author | Joey Hess <joey@kodama.kitenet.net> | 2007-11-05 22:49:53 -0500 |
---|---|---|
committer | Joey Hess <joey@kodama.kitenet.net> | 2007-11-05 22:49:53 -0500 |
commit | 2ef31bb41f1f04a9d7341e7b2fe683f71e922097 | |
tree | d7071bd0fb632fbfb927c6b12da7ad79654c5a18 /init.d | |
parent | c45d585d40d8d2513c665c7d2f7315a4403fcdac | |

store empty directories and restore in etckeeper init

While working on this, I had to consider security policies -- is it ok if
etckeeper init can run code from the /etc repository? I've decided this
should be ok, and documented that it should only be run on trusted repos.
Note that metastore could also be exploited by untrusted repos, and of
course, note that you're checking out your *** /etc *** so it damn well
better be trusted!

With that determined, I decided to use a simple shell script to hold the
empty directory info and allow them to be easily created. Expanding this for
other files git can't represent is a possibility..

Diffstat (limited to 'init.d')
-rwxr-xr-x | init.d/05restore-etckeeper | 8 |
-rwxr-xr-x | init.d/10restore-metadata | 5 |
2 files changed, 13 insertions, 0 deletions
diff --git a/init.d/05restore-etckeeper b/init.d/05restore-etckeeper new file mode 100755 index 0000000..376524c --- /dev/null +++ b/init.d/05restore-etckeeper @@ -0,0 +1,8 @@ +#!/bin/sh +set -e + +# Yes, this runs code from the repository. As documented, etckeeper-init +# should only be run on repositories you trust. +if [ -e .etckeeper ]; then + . ./.etckeeper +fi diff --git a/init.d/10restore-metadata b/init.d/10restore-metadata index fdb1f8e..cd6174c 100755 --- a/init.d/10restore-metadata +++ b/init.d/10restore-metadata @@ -1,5 +1,10 @@ #!/bin/sh set -e + +# Note that metastore doesn't check that the .metastore file only changes +# perms of files in the current directory. It's ok to trust the .metastore +# file won't do anything shady, because, as documented, etckeeper-init +# should only be run on repositories you trust. if [ -e .metadata ]; then metastore --apply fi |
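
Review bot: In init.d/05restore-etckeeper, the `. ./.etckeeper` line sources whatever file the checked-out repository provides into the shell running etckeeper init, and the only control is the trust requirement stated in the comment. The commit message says the file exists to hold empty-directory information, so consider storing that as data (one directory path per line) and creating the entries with mkdir -p, which would remove the need to execute repository content at all. If sourcing stays, tighten the guard from `[ -e .etckeeper ]` to `[ -f .etckeeper ]` so a directory or other non-regular file at that name is not passed to the dot command, and note that under `set -e` any failing command inside .etckeeper aborts this script.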
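
Review bot: In init.d/10restore-metadata, the new comment names the file `.metastore` while the guard below it tests `[ -e .metadata ]`, so the comment and the code disagree about which file is being trusted. Make the comment name the file that is actually tested and applied. The comment also records that metastore does not confine permission changes to the current directory; since that is a known gap rather than a design choice, it is worth stating here what an out-of-tree path in that file could affect, so a reader of the script does not have to find the documentation to learn the impact.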