mirrors/fdroidserver
1
0
Fork 0
mirror of https://github.com/f-droid/fdroidserver.git synced 2025-11-05 06:50:29 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

server: always use same rsync destination path to allow for strict setups

Browse source 
for more info on how:
http://positon.org/rsync-command-restriction-over-ssh
http://ramblings.narrabilis.com/using-rsync-with-ssh
This commit is contained in:
Hans-Christoph Steiner 2014-10-10 23:47:16 -04:00
parent 8e9e17892d
commit 7a07f59731
1 changed files with 11 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

19
fdroidserver/server.py
View file

@ -121,7 +121,9 @@ def update_awsbucket(repo_section):
def update_serverwebroot(serverwebroot, repo_section): def update_serverwebroot(serverwebroot, repo_section):
rsyncargs = ['rsync', '--archive', '--delete'] # use a checksum comparison for accurate comparisons on different
# filesystems, for example, FAT has a low resolution timestamp
rsyncargs = ['rsync', '--archive', '--delete', '--checksum']
if options.verbose: if options.verbose:
rsyncargs += ['--verbose'] rsyncargs += ['--verbose']
if options.quiet: if options.quiet:
@ -132,17 +134,18 @@ def update_serverwebroot(serverwebroot, repo_section):
rsyncargs += ['-e', 'ssh -i ' + config['identity_file']] rsyncargs += ['-e', 'ssh -i ' + config['identity_file']]
indexxml = os.path.join(repo_section, 'index.xml') indexxml = os.path.join(repo_section, 'index.xml')
indexjar = os.path.join(repo_section, 'index.jar') indexjar = os.path.join(repo_section, 'index.jar')
# serverwebroot is guaranteed to have a trailing slash in common.py # upload the first time without the index so that the repo stays working
# while this update is running. Then once it is complete, rerun the
# command again to upload the index. Always using the same target with
# rsync allows for very strict settings on the receiving server, you can
# literally specify the one rsync command that is allowed to run in
# ~/.ssh/authorized_keys. (serverwebroot is guaranteed to have a trailing
# slash in common.py)
if subprocess.call(rsyncargs + if subprocess.call(rsyncargs +
['--exclude', indexxml, '--exclude', indexjar, ['--exclude', indexxml, '--exclude', indexjar,
repo_section, serverwebroot]) != 0: repo_section, serverwebroot]) != 0:
sys.exit(1) sys.exit(1)
# use stricter checking on the indexes since they provide the signature if subprocess.call(rsyncargs + [repo_section, serverwebroot]) != 0:
rsyncargs += ['--checksum']
sectionpath = serverwebroot + repo_section
if subprocess.call(rsyncargs + [indexxml, sectionpath]) != 0:
sys.exit(1)
if subprocess.call(rsyncargs + [indexjar, sectionpath]) != 0:
sys.exit(1) sys.exit(1)
# upload "current version" symlinks if requested # upload "current version" symlinks if requested
if config['make_current_version_link'] and repo_section == 'repo': if config['make_current_version_link'] and repo_section == 'repo':