search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
projtool.pl: update and expand help
[girocco.git] / jailsetup.sh
blobe9b51a71a76c621ea06d525bfca37b3111f0e66a
1 #!/bin/sh
2 # The Girocco jail setup script
3 #
4 # If the first parameter is "dbonly", setup the database only
5 #
6 # We are designed to set up the chroot based on the output of
7 # `uname -s` by sourcing a suitable system-specific script.
8 # Unrecognized systems will generate an error. When using
9 # "dbonly" the setup of the chroot binaries is skipped so the
10 # output of `uname -s` does not matter in that case.
11
12 set -e
13
14 curdir="$(pwd)"
15 srcdir="$curdir/src"
16 getent="$srcdir/getent"
17 . ./shlib.sh
18
19 # find_std_utility should always come up with the full path to the standard
20 # version of the utility whose name is passed as "$1"
21 getconf="/usr/bin/getconf"
22 [ -x "$getconf" ] || getconf="/bin/getconf"
23 [ -x "$getconf" ] || getconf="getconf"
24 stdpath="$("unset" -f command; "command" "$getconf" "PATH" 2>/dev/null)" || :
25 ":" "${stdpath:=/bin:/usr/bin}"
26 stdpath="$stdpath:/sbin:/usr/sbin"
27 find_std_utility() (
28 "unset" -f unalias command "$1" >/dev/null 2>&1 || :
29 "unalias" -a >/dev/null 2>&1 || :
30 PATH="$stdpath" && "export" PATH || :
31 "command" -v "$1"
32 ) 2>/dev/null
33
34 dbonly=
35 [ "$1" != "dbonly" ] || dbonly=1
36
37 reserved_users="root sshd _sshd mob git lock bundle nobody everyone $cfg_cgi_user $cfg_mirror_user"
38
39 # Require either sshd or _sshd user unless "dbonly"
40 sshd_user=sshd
41 if ! "$getent" passwd sshd >/dev/null && ! "$getent" passwd _sshd >/dev/null; then
42 if [ -n "$dbonly" ]; then
43 if ! [ -s etc/passwd ]; then
44 # Only complain on initial etc/passwd creation
45 echo "WARNING: no sshd or _sshd user, omitting entries from chroot etc/passwd"
46 fi
47 sshd_user=
48 else
49 echo "*** Error: You do not have required sshd or _sshd user in system." >&2
50 exit 1
51 fi
52 else
53 "$getent" passwd sshd >/dev/null || sshd_user=_sshd
54 fi
55
56 # Verify we have all we need
57 if ! "$getent" passwd "$cfg_mirror_user" >/dev/null; then
58 echo "*** Error: You do not have \"$cfg_mirror_user\" user in system yet." >&2
59 exit 1
60 fi
61 if ! "$getent" passwd "$cfg_cgi_user" >/dev/null; then
62 echo "*** Error: You do not have \"$cfg_cgi_user\" user in system yet." >&2
63 exit 1
64 fi
65 if [ -n "$dbonly" ] && [ -z "$cfg_owning_group" ]; then
66 cfg_owning_group="$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 4)"
67 elif ! "$getent" group "$cfg_owning_group" >/dev/null; then
68 echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
69 exit 1
70 fi
71
72 # One last paranoid check before we go writing all over everything
73 if [ -z "$cfg_chroot" ] || [ "$cfg_chroot" = "/" ]; then
74 echo "*** Error: chroot location is not set or is invalid." >&2
75 echo "*** Error: perhaps you have an incorrect Config.pm?" >&2
76 exit 1
77 fi
78
79 umask 022
80 mkdir -p "$cfg_chroot"
81 cd "$cfg_chroot"
82 chmod 755 "$cfg_chroot" ||
83 echo "WARNING: Cannot chmod $cfg_chroot"
84
85 mkdir -p var/empty
86 chmod 0555 var/empty ||
87 echo "WARNING: Cannot chmod a=rx $cfg_chroot/var/empty"
88
89 # Set up basic user/group configuration; if there isn't any already
90 mobpass=
91 [ -n "$cfg_mob" ] || mobpass='x'
92 mkdir -p etc
93 if ! [ -s etc/passwd ]; then
94 cat >etc/passwd <<EOT
95 root:x:0:0:system administrator:/var/empty:/bin/false
96 nobody:x:$("$getent" passwd nobody | cut -d : -f 3-4):unprivileged user:/var/empty:/bin/false
97 EOT
98 [ -z "$sshd_user" ] || cat >>etc/passwd <<EOT
99 sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
100 _sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
101 EOT
102 [ "$cfg_cgi_user" = "$cfg_mirror_user" ] || cat >>etc/passwd <<EOT
103 $cfg_cgi_user:x:$("$getent" passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
104 EOT
105 cat >>etc/passwd <<EOT
106 $cfg_mirror_user:x:$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
107 everyone:x:65537:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):every user:/:/bin/false
108 mob:$mobpass:65538:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
109 git::65539:$("$getent" passwd nobody | cut -d : -f 4):read-only access:/:/bin/git-shell-verify
110 EOT
111 elif [ -z "$dbonly" ]; then
112 # Make sure an sshd entry is present
113 if ! grep -q '^sshd:' etc/passwd; then
114 echo "*** Error: chroot etc/passwd exists but lacks sshd entry." >&2
115 exit 1
116 fi
117 fi
118
119 if ! [ -s etc/group ]; then
120 cat >etc/group <<EOT
121 _repo:x:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
122 EOT
123 fi
124
125 # Set up basic default Git configuration
126 # Initialize one if none exists or update critical variables for an existing one
127 mkdir -p etc/girocco
128 didchmod=
129 if [ -e etc/girocco/.gitconfig ] && ! [ -f etc/girocco/.gitconfig ]; then
130 echo "*** Error: chroot etc/girocco/.gitconfig exists but is not a file." >&2
131 exit 1
132 fi
133 if [ -f etc/girocco/.gitconfig ]; then
134 gcerr=0
135 x="$(git config --file etc/girocco/.gitconfig --get "no--such--section.no such subsection.no--such--key")" || gcerr=$?
136 if [ $gcerr -gt 1 ]; then
137 echo "*** Error: chroot etc/girocco/.gitconfig exists but is corrupt." >&2
138 echo "*** Error: either remove it or edit it to correct the problem." >&2
139 exit 1
140 fi
141 fi
142 if ! [ -s etc/girocco/.gitconfig ]; then
143 chmod u+w etc/girocco
144 didchmod=1
145 cat >etc/girocco/.gitconfig <<EOT
146 # Any values set here will take effect whenever Girocco runs a git command
147
148 EOT
149 fi
150 # $1 => name, $2 => value, $3 => overwrite_flag
151 update_config_item() {
152 _existsnot=
153 _oldval=
154 _oldval="$(git config --file etc/girocco/.gitconfig --get "$1")" || _existsnot=1
155 if [ -z "$_existsnot" ]; then
156 [ -n "$3" ] || return 0
157 [ "$_oldval" != "$2" ] || return 0
158 fi
159 [ -n "$didchmod" ] || { chmod u+w etc/girocco; didchmod=1; }
160 git config --file etc/girocco/.gitconfig "$1" "$2"
161 if [ -n "$_existsnot" ]; then
162 echo "chroot: etc/girocco/.gitconfig: config $1: (created) \"$2\""
163 else
164 echo "chroot: etc/girocco/.gitconfig: config $1: \"$_oldval\" -> \"$2\""
165 fi
166 }
167 if [ -n "$cfg_git_no_mmap" ]; then
168 update_config_item core.packedGitWindowSize 1m 1
169 else
170 update_config_item core.packedGitWindowSize 32m 1
171 fi
172 if [ -n "$var_window_memory" ]; then
173 update_config_item pack.windowMemory "$var_window_memory" 1
174 fi
175 if [ -n "$cfg_jgit_compatible_bitmaps" ]; then
176 update_config_item pack.writeBitmapHashCache false 1
177 else
178 update_config_item pack.writeBitmapHashCache true 1
179 fi
180 update_config_item core.pager "cat" 1
181 update_config_item core.compression 5
182 update_config_item http.lowSpeedLimit 1
183 update_config_item http.lowSpeedTime 600
184 update_config_item receive.maxInputSize "${cfg_max_receive_size:-0}" 1
185 [ -z "$didchmod" ] || chmod a-w etc/girocco
186
187 mkdir -p etc/sshkeys etc/sshcerts etc/sshactive
188 for ruser in $reserved_users; do
189 touch etc/sshkeys/$ruser
190 done
191 chgrp $cfg_owning_group etc etc/sshkeys etc/sshcerts etc/sshactive ||
192 echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
193 chgrp $cfg_owning_group etc/passwd ||
194 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
195 chgrp $cfg_owning_group etc/group ||
196 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
197 chgrp $cfg_owning_group etc/girocco etc/girocco/.gitconfig ||
198 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/girocco"
199 chmod g+s etc etc/sshkeys etc/sshcerts etc/sshactive ||
200 echo "WARNING: Cannot chmod g+s the etc directories"
201 chmod g+w etc etc/sshkeys etc/sshcerts etc/sshactive ||
202 echo "WARNING: Cannot chmod g+w the etc directories"
203 chmod g+w etc/passwd etc/group ||
204 echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
205 chmod go-w etc/passwd etc/girocco etc/girocco/.gitconfig ||
206 echo "WARNING: Cannot chmod go-w etc/girocco and/or etc/girocco/.gitconfig"
207 chmod a-w etc/girocco ||
208 echo "WARNING: Cannot chmod a-w etc/girocco"
209 chmod -R g+w etc/sshkeys etc/sshcerts etc/sshactive 2>/dev/null ||
210 echo "WARNING: Cannot chmod g+w the sshkeys, sshcerts and/or sshactive files"
211
212 # Note time of last install
213 >etc/sshactive/_install
214
215 [ -z "$dbonly" ] || exit 0
216
217 # Make sure the system type is supported for chroot
218 sysname="$(uname -s | tr A-Z a-z)" || :
219 : ${sysname:=linux}
220 nosshdir=
221 # These equivalents may need to be expanded at some point
222 case "$sysname" in
223 *kfreebsd*)
224 sysname=linux;;
225 *darwin*)
226 sysname=darwin;;
227 *dragonfly*)
228 sysname=dragonfly;;
229 *freebsd*)
230 sysname=freebsd;;
231 *linux*)
232 sysname=linux;;
233 esac
234
235 chrootsetup="$curdir/chrootsetup_$sysname.sh"
236 if ! [ -f "$chrootsetup" ] || ! [ -r "$chrootsetup" ] || ! [ -s "$chrootsetup" ]; then
237 echo "*** Error: $chrootsetup not found" >&2
238 echo "*** Error: creating a chroot for a $(uname -s) system is not supported" >&2
239 exit 1
240 fi
241
242 # validate reporoot, chroot, jailreporoot and sshd_bin before doing anything more
243
244 # validates the passed in dir if a second argument is not empty dir must NOT
245 # start with / otherwise it must. A trailing '/' is removed and any duplicated
246 # // are removed and a sole / or empty is disallowed.
247 make_valid_dir() {
248 _check="$(echo "$1" | tr -s /)"
249 _check="${_check%/}"
250 [ -n "$_check" ] && [ "$_check" != "/" ] || return 1
251 if [ -z "$2" ]; then
252 # must start with '/'
253 case "$_check" in /*) :;; *) return 1; esac
254 else
255 # must NOT start with '/'
256 case "$_check" in /*) return 1; esac
257 fi
258 echo "$_check"
259 }
260
261 if ! reporoot="$(make_valid_dir "$cfg_reporoot")"; then
262 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
263 echo "*** Error: MUST start with '/' and MUST NOT be '/'" >&2
264 exit 1
265 fi
266 if ! chroot="$(make_valid_dir "$cfg_chroot")"; then
267 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
268 echo "*** Error: MUST start with '/' and MUST NOT be '/'" >&2
269 exit 1
270 fi
271 if ! jailreporoot="$(make_valid_dir "$cfg_jailreporoot" 1)"; then
272 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
273 echo "*** Error: MUST NOT start with '/' and MUST NOT be ''" >&2
274 exit 1
275 fi
276
277 # chroot MUST NOT be reporoot
278 if [ "$chroot" = "$reporoot" ]; then
279 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
280 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
281 echo "*** Error: reporoot and chroot MUST NOT be the same" >&2
282 exit 1
283 fi
284
285 # chroot MUST NOT be a subdirectory of reporoot
286 case "$chroot" in "$reporoot"/*)
287 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
288 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
289 echo "*** Error: chroot MUST NOT be a subdirectory of reporoot" >&2
290 exit 1
291 esac
292
293 # chroot/jailreporoot MUST NOT be a subdirectory of reporoot
294 case "$chroot/$jailreporoot" in "$reporoot"/*)
295 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
296 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
297 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
298 echo "*** Error: chroot/jailreporoot MUST NOT be a subdirectory of reporoot" >&2
299 exit 1
300 esac
301
302 # reporoot MUST NOT be a subdirectory of chroot/jailreporoot
303 case "$reporoot" in "$chroot/$jailreporoot"/*)
304 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
305 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
306 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
307 echo "*** Error: reporoot MUST NOT be a subdirectory of chroot/jailreporoot" >&2
308 exit 1
309 esac
310
311 # sshd_bin MUST be undef (or empty) or a full absolute path
312 sshd_bin_bad=
313 case "$cfg_sshd_bin" in *"/../"*) sshd_bin_bad=1;; ""|/?*) :;; *) sshd_bin_bad=1;; esac
314 [ -z "$sshd_bin_bad" ] || {
315 echo "*** Error: invalid Config::sshd_bin $cfg_sshd_bin" >&2
316 echo "*** Error: if set, sshd_bin must be an absolute path" >&2
317 exit 1
318 }
319 sshd_bin="$cfg_sshd_bin"
320 [ -n "$sshd_bin" ] || sshd_bin="$(find_std_utility "sshd")" || {
321 echo "*** Error: Config::sshd_bin is not set and no sshd could be found" >&2
322 echo "*** Error: please set Config::sshd_bin to an absolute path to sshd" >&2
323 exit 1
324 }
325 [ -x "$sshd_bin" ] && [ -r "$sshd_bin" ] && [ -f "$sshd_bin" ] || {
326 echo "*** Error: the selected sshd ('$sshd_bin') was not found, not readable or not executable" >&2
327 exit 1
328 }
329
330 # Set the user and group on the top of the chroot before creating anything else
331 chown 0:0 "$chroot"
332
333 # When we create a fork, the alternates always have an absolute path.
334 # If reporoot is not --bind mounted at the same location in chroot we must
335 # create a suitable symlink so the absolute path alternates continue to work
336 # in the ssh chroot or else forks will be broken in there.
337 if [ "$reporoot" != "/$jailreporoot" ]; then
338 mkdirp="$(dirname "${reporoot#/}")"
339 [ "$mkdirp" = "." ] && mkdirp=
340 lnback=
341 [ -z "$mkdirp" ] || lnback="$(echo "$mkdirp/" | sed -e 's,[^/]*/,../,g')"
342 [ -z "$mkdirp" ] || mkdir -p "$chroot/$mkdirp"
343 (umask 0; ln -s -f -n "$lnback$jailreporoot" "$chroot$reporoot")
344 [ $? -eq 0 ] || exit 1
345 fi
346
347 # First, setup basic platform-independent directory structure
348 mkdir -p bin dev etc lib sbin var/empty var/run "$jailreporoot"
349 chmod 0555 var/empty
350 rm -rf usr local
351 ln -s . usr
352 ln -s . local
353
354 # Now source the platform-specific script that is responsible for dev device
355 # setup, proc setup (if needed), lib64 setup (if needed) and basic library
356 # installation to make a chroot operational. Additionally it will define a
357 # pull_in_bin function that can be used to add executables and their library
358 # dependencies to the chroot and finally will install a suitable nc.openbsd
359 # compatible version of netcat that supports connections to unix sockets.
360 . "$chrootsetup"
361
362 # Now, bring in sshd, sh etc.
363 # The $chrootsetup script should have already provided a suitable nc.openbsd
364 install -p "$cfg_basedir/bin/git-shell-verify" bin/git-shell-verify.new
365 install -p "$cfg_basedir/bin/git-askpass-password" bin/git-askpass-password.new
366 perl -i -p \
367 -e 's|^#!.*|#!/bin/sh| if $. == 1;' \
368 -e 'close ARGV if eof;' \
369 bin/git-shell-verify.new bin/git-askpass-password.new
370 mv -f bin/git-askpass-password.new bin/git-askpass-password
371 mv -f bin/git-shell-verify.new bin/git-shell-verify
372 pull_in_bin "$cfg_basedir/bin/can_user_push" bin
373 pull_in_bin "$cfg_basedir/bin/list_packs" bin
374 pull_in_bin "$var_sh_bin" bin/sh
375 # be paranoid since these are going into the chroot and make sure
376 # that we get the "standard" versions of them (they are all standard "POSIX"
377 # utilities) not some wayward version picked up by a haphazard PATH
378 pull_in_bin "$(find_std_utility cat )" bin
379 pull_in_bin "$(find_std_utility chmod )" bin
380 pull_in_bin "$(find_std_utility date )" bin
381 pull_in_bin "$(find_std_utility find )" bin
382 pull_in_bin "$(find_std_utility mkdir )" bin
383 pull_in_bin "$(find_std_utility mv )" bin
384 pull_in_bin "$(find_std_utility rm )" bin
385 pull_in_bin "$(find_std_utility sleep )" bin
386 pull_in_bin "$(find_std_utility touch )" bin
387 pull_in_bin "$(find_std_utility tr )" bin
388 pull_in_bin "$(find_std_utility wc )" bin
389 # this one's already been validated and might be in a non-standard location
390 pull_in_bin "$sshd_bin" sbin
391
392 # ...and the bits of git we need,
393 # being sure to use the configured git and its --exec-path to find the pieces
394 for i in git git-index-pack git-receive-pack git-shell git-update-server-info \
395 git-upload-archive git-upload-pack git-unpack-objects git-config \
396 git-for-each-ref git-rev-list git-rev-parse git-symbolic-ref; do
397 pull_in_bin "$var_git_exec_path/$i" bin git
398 done
399
400 # ...and any extras identified by install.sh
401 # these are also all standard "POSIX" utilities
402 # ones that a decent sh implementation would have built-in already...
403 if [ -n "$GIROCCO_CHROOT_EXTRA_INSTALLS" ]; then
404 for i in $GIROCCO_CHROOT_EXTRA_INSTALLS; do
405 pull_in_bin "$(find_std_utility "$(basename "$i")")" bin
406 done
407 fi
408
409 # Note time of last jailsetup
410 >etc/sshactive/_jailsetup
411
412 # Update permissions on the database files
413 chown $cfg_cgi_user:$cfg_owning_group etc/passwd etc/group
414 chown -R $cfg_cgi_user:$cfg_owning_group etc/sshkeys etc/sshcerts etc/sshactive
415 chown $cfg_mirror_user:$cfg_owning_group etc etc/girocco etc/girocco/.gitconfig
416
417 # Set up basic sshd configuration:
418 if [ -n "$nosshdir" ]; then
419 rm -rf etc/ssh
420 ln -s . etc/ssh
421 ! [ -f /etc/moduli ] || { cp -p /etc/moduli etc/; chown 0:0 etc/moduli; }
422 else
423 ! [ -e etc/ssh ] || [ -d etc/ssh ] || rm -rf etc/ssh
424 mkdir -p etc/ssh
425 ! [ -f /etc/ssh/moduli ] || { cp -p /etc/ssh/moduli etc/ssh/; chown 0:0 etc/ssh/moduli; }
426 fi
427 mkdir -p var/run/sshd
428 if ! [ -s etc/ssh/sshd_config ]; then
429 cat >etc/ssh/sshd_config <<EOT
430 Protocol 2
431 Port $cfg_sshd_jail_port
432 UsePAM no
433 X11Forwarding no
434 AllowAgentForwarding no
435 AllowTcpForwarding no
436 PermitTunnel no
437 IgnoreUserKnownHosts yes
438 PrintLastLog no
439 PrintMotd no
440 UseDNS no
441 PermitRootLogin no
442 UsePrivilegeSeparation yes
443
444 HostKey /etc/ssh/ssh_host_rsa_key
445 EOT
446 if [ -z "$cfg_disable_dsa" ]; then
447 cat >>etc/ssh/sshd_config <<EOT
448 HostKey /etc/ssh/ssh_host_dsa_key
449 EOT
450 fi
451 cat >>etc/ssh/sshd_config <<EOT
452 AuthorizedKeysFile /etc/sshkeys/%u
453 StrictModes no
454
455 # mob and git users:
456 PermitEmptyPasswords yes
457 ChallengeResponseAuthentication no
458 PasswordAuthentication yes
459 EOT
460 fi
461 if ! [ -s etc/ssh/ssh_host_rsa_key ]; then
462 bits=2048
463 if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
464 bits="$cfg_rsakeylength"
465 fi
466 yes | ssh-keygen -b "$bits" -t rsa -N "" -C Girocco -f etc/ssh/ssh_host_rsa_key
467 fi
468 if [ -z "$cfg_disable_dsa" ] && ! [ -s etc/ssh/ssh_host_dsa_key ]; then
469 # ssh-keygen can only create 1024 bit DSA keys
470 yes | ssh-keygen -b 1024 -t dsa -N "" -C Girocco -f etc/ssh/ssh_host_dsa_key
471 fi
472
473 # Set the final permissions on the binaries and perform any final twiddling
474 chroot_update_permissions
475
476 # Change the owner of the sshd-related files
477 chown 0:0 etc/ssh/ssh_* etc/ssh/sshd_*
478
479 echo "--- Add to your boot scripts: mount --bind $reporoot $chroot/$jailreporoot"
480 echo "--- Add to your boot scripts: mount --bind /proc $chroot/proc"
481 echo "--- Add to your syslog configuration: listening on socket $chroot/dev/log"
482 echo "--- To restart a running jail's sshd: sudo kill -HUP \$(cat $chroot/var/run/sshd.pid)"
The repo.or.cz duct tape "Girocco"