Add INSTALL instructions to explain how to secure tinderbox via apache and change permissions to secure tinderbox locally.

Bug #339688 r=bear

webtools/tinderbox/INSTALL

@@ -0,0 +1,79 @@
+#
+# Tinderbox INSTALL guide
+# 
+
+
+This is a quick guide for installing the tinderbox server.
+
+
+1) If you want to track checkins with tinderbox, you will need to
+   install bonsai first.
+
+2) In order to tighten access to the tinderbox files, you will need to
+   create a tinderbox user & group for exclusive use by the tinderbox server.
+   Add the mail user to your tinderbox group so that build logs can be
+   processed.
+
+3) Checkout the latest copy of the tinderbox server:
+	cd /builds/cvs && cvs -z3 co mozilla/webtools/tinderbox
+
+4) Edit the tinderbox Makefile and set the variables in the
+   SERVER_CONFIGURATION as appropriate.  Let's assume that you set:
+     TINDERBOX_DIR=/var/www/html/tinderbox
+     TINDERBOX_USER=tinderbox
+     TINDERBOX_GROUP=tinderbox
+	vi mozilla/webtools/tinderbox/Makefile
+
+5) Install the tinderbox server into the system directory
+	sudo make -C mozilla/webtools/tinderbox install
+
+6) Edit your webserver configuration file and setup the virtual server
+   for your tinderbox as well as limit permissions to certain sensitive files.
+	vi /etc/httpd/conf/httpd.conf
+
+# Example Virtual host entry for tinderbox for apache 2.0.x
+# Replace 'company.com' with your company and '/var/www/html' with the
+# actual location of your tinderbox installation
+#
+<VirtualHost *:80>
+	ServerName tinderbox.company.com
+	ServerAlias tinderbox
+	DocumentRoot /var/www/html
+	SuexecUserGroup tinderbox tinderbox
+	RewriteEngine On
+	RewriteRule ^/$ http://tinderbox.company.com/tinderbox/ [R,L,NE]
+	<Directory /var/www/html/tinderbox/>
+		Options FollowSymLinks ExecCGI
+		AllowOverride None
+		AddHandler cgi-script .cgi
+	</Directory>
+	# Deny access to private tree data
+	<Directory /var/www/html/tinderbox/*/>
+		<FilesMatch "^(ignorebuilds.pl|scrapebuilds|treedata).pl$">
+			Deny from all
+		</FilesMatch>
+		<FilesMatch "\.(dat)$">
+			Deny from all
+		</FilesMatch>
+	</Directory>
+	<Directory /var/www/html/tinderbox/data>
+		Deny from all
+	</Directory>
+</VirtualHost>	
+# End tinderbox apache configuration
+
+7) Add an email alias for 'tinderbox-daemon' on the local server and pipe
+   all mail through the handemail.pl script.
+   Assuming that you're using sendmail, add the following line to /etc/aliases
+
+tinderbox-daemon:  "|/var/www/html/tinderbox/handlemail.pl /var/www/html/tinderbox"
+
+   If sendmail uses smrsh, you may need to create a symlink under /etc/smrsh.
+	ln -sf /var/www/html/tinderbox/handlemail.pl /etc/smrsh/handlemail.pl
+
+8) Restart apache and go to http://tinderbox.company.com/tinderbox/ .
+   Click on 'Administer' and enter the information for your new tinderbox tree.
+
+9) pull the tinderbox client source and start sending build reports
+   to tinderbox-daemon@<tinderbox.server>
+	(cd /builds/cvs && cvs -z3 co mozilla/tools/tinderbox )

webtools/tinderbox/Makefile

@@ -31,11 +31,13 @@
 # Then "make install" should copy the files to the tinderbox location
 # specified by TINDERBOX_DIR
 
+# Begin SERVER_CONFIGURATION
+
 #TINDERBOX_DIR = /var/www/html/tinderbox
 #BONSAI_DIR = /var/www/html/bonsai
 #BONSAI_URL = /bonsai
 
-# Set these if you want to tighten permissions
+# Set these to the user/group that will run the tinderbox processes
 #TINDERBOX_USER = tinderbox
 #TINDERBOX_GROUP = tinderbox
 
@@ -44,43 +46,57 @@
 #PERL = /usr/bin/perl
 #UUDECODE = /usr/bin/uudecode
 
+# End SERVER_CONFIGURATION
+
 ALL_UTILS = GZIP PERL UUDECODE
 
+EXE_FILES = \
+	addimage.cgi \
+	addnote.cgi \
+	admintree.cgi \
+	buildwho.pl \
+	clean.pl \
+	doadmin.cgi \
+	fixupimages.pl \
+	handlemail.pl \
+	processbuild.pl	\
+	showbuilds.cgi \
+	showimages.cgi \
+	showlog.cgi \
+	$(NULL)
+
 FILES = \
-Backwards.pm	\
+	Backwards.pm \
-addimage.cgi	\
+	ep_mac.pl \
-addnote.cgi		\
+	ep_unix.pl \
-admintree.cgi	\
+	ep_windows.pl \
-buildwho.pl		\
+	header.pl \
-clean.pl		\
+	imagelog.pl \
-doadmin.cgi		\
+	tbglobals.pl \
-ep_mac.pl		\
+	viewvc.pl \
-ep_unix.pl		\
+	Empty.html \
-ep_windows.pl	\
+	faq.html \
-fixupimages.pl	\
+	index.html \
-handlemail.pl	\
+	examples/buildit.config \
-header.pl	\
+	examples/mozilla-unix.pl \
-imagelog.pl		\
+	examples/mozilla-windows.pl \
-processbuild.pl	\
+	$(NULL)
-showbuilds.cgi	\
-showimages.cgi	\
-showlog.cgi		\
-tbglobals.pl	\
-Empty.html		\
-faq.html		\
-index.html		\
-examples/buildit.config 	\
-examples/mozilla-unix.pl 	\
-examples/mozilla-windows.pl
 
 PICS = \
-1afi003r.gif	\
+	1afi003r.gif \
-star.gif
+	star.gif \
+	$(NULL)
 
 # Sanity check
 ifeq (,$(strip $(TINDERBOX_DIR)))
 $(error TINDERBOX_DIR must be set to the tinderbox install location)
 endif
+ifeq (,$(strip $(TINDERBOX_USER)))
+$(error TINDERBOX_USER must be set to the user that the tinderbox processes run as)
+endif
+ifeq (,$(strip $(TINDERBOX_GROUP)))
+$(error TINDERBOX_GROUP must be set to the group that the tinderbox processes run as)
+endif
 
 ifeq (,$(strip $(BONSAI_DIR)))
 $(error BONSAI_DIR must be set for bonsai support to work)
@@ -93,7 +109,7 @@ install:
 	$(foreach u,$(ALL_UTILS),$(if $($u),,$(error $u must be set to the full path of the utility)))
 	mkdir -p $(TINDERBOX_DIR)/examples
 	set -e ; \
-	for I in $(FILES); do \
+	for I in $(FILES) $(EXE_FILES); do \
 	  echo Installing $$I && \
           sed -e s#/usr/bonsaitools/bin/perl#$(PERL)#g \
               -e s#/tools/ns/bin/perl5#$(PERL)#g \
@@ -103,21 +119,18 @@ install:
               -e s#/d/webdocs/projects/bonsai#$(BONSAI_DIR)#g \
               -e s#\.\./bonsai#$(BONSAI_URL)#g \
               $$I > $(TINDERBOX_DIR)/$$I && \
-	  chmod 755 $(TINDERBOX_DIR)/$$I; \
+	   chmod 644 $(TINDERBOX_DIR)/$$I; \
 	done
+	chmod 755 $(addprefix $(TINDERBOX_DIR)/,$(EXE_FILES))
 	set -e ; \
 	for I in $(PICS); do \
 	  echo Installing $$I && \
 	  cp $$I $(TINDERBOX_DIR) && \
-	  chmod 755 $(TINDERBOX_DIR)/$$I; \
+	  chmod 644 $(TINDERBOX_DIR)/$$I; \
 	done
 	mkdir -p $(TINDERBOX_DIR)/data
-ifneq (,$(TINDERBOX_USER)$(TINDERBOX_GROUP))
 	chown -R $(TINDERBOX_USER) $(TINDERBOX_DIR)
 	chgrp -R $(TINDERBOX_GROUP) $(TINDERBOX_DIR)
 	chmod 755 $(TINDERBOX_DIR)
-	chmod 775 $(TINDERBOX_DIR)/data
+	chmod 770 $(TINDERBOX_DIR)/data
-else
+	chmod 770 $(TINDERBOX_DIR)/examples
-	chmod 777 $(TINDERBOX_DIR)
-	chmod 777 $(TINDERBOX_DIR)/data
-endif

webtools/tinderbox/doadmin.cgi

@@ -23,8 +23,9 @@
 
 require 'tbglobals.pl';
 
-umask 0666;
+umask 002;
-$perm = "0775"; # Permission of created files & dirs
+$perm = "0660"; # Permission of created files
+$dir_perm = "0770"; # Permission of created dirs
 
 # Process the form arguments
 %form = ();
@@ -124,10 +125,10 @@ sub create_tree {
     $bonsaitreename = $form{'bonsaitreename'};
 
     if( -r $treename ){
-        chmod(oct($perm), $treename);
+        chmod(oct($dir_perm), $treename);
     }
     else {
-        mkdir( $treename, oct($perm)) || die "<h1> Cannot mkdir $treename</h1>";
+        mkdir( $treename, oct($dir_perm)) || die "<h1> Cannot mkdir $treename</h1>";
     }
     open( F, ">$treename/treedata.pl" );
     print F "\$cvs_module='$modulename';\n";

webtools/tinderbox/processbuild.pl

@@ -23,7 +23,7 @@
 use Time::Local;
 require 'tbglobals.pl'; # for $gzip
 
-umask 0;
+umask 002;
 
 if ($ARGV[0] eq '--check-mail') {
   $only_check_mail = 1;

webtools/tinderbox/showbuilds.cgi

@@ -24,6 +24,8 @@ require 'tbglobals.pl';
 require 'imagelog.pl';
 require 'header.pl';
 
+umask 002;
+
 # Process the form arguments
 %form = ();
 &split_cgi_args();