From 8fb1786c1854de69b17cf1d47a202cdf4b133c80 Mon Sep 17 00:00:00 2001
From: southerntofu
Date: Tue, 28 Apr 2020 18:23:13 +0000
Subject: [PATCH] Allow forgehook group to read secrets in the db

---
 databases/unix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/databases/unix b/databases/unix
index 9e2ffa7..a79cc7f 100755
--- a/databases/unix
+++ b/databases/unix
@@ -217,8 +217,9 @@ secret_cmd() {
 fi
 owner="$(cat $db/."$rhex".owner)"
-if [[ "$owner" != "$user" ]]; then
-# TODO: when running with group forgehook, we don't exit because it's an endpoint asking
+db_owner="$(find /usr/local/bin/forgehook-db -maxdepth 0 -printf '%u')"
+if [[ "$owner" != "$user" ]] && [[ "$(id -gn $SUDO_GID)" != "$db_owner" ]]; then
+# TODO: when running with group forgehook, we don't exit because it's an endpoint asking (done?)
 echo "ERROR: Repository $r is owned by $owner"
 exit 1
 fi
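Review bot: `id -gn $SUDO_GID` on the new `if` line resolves a user, not a group — `id` treats a numeric argument as a UID, so this prints the primary group of whichever account has UID equal to SUDO_GID and only matches `db_owner` when the forgehook user and group happen to share a numeric id. Map the gid to its group name instead, e.g. `caller_group="$(getent group "${SUDO_GID:?not invoked via sudo}" | cut -d: -f1)"` followed by `if [[ "$owner" != "$user" ]] && [[ "$caller_group" != "$db_owner" ]]; then`. `$SUDO_GID` is also unquoted and unguarded: when unset, `id -gn` silently reports the current process's group, and if this script can ever be reached without sudo the variable is an ordinary environment value under the caller's control, so the `:?` guard (or an explicit "is SUDO_GID set" check) is what keeps the owner bypass limited to the forgehook group. Since `db_owner` holds a user name (`find -printf '%u'`) but is compared against a group name, a one-line comment such as `# relies on the forgehook user and group having the same name` would make the assumption visible; the `(done?)` left on the TODO should be resolved rather than left as a question. secret_cmd() begins before this hunk.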