search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cgi: remove a source of uninitialized variable warnings
[girocco.git] / jailsetup.sh
blob516b8384d463e9481605e5eb1edf07fe4b5fe2a6
1 #!/bin/sh
2 # The Girocco jail setup script
3 #
4 # If the first parameter is "dbonly", setup the database only
5 #
6 # We are designed to set up the chroot based on binaries from
7 # amd64 Debian lenny; some things may need slight modifications if
8 # being run on a different distribution.
9
10 set -e
11
12 . ./shlib.sh
13
14 dbonly=''
15 [ "$1" != "dbonly" ] || dbonly=1
16
17 reserved_users="root sshd mob $cfg_cgi_user $cfg_mirror_user"
18
19 # Verify we have all we neeed.
20 if ! getent passwd "$cfg_mirror_user" >/dev/null; then
21 echo "*** Error: You do not have \"$cfg_mirror_user\" user in system yet." >&2
22 exit 1
23 fi
24 if ! getent passwd "$cfg_cgi_user" >/dev/null; then
25 echo "*** Error: You do not have \"$cfg_cgi_user\" user in system yet." >&2
26 exit 1
27 fi
28 if [ -n "$dbonly" -a -z "$cfg_owning_group" ]; then
29 cfg_owning_group="$(getent passwd "$cfg_mirror_user" | cut -d : -f 4)"
30 elif ! getent group "$cfg_owning_group" >/dev/null; then
31 echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
32 exit 1
33 fi
34
35 umask 022
36 mkdir -p "$cfg_chroot"
37 cd "$cfg_chroot"
38 chmod 755 "$cfg_chroot" ||
39 echo "WARNING: Cannot chmod $cfg_chroot"
40
41 # Set up basic user/group configuration; if there is any already,
42 # we hope it's the same numbers and users.
43
44 mobpass=''
45 [ -n "$cfg_mob" ] || mobpass='x'
46 mkdir -p etc
47 if [ ! -s etc/passwd ]; then
48 cat >etc/passwd <<EOT
49 sshd:x:101:65534:priviledge separation:/var/run/sshd:/bin/false
50 $cfg_cgi_user:x:$(getent passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
51 $cfg_mirror_user:x:$(getent passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
52 mob:$mobpass:65538:$(getent group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
53 EOT
54 fi
55
56 if [ ! -s etc/group ]; then
57 cat >etc/group <<EOT
58 _repo:x:$(getent group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
59 EOT
60 fi
61
62 mkdir -p etc/sshkeys etc/sshcerts
63 for ruser in $reserved_users; do
64 touch etc/sshkeys/$ruser
65 done
66 chgrp $cfg_owning_group etc etc/sshkeys etc/sshcerts ||
67 echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
68 chgrp $cfg_owning_group etc/passwd ||
69 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
70 chgrp $cfg_owning_group etc/group ||
71 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
72 chmod g+s etc etc/sshkeys etc/sshcerts ||
73 echo "WARNING: Cannot chmod g+s the etc directories"
74 chmod g+w etc etc/sshkeys etc/sshcerts ||
75 echo "WARNING: Cannot chmod g+w the etc directories"
76 chmod g+w etc/passwd etc/group ||
77 echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
78 chmod -R g+w etc/sshkeys etc/sshcerts 2>/dev/null ||
79 echo "WARNING: Cannot chmod g+w the sshkeys and/or sshcerts files"
80
81 [ -z "$dbonly" ] || exit 0
82
83 chown root "$cfg_chroot"
84 chown $cfg_cgi_user etc etc/passwd etc/group
85 chown -R $cfg_cgi_user etc/sshkeys etc/sshcerts
86
87 # First, setup basic directory structure
88 mkdir -p bin dev etc lib sbin ${cfg_jailreporoot#/} var/run proc
89 rm -f usr lib64
90 ln -s . usr
91 ln -s lib lib64
92
93 # Seed up /dev:
94 rm -f dev/null dev/zero dev/random dev/urandom
95 mknod dev/null c 1 3
96 mknod dev/zero c 1 5
97 mknod dev/random c 1 8
98 mknod dev/urandom c 1 9
99 chmod a+rw dev/null dev/zero dev/random dev/urandom
100
101 # Set up sshd configuration:
102 mkdir -p var/run/sshd
103
104 mkdir -p etc/ssh
105 if [ ! -s etc/ssh/sshd_config ]; then
106 cat >etc/ssh/sshd_config <<EOT
107 Protocol 2
108 Port 22
109 UsePAM no
110 X11Forwarding no
111 PermitRootLogin no
112 UsePrivilegeSeparation yes
113
114 AuthorizedKeysFile /etc/sshkeys/%u
115 StrictModes no
116
117 # mob user:
118 PermitEmptyPasswords yes
119 ChallengeResponseAuthentication no
120 PasswordAuthentication yes
121 EOT
122 fi
123 if [ ! -s etc/ssh/ssh_host_dsa_key ]; then
124 yes | ssh-keygen -N "" -C Girocco -t dsa -f etc/ssh/ssh_host_dsa_key
125 fi
126 if [ ! -s etc/ssh/ssh_host_rsa_key ]; then
127 yes | ssh-keygen -N "" -C Girocco -t rsa -f etc/ssh/ssh_host_rsa_key
128 fi
129
130 # Bring in basic libraries:
131 rm -f lib/*
132 # ld.so:
133 cp -p -t lib /lib/ld-linux.so.2
134 [ ! -d /lib64 ] || cp -p -t lib /lib64/ld-linux-x86-64.so.2
135 # libc:
136 cp -p -t lib /lib/libc.so.6 /lib/libcrypt.so.1 /lib/libutil.so.1 /lib/libnsl.so.1 /lib/libnss_compat.so.2 /lib/libresolv.so.2 /lib/libdl.so.2 /lib/libgcc_s.so.1
137
138 # Now, bring in sshd and sh.
139
140 pull_in_bin() {
141 bin="$1"; dst="$2"
142 cp -p -t "$dst" "$bin"
143 # ...and all the dependencies.
144 ldd "$bin" | grep -v linux-gate | grep -v linux-vdso | grep -v ld-linux | grep '=>' | awk '{print $3}' | xargs -r -- cp -p -u -t lib
145 }
146
147 install -p "$cfg_basedir/bin/git-shell-verify" bin
148 install -p "$cfg_basedir/bin/can_user_push" bin
149 pull_in_bin /bin/sh bin
150 pull_in_bin /bin/nc.openbsd bin
151 pull_in_bin /bin/date bin
152 # If /sbin/sshd is already running within the chroot, we get Text file busy.
153 pull_in_bin /usr/sbin/sshd sbin || :
154
155 # ...and the bits of git we need.
156 for i in git git-index-pack git-receive-pack git-shell git-update-server-info git-upload-archive git-upload-pack git-unpack-objects git-show-ref git-config; do
157 if [ -e /usr/lib/git-core/$i ]; then
158 pull_in_bin /usr/lib/git-core/$i bin
159 elif [ -e /usr/libexec/git-core/$i ]; then
160 pull_in_bin /usr/libexec/git-core/$i bin
161 else
162 pull_in_bin /usr/bin/$i bin
163 fi
164 done
165
166 echo "--- Add to your boot scripts: mount --bind $cfg_reporoot $cfg_chroot/$cfg_jailreporoot"
167 echo "--- Add to your boot scripts: mount --bind /proc $cfg_chroot/proc"
168 echo "--- Add to your syslog configuration: listening on socket $cfg_chroot/dev/log"
The repo.or.cz duct tape "Girocco"