Comments (15)

lolomin commented on June 2, 2024

[root@cygnus shells]# cat /etc/fedora-release
Fedora release 37 (Thirty Seven)

from borgwarehouse.

lolomin commented on June 2, 2024

Hi Ravinou,

Can confirm that it works now, thanks a lot!
By the way, git pull caused:

  • loss of -H 127.0.0.1 -p specific_port in package.json
  • loss of changed admin password

Maybe it would be good to gitignore or place these credentials/configs somewhere else?
Thanks for your reactivity.

Regards,

lolo

from borgwarehouse.

Ravinou commented on June 2, 2024

Hi @lolomin !

If you have followed the documentation on Debian and created a systemd service, you will find the application logs with:

journalctl -u borgwarehouse

But, from what I see you have a problem with a shell script, so the answer should be in /var/log/syslog

You can tail -f /var/log/syslog when you create a repo, or try to grep error with something like cat /var/log/syslog | grep npm.

Commonly, people forget to set the execution rights on the scripts. You can check this.

from borgwarehouse.

lolomin commented on June 2, 2024

Hi Ravinou,

Thanks for your quick answer :)

Nothing there, already checked :

[root@cygnus ~]# journalctl -u borgwarehouse
-- No entries --
[root@cygnus ~]# grep -i borgwarehouse /var/log/messages
[root@cygnus ~]# grep -i npm /var/log/messages | grep -iv zigbee
[root@cygnus ~]#

The only logs that I have for npm are for my other service running npm with Zigbee2MQTT.

The shell scripts are already executable :

[root@cygnus shells]# pwd
/home/borgwarehouse/borgwarehouse/helpers/shells
[root@cygnus shells]# ll
total 28
drwxr-xr-x 2 borgwarehouse borgwarehouse 4096 Dec 18 22:58 .
drwxr-xr-x 4 borgwarehouse borgwarehouse 4096 Dec 18 22:58 ..
-rwx------ 1 borgwarehouse borgwarehouse 2960 Dec 18 22:58 createRepo.sh
-rwx------ 1 borgwarehouse borgwarehouse 802 Dec 18 22:58 deleteRepo.sh
-rwx------ 1 borgwarehouse borgwarehouse 544 Dec 18 22:58 getLastSave.sh
-rwx------ 1 borgwarehouse borgwarehouse 470 Dec 18 22:58 getStorageUsed.sh
-rwx------ 1 borgwarehouse borgwarehouse 1565 Dec 18 22:58 updateRepo.sh

The distrib is a Fedora 37, not a Debian or Ubuntu like

lolo

from borgwarehouse.

Ravinou commented on June 2, 2024

I have never tested the app on Fedora.

Please, stop the service borgwarehouse.

And launch the app manually please :

su borgwarehouse
cd /home/borgwarehouse/borgwarehouse
npm run start

You will have the direct log now in your terminal. Try to create a repo and you can give me the error.

Thanks

from borgwarehouse.

lolomin commented on June 2, 2024

[borgwarehouse@cygnus borgwarehouse]$ npm run start

[email protected] start
next start -H 127.0.0.1 -p 7689

ready - started server on 127.0.0.1:7689, url: http://127.0.0.1:7689
info - Loaded env from /home/borgwarehouse/borgwarehouse/.env.local
Error: Command failed: /home/borgwarehouse/borgwarehouse/helpers/shells/createRepo.sh repo0 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkwpHLpLPShK6Z0qmG8Op8VZ6Zki04eB1b0vOWYQG5U borgwarehouse@cygnus" 50

at ChildProcess.exithandler (node:child_process:412:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1091:16)
at Socket.<anonymous> (node:internal/child_process:449:11)
at Socket.emit (node:events:513:28)
at Pipe.<anonymous> (node:net:313:12) {

code: 3,
killed: false,
signal: null,
cmd: '/home/borgwarehouse/borgwarehouse/helpers/shells/createRepo.sh repo0 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkwpHLpLPShK6Z0qmG8Op8VZ6Zki04eB1b0vOWYQG5U borgwarehouse@cygnus" 50',
stdout: 'You must install borgbackup package.\n',
stderr: ''
}

[root@cygnus borgwarehouse]# rpm -qa | grep -i borgbackup
borgbackup-1.2.2-1.fc37.x86_64
[root@cygnus borgwarehouse]# which borg
/usr/bin/borg
[root@cygnus borgwarehouse]#

So the project is not deployable on a distrib other than Debian/Ubuntu ?

lolo

from borgwarehouse.

Ravinou commented on June 2, 2024

> So the project is not deployable on a distrib other than Debian/Ubuntu ?

It's just not tested with every distro, but I can adapt with contrib like yours ;)

Can you please replace createRepo.sh with :

#!/bin/bash

# Shell created by Raven for BorgWarehouse.
# This shell takes 3 arguments : [reponame] X [SSH pub key] X [quota]
# Main steps are :
# - check if args are present
# - check the ssh pub key format
# - check if borgbackup package is install
# - generate a random username, check if it exists in /etc/passwd
# - add the user (with random name), group, shell and home
# - create a pool which is the folder where all the repositories for a user are located (only one by user for borgwarehouse usage)
# - create the authorized_keys
# - add the SSH public key in the authorized_keys with borg restriction for repository and storage quota.
# This simple method prevents the user from connecting to the server with a shell in SSH.
# He can only use the borg command. Moreover, he will not be able to leave his repository or create a new one.
# It is similar to a jail and that is the goal.

# Exit when any command fails
set -e

# Check args
if [ "$1" == "" ] || [ "$2" == "" ] || [ "$3" == "" ];then
    echo "This shell takes 3 argument : Reponame, SSH Public Key, Quota in Go [e.g. : 10] "
    exit 1
fi

# Check if the SSH public key is a valid format
# This pattern validates SSH public keys for : rsa, ed25519, ed25519-sk
pattern='(ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t|ssh-rsa AAAAB3NzaC1yc2)[0-9A-Za-z+/]+[=]{0,3}(\s.*)?'
if [[ ! "$2" =~ $pattern ]]
then	
    echo "Invalid public SSH KEY format. Provide a key in OpenSSH format (rsa, ed25519, ed25519-sk)"
    exit 2
fi

# Check if borgbackup is installed
if ! [ -x "$(command -v borg)" ]; then
  echo "You must install borgbackup package."
  exit 3
fi

# Generation of a random for username
randUsername () {
    openssl rand -hex 4
}
user=$(randUsername)

# Check if the random is already a username.
while grep -q $user /etc/passwd
do
    user=$(randUsername)
done

# Some variables
group="${user}"
home="/var/borgwarehouse/${user}"
pool="${home}/repos"

## add user and create homedirectory ${user} - [shell=/bin/bash home=${home} group=${group}]
sudo useradd -d ${home} -s "/bin/bash" -m ${user}

## Create directory ${home}/.ssh
sudo mkdir -p ${home}/.ssh

## Create autorized_keys file
sudo touch ${home}/.ssh/authorized_keys

## Create ${pool}
sudo mkdir -p ${pool}

## Create the repo
sudo mkdir -p "${pool}/$1"

## Check if authorized_keys exists
authorized_keys="${home}/.ssh/authorized_keys"
if [ ! -f "${authorized_keys}" ];then
    echo "${authorized_keys} must be present"
    exit 4
fi

## Change permissions
sudo chmod -R 700 ${home}
sudo chmod 600 ${authorized_keys}
sudo chown -R ${user}:${user} ${home}

## Add ssh public key in authorized_keys with borg restriction for only 1 repository (:$1) and storage quota
sudo -u ${user} bash -c "echo 'command=\"cd ${pool};borg serve --restrict-to-repository ${pool}/$1 --storage-quota $3G\",restrict $2' >> ${authorized_keys}"

## Return the unix user
echo ${user}

And let me know if it works.

from borgwarehouse.

lolomin commented on June 2, 2024

Got another error now

Error: Command failed: /home/borgwarehouse/borgwarehouse/helpers/shells/createRepo.sh repo0 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkwpHLpLPShK6Z0qmG8Op8VZ6Zki04eB1b0vOWYQG5U borgwarehouse@cygnus" 50

at ChildProcess.exithandler (node:child_process:412:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1091:16)
at Socket.<anonymous> (node:internal/child_process:449:11)
at Socket.emit (node:events:513:28)
at Pipe.<anonymous> (node:net:313:12) {

code: 4,
killed: false,
signal: null,
cmd: '/home/borgwarehouse/borgwarehouse/helpers/shells/createRepo.sh repo0 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkwpHLpLPShK6Z0qmG8Op8VZ6Zki04eB1b0vOWYQG5U borgwarehouse@cygnus" 50',
stdout: '/var/borgwarehouse/78e0ccf7/.ssh/authorized_keys must be present\n',
stderr: ''
}

Some infos :

[root@cygnus shells]# ll /var/borgwarehouse/78e0ccf7/
total 44
drwx------ 5 78e0ccf7 78e0ccf7 4096 Dec 19 11:58 .
drwxr-xr-x 3 root     root     4096 Dec 19 11:58 ..
-rw-r--r-- 1 78e0ccf7 78e0ccf7   18 Nov 18 15:24 .bash_logout
-rw-r--r-- 1 78e0ccf7 78e0ccf7  141 Nov 18 15:24 .bash_profile
-rw-r--r-- 1 78e0ccf7 78e0ccf7  492 Nov 18 15:24 .bashrc
-rw-r--r-- 1 78e0ccf7 78e0ccf7  172 Sep 19 12:42 .kshrc
drwxr-xr-x 4 78e0ccf7 78e0ccf7 4096 Jul 22 01:56 .mozilla
drwxr-xr-x 3 root     root     4096 Dec 19 11:58 repos
drwxr-xr-x 2 root     root     4096 Dec 19 11:58 .ssh
-rw-r--r-- 1 78e0ccf7 78e0ccf7  299 Jul 23 16:08 .zprofile
-rw-r--r-- 1 78e0ccf7 78e0ccf7  658 Jul 23 16:08 .zshrc
[root@cygnus shells]# ll /var/borgwarehouse/
total 12
drwxr-xr-x  3 root     root     4096 Dec 19 11:58 .
drwxr-xr-x 34 root     root     4096 Dec 18 22:57 ..
drwx------  5 78e0ccf7 78e0ccf7 4096 Dec 19 11:58 78e0ccf7
[root@cygnus shells]# ll /var/borgwarehouse/78e0ccf7/repos/
total 12
drwxr-xr-x 3 root     root     4096 Dec 19 11:58 .
drwx------ 5 78e0ccf7 78e0ccf7 4096 Dec 19 11:58 ..
drwxr-xr-x 2 root     root     4096 Dec 19 11:58 repo0
[root@cygnus shells]# ll /var/borgwarehouse/78e0ccf7/repos/repo0/
total 8
drwxr-xr-x 2 root root 4096 Dec 19 11:58 .
drwxr-xr-x 3 root root 4096 Dec 19 11:58 ..
[root@cygnus shells]# 
[root@cygnus shells]# ll /var/borgwarehouse/78e0ccf7/.ssh/
total 8
drwxr-xr-x 2 root     root     4096 Dec 19 11:58 .
drwx------ 5 78e0ccf7 78e0ccf7 4096 Dec 19 11:58 ..
-rw-r--r-- 1 root     root        0 Dec 19 11:58 authorized_keys

lolo

from borgwarehouse.

Ravinou commented on June 2, 2024

Strange, does the file /var/borgwarehouse/78e0ccf7/.ssh/authorized_keys exist?

from borgwarehouse.

lolomin commented on June 2, 2024

Yes as you can see above

[root@cygnus shells]# ll /var/borgwarehouse/78e0ccf7/.ssh/authorized_keys
-rw-r--r-- 1 root root 0 Dec 19 11:58 /var/borgwarehouse/78e0ccf7/.ssh/authorized_keys

from borgwarehouse.
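A file test such as `[ -f PATH ]` is false whenever the caller lacks search (x) permission on any parent directory, and the listings above show the new home directory as `drwx------` while createRepo.sh runs that test as the borgwarehouse user. As an added example (not part of the thread or of BorgWarehouse), this helper reports the first parent directory a given uid/gid cannot search; the function names, the made-up uid/gid and the constructed demo tree are assumptions.

```shell
#!/bin/bash
# Added example, not BorgWarehouse code. Prints the first parent directory of
# a path that a given uid/gid cannot search (missing x bit). Mode bits only:
# ACLs, supplementary groups and root's bypass are ignored. Needs GNU stat.

# can_search DIR UID GID: succeeds if that identity has the x bit on DIR.
can_search() {
    local meta owner group mode
    meta=$(stat -c '%u %g %a' -- "$1") || return 2
    owner=${meta%% *}; mode=${meta##* }
    group=${meta#* }; group=${group% *}
    mode=$((0$mode))                        # leading 0: parse as octal
    if [ "$2" -eq "$owner" ]; then
        [ $(( (mode >> 6) & 1 )) -eq 1 ]    # owner class applies
    elif [ "$3" -eq "$group" ]; then
        [ $(( (mode >> 3) & 1 )) -eq 1 ]    # group class applies
    else
        [ $(( mode & 1 )) -eq 1 ]           # other class applies
    fi
}

# first_blocked PATH UID GID: relative paths are walked from the current dir.
first_blocked() {
    local dir=. rest part
    case $1 in */*) ;; *) return 0 ;; esac
    case $1 in /*) dir=""; can_search / "$2" "$3" || { echo /; return 0; } ;; esac
    rest=${1%/*}                            # parent directories only
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        dir="$dir/$part"
        can_search "$dir" "$2" "$3" || { echo "$dir"; return 0; }
    done
}

# Constructed tree shaped like the thread's listing: home is 0700 and owned by
# the current user; the caller is a different, made-up uid/gid.
demo() {
    local base; base=$(mktemp -d) || return 1
    mkdir -p "$base/home/.ssh" && touch "$base/home/.ssh/authorized_keys"
    chmod 755 "$base/home/.ssh" && chmod 700 "$base/home"
    ( cd "$base" && first_blocked home/.ssh/authorized_keys \
        "$(( $(id -u) + 1 ))" "$(( $(id -g) + 1 ))" )
    rm -rf "$base"
}
demo
```

On a real host, call `first_blocked` with the absolute path and the numeric ids from `id -u` and `id -g` of the account that runs the script.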

Ravinou commented on June 2, 2024

Did you launch the app with root ? I have the impression that the npm run start was launched with root and not the borgwarehouse user?

from borgwarehouse.

lolomin commented on June 2, 2024

No, it was run as borgwarehouse user

[borgwarehouse@cygnus borgwarehouse]$ npm run start

> [email protected] start
> next start -H 127.0.0.1 -p 7689

ready - started server on 127.0.0.1:7689, url: http://127.0.0.1:7689
info  - Loaded env from /home/borgwarehouse/borgwarehouse/.env.local

from borgwarehouse.

Ravinou commented on June 2, 2024

I will test it on Fedora. What is your version of Fedora please ?

from borgwarehouse.

Ravinou commented on June 2, 2024

@lolomin
Please, can you pull the last commits :

git pull

Then, change the whole content of /etc/sudoers.d/10-borgwarehouse with :

borgwarehouse ALL=(ALL) NOPASSWD: /usr/sbin/userdel -rf [[\:xdigit\:]]*
borgwarehouse ALL=(ALL) NOPASSWD: /usr/sbin/useradd -d /var/borgwarehouse/[[\:xdigit\:]]* -s /bin/bash -m --badname [[\:xdigit\:]]*
borgwarehouse ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /var/borgwarehouse/[[\:xdigit\:]]*/repos/repo[[\:digit\:]]*, /usr/bin/mkdir -p /var/borgwarehouse/[[\:xdigit\:]]*/.ssh
borgwarehouse ALL=(ALL) NOPASSWD: /usr/bin/touch /var/borgwarehouse/[[\:xdigit\:]]*/.ssh/authorized_keys
borgwarehouse ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 750 /var/borgwarehouse/[[\:xdigit\:]]*, /usr/bin/chmod 600 /var/borgwarehouse/[[\:xdigit\:]]*/.ssh/authorized_keys
borgwarehouse ALL=(ALL) NOPASSWD: /usr/bin/chown -R [[\:xdigit\:]]*\:borgwarehouse /var/borgwarehouse/[[\:xdigit\:]]*
borgwarehouse ALL=(ALL) NOPASSWD: /usr/bin/tee /var/borgwarehouse/[[\:xdigit\:]]*/.ssh/authorized_keys
borgwarehouse ALL=(ALL) NOPASSWD: /usr/bin/sed -ri s|*|g /var/borgwarehouse/[[\:xdigit\:]]*/.ssh/authorized_keys
borgwarehouse ALL=(ALL) NOPASSWD: /usr/bin/jc du -s *

The change in sudoers file is a security improvement of sudo limitations. And the two commits I did resolve problems for Fedora. I tested it on Fedora 37

from borgwarehouse.

Ravinou commented on June 2, 2024

Great, I close this issue for Fedora. I will improve the app with your feedback. Thanks

from borgwarehouse.
