README 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720
  1. debianqueued -- daemon for managing Debian upload queues
  2. ========================================================
  3. Copyright (C) 1997 Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
  4. $Id: README,v 1.20 1999/07/08 09:35:37 ftplinux Exp $
  5. Copyright and Disclaimer
  6. ------------------------
  7. This program is free software. You can redistribute it and/or
  8. modify it under the terms of the GNU General Public License as
  9. published by the Free Software Foundation: either version 2 or
  10. (at your option) any later version.
  11. This program comes with ABSOLUTELY NO WARRANTY!
  12. You're free to modify this program at your will, according to the GPL,
  13. and I don't object if you modify the program. But it would be nice if
  14. you could send me back such changes if they could be of public
  15. interest. I will try to integrate them into the mainstream version
  16. then.
  17. Installation
  18. ------------
  19. debianqueued has been written for running a new Debian upload queue at
  20. ftp.uni-erlangen.de, but I tried to keep it as general as possible and
  21. it should be useable for other sites, too. If there should be
  22. non-portabilities, tell me about them and we'll try to get them fixed!
  23. Before installing debianqueued, you should have the following
  24. utilities installed:
  25. - gnupg (needed for checking signatures)
  26. - ssh & Co. (but not necessarily sshd, only client programs used)
  27. - package libemail-sender-perl
  28. - a package that provides /usr/sbin/sendmail
  29. The daemon needs a directory of its own where the scripts reside and
  30. where it can put certain files. This directory is called $queued_dir
  31. in the Perl scripts and below. There are no special requirements where
  32. in the filesystem hierarchy this directory should be.
  33. All configurations are done in file 'config' in $queued_dir. For
  34. security reasons, the $queued_dir should not be in a public FTP area,
  35. and should be writeable (as the files in it) only for the user
  36. maintaining the local debianqueued.
  37. The file Queue.README and Queue.message in the distribution archive
  38. are examples for README and .message files to put into the queue
  39. directory. Modify them as you like, or don't install them if you
  40. don't like them...
  41. Running debianqueued
  42. --------------------
  43. debianqueued is intended to run all time, not as a cron job.
  44. Unfortunately, you can't start it at system boot time automatically,
  45. because a human has to type in the pass phrase for the ssh key. So you
  46. have to start the daemon manually.
  47. The daemon can be stopped by simply killing it (with SIGTERM
  48. preferrably). SIGTERM and SIGINT are blocked during some operations,
  49. where it could leave files in a inconsistent state. So it make take
  50. some time until the daemon really dies. If you have the urgent need
  51. that it goes away immediately, use SIGQUIT. Please don't use SIGKILL
  52. except unavoidable, because the daemon can't clean up after this
  53. signal.
  54. For your convenience, the daemon can kill and restart itself. If you
  55. start debianqueued with a "-k" argument, it tries to kill a running
  56. daemon (and it complains if none is running.) If "-r" is on the
  57. command line, it tries to kill a running daemon first if there is one.
  58. (If not, it starts anyway, but prints a little warning.) If a daemon
  59. is running and a new one is started without "-r", you get an error
  60. message about this. This is to protect you from restarting the daemon
  61. without intention.
  62. The other script, dqueued-watcher, is intended as cron job, and it
  63. watches that the daemon is running, in case that it should crash
  64. sometimes. It also takes care of updating the Debian keyring files if
  65. necessary. You should enter it e.g. like
  66. 0,30 * * * * .../dqueued-watcher
  67. into your crontab. (Assuming you want to run it every 30 minutes,
  68. which seems a good compromise.)
  69. Both scripts (debianqueued and dqueued-watcher) need no special
  70. priviledges and thus can be run as an ordinary user (not root). You
  71. can create an own user for debianqueued (e.g. "dqueue"), but you need
  72. not. The only difference could be which ssh key is used for connects
  73. to the target host. But you can configure the file to take the ssh key
  74. from in the config file.
  75. The Config File
  76. ---------------
  77. The config file, $queued_dir/config, is plain Perl code and is
  78. included by debianqueued and dqueued-watcher. You can set the
  79. following variables there:
  80. - $debug:
  81. Non-zero values enable debugging output (to log file).
  82. The following are all programs that debianqueued calls. You should
  83. always use absolute pathnames!
  84. - $pgp, $ssh, $scp, $ssh_agent, $ssh_add, $md5sum, $mail, $mkfifo,
  85. $tar, $gzip, $ar
  86. Notes:
  87. o $mail should support the -s option for supplying a subject.
  88. Therefore choose mailx if your mail doesn't know -s.
  89. o $tar should be GNU tar, several GNU features are used (e.g.
  90. --use-compress-program).
  91. o $ar must be able to unpack *.deb files and must understand the
  92. 'p' command. Better check this first... If you don't define $ar
  93. (or define it to be empty), debianqueued won't be able to
  94. extract a maintainer address from .deb files. (Which isn't that
  95. disturbing...)
  96. - @test_binaries:
  97. All binaries listed in this variable are tested to be present
  98. before each queue run. If any is not available, the queue run is
  99. delayed. This test can be useful if those binaries reside on NFS
  100. filesystems which may be (auto-)mounted only slowly. It is
  101. specially annoying for users if pgp can't be found and a .changes
  102. is deleted.
  103. - $ssh_options:
  104. Options passed to ssh and scp on every call. General ssh
  105. configuration should be done here and not in ~/.ssh/config, to
  106. avoid dependency on the user's settings. A good idea for
  107. $ssh_options seems to be
  108. -o'BatchMode yes' -o'FallBackToRsh no' -o'ForwardAgent no'
  109. -o'ForwardX11 no' -o'PasswordAuthentication no'
  110. -o'StrictHostKeyChecking yes'
  111. - $ssh_key_file:
  112. The file containing the ssh key you want the daemon to use for
  113. connects to the target host. If you leave this empty, the default
  114. ~/.ssh/identity is used, which may or may not be what you want.
  115. - $incoming:
  116. This names the queue directory itself. Probably it will be inside
  117. the public FTP area. Don't forget to allow uploads to it in
  118. ftpaccess if you're using wu-ftpd.
  119. Maybe you should also allow anonymous users to rename files in that
  120. directory, to fix upload problems (they can't delete files, so they
  121. have to move the errorneous file out of the way). But this
  122. introduces a denial-of-service security hole, that an attacker
  123. renames files of other people and then a job won't be done. But at
  124. least the data aren't lost, and the rename command probably was
  125. logged by ftpd. Nevertheless, there's no urgent need to allow
  126. renamings, because the queue daemon deletes all bad files
  127. automatically, so they can be reuploaded under the same name.
  128. Decide on your own...
  129. - $keep_files:
  130. This is a regular expression for files that never should be deleted
  131. in the queue directory. The status file must be included here,
  132. other probable candicates are .message and/or README files.
  133. - $chmod_on_target:
  134. If this variable is true (i.e., not 0 or ""), all files belonging
  135. to a job are changed to mode 644 only on the target host. The
  136. alternative (if the variable is false, i.e. 0) is to change the
  137. mode already locally, after the sizes and md5 sums have been
  138. verified. The latter is the default.
  139. The background for this is the following: The files must be
  140. word-readable on master for dinstall to work, so they must be at
  141. least mode 444, but 644 seems more useful. If the upload policy of
  142. your site says that uploaded files shouldn't be readable for world,
  143. the queue daemon has to change the permission at some point of
  144. time. (scp copies a file's permissions just as the contents, so
  145. after scp, the files on the target have the same mode as in the
  146. queue directory.) If the files in the queue are mode 644 anyway,
  147. you don't need to care about this option. The default --to give
  148. word read permission in the queue already after some checks-- is
  149. obviously less restrictive, but might be against the policy of your
  150. site. The alternative keeps the files unreadable in the queue in
  151. any case, and they'll be readable only on the target host.
  152. - $statusfile:
  153. This is the name of the status file or FIFO, through which users
  154. can ask the daemon what it's currently doing. It should normally be
  155. in the queue directory. If you change the name, please don't forget
  156. to check $keep_files. See also the own section on the status file.
  157. If you leave $statusfile empty, the daemon doesn't create and
  158. manage a status file at all, if you don't want it. Unfortunately,
  159. dqueued-watcher's algorithm to determine whether it already has
  160. reported a missing daemon depends on the status file, so this
  161. doesn't work anymore in this case. You'll get dead daemon mails on
  162. every run of dqueued-watcher.
  163. - $statusdelay:
  164. If this number is greater than 0, the status file is implemented as
  165. a regular file, and updated at least every $statusdelay seconds. If
  166. $statusdelay is 0, the FIFO implementation is used (see status file
  167. section).
  168. - $keyring:
  169. The name of the PGP keyring the daemon uses to check PGP signatures
  170. of .changes files. This is usually $queued_dir/debian-keyring.pgp.
  171. It should contain exactly the keys of all Debian developers (i.e.
  172. those and no other keys).
  173. - $gpg_keyring:
  174. The name of the GnuPG keyring. The daemon now alternatively accepts
  175. GnuPG signatures on .changes and .commands files. The value here is
  176. usually $queued_dir/debian-keyring.gpg. It should contain only keys
  177. of Debian developers (but not all developers have a GPG key
  178. yet...).
  179. - $keyring_archive:
  180. Path of the debian-keyring.tar.gz file inside a Debian mirror. The
  181. file is "/debian/doc/debian-keyring.tar.gz" on ftp.debian.org,
  182. don't know where you mirror it to... Leave it empty if you don't
  183. have that file on your local machine. But then you'll have to
  184. update the keyring manually from time to time.
  185. - $keyring_archive_name:
  186. Name of the PGP keyring file in the archive $keyring_archive. Currently
  187. "debian-keyring*/debian-keyring.pgp".
  188. - $gpg_keyring_archive_name:
  189. Name of the GnuPG keyring file in the archive $keyring_archive. Currently
  190. "debian-keyring*/debian-keyring.gpg".
  191. - $logfile:
  192. The file debianqueued writes its logging data to. Usually "log" in
  193. $queued_dir.
  194. - $pidfile:
  195. The file debianqueued writes its pid to. Usually "pid" in
  196. $queued_dir.
  197. - $target:
  198. Name of the target host, i.e. the host where the queue uploads to.
  199. Usually "master.debian.org". (Ignored with "copy" upload method.)
  200. - $targetlogin:
  201. The login on the target to use for uploads. (Ignored with "copy"
  202. and "ftp" upload methods; "ftp" always does anonymous logins.)
  203. - $targetdir:
  204. The directory on the target to where files should be uploaded. On
  205. master.debian.org this currently is
  206. "/home/Debian/ftp/private/project/Incoming".
  207. - $max_upload_retries:
  208. This is the number how often the daemon tries to upload a job (a
  209. .changes + the files belonging to it). After that number is
  210. exhausted, all these files are deleted.
  211. - $log_age:
  212. This is how many days are waited before logfiles are rotated. (The
  213. age of the current log files is derived from the first date found
  214. in it.)
  215. - $log_keep:
  216. How many old log files to keep. The current logfile is what you
  217. configured as $logfile above, older versions have ".0", ".1.gz",
  218. ".2.gz", ... appended. I.e., all old versions except the first are
  219. additionally gzipped. $log_keep is one higher than the max.
  220. appended number that should exist.
  221. - $mail_summary:
  222. If this is set to a true value (not 0 and not ""), dqueued-watcher
  223. will send a mail with a summary of the daemon's acivities whenever
  224. logfiles are rotated.
  225. - $summary_file:
  226. If that value is a file name (and not an empty string),
  227. dqueued-watcher will write the same summary of daemon activities as
  228. above to the named file. This can be in addition to sending a mail.
  229. - @nonus_packages:
  230. This is a (Perl) list of names of packages that must be uploaded to
  231. nonus.debian.org and not to master. Since the queue daemon only can
  232. deal with one target, it can't do that upload and thus must reject
  233. the job. Generally you can treat this variable as a list of any
  234. packages that should be rejected.
  235. All the following timing variables are in seconds:
  236. - $upload_delay_1:
  237. The time between the first (failed) upload try and the next one.
  238. Usually shorter then $upload_delay_2 for quick retry after
  239. transient errors.
  240. - $upload_delay_2:
  241. The time between the following (except the first) upload retries.
  242. - $queue_delay:
  243. The time between two queue runs. (May not be obeyed too exactly...
  244. a few seconds deviation are normal).
  245. - $stray_remove_timeout:
  246. If a file not associated with any .changes file is found in the
  247. queue directory, it is removed after this many seconds.
  248. - $problem_report_timeout:
  249. If there are problems with a job that could also be result of a
  250. not-yet-complete upload (missing or too small files), the daemon
  251. waits this long before reporting the problem to the uploader. This
  252. avoids warning mails for slow but ongoing uploads.
  253. - $no_changes_timeout:
  254. If files are found in the queue directory that look like a Debian
  255. upload (*.tar.gz, *.diff.gz, *.deb, or *.dsc files), but aren't
  256. accompanied by a .changes file, then debianqueued tries to notify
  257. the uploader after $no_changes_timeout seconds about this. This
  258. value is somewhat similar to $problem_report_timeout, and the
  259. values can be equal.
  260. Since there's no .changes, the daemon can't never be sure who
  261. really uploaded the files, but it tries to extract the maintainer
  262. address from all of the files mentioned above. If they're real
  263. Debian files (except a .orig.tar.gz), this works in most cases.
  264. - $bad_changes_timeout:
  265. After this time, a job with persisting problems (missing files,
  266. wrong size or md5 checksum) is removed.
  267. - $remote_timeout:
  268. This is the maximum time a remote command (ssh/scp) may take. It's
  269. to protect against network unreliabilities and the like. Choose the
  270. number sufficiently high, so that the timeout doesn't inadventedly
  271. kill a longish upload. A few hours seems ok.
  272. Contents of $queued_dir
  273. -----------------------
  274. $queued_dir contains usually the following files:
  275. - config:
  276. The configuration file, described above.
  277. - log:
  278. Log file of debianqueued. All interesting actions and errors are
  279. logged there, in a format similar to syslog.
  280. - pid:
  281. This file contains the pid of debianqueued, to detect double
  282. daemons and for killing a running daemon.
  283. - debian-keyring.pgp, debian-keyring.gpg:
  284. These are the PGP and GnuPG key rings used by debianqueued to
  285. verify the signatures of .changes files. It should contain the keys
  286. of all Debian developers and no other keys. The current Debian key
  287. ring can be obtained from
  288. ftp.debian.org:/debian/doc/debian-keyring.tar.gz. dqueued-watcher
  289. supports the facility to update this file automatically if you also
  290. run a Debian mirror.
  291. - debianqueued, dqueued-watcher:
  292. The Perl scripts.
  293. All filenames except "config" can be changed in the config file. The
  294. files are not really required to reside in $queued_dir, but it seems
  295. practical to have them all together...
  296. Details of Queue Processing
  297. ---------------------------
  298. The details of how the files in the queue are processed may be a bit
  299. complicated. You can skip this section if you're not interested in
  300. those details and everything is running fine... :-)
  301. The first thing the daemon does on every queue run is determining all
  302. the *.changes files present. All of them are subsequently read and
  303. analyzed. The .changes MUST contain a Maintainer: field, and the
  304. contents of that field should be the mail address of the uploader. The
  305. address is used for sending back acknowledges and error messages.
  306. (dinstall on master uses the same convention.)
  307. Next, the PGP or GnuPG signature of the .changes is checked. The
  308. signature must be valid and must belong to one of the keys in the
  309. Debian keyring (see config variables $keyring and $gpg_keyring). This
  310. ensures that only registered Debian developers can use the upload
  311. queue to transfer files to master.
  312. Then all files mentioned in the Files: field of the .changes are
  313. checked. All of them must be present, and must have correct size and
  314. md5 checksum. If any of this conditions is violated, the upload
  315. doesn't happen and an error message is sent to the uploader. If the
  316. error is a incorrect size/md5sum, the file is also deleted, because it
  317. has to be reuploaded anyway, and it could be the case that the
  318. uploader cannot easily overwrite a file in the queue dir (due to
  319. upload permission restrictions). If the error is a missing file or a
  320. too small file, the error message is hold back for some time
  321. ($problems_report_timeout), because they can also be result of an
  322. not-yet-complete upload.
  323. The time baseline for when to send such a problem report is the
  324. maximum modification time of the .changes itself and all files
  325. mentioned in it. When such a report is sent, the setgid bit (show as
  326. 'S' in ls -l listing, in group x position) on the .changes is set to
  327. note that fact, and to avoid the report being sent on every following
  328. queue run. If any modification time becomes greater than the time the
  329. setgid bit was set, a new problem report is sent, because obviously
  330. something has changed to the files.
  331. If a job is hanging around for too long with errors
  332. ($bad_changes_timeout), the .changes and all its files are deleted.
  333. The base for that timeout is again the maximum modification time as
  334. explained above.
  335. If now the .changes itself and all its files are ok, an upload is
  336. tried. The upload itself is done with scp. In that stage, various
  337. errors from the net and/or ssh can occur. All these simply count as
  338. upload failures, since it's not easy to distinguish transient and
  339. permanent failures :-( If the scp goes ok, the md5sums of the files on
  340. the target are compared with the local ones. This is to ensure that
  341. the transfer didn't corrupt anything. On any error in the upload or in
  342. the md5 check, the files written to the target host are deleted again
  343. (they may be broken), and an error message is sent to the uploader.
  344. The upload is retied $upload_delay_1 seconds later. If it fails again,
  345. the next retries have a (longer) delay $upload_delay_2 between them.
  346. At most $max_upload_retries retries are done. After all these failed,
  347. all the files are deleted, since it seems we can't move them... For
  348. remembering how many tries were alredy done (and when), debianqueued
  349. uses a separate file. Its name is the .changes' filename with
  350. ".failures" appended. It contains simply two integers, the retry count
  351. and the last upload time (in Unix time format).
  352. After a successfull upload, the daemon also checks for files that look
  353. like they belonged to the same job, but weren't listed in the
  354. .changes. Due to experience, this happens rather often with
  355. .orig.tar.gz files, which people upload though they're aren't needed
  356. nor mentioned in the .changes. The daemon uses the filename pattern
  357. <pkg-name>_<version>* to find such unneeded files, where the Debian
  358. revision is stripped from <version>. The latter is needed to include
  359. .orig.tar.gz files, which don't have the Debian revision part. But
  360. this also introduces the possibility that files of another upload for
  361. the same package but with another revision are deleted though they
  362. shouldn't. However, this case seems rather unlikely, so I didn't care
  363. about it. If such files are deleted, that fact is mentioned in the
  364. reply mail to the uploader.
  365. If any files are found in the queue dir that don't belong to any
  366. .changes, they are considered "stray". Such files are remove after
  367. $stray_remove_timeout. This should be around 1 day or so, to avoid
  368. files being removed that belong to a job, but whose .changes is still
  369. to come. The daemon also tries to find out whether such stray files
  370. could be part of an incomplete upload, where the .changes file is
  371. still missing or has been forgotten. Files that match the patterns
  372. *.deb, *.dsc, *.diff.gz, or *.tar.gz are analyzed whether a maintainer
  373. address can be extracted from them. If yes, the maintainer is notified
  374. about the incomplete upload after $no_changes_timeout seconds.
  375. However, the maintainer needs not really be the uploader... It could
  376. be a binary-only upload for another architecture, or a non-maintainer
  377. upload. In these cases, the mail goes to the wrong wrong person :-(
  378. But better than not writing at all, IMHO...
  379. The status file
  380. ---------------
  381. debianqueued provides a status file for the user in the queue
  382. directory. By reading this file, the user can get an idea what the
  383. daemon is currently doing.
  384. There are two possible implementations of the status file: as a plain
  385. file, or as a named pipe (FIFO). Both have their advantages and
  386. disadvantages.
  387. If using the FIFO, the data printed (last ping time, next queue run)
  388. are always up to date, because they're interrogated (by a signal) just
  389. at the time the FIFO is opened for reading. Also, the daemon hasn't to
  390. care about the status file if nobody accesses it. The bad things about
  391. the FIFO: It is a potential portability problem, because not all
  392. systems have FIFOs, or they behave different than I expect... But the
  393. more severe problem: wu-ftpd refuses to send the contents of a FIFO on
  394. a FTP GET request :-(( It does an explicit check whether a file to be
  395. retrieved is a regular file. This can be easily patched [1], but not
  396. everybody wants to do that or can do that (but I did it for
  397. ftp.uni-erlangen.de). (BTW, there could still be problems (races) if
  398. more than one process try to read the status file at the same time...)
  399. The alternative is using a plain file, which is updated regularily by
  400. the daemon. This works on every system, but causes more overhead (the
  401. daemon has to wake up each $statusdelay seconds and write a file), and
  402. the time figures in the file can't be exact. $statusdelay should be a
  403. compromise between CPU wastage and desired accuracy of the times found
  404. in the status file. I think 15 or 30 seconds should be ok, but your
  405. milage may vary.
  406. If the status file is a FIFO, the queue daemon forks a second process
  407. for watching the FIFO (so don't wonder if debianqueued shows up twice
  408. in ps output :-), to avoid blocking a reading process too long until
  409. the main daemon has time to watch the pipe. The status daemon requests
  410. data from the main daemon by sending a signal (SIGUSR1). Nevertheless
  411. it can happen that a process that opens the status file (for reading)
  412. is blocked, because the daemon has crashed (or never has been started,
  413. after reboot). To minimize chances for that situation, dqueued-watcher
  414. replaces the FIFO by a plain file (telling that the daemon is down) if
  415. it sees that no queue daemon is running.
  416. [1]: This is such a patch, for wu-ftpd-2.4.2-BETA-13:
  417. --- wu-ftpd/src/ftpd.c~ Wed Jul 9 13:18:44 1997
  418. +++ wu-ftpd/src/ftpd.c Wed Jul 9 13:19:15 1997
  419. @@ -1857,7 +1857,9 @@
  420. return;
  421. }
  422. if (cmd == NULL &&
  423. - (fstat(fileno(fin), &st) < 0 || (st.st_mode & S_IFMT) != S_IFREG)) {
  424. + (fstat(fileno(fin), &st) < 0 ||
  425. + ((st.st_mode & S_IFMT) != S_IFREG &&
  426. + (st.st_mode & S_IFMT) != S_IFIFO))) {
  427. reply(550, "%s: not a plain file.", name);
  428. goto done;
  429. }
  430. Command Files
  431. -------------
  432. The practical experiences with debianqueued showed that users
  433. sometimes make errors with their uploads, resulting in misnamed or
  434. corrupted files... Formerly they didn't have any chance to fix such
  435. errors, because the ftpd usually doesn't allow deleting or renaming
  436. files in the queue directory. (If you would allow this, *anybody* can
  437. remove/rename files, which isn't desirable.) So users had to wait
  438. until the daemon deleted the bad files (usually ~ 24 hours), before
  439. they could start the next try.
  440. To overcome this, I invented the *.command files. The daemon looks for
  441. such files just as it tests for *.changes files on every queue run,
  442. and processes them before the usual jobs. *.commands files must be PGP
  443. or GnuPG signed by a known Debian developer (same test as for
  444. *.changes), so only these people can give the daemon commands. Since
  445. Debian developers can also delete files in master's incoming, the
  446. *.commands feature doesn't give away any security.
  447. The syntax of a *.commands file is much like a *.changes, but it
  448. contains only two (mandatory) fields: Uploader: and Commands.
  449. Uploader: contains the e-mail address of the uploader for reply mails,
  450. and should have same contents as Maintainer: in a .changes. Commands:
  451. is a multi-line field like e.g. Description: or Changes:. Every
  452. continuation line must start with a space. Each line in Commands:
  453. contains a command for the daemon that looks like a shell command (but
  454. it isn't one, the daemon parses and executes it itself and doesn't use
  455. sh or the respective binaries).
  456. Example:
  457. -----BEGIN PGP SIGNED MESSAGE-----
  458. Hash: SHA256
  459. Uploader: Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
  460. Commands:
  461. rm hello_1.0-1_i386.deb
  462. mv hello_1.0-1.dsx hello_1.0-1.dsc
  463. -----BEGIN PGP SIGNATURE-----
  464. Version: GnuPG v1.4.12 (GNU/Linux)
  465. iQCVAwUBNFiQSXVhJ0HiWnvJAQG58AP+IDJVeSWmDvzMUphScg1EK0mvChgnuD7h
  466. BRiVQubXkB2DphLJW5UUSRnjw1iuFcYwH/lFpNpl7XP95LkLX3iFza9qItw4k2/q
  467. tvylZkmIA9jxCyv/YB6zZCbHmbvUnL473eLRoxlnYZd3JFaCZMJ86B0Ph4GFNPAf
  468. Z4jxNrgh7Bc=
  469. =pH94
  470. -----END PGP SIGNATURE-----
  471. The only commands implemented at this time are 'rm' and 'mv'. No
  472. options are implemented, and filenames may not contain slashes and are
  473. interpreted relative to the queue directory. This ensures that only
  474. files there can be modified. 'mv' always takes two arguments. 'rm' can
  475. take any number of args. It also knows about the following shell
  476. wildcard chars: *, ?, and [...]. {..,..} constructs are *not*
  477. supported. The daemon expands these patterns itself and doesn't use sh
  478. for that (for security reasons).
  479. *.commands files are processed before the usual *.changes jobs, so if
  480. a commands file fixes a job so that it can be processed, that
  481. processing happens in the same queue run and no unnecessary delay is
  482. introduced.
  483. The uploader of a *.commands will receive a reply mail with a comment
  484. (OK or error message) to each of the commands given. The daemon not
  485. only logs the contents of the Uploader: field, but also the owner of
  486. the PGP/GnuPG key that was used to sign the file. In case you want to
  487. find out who issued some commands, the Uploader: field is insecure,
  488. since its contents can't be checked.
  489. Security Considerations
  490. -----------------------
  491. You already know that debianqueued uses ssh & Co. to get access to
  492. master, or in general any target host. You also probably know that you
  493. need to unlock your ssh secret key with a passphrase before it can be
  494. used. For the daemon this creates a problem: It needs the passphrase
  495. to be able to use ssh/scp, but obviously you can't type in the phrase
  496. every time the daemon needs it... It would also be very ugly and
  497. insecure to write the passphase into some config file of the daemon!
  498. The solution is using ssh-agent, which comes with the ssh package.
  499. This agent's purpose is to store passphrases and give it to
  500. ssh/scp/... if they need it. ssh-agent has to ways how it can be
  501. accessed: through a Unix domain socket, or with an inherited file
  502. descriptor (ssh-agent is the father of your login shell then). The
  503. second method is much more secure than the first, because the socket
  504. can be easily exploited by root. On the other hand, an inherited file
  505. descriptor can be access *only* from a child process, so even root has
  506. bad chances to get its hands on it. Unfortunately, the fd method has
  507. been removed in ssh-1.2.17, so I STRONGLY recommend to use ssh-1.2.16.
  508. (You can still have a newer version for normal use, but separate
  509. binaries for debianqueued.) Also, using debianqueued with Unix domain
  510. sockets is basically untested, though I've heard that it doesn't
  511. work...
  512. debianqueued starts the ssh-agent automatically and runs ssh-add. This
  513. will ask you for your passphrase. The phrase is stored in the agent
  514. and available only to child processes of the agent. The agent will
  515. also start up a second instance of the queue daemon that notices that
  516. the agent is already running.
  517. Currently, there's no method to store the passphrase in a file, due to
  518. all the security disadvantages of this. If you don't mind this and
  519. would like to have some opportunity to do it nevertheless, please ask
  520. me. If there's enough demand, I'll do it.
  521. New Upload Methods
  522. ------------------
  523. Since release 0.9, debianqueued has two new upload methods as
  524. alternatives to ssh: copy and ftp.
  525. The copy method simply moves the files to another directory on the
  526. same host. This seems a bit silly, but is for a special purpose: The
  527. admins of master intend to run an upload queue there, too, in the
  528. future to avoid non-anonymous FTP connections, which transmit the
  529. password in cleartext. And, additionally to simply moving the files,
  530. the queue daemon also checks the signature and integrity of uploads
  531. and can reject non-US packages.
  532. The ftp method uploads to a standard anon-FTP incoming directory. The
  533. intention here is that you could create second-level queue daemons.
  534. I.e., those daemons would upload into the queue of another daemon
  535. (and, for example, this could be the queue of the daemon on master).
  536. However, the ftp method still has some limitations:
  537. 1) Files in the target dir can't be deleted.
  538. 2) Uploaded files can't be verified as good as with the other methods.
  539. 3) $chmod_on_target often doesn't work.
  540. 4) The check for a writable incoming directory leaves temporary files
  541. behind.
  542. Ad 1): In anon-FTP incoming directories removing of files usually
  543. isn't allowed (this would widely open doors to denial-of-service
  544. attacks). But debianqueued has to remove files on the target as part
  545. of handling upload errors. So if an transmission error happens during
  546. a job, the bad file can't be deleted. On the next try, the file is
  547. already present on the target and can't be overwritten, so all the
  548. following tries will fail, too, except the upstream queue daemon has
  549. deleted them already. And if the .changes was among the files already
  550. (at least partially) uploaded, the daemon even will think that the
  551. whole job is already present on the target and will delete the job in
  552. its queue.
  553. Ad 2): Uploaded files are usually verified with md5sum if they're
  554. really the same as the originals. But getting the md5sum for a file on
  555. a FTP server usually isn't possible. It's currently handled as
  556. follows: If the server supports a SITE MD5SUM command (non-standard!),
  557. then this is used and you have the same checking quality. Otherwise,
  558. debianqueued falls back to only comparing the file sizes. This is
  559. better than nothing, but doesn't detected changed contents that don't
  560. result in size changes.
  561. Ad 3): Often SITE CHMOD (standard) isn't allowed in incoming
  562. directories. If this is the case, $chmod_on_target must be off,
  563. otherwise all uploads will fail. The mode of uploaded files if forced
  564. anyway by the FTP server in most cases.
  565. Ad 4): As you know, the queue daemon has a special check if the target
  566. directory is writable at all (it isn't during a freeze) to protect
  567. against repeated upload errors. (Jobs would be even deleted otherwise
  568. if the target dir is unaccessible for too long.) This check is
  569. performed by creating a test file and deleting it immediately again.
  570. But since in FTP incoming dirs deletion isn't permitted, the temporary
  571. file ("junk-for-writable-test-DATE") will remain there. As a partial
  572. fix, the daemon deletes such files immediately, it doesn't even wait
  573. for $stray_remove_timeout. So if the upload goes to the queue dir of
  574. an upstream debianqueued, those temporary files won't be there for
  575. long.
  576. These problems of the FTP method might be remove in future, if I have
  577. better ideas how to bypass the limitations of anon-FTP incoming
  578. directories. Hints welcome :-)
  579. # Local Variables:
  580. # mode: indented-text
  581. # End: