From 5c5337567290c6fff8396a26e5f4c4f6402f8fe8 Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel
Date: Tue, 9 May 2023 16:45:35 +0200
Subject: [PATCH] Sphinx: simplify running process as another user

---
 sphinx/README.md | 9 ++++-----
 sphinx/sphinx_to_html.py | 16 +++------------
 2 files changed, 7 insertions(+), 18 deletions(-)

diff --git a/sphinx/README.md b/sphinx/README.md
index 5aecf40..48aae9e 100644
--- a/sphinx/README.md
+++ b/sphinx/README.md
@@ -15,8 +15,7 @@ Add to Gitea app.ini.
     [markup.restructuredtext]
     ENABLED = true
     FILE_EXTENSIONS = .rst
-    RENDER_COMMAND = "timeout 30s ./custom/sphinx/sphinx_to_html.py --user sphinx --user-work-dir /path/to/dir"
-    IS_INPUT_FILE = true
+    RENDER_COMMAND = timeout 30s sudo -u sphinx python3 ./custom/sphinx/sphinx_to_html.py
 
     [markup.sanitizer.restructuredtext]
     ELEMENT = div
@@ -28,6 +27,6 @@ Add to Gitea app.ini.
     PREVIEWABLE_FILE_MODES = markdown,restructuredtext
 
 The `sphinx` user is required for sandboxing of sphinx-build which we do not
-assume to be secure. The work directory should be writable by both the gitea
-user and sphinx user, with the sphinx user having as little access as possible
-to other directories.
+assume to be so secure that it should have access to all gitea data. This user
+needs read-only access to the custom/sphinx, and the user running gitea needs
+to be able to run a process as the `sphinx` user.
diff --git a/sphinx/sphinx_to_html.py b/sphinx/sphinx_to_html.py
index 7686109..95bcad9 100755
--- a/sphinx/sphinx_to_html.py
+++ b/sphinx/sphinx_to_html.py
@@ -10,11 +10,7 @@
 import subprocess
 import sys
 import tempfile
-parser = argparse.ArgumentParser(prog="sphinx_to_html")
-parser.add_argument("filename_rst", help="Input .rst file")
-parser.add_argument("--user", help="Run sphinx as another user", type=str)
-parser.add_argument("--user-work-dir", help="Do work in specified folder accessible by user", type=str)
-args = parser.parse_args()
+page_contents = sys.stdin.read()
 
 base_url = "https://projects.blender.org"
 local_url = "http://localhost:3000"
@@ -44,15 +40,12 @@ else:
     image_url = ""
 
 # Set up temporary directory with sphinx configuration.
-with tempfile.TemporaryDirectory(dir=args.user_work_dir) as tmp_dir:
+with tempfile.TemporaryDirectory() as tmp_dir:
     work_dir = pathlib.Path(tmp_dir) / "work"
     script_dir = pathlib.Path(__file__).parent.resolve()
     shutil.copytree(script_dir / "template", work_dir)
 
     page_filepath = work_dir / "contents.rst"
-    shutil.copyfile(args.filename_rst, page_filepath)
-
-    page_contents = page_filepath.read_text()
 
     # Turn links into external links since internal links are not found and stripped.
     def path_to_label(path):
@@ -103,10 +96,7 @@ with tempfile.TemporaryDirectory(dir=args.user_work_dir) as tmp_dir:
     out_filepath = out_dir / "contents.html"
 
     sphinx_cmd = ["sphinx-build", "-b", "html", work_dir, out_dir]
-    if args.user:
-        result = subprocess.run(sphinx_cmd, capture_output=True, user=args.user)
-    else:
-        result = subprocess.run(sphinx_cmd, capture_output=True)
+    result = subprocess.run(sphinx_cmd, capture_output=True)
 
     # Output errors.
     error = result.stderr.decode("utf-8", "ignore").strip()
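Review bot: `page_contents = sys.stdin.read()` decodes the page with whatever locale the process inherits, and the README now starts this script via `sudo -u sphinx`, which with sudo's usual env_reset can leave it in a C/POSIX locale, so a page containing non-ASCII text may raise UnicodeDecodeError or be mis-decoded before sphinx-build ever runs. Decode the bytes explicitly instead, lenient to match how stderr is handled later in the file: `page_contents = sys.stdin.buffer.read().decode("utf-8", "replace")`. The removed argparse lines were the only visible use of `argparse`; if the `import argparse` near the top of the file (outside this hunk) survives, it is now dead and should be removed.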
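Review bot: `result = subprocess.run(sphinx_cmd, capture_output=True)` puts no bound on sphinx-build itself; the only limit is the `timeout 30s` wrapper the README tells the admin to put in RENDER_COMMAND, so a deployment that drops that wrapper lets a pathological .rst hold a Gitea render worker indefinitely while processing untrusted repository content. Give the call its own limit and treat expiry as a render failure: `result = subprocess.run(sphinx_cmd, capture_output=True, timeout=25)` with `subprocess.TimeoutExpired` caught around it (the child is killed on expiry). The hunk reads `result.stderr` but any `result.returncode` check lies past its end, and the enclosing `with` block starts before it.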