michael-berlin / apt-package-whitelist

Whitelist of apt packages approved for build environments with restricted sudo

APT package whitelist

This repo contains plain text files for the packages approved for installation in restricted build environments, specifically meant for use with the apt_packages addon in travis-build.

Package approval process

  1. Check the list of approved packages for your build environment (most likely ubuntu-precise).
  2. If it's not in there, check for existing issues requesting the package you want. If one doesn't exist, please open an issue requesting the package you need in the primary issues repo (and be sure to replace __PACKAGE__ in the issue title 😉).
  3. Please be patient 😺

nitty-gritty details

The approval process is mostly about ensuring the .deb installation hooks don't do anything malicious or goofy that would open up a container to potential attack from a neighbor. The primary concern is protecting Travis CI customers and their property 🤘. The steps go like this (for ubuntu precise), much of which is also available as the travis-download-deb-sources executable within the vagrant box:

  1. Bring up the vagrant box: vagrant up precise
  2. SSH into the vagrant box: vagrant ssh precise
  3. Start the Travis Ruby container: sudo -u ubuntu -i docker run -v /var/tmp:/var/tmp -d travis:ruby
  4. Get the container's IP address: docker inspect <container-id>
  5. SSH into the container: ssh travis@<container-ip> (password=travis)
  6. Freshen up the apt cache: sudo apt-get update
  7. Move into the shared dir or sub directory, e.g.: mkdir -p /var/tmp/deb-sources ; cd /var/tmp/deb-sources
  8. Grab the package sources: apt-get source <package-name>
  9. Take a look at the package's extracted hooks: cd <package-name>/debian ; vim *pre* *post* *inst* (see inspecting packages)
  10. If no malicious or goofy bits are found, 👍 :shipit: e.g.: make add PACKAGE=<package-name>

Or the slightly simplified version:

  1. Bring up the vagrant box: vagrant up precise
  2. SSH into the vagrant box: vagrant ssh precise
  3. Run the travis-download-deb-sources script for the package in question, e.g.: sudo -u ubuntu -i travis-download-deb-sources git
  4. Proceed with inspecting the debian/*pre* and debian/*post* hook scripts (see inspecting packages).

All together now, for poppler-utils:

# inside the vagrant box
sudo -u ubuntu -i -- travis-download-deb-sources poppler-utils
cd /var/tmp/shared/deb-sources/poppler-0.18.4/debian
vi *{pre,post,inst}*
# either inside the vagrant box in /vagrant or outside in the repo top level
make add PACKAGE=poppler-utils
git commit -v

inspecting packages

The big things to worry about are whether any of the debian hook scripts do malicious or silly things, and whether the package being installed depends on setuid or setgid.

# move into the `deb-sources` directory
pushd /var/tmp/shared/deb-sources

# look for `setuid`, `seteuid`, and `setgid` usage, except for mentions in `install-sh`
grep -l -R -i -E 'set(uid|euid|gid)' . | grep -v -E '\binstall-sh\b'

# if the above `grep` finds anything, take a closer look:
vi $(grep -l -R -i -E 'set(uid|euid|gid)' . | grep -v -E '\binstall-sh\b')

# move into the `debian` directory
pushd $(find . -name debian | head -1)

# take a look at the hook scripts and such
shopt -s nullglob
vi *{pre,post,inst}*

github API handy bits

There is a helper script at ./bin/travis-list-apt-whitelist-issues which may be used to query the open APT whitelist requests, as well as for automatic commit message formatting, e.g.:

# list everything
./bin/travis-list-apt-whitelist-issues

# Show only the generated commit messages
./bin/travis-list-apt-whitelist-issues | jq -r .commit_message

@meatballhat's workflow

First things first

shopt -s nullglob

Grab 1 or more packages

for pkg in abc def xyz ; do
  sudo -u ubuntu -- /usr/local/bin/travis-download-deb-sources "${pkg}" ;
done

Edit any matches for set(uid|euid|gid|egid)

# include egid so the pattern matches the heading above
vim $(grep -l -R -i -E 'set(uid|euid|gid|egid)' . | grep -v -E '\binstall-sh\b')

Edit any debian package files

for d in $(find . -name debian) ; do
  pushd "$d" && vim *{pre,post,inst}* ; popd ;
done

If all clear, list all audited package names on one line

for d in $(find . -name debian) ; do
  pushd "$d" &>/dev/null && \
    grep ^Package control | awk -F: '{ print $2 }' | xargs echo ;
  popd &>/dev/null ;
done | xargs echo

Back outside of the Vagrant box, pass this list of packages for addition

for pkg in abc def xyz ; do
  make add PACKAGE="$pkg" ;
done

Grab the generated commit message

./bin/travis-list-apt-whitelist-issues | jq -r '.commit_message' | grep -A2 abc

Commit and push, then restart all travis-build apps with a bit o' sleep

for app in $(hk apps | awk '/travis.*build-(prod|stag)/ { print $1 }') ; do
  hk restart -a "${app}" ;
  sleep 5 ;
done
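The two checks from "inspecting packages" and the workflow above (grep the source tree for set*id calls outside install-sh, then read the debian/ hook scripts) can be run non-interactively over every unpacked package at once. The following is an added example, not code from this repo or from travis-download-deb-sources; the chmod pattern is an extra signal I added (a hook that makes a file setuid/setgid without the source ever calling setuid), and the fixture is constructed sample input standing in for `apt-get source` output.

```bash
#!/usr/bin/env bash
# Added example, not part of the repo or of travis-download-deb-sources: a non-interactive
# pass over an unpacked deb-sources tree that applies the same two checks as the manual
# review (maintainer scripts, and set*id usage outside install-sh) to every package.
SETID_RE='set(uid|euid|gid|egid)'
# extra (assumed useful) signal: a hook that installs a setuid/setgid file via chmod
CHMOD_RE='chmod[[:space:]]+(-[a-zA-Z]+[[:space:]]+)?([ug]\+s|[2-7][0-7]{3})'

# audit_deb_sources DIR: one line per debian/ dir, "PACKAGES<TAB>CLEAN|FLAGGED(files)".
# Returns 0 when all packages are clean, 1 if anything needs a closer look.
# Assumes paths without whitespace, as apt-get source produces.
audit_deb_sources() {
  local root=$1 rc=0 d f pkgs flagged src
  for d in $(find "$root" -type d -name debian | sort); do
    src=$(dirname "$d")
    pkgs=$(awk -F': *' '/^Package:/ { print $2 }' "$d/control" | xargs echo)
    flagged=""
    # maintainer scripts (the globs also match the "pkg.postinst" naming)
    for f in "$d"/*preinst "$d"/*postinst "$d"/*prerm "$d"/*postrm; do
      [ -f "$f" ] || continue   # an unmatched glob is left as a literal; skip it
      grep -q -i -E "$SETID_RE|$CHMOD_RE" "$f" && flagged="$flagged,$(basename "$f")"
    done
    # the rest of the source tree, with the README's install-sh exclusion
    for f in $(grep -l -R -i -E "$SETID_RE" "$src" | grep -v -E '\binstall-sh\b|(pre|post)(inst|rm)$'); do
      flagged="$flagged,$(basename "$f")"
    done
    if [ -n "$flagged" ]; then
      printf '%s\tFLAGGED(%s)\n' "$pkgs" "${flagged#,}"; rc=1
    else
      printf '%s\tCLEAN\n' "$pkgs"
    fi
  done
  return $rc
}

# Constructed fixture standing in for apt-get source output: one clean package and one
# whose postinst makes a binary setuid and whose C source calls setuid().
make_fixture() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/good-1.0/debian" "$t/bad-2.0/debian"
  printf 'Source: good\nPackage: good\n' > "$t/good-1.0/debian/control"
  printf '#!/bin/sh\nset -e\nldconfig\n' > "$t/good-1.0/debian/postinst"
  printf 'Source: bad\nPackage: bad\n\nPackage: bad-dev\n' > "$t/bad-2.0/debian/control"
  printf '#!/bin/sh\nchmod 4755 /usr/bin/bad\n' > "$t/bad-2.0/debian/postinst"
  printf 'int main(void) { return setuid(0); }\n' > "$t/bad-2.0/main.c"
  printf '# autoconf helper mentioning setuid; ignored\n' > "$t/bad-2.0/install-sh"
  echo "$t"
}

audit_deb_sources "$(make_fixture)"   # prints "good<TAB>CLEAN" and "bad bad-dev<TAB>FLAGGED(postinst,main.c)"
```

A FLAGGED line is a prompt to open the named files in the editor as the steps above describe, not a verdict; a CLEAN line still leaves the hook scripts to be read.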

License: MIT