[RndTbl] muug.ca debian mirror 403'ing

Trevor Cordes trevor at tecnopolis.ca
Wed Sep 28 17:53:37 CDT 2016


On 2016-09-23 Theodore Baschak wrote:
> Looks like this happened again, it must be an upstream permissions
> error that's being propagated thru the mirroring process.

OK, I spent a few minutes and whipped up a perl script (kludge) that
should solve this problem until upstream mirrors get fixed.  Using
inotify I watch for a perm change, check if the perms are not at least
755 and if not I chmod 755.  Using inotify should result in basically
zero overhead (no polling, no cron-ing, etc).

I also put in a systemd wrapper I like to use that allows me to capture
all stdout/err to a central log file without having to program it in
each script.  Not sure if systemd finally fixed this shortcoming, but
at last check (maybe 1-2 years ago) they hadn't.  (Did I mention I hate
systemd yet?)  Systemd unit is muug-debian-mirror-dir-perm-kludge.

So this little script should restart on every reboot.

It's logging all action to /var/log/debian-mirror-dir-perm-kludge.log
so we can ensure it's not going wonky and/or pinpoint what rsync run /
mirror is screwing it up by comparing times.

You can easily test with (root)  chmod g-r /ARRAY/mirror/debian
then  cat /var/log/debian-mirror-dir-perm-kludge.log
then  ll -d /ARRAY/mirror/debian

Note, I suppose there is a possibility that rsync could do something
mental like recheck the perm immediately or fight with my script in
some way.  That should show up in the logs.  Perhaps a short (5s?) delay
in my script before chmod might alleviate any issue.  We'll see if it's
required.

The script could easily be expanded to watch all mirror dirs, but
probably best to only use on an as-needed basis.  I was cautious about
security but anything like this just adds complexity and thus decreases
security.


#cat /usr/local/sbin/debian-mirror-dir-perm-kludge
#!/usr/bin/perl -w
use strict;
use Linux::Inotify2;
use POSIX qw(strftime);

my $naughtydir = '/ARRAY/mirror/debian';
$| = 1;    # unbuffered stdout so the systemd-captured log is timely

sub ts { strftime("%Y-%m-%d %H:%M:%S", localtime) }

print ts(), " starting\n";

my $inotify = Linux::Inotify2->new
  or die "unable to create new inotify object: $!";

# Watch only the directory itself (not its contents) for attribute changes,
# and never follow a symlink planted at that path.
$inotify->watch($naughtydir, IN_ATTRIB | IN_ONLYDIR | IN_DONT_FOLLOW, sub {
  my $e = shift;
  print ts(), " events were lost\n" if $e->IN_Q_OVERFLOW;

  my ($perm) = (stat $naughtydir)[2] or die "cannot stat: $!";
  $perm &= 07777;

  # see if perms got wonkyized: every bit of 0755 must be set
  if (($perm & 0755) != 0755) {
    die "hanky panky" if !-d $naughtydir or -l $naughtydir;
    printf ts() . " updated perms (was: %o)\n", $perm;
    chmod 0755, $naughtydir or die "could not chmod: $!";
  }
});

1 while $inotify->poll;    # block forever, dispatching events to the callback
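Added example (not the list post's Perl script): the same watch-and-repair idea in Python over raw inotify via ctypes, assuming Linux with glibc; NAUGHTY_DIR and the repair threshold are placeholders. It differs from the script above in three ways a defender would want: it fchmods through an O_NOFOLLOW directory descriptor instead of re-checking a path, it ORs in the missing bits rather than setting exactly 0755 (so a setgid mirror dir keeps it), and it counts repairs to flag the "rsync fighting the script" case the post worries about.

```python
import ctypes, os, struct, sys, time
from collections import deque

NAUGHTY_DIR = "/ARRAY/mirror/debian"   # placeholder for the directory that keeps losing o+rx
WANT = 0o755                           # every one of these bits must stay set
IN_ATTRIB, IN_Q_OVERFLOW, IN_ONLYDIR, IN_DONT_FOLLOW = 0x4, 0x4000, 0x01000000, 0x02000000  # <linux/inotify.h>

def log(msg):
    print(time.strftime("%Y-%m-%d %H:%M:%S"), msg, flush=True)

def repair(path):
    """Return (old_mode, new_mode); the two are equal when nothing needed fixing."""
    # Open O_NOFOLLOW|O_DIRECTORY and fchmod on that descriptor: a symlink swapped in
    # between the check and the chmod cannot redirect the change to another path.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        old = os.fstat(fd).st_mode & 0o7777
        if (old & WANT) == WANT:
            return old, old
        new = old | WANT                   # add the missing bits, keep setgid/sticky if present
        os.fchmod(fd, new)
        log("updated perms on %s (was: %o, now: %o)" % (path, old, new))
        return old, new
    finally:
        os.close(fd)

def watch(path, max_fixes_per_minute=5):
    """Block on inotify(7); repair on each attribute change and warn when repairs pile up."""
    libc = ctypes.CDLL("libc.so.6", use_errno=True)
    ifd = libc.inotify_init1(0)
    wd = libc.inotify_add_watch(ifd, path.encode(), IN_ATTRIB | IN_ONLYDIR | IN_DONT_FOLLOW)
    if ifd < 0 or wd < 0:
        raise OSError(ctypes.get_errno(), "inotify setup failed for %s" % path)
    recent = deque(maxlen=max_fixes_per_minute)   # monotonic times of the last N repairs
    log("starting, watching %s" % path)
    while True:
        buf, off = os.read(ifd, 4096), 0
        while off < len(buf):   # struct inotify_event: int wd; u32 mask, cookie, len; char name[len]
            _, mask, _, nlen = struct.unpack_from("iIII", buf, off)
            off += 16 + nlen
            if mask & IN_Q_OVERFLOW:
                log("events were lost")
            old, new = repair(path)
            if old != new:
                recent.append(time.monotonic())
                if len(recent) == recent.maxlen and recent[-1] - recent[0] <= 60:
                    log("WARNING: %d repairs within a minute, something is fighting back" % len(recent))

if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else NAUGHTY_DIR)
```

The same manual test as above applies: chmod g-r the directory from another shell and the repair line should appear in the log within a moment.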

