #2861

hackers.git linter script accepts an insane configuration

bill-auger - over 3 years ago - .

there is a rather serious bug in the hackers.git linter script (parabola-hackers::bin/meta-check), which causes the nshd.service to crash, on the server where 'git' and 'autobuilder' live, upon a git push to hackers.git

the problem seems to be, that if any YAML file has a complete 'ssh_keys' entry, but is missing the 'shell' field, the linter will accept it; but it is fatal to the 'nshd'->'hackers-init' services - those are reloaded, as an initial step of the git hooks, and begin to process the insane configuration, and fail to initialize - the result is that no 'parabola-hackers' managed users exist on the system, and so the autobuilder fails to build the keyring (because the autobuilder user is also a 'parabola-hackers' managed user) - worse though, is that all shell logins are rejected for the same reason; and the nshd service can not be restarted until the offending YAML file is corrected - luckily, the 'git' user is not a 'parabola-hackers' managed user; so it can be corrected without logging in as a 'hacker'

i have not looked at the linter script yet; but i noticed that all YAML files have a complete 'shell' entry: (shell: "/bin/bash"), including those which shall have no shell access - it's not clear if that is mandatory or not - perhaps, it is only the presence of the complete 'ssh_keys' entry, which causes the missing 'shell' entry to be fatal; but there is surely no necessity to specify a preferred shell, for users which shall have no shell access
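A pre-receive style check for the condition described in this report, as an added example; it is not the code of parabola-hackers' meta-check. The field names 'ssh_keys' and 'shell' come from the report; the shape of their values, the function name `lint_user_yaml`, the sample records, and the rule that a record with no 'ssh_keys' may omit 'shell' are assumptions.

```ruby
require 'yaml'

# Lint one user record given as YAML text. Returns a list of error strings;
# an empty list means the record may be accepted.
def lint_user_yaml(text, name = '(inline)')
  begin
    data = YAML.safe_load(text)
  rescue Psych::Exception => e
    return ["#{name}: not parseable as YAML: #{e.message.lines.first.strip}"]
  end
  return ["#{name}: top level is not a mapping"] unless data.is_a?(Hash)

  errors = []
  keys = data['ssh_keys']
  has_keys = (keys.is_a?(Hash) || keys.is_a?(Array)) && !keys.empty?
  if data.key?('shell')
    shell = data['shell']
    # A present-but-empty or non-path value is as unusable as a missing one.
    unless shell.is_a?(String) && shell.start_with?('/')
      errors << "#{name}: 'shell' must be an absolute path, got #{shell.inspect}"
    end
  elsif has_keys
    # The case from the report: login keys are configured but no shell is.
    errors << "#{name}: has 'ssh_keys' but no 'shell'"
  end
  errors
end

# Constructed sample records (not real users or keys).
GOOD = <<~YAML
  username: alice
  shell: "/bin/bash"
  ssh_keys:
    alice@laptop: "ssh-ed25519 AAAA...constructed"
YAML
BAD = <<~YAML
  username: bob
  ssh_keys:
    bob@desktop: "ssh-ed25519 AAAA...constructed"
YAML
NO_LOGIN = "username: carol\n"

if __FILE__ == $PROGRAM_NAME
  { 'alice.yml' => GOOD, 'bob.yml' => BAD, 'carol.yml' => NO_LOGIN }.each do |file, text|
    errs = lint_user_yaml(text, file)
    puts(errs.empty? ? "#{file}: ok" : errs.join("\n"))
  end
end
```

Rejecting the push when any record returns a non-empty error list keeps the services that are reloaded by the git hooks from ever reading such a file.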
