• Stars
    star
    108
  • Rank 321,259 (Top 7 %)
  • Language
    Shell
  • License
    MIT License
  • Created almost 10 years ago
  • Updated almost 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Safelist of apt packages approved for build environments with restricted sudo

APT package safelist

We have a container-based infrastructure which runs docker. Because docker containers are not fully isolated, the use of sudo is disallowed on that environment, to prevent builds from breaking out to the host machine. We do however want to allow the installation of some packages via apt.

This repo contains plain text files for the packages approved for installation in those restricted build environments, specifically meant for use with the apt_packages addon in travis-build.

Package approval process

CAUTION!

PLEASE READ CAREFULLY!

  1. Check the list of approved packages for your build environment (ubuntu-precise or ubuntu-trusty).

  2. If it's not in there, check for existing issues and pull requests requesting the package you want.

    Please search first.

    If one doesn't exist please open an issue requesting the package you need in this repo. Be sure to replace __PACKAGE__ in the issue title, and to indicate in the issue title whether you'd want the package in Precise or Trusty. If none is specified, we will test it on Precise.

  3. The initial steps for package approval process is automated.

    • This means that the issues' subject should follow exactly the one indicated. That is, there should be exactly one package per issue. The process would not work with multiple package requests in one issue.
    • If the source package defines multiple packages, those will be processed at once. In this case, list only one.
  4. PRs are not accepted, since we have not run tests on them.

  5. The automation process will test the source package as described below.

    • If no issues are found, a PR will be opened, and it will be merged shortly thereafter.
    • If no matching source packages is found, a comment indicating this is posted on the issue. This means that either the package name is incorrect, or that your request requires a package repository that is not currently listed in APT source safelist.
    • The command grep -R -i -H -C5 -E --color 'set(uid|euid|gid)' --exclude install-sh . is run on the source package. If any file matches, a comment to this effect will be posted on the issue, prompting further examination. If no further problems are found in the further examination, it will be added to the list.

nitty gritty details

The approval process is mostly about ensuring the .deb installation hooks don't do anything malicious or goofy that would open up a container to potential attack from a neighbor. The primary concern is protecting Travis CI customers and their property 🀘. The steps go like this (for ubuntu precise), much of which is also available as the travis-download-deb-sources executable within the vagrant box:

  1. Bring up the vagrant box: vagrant up trusty
  2. SSH into the vagrant box: vagrant ssh trusty
  3. Start the Travis Ruby container: sudo -u ubuntu -i docker run -v /var/tmp:/var/tmp -d travis:ruby
  4. Get the container's IP address: docker inspect <container-id>
  5. SSH into the container: ssh travis@<container-ip> (password=travis)
  6. Freshen up the apt cache: sudo apt-get update
  7. Move into the shared dir or sub directory, e.g.: mkdir -p /var/tmp/deb-sources ; cd /var/tmp/deb-sources
  8. Grab the package sources: apt-get source <package-name>
  9. Take a look at the package's extracted hooks: cd <package-name>/debian ; vim *pre* *post* *inst* (see inspecting packages)
  10. If no malicious or goofy bits are found, πŸ‘ :shipit:

pre-commit hook

If you work with this repository, installing this pre-commit hook (in your local ~/.git/hooks/pre-commit) will make your life so much easier:

make sort
git add ubuntu-{precise,trusty}

This ensures that the files we need are always sorted without duplicates or blank lines.

The slightly simplified version:

  1. Bring up the vagrant box: vagrant up trusty
  2. SSH into the vagrant box: vagrant ssh trusty
  3. Run the travis-download-deb-sources script for the package in question, e.g.: sudo -u ubuntu -i travis-download-deb-sources git
  4. Proceed with inspecting the debian/*pre* and debian/*post* hook scripts. (see inspecting packages)

All together now, for poppler-utils:

# inside the vagrant box
sudo -u ubuntu -i -- travis-download-deb-sources poppler-utils
cd /var/tmp/shared/deb-sources/poppler-0.18.4/debian
vi *{pre,post,inst}*

(If you don't have the pre-commit hook)

# either inside the vagrant box in /vagrant or outside in the repo top level
make add PACKAGE=poppler-utils
git commit -v

inspecting packages

The big things to worry about are if any of the debian hook scripts are doing malicious or silly things, or if the package being installed depends on setuid or setgid.

# move into the `deb-sources` directory
pushd /var/tmp/shared/deb-sources

# look for `setuid`, `seteuid`, and `setgid` usage, except for mentions in `install-sh`
grep -l -R -i -E 'set(uid|euid|gid)' . | grep -v -E '\binstall-sh\b'

# if the above `grep` finds anything, take a closer look:
vi $(grep -l -R -i -E 'set(uid|euid|gid)' . | grep -v -E '\binstall-sh\b')

# move into the `debian` directory
pushd $(find . -name debian | head -1)

# take a look at the hook scripts and such
shopt -s nullglob
vi *{pre,post,inst}*

github API handy bits

There is a helper script at ./bin/travis-list-apt-safelist-issues which may be used to query the open APT safelist requests, as well as for automatic commit message formatting, e.g.:

# list everything
./bin/travis-list-apt-safelist-issues

# Show only the generated commit messages
./bin/travis-list-apt-safelist-issues | jq -r .commit_message

@meatballhat's workflow

First things first

shopt -s nullglob

Grab 1 or more packages

for pkg in abc def xyz ; do
  sudo -u ubuntu -- /usr/local/bin/travis-download-deb-sources "${pkg}" ;
done

Edit any matches for set(uid|euid|gid|egid)

vim $(grep -l -R -i -E 'set(uid|euid|gid)' . | grep -v -E '\binstall-sh\b')

Edit any debian package files

for d in $(find . -name debian) ; do
  pushd $d && vim *{pre,post,inst}* ; popd ;
done

If all clear, list all audited package names on one line

for d in $(find . -name debian) ; do
  pushd $d &>/dev/null && \
    grep ^Package control | awk -F: '{ print $2 }' | xargs echo ;
  popd &>/dev/null ;
done | xargs echo

Back outside of the Vagrant box, pass this list of packages for addition. Adding both the package name and its' :i386 variant is not always necessary, but doesn't hurt.

(If you don't have the pre-commit hook)

for pkg in abc def xyz ; do
  make add PACKAGE=$pkg
  make add PACKAGE=${pkg}:i386
done

Grab the generated commit message

./bin/travis-list-apt-safelist-issues | jq -r '.commit_message' | grep -A2 abc

Commit and push, then restart all travis-build apps with a bit o' sleep

for app in travis-pro-build-production travis-pro-build-staging travis-build-production travis-build-staging ; do
  heroku ps:restart -a ${app} ;
  sleep 5 ;
done

More Repositories

1

travis-ci

Free continuous integration platform for GitHub projects.
8,353
star
2

travis.rb

Travis CI Client (CLI and Ruby library)
Ruby
1,583
star
3

dpl

Dpl (dee-pee-ell) is a deploy tool made for continuous deployment.
Ruby
1,284
star
4

gimme

Install go, yay!
Shell
690
star
5

travis-cookbooks

Chef cookbook monolithic repo πŸ“– πŸ’£
HTML
663
star
6

travis-build

.travis.yml => build.sh converter
Ruby
653
star
7

travis-web

The Ember web client for Travis CI
JavaScript
611
star
8

docs-travis-ci-com

The Travis CI Documentation
SCSS
570
star
9

travis-api

The Travis CI API
Ruby
295
star
10

worker

Worker runs your Travis CI jobs
Go
274
star
11

travis-core

[DEPRECATED] Models and classes shared by Travis CI api, hub and gatekeeper
Ruby
239
star
12

travis-yaml

parses, normalizes, validates and serializes your .travis.yml
Ruby
170
star
13

travis-ci.github.com

[DEPRECATED] The Travis CI blog & documentation website
CSS
154
star
14

travis-worker

[DEPRECATED] This project is deprecated in favor of travis-ci/worker
Ruby
141
star
15

terraform-config

Terraform bits and bytes
HCL
123
star
16

travis-yml

Travis CI build config processing
Ruby
113
star
17

travis-lint

[DEPRECATED] Use travis-ci/travis-yml instead
Ruby
113
star
18

packer-templates

Templates for Packer!
Ruby
102
star
19

travis-watcher-macosx

[DEPRECATED] A Travis CI client for Mac OS X.
Objective-C
95
star
20

artifacts

Travis CI Artifacts Uploader
Go
87
star
21

travis-boxes

[DEPRECATED] Travis Boxes makes provisioning and configuring Virtual Box machines simple and easy.
Ruby
78
star
22

apt-source-safelist

Safelist of apt sources approved for build environments with restricted sudo
Ruby
78
star
23

gh

Layered GitHub API client
Ruby
68
star
24

travis-hub

Job State Central Command
Ruby
67
star
25

beta-features

The perfect place to leave feedback and comments on newly released Beta Features.
58
star
26

pudding

[DEPRECATED] It's a thing for managing instances!
Go
58
star
27

travis-logs

Processes log updates from the job runner (worker), and streams them to the web client, aggregates them, and archives to S3.
Ruby
56
star
28

travis-crowd

[DEPRECATED] Travis' love campaign (replaced by https://github.com/travis-ci/travis-love-campaign)
Ruby
49
star
29

osx-image-bootstrap

DEPRECATED Bootstrap scripts for Travis CI OS X VMs
Shell
47
star
30

build-stages-demo

Demos for Travis CI build stages
Ruby
46
star
31

travis-listener

Receives and queues service hook notifications from GitHub for processing.
Ruby
44
star
32

travis-rubies

my rubies, let me show you them
Shell
43
star
33

casher

CH CHING
Ruby
42
star
34

moustached-hubot

Moustached ChatOps for your hubot.
CoffeeScript
42
star
35

kubernetes-config

Travis services running on Kubernetes!
Shell
38
star
36

travis-tasks

The Sidekiq based Travis background job processor.
Ruby
37
star
37

php-src-builder

Builds php/php-src with php-build and uploads artifacts to S3
Roff
31
star
38

travis-support

Support classes and extensions used in travis-ci
Ruby
30
star
39

travis-scheduler

Queues jobs to be run by the various workers
Ruby
28
star
40

travis-cli-gh

[DEPRECATED] Travis CLI plugin to interact with GitHub API
Ruby
24
star
41

travis-sso

Implements Travis CI Single Sign-On as a Rack middleware.
Ruby
22
star
42

travis-artifacts

[DEPRECATED] Upload artifacts after running your tests to S3 (Unmaintained. See https://github.com/travis-ci/artifacts)
Ruby
21
star
43

docker-sinatra

[DEMO] Sample project for running a sinatra application on Docker from within a Travis build
Ruby
21
star
44

sso

SSO in go, implemented as an HTTP proxy.
Go
21
star
45

travis-assets

[DEPRECATED] We are using a CDN now
JavaScript
21
star
46

travis-conditions

Boolean language for conditional builds, stages, jobs
Ruby
20
star
47

actions

The best of GitHub Actions!
JavaScript
19
star
48

travis-foundation

Travis Foundation website.
HTML
19
star
49

gcloud-cleanup

Clean That Cloud! ☁️ πŸ›€
Go
19
star
50

travis-ruby-client

Ruby client library for Travis CI API
Ruby
19
star
51

packer-templates-mac

Templates for building images for macOS for Travis with Packer!
Shell
17
star
52

travis-chat

[DEMO] example app demoing travis-sso usage
Ruby
15
star
53

jupiter-brain

Jupiter Brain manages servers
Go
14
star
54

cpython-builder

Clones and builds CPython
Shell
13
star
55

travis.js

[DEPRECATED]
CoffeeScript
12
star
56

travis-deploy

[DEPRECATED] Travis Deploy tool
Ruby
11
star
57

collectd-vsphere

vSphere metrics plugin for collectd
Go
11
star
58

travis-web-log

CoffeeScript
10
star
59

system-info

πŸ’ Gathers and reports system information specific to the travis build environment.
Ruby
10
star
60

worker-operator

A Kubernetes operator for deploying worker
Go
10
star
61

enterprise-installation

Travis CI Enterprise Installation Instructions
10
star
62

job-board

have a job? need a job? no jobs? all the jobs!
Ruby
9
star
63

cloud-brain

It talks to the clouds
Go
9
star
64

travis-weblint

travis-lint meets teh Internet
Ruby
9
star
65

travis-images

[DEPRECATED] Used to created and manage Travis VMs IN THE CLOUD
Ruby
9
star
66

apt-whitelist-checker

Automation of https://github.com/travis-ci/apt-package-whitelist approval process
Shell
9
star
67

cyclist

AWS ASG lifecycle thing πŸŽ‰ 🚴
Go
8
star
68

2fabot

Slack bot that sends reminders to people to enable two-factor authentication.
Go
8
star
69

travis-extension-chrome

[DEPRECATED] Chrome extension that displays build status in the toolbar
8
star
70

travis-cli-pr

[DEPRECATED] This plugin has been deprecated, please use the travis settings command and the GitHub plugin instead. https://github.com/travis-ci/travis-cli-gh
Ruby
8
star
71

unlimited-jce-policy-jdk7

It's JCE Unlimited Strength Jurisdiction Policy Files 7 in a gem!
Ruby
7
star
72

prompt_warn_env

Warn if sensitive env vars are present
Shell
7
star
73

travis-erlang-builder

πŸ“«
Shell
6
star
74

travis-become

Ruby
6
star
75

travis-config

How does one configure πŸ’ƒ
Ruby
6
star
76

travis-migrations

Skeleton app to allow migrations to be run for our infrastructures
Ruby
6
star
77

travis-nightly-builder

API + rake tasks to build "nightly" or on-demand stuff
JavaScript
6
star
78

encrypted-column

Go implementation of encrypted database column bits
Go
6
star
79

travis-cli-settings

[DEPRECATED] No longer in use.
Ruby
5
star
80

travis-styleguide

[DEPRECATED] ✨
CSS
5
star
81

hubot-pudding

Script for interacting with a pudding server
CoffeeScript
5
star
82

travis-redirect

Ruby
5
star
83

veewee-definitions

[DEPRECATED] Veewee definitions we use to build our base boxes
Shell
5
star
84

container-example

[DEMO] An example showing how to use Travis CIs container-based infrastructure
Protocol Buffer
5
star
85

webhook-signature-verifier

A small Sinatra app to verify the webhook payload signature
Ruby
4
star
86

travis-images-specs

[DEPRECATED] tests for Travis build images
Ruby
4
star
87

travis-sidekiqs

Async, baby!
Ruby
4
star
88

cat-party

[DEMO] CodeDeploy Demo
HTML
4
star
89

tfw

The Tiny Floating Whale of infrastructure at Travis CI ✨ 🐳
Shell
4
star
90

travis-caching

[DEPRECATED] A simple caching service with pluggable backends
Ruby
4
star
91

travis_migrate_to_apps

Migrate your GitHub organizations to use the Travis CI GitHub App integration
Ruby
4
star
92

macbot

Slack bot for managing vSphere and other Travis Mac infrastructure things
Go
4
star
93

build-email

[DEPRECATED] The up-to-date HTML for build emails is generated from this template: https://github.com/travis-ci/travis-tasks/blob/master/lib/travis/addons/email/mailer/views/build/finished_email.html.erb
4
star
94

openshift-travis-quickstart

[DEMO] A sample Rack application showing Travis CI and OpenShift integration
Ruby
4
star
95

travis-api-v3

Pulling out our V3 codebase to be a stand alone application.
Ruby
3
star
96

travis-packer-build

πŸ“¦ 🚧
Ruby
3
star
97

travis-logsearch

Pipeline to dump job execution logs into elasticsearch!
Ruby
3
star
98

apt-gpg-keys

List of keys installed by travis-build at run time
3
star
99

build-env-linux

[WIP] New and improved Travis build environments for Linux
3
star
100

travis-encrypt

Encryption support
Ruby
3
star