[tor-bugs] #32800 [Internal Services/Tor Sysadmin Team]: Creating some space to host Tor Browser nightly updates

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 18 18:03:21 UTC 2020


#32800: Creating some space to host Tor Browser nightly updates
-------------------------------------------------+------------------------
 Reporter:  boklm                                |          Owner:  tpa
     Type:  task                                 |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:  tbb-update, TorBrowserTeam202002     |  Actual Points:
Parent ID:  #18867                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+------------------------

Comment (by boklm):

 Replying to [comment:10 weasel]:
 > https://nightlies.tbb.torproject.org/ is now a thing.

 Thanks!

 >
 > To upload, as tbb-nightlies, put things into
 > tbb-nightlies-master:/srv/tbb-nightlies-master.torproject.org/htdocs
 > and run static-update-component nightlies.tbb.torproject.org
 >
 > boklm should have sudo access to that user.
 >
 > There also is an /etc/ssh/userkeys/tbb-nightlies.  You can put ssh
 > authorized_keys lines in there.  However, tpo policy is that only
 > command-locked keys (i.e. with a command=".." thing) should exist.
 > Also, please use restrict and ideally from= lock the keys also.

 Should I be using `/usr/local/bin/staticsync-ssh-wrap`, or something else
 to restrict rsync access?

 I tried with `command="/usr/local/bin/staticsync-ssh-wrap
 nightlies.tbb.torproject.org"` in `/etc/ssh/userkeys/tbb-nightlies`.

 Then I tried running rsync like this:
 {{{
 $ rsync --safe-links -lrtHz  /some/directory/. tbb-nightlies-master:/srv/tbb-nightlies-master.torproject.org/htdocs/.
 }}}
 But I get the following error:
 {{{
 This rsync command (nightlies.tbb.torproject.org --server -lHtrze.iLsfxC
 --safe-links . /srv/tbb-nightlies-master.torproject.org/htdocs/.) not
 allowed.
 }}}

 So it looks like `staticsync-ssh-wrap` only allows rsync to read from this
 directory, but not to write to it.

 Should I be using `/usr/share/doc/rsync/scripts/rrsync` instead, or is
 there something else?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32800#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
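
The key policy quoted in this comment (only command-locked keys, plus `restrict` and ideally `from=`) can be checked mechanically against an authorized_keys file. The Python script below is an added example, not part of the ticket or of any Tor Project tooling; the function names, the sample lines, the addresses and the placeholder key blobs are all constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)")   # line starts with a key type
# One option: name, optional ="value" (\" allowed inside), then ',' or whitespace.
OPTION = re.compile(r'([A-Za-z-]+)(?:="((?:\\"|[^"])*)")?(,|\s+|$)')

def parse_options(line):
    """Return the options field of one authorized_keys line as a dict."""
    if KEY_TYPE.match(line):
        return {}                      # no options field at all
    opts, pos = {}, 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            return None                # malformed options field
        opts[m.group(1).lower()] = m.group(2) or ""
        pos = m.end()
        if m.group(3) != ",":          # whitespace ends the options field
            return opts

def audit(text):
    """List (line number, problems) for keys that do not meet the policy."""
    findings = []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        if opts is None:
            findings.append((n, ["unparseable options"]))
            continue
        problems = [label for label, ok in (
            ("no command=", bool(opts.get("command"))),
            ("no restrict", "restrict" in opts),
            ("no from=", bool(opts.get("from")))) if not ok]
        if problems:
            findings.append((n, problems))
    return findings

# Constructed sample: documentation-range addresses, placeholder key blobs.
SAMPLE = '''\
command="/usr/local/bin/staticsync-ssh-wrap nightlies.tbb.torproject.org",restrict,from="192.0.2.10,192.0.2.11" ssh-ed25519 AAAAPLACEHOLDER builder
restrict,command="/bin/true" ssh-ed25519 AAAAPLACEHOLDER nofrom
ssh-rsa AAAAPLACEHOLDER unrestricted
no-pty,from="192.0.2.10" ssh-ed25519 AAAAPLACEHOLDER nocommand
'''

if __name__ == "__main__":
    for lineno, problems in audit(SAMPLE):
        print(f"line {lineno}: {', '.join(problems)}")
```

The check only confirms that the options are present; whether the wrapper named in `command=` permits the intended rsync direction still has to be tested separately.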

