saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-17 10:10:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Make ssh-id-wrapper accessible to non-root users

Browse source 
This fixes #19532.  The wrapper script is copied into a temporary file,
made only accessible and executable to the ``runas`` user performing the
git operation, and then subsequently removed.

This also ensures Windows git clones do not receive a Linux-only script
as the GIT_SSH environment variable as they did before.
This commit is contained in:
David\ Beitey 2015-07-30 10:21:42 +10:00
parent d9ab4bb989
commit 6492bde192
1 changed files with 21 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
salt/modules/git.py
View file

@ -44,17 +44,30 @@ def _git_run(cmd, cwd=None, runas=None, identity=None, **kwargs):
# try each of the identities, independently
for id_file in identity:
env = {
'GIT_SSH': os.path.join(utils.templates.TEMPLATE_DIRNAME,
'git/ssh-id-wrapper'),
'GIT_IDENTITY': id_file
}
result = __salt__['cmd.run_all'](cmd,
cwd=cwd,
runas=runas,
env=env,
python_shell=False,
**kwargs)
# copy wrapper to area accessible by ``runas`` user
# currently no suppport in windows for wrapping git ssh
if not utils.is_windows():
ssh_id_wrapper = os.path.join(utils.templates.TEMPLATE_DIRNAME,
'git/ssh-id-wrapper')
tmp_file = utils.mkstemp()
utils.files.copyfile(ssh_id_wrapper, tmp_file)
os.chmod(tmp_file, 0o500)
os.chown(tmp_file, __salt__['file.user_to_uid'](runas), -1)
env['GIT_SSH'] = tmp_file
try:
result = __salt__['cmd.run_all'](cmd,
cwd=cwd,
runas=runas,
env=env,
python_shell=False,
**kwargs)
finally:
if 'GIT_SSH' in env:
os.remove(env['GIT_SSH'])
# if the command was successful, no need to try additional IDs
if result['retcode'] == 0: