search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
markdown.git: pick up new UTF-8 version w/ fixes
[girocco.git] / jailsetup.sh
blob3e7387c4813519b043e152f862e6fe52ffc5fad3
1 #!/bin/sh
2 # The Girocco jail setup script
3 #
4 # If the first parameter is "dbonly", setup the database only
5 #
6 # We are designed to set up the chroot based on the output of
7 # `uname -s` by sourcing a suitable system-specific script.
8 # Unrecognized systems will generate an error. When using
9 # "dbonly" the setup of the chroot binaries is skipped so the
10 # output of `uname -s` does not matter in that case.
11
12 set -e
13
14 curdir="`pwd`"
15 srcdir="$curdir/src"
16 getent="$srcdir/getent"
17 . ./shlib.sh
18
19 # find_std_utility should always come up with the full path to the standard
20 # version of the utility who's name is passed as "$1"
21 getconf="/usr/bin/getconf"
22 [ -x "$getconf" ] || getconf="/bin/getconf"
23 [ -x "$getconf" ] || getconf="getconf"
24 stdpath="$("unset" -f command; "command" "$getconf" "PATH" 2>/dev/null || :)"
25 ":" "${stdpath:=/bin:/usr/bin}"
26 stdpath="$stdpath:/sbin:/usr/sbin"
27 find_std_utility() (
28 "unset" -f unalias command "$1" >/dev/null 2>&1 || :
29 "unalias" -a >/dev/null 2>&1 || :
30 PATH="$stdpath" && "export" PATH || :
31 "command" -v "$1"
32 ) 2>/dev/null
33
34 dbonly=''
35 [ "$1" != "dbonly" ] || dbonly=1
36
37 reserved_users="root sshd _sshd mob git lock bundle nobody everyone $cfg_cgi_user $cfg_mirror_user"
38
39 # Require either sshd or _sshd user unless "dbonly"
40 sshd_user=sshd
41 if ! "$getent" passwd sshd >/dev/null && ! "$getent" passwd _sshd >/dev/null; then
42 if [ -n "$dbonly" ]; then
43 if [ ! -s etc/passwd ]; then
44 # Only complain on initial etc/passwd creation
45 echo "WARNING: no sshd or _sshd user, omitting entries from chroot etc/passwd"
46 fi
47 sshd_user=
48 else
49 echo "*** Error: You do not have required sshd or _sshd user in system." >&2
50 exit 1
51 fi
52 else
53 "$getent" passwd sshd >/dev/null || sshd_user=_sshd
54 fi
55
56 # Verify we have all we need
57 if ! "$getent" passwd "$cfg_mirror_user" >/dev/null; then
58 echo "*** Error: You do not have \"$cfg_mirror_user\" user in system yet." >&2
59 exit 1
60 fi
61 if ! "$getent" passwd "$cfg_cgi_user" >/dev/null; then
62 echo "*** Error: You do not have \"$cfg_cgi_user\" user in system yet." >&2
63 exit 1
64 fi
65 if [ -n "$dbonly" -a -z "$cfg_owning_group" ]; then
66 cfg_owning_group="$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 4)"
67 elif ! "$getent" group "$cfg_owning_group" >/dev/null; then
68 echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
69 exit 1
70 fi
71
72 # One last paranoid check before we go writing all over everything
73 if [ -z "$cfg_chroot" -o "$cfg_chroot" = "/" ]; then
74 echo "*** Error: chroot location is not set or is invalid." >&2
75 echo "*** Error: perhaps you have an incorrect Config.pm?" >&2
76 exit 1
77 fi
78
79 umask 022
80 mkdir -p "$cfg_chroot"
81 cd "$cfg_chroot"
82 chmod 755 "$cfg_chroot" ||
83 echo "WARNING: Cannot chmod $cfg_chroot"
84
85 mkdir -p var/empty
86 chmod 0555 var/empty ||
87 echo "WARNING: Cannot chmod a=rx $cfg_chroot/var/empty"
88
89 # Set up basic user/group configuration; if there isn't any already
90 mobpass=''
91 [ -n "$cfg_mob" ] || mobpass='x'
92 mkdir -p etc
93 if [ ! -s etc/passwd ]; then
94 cat >etc/passwd <<EOT
95 root:x:0:0:system administrator:/var/empty:/bin/false
96 nobody:x:$("$getent" passwd nobody | cut -d : -f 3-4):unprivileged user:/var/empty:/bin/false
97 EOT
98 [ -z "$sshd_user" ] || cat >>etc/passwd <<EOT
99 sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
100 _sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
101 EOT
102 [ "$cfg_cgi_user" = "$cfg_mirror_user" ] || cat >>etc/passwd <<EOT
103 $cfg_cgi_user:x:$("$getent" passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
104 EOT
105 cat >>etc/passwd <<EOT
106 $cfg_mirror_user:x:$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
107 everyone:x:65537:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):every user:/:/bin/false
108 mob:$mobpass:65538:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
109 git::65539:$("$getent" passwd nobody | cut -d : -f 4):read-only access:/:/bin/git-shell-verify
110 EOT
111 elif [ -z "$dbonly" ]; then
112 # Make sure an sshd entry is present
113 if ! grep -q '^sshd:' etc/passwd; then
114 echo "*** Error: chroot etc/passwd exists but lacks sshd entry." >&2
115 exit 1
116 fi
117 fi
118
119 if [ ! -s etc/group ]; then
120 cat >etc/group <<EOT
121 _repo:x:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
122 EOT
123 fi
124
125 # Set up basic default Git configuration
126 # Initialize one if none exists or update critical variables for an existing one
127 mkdir -p etc/girocco
128 didchmod=
129 if [ -e etc/girocco/.gitconfig ] && ! [ -f etc/girocco/.gitconfig ]; then
130 echo "*** Error: chroot etc/girocco/.gitconfig exists but is not a file." >&2
131 exit 1
132 fi
133 if [ -f etc/girocco/.gitconfig ]; then
134 gcerr=0
135 x="$(git config --file etc/girocco/.gitconfig --get "no--such--section.no such subsection.no--such--key")" || gcerr=$?
136 if [ $gcerr -gt 1 ]; then
137 echo "*** Error: chroot etc/girocco/.gitconfig exists but is corrupt." >&2
138 echo "*** Error: either remove it or edit it to correct the problem." >&2
139 exit 1
140 fi
141 fi
142 if [ ! -s etc/girocco/.gitconfig ]; then
143 chmod u+w etc/girocco
144 didchmod=1
145 cat >etc/girocco/.gitconfig <<EOT
146 # Any values set here will take effect whenever Girocco runs a git command
147
148 EOT
149 fi
150 # $1 => name, $2 => value, $3 => overwrite_flag
151 update_config_item() {
152 _existsnot=
153 _oldval=
154 _oldval="$(git config --file etc/girocco/.gitconfig --get "$1")" || _existsnot=1
155 if [ -z "$_existsnot" ]; then
156 [ -n "$3" ] || return 0
157 [ "$_oldval" != "$2" ] || return 0
158 fi
159 [ -n "$didchmod" ] || { chmod u+w etc/girocco; didchmod=1; }
160 git config --file etc/girocco/.gitconfig "$1" "$2"
161 if [ -n "$_existsnot" ]; then
162 echo "chroot: etc/girocco/.gitconfig: config $1: (created) \"$2\""
163 else
164 echo "chroot: etc/girocco/.gitconfig: config $1: \"$_oldval\" -> \"$2\""
165 fi
166 }
167 if [ -n "$cfg_git_no_mmap" ]; then
168 update_config_item core.packedGitWindowSize 1m 1
169 else
170 update_config_item core.packedGitWindowSize 32m 1
171 fi
172 if [ -n "$var_window_memory" ]; then
173 update_config_item pack.windowMemory "$var_window_memory" 1
174 fi
175 if [ -n "$cfg_jgit_compatible_bitmaps" ]; then
176 update_config_item pack.writeBitmapHashCache false 1
177 else
178 update_config_item pack.writeBitmapHashCache true 1
179 fi
180 update_config_item http.lowSpeedLimit 1
181 update_config_item http.lowSpeedTime 600
182 update_config_item receive.maxInputSize "${cfg_max_receive_size:-0}" 1
183 [ -z "$didchmod" ] || chmod a-w etc/girocco
184
185 mkdir -p etc/sshkeys etc/sshcerts etc/sshactive
186 for ruser in $reserved_users; do
187 touch etc/sshkeys/$ruser
188 done
189 chgrp $cfg_owning_group etc etc/sshkeys etc/sshcerts etc/sshactive ||
190 echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
191 chgrp $cfg_owning_group etc/passwd ||
192 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
193 chgrp $cfg_owning_group etc/group ||
194 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
195 chgrp $cfg_owning_group etc/girocco etc/girocco/.gitconfig ||
196 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/girocco"
197 chmod g+s etc etc/sshkeys etc/sshcerts etc/sshactive ||
198 echo "WARNING: Cannot chmod g+s the etc directories"
199 chmod g+w etc etc/sshkeys etc/sshcerts etc/sshactive ||
200 echo "WARNING: Cannot chmod g+w the etc directories"
201 chmod g+w etc/passwd etc/group ||
202 echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
203 chmod go-w etc/passwd etc/girocco etc/girocco/.gitconfig ||
204 echo "WARNING: Cannot chmod go-w etc/girocco and/or etc/girocco/.gitconfig"
205 chmod a-w etc/girocco ||
206 echo "WARNING: Cannot chmod a-w etc/girocco"
207 chmod -R g+w etc/sshkeys etc/sshcerts etc/sshactive 2>/dev/null ||
208 echo "WARNING: Cannot chmod g+w the sshkeys, sshcerts and/or sshactive files"
209
210 # Note time of last install
211 > etc/sshactive/_install
212
213 [ -z "$dbonly" ] || exit 0
214
215 # Make sure the system type is supported for chroot
216 sysname="$(uname -s | tr A-Z a-z || :)"
217 : ${sysname:=linux}
218 nosshdir=
219 # These equivalents may need to be expanded at some point
220 case "$sysname" in
221 *kfreebsd*)
222 sysname=linux;;
223 *darwin*)
224 sysname=darwin;;
225 *dragonfly*)
226 sysname=dragonfly;;
227 *freebsd*)
228 sysname=freebsd;;
229 *linux*)
230 sysname=linux;;
231 esac
232
233 chrootsetup="$curdir/chrootsetup_$sysname.sh"
234 if ! [ -r "$chrootsetup" -a -s "$chrootsetup" ]; then
235 echo "*** Error: $chrootsetup not found" >&2
236 echo "*** Error: creating a chroot for a `uname -s` system is not supported" >&2
237 exit 1
238 fi
239
240 # validate reporoot, chroot, jailreporoot and sshd_bin before doing anything more
241
242 # validates the passed in dir if a second argument is not empty dir must NOT
243 # start with / otherwise it must. A trailing '/' is removed and any duplicated
244 # // are removed and a sole / or empty is disallowed.
245 make_valid_dir() {
246 _check="$(echo "$1" | tr -s /)"
247 _check="${_check%/}"
248 [ -z "$_check" -o "$_check" = "/" ] && return 1
249 if [ -z "$2" ]; then
250 # must start with '/'
251 case "$_check" in /*) :;; *) return 1; esac
252 else
253 # must NOT start with '/'
254 case "$_check" in /*) return 1; esac
255 fi
256 echo "$_check"
257 }
258
259 if ! reporoot="$(make_valid_dir "$cfg_reporoot")"; then
260 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
261 echo "*** Error: MUST start with '/' and MUST NOT be '/'" >&2
262 exit 1
263 fi
264 if ! chroot="$(make_valid_dir "$cfg_chroot")"; then
265 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
266 echo "*** Error: MUST start with '/' and MUST NOT be '/'" >&2
267 exit 1
268 fi
269 if ! jailreporoot="$(make_valid_dir "$cfg_jailreporoot" 1)"; then
270 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
271 echo "*** Error: MUST NOT start with '/' and MUST NOT be ''" >&2
272 exit 1
273 fi
274
275 # chroot MUST NOT be reporoot
276 if [ "$chroot" = "$reporoot" ]; then
277 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
278 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
279 echo "*** Error: reporoot and chroot MUST NOT be the same" >&2
280 exit 1
281 fi
282
283 # chroot MUST NOT be a subdirectory of reporoot
284 case "$chroot" in "$reporoot"/*)
285 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
286 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
287 echo "*** Error: chroot MUST NOT be a subdirectory of reporoot" >&2
288 exit 1
289 esac
290
291 # chroot/jailreporoot MUST NOT be a subdirectory of reporoot
292 case "$chroot/$jailreporoot" in "$reporoot"/*)
293 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
294 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
295 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
296 echo "*** Error: chroot/jailreporoot MUST NOT be a subdirectory of reporoot" >&2
297 exit 1
298 esac
299
300 # reporoot MUST NOT be a subdirectory of chroot/jailreporoot
301 case "$reporoot" in "$chroot/$jailreporoot"/*)
302 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
303 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
304 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
305 echo "*** Error: reporoot MUST NOT be a subdirectory of chroot/jailreporoot" >&2
306 exit 1
307 esac
308
309 # sshd_bin MUST be undef (or empty) or a full absolute path
310 sshd_bin_bad=
311 case "$cfg_sshd_bin" in *"/../"*) sshd_bin_bad=1;; ""|/?*) :;; *) sshd_bin_bad=1;; esac
312 [ -z "$sshd_bin_bad" ] || {
313 echo "*** Error: invalid Config::sshd_bin $cfg_sshd_bin" >&2
314 echo "*** Error: if set, sshd_bin must be an absolute path" >&2
315 exit 1
316 }
317 sshd_bin="$cfg_sshd_bin"
318 [ -n "$sshd_bin" ] || sshd_bin="$(find_std_utility "sshd")" || {
319 echo "*** Error: Config::sshd_bin is not set and no sshd could be found" >&2
320 echo "*** Error: please set Config::sshd_bin to an absolute path to sshd" >&2
321 exit 1
322 }
323 [ -x "$sshd_bin" ] && [ -r "$sshd_bin" ] && [ -f "$sshd_bin" ] || {
324 echo "*** Error: the selected sshd ('$sshd_bin') was not found, not readable or not executable" >&2
325 exit 1
326 }
327
328 # Set the user and group on the top of the chroot before creating anything else
329 chown 0:0 "$chroot"
330
331 # When we create a fork, the alternates always have an absolute path.
332 # If reporoot is not --bind mounted at the same location in chroot we must
333 # create a suitable symlink so the absolute path alternates continue to work
334 # in the ssh chroot or else forks will be broken in there.
335 if [ "$reporoot" != "/$jailreporoot" ]; then
336 mkdirp="$(dirname "${reporoot#/}")"
337 [ "$mkdirp" = "." ] && mkdirp=
338 lnback=
339 [ -z "$mkdirp" ] || lnback="$(echo "$mkdirp/" | sed -e 's,[^/]*/,../,g')"
340 [ -z "$mkdirp" ] || mkdir -p "$chroot/$mkdirp"
341 (umask 0; ln -s -f -n "$lnback$jailreporoot" "$chroot$reporoot")
342 [ $? -eq 0 ] || exit 1
343 fi
344
345 # First, setup basic platform-independent directory structure
346 mkdir -p bin dev etc lib sbin var/empty var/run "$jailreporoot"
347 chmod 0555 var/empty
348 rm -rf usr local
349 ln -s . usr
350 ln -s . local
351
352 # Now source the platform-specific script that is responsible for dev device
353 # setup, proc setup (if needed), lib64 setup (if needed) and basic library
354 # installation to make a chroot operational. Additionally it will define a
355 # pull_in_bin function that can be used to add executables and their library
356 # dependencies to the chroot and finally will install a suitable nc.openbsd
357 # compatible version of netcat that supports connections to unix sockets.
358 . "$chrootsetup"
359
360 # Now, bring in sshd, sh etc.
361 # The $chrootsetup script should have already provided a suitable nc.openbsd
362 install -p "$cfg_basedir/bin/git-shell-verify" bin/git-shell-verify.new
363 install -p "$cfg_basedir/bin/git-askpass-password" bin/git-askpass-password.new
364 perl -i -p \
365 -e 's|^#!.*|#!/bin/sh| if $. == 1;' \
366 -e 'close ARGV if eof;' \
367 bin/git-shell-verify.new bin/git-askpass-password.new
368 mv -f bin/git-askpass-password.new bin/git-askpass-password
369 mv -f bin/git-shell-verify.new bin/git-shell-verify
370 pull_in_bin "$cfg_basedir/bin/can_user_push" bin
371 pull_in_bin "$cfg_basedir/bin/list_packs" bin
372 pull_in_bin "$var_sh_bin" bin/sh
373 # be paranoid since these are going into the chroot and make sure
374 # that we get the "standard" versions of them (they are all standard "POSIX"
375 # utilities) not some wayward version picked up by a haphazard PATH
376 pull_in_bin "$(find_std_utility chmod )" bin
377 pull_in_bin "$(find_std_utility date )" bin
378 pull_in_bin "$(find_std_utility find )" bin
379 pull_in_bin "$(find_std_utility mkdir )" bin
380 pull_in_bin "$(find_std_utility mv )" bin
381 pull_in_bin "$(find_std_utility rm )" bin
382 pull_in_bin "$(find_std_utility sleep )" bin
383 pull_in_bin "$(find_std_utility touch )" bin
384 pull_in_bin "$(find_std_utility tr )" bin
385 pull_in_bin "$(find_std_utility wc )" bin
386 pull_in_bin "$(find_std_utility xargs )" bin
387 # this one's already been validated and might be in a non-standard location
388 pull_in_bin "$sshd_bin" sbin
389
390 # ...and the bits of git we need,
391 # being sure to use the configured git and its --exec-path to find the pieces
392 for i in git git-index-pack git-receive-pack git-shell git-update-server-info \
393 git-upload-archive git-upload-pack git-unpack-objects git-config \
394 git-for-each-ref git-rev-list git-rev-parse git-symbolic-ref; do
395 pull_in_bin "$var_git_exec_path/$i" bin git
396 done
397
398 # ...and any extras identified by install.sh
399 # these are also all standard "POSIX" utilities
400 # ones that a decent sh implementation would have built-in already...
401 if [ -n "$GIROCCO_CHROOT_EXTRA_INSTALLS" ]; then
402 for i in $GIROCCO_CHROOT_EXTRA_INSTALLS; do
403 pull_in_bin "$(find_std_utility "$(basename "$i")")" bin
404 done
405 fi
406
407 # Note time of last jailsetup
408 > etc/sshactive/_jailsetup
409
410 # Update permissions on the database files
411 chown $cfg_cgi_user:$cfg_owning_group etc/passwd etc/group
412 chown -R $cfg_cgi_user:$cfg_owning_group etc/sshkeys etc/sshcerts etc/sshactive
413 chown $cfg_mirror_user:$cfg_owning_group etc etc/girocco etc/girocco/.gitconfig
414
415 # Set up basic sshd configuration:
416 if [ -n "$nosshdir" ]; then
417 rm -rf etc/ssh
418 ln -s . etc/ssh
419 [ ! -f /etc/moduli ] || { cp -p /etc/moduli etc/; chown 0:0 etc/moduli; }
420 else
421 [ ! -e etc/ssh -o -d etc/ssh ] || rm -rf etc/ssh
422 mkdir -p etc/ssh
423 [ ! -f /etc/ssh/moduli ] || { cp -p /etc/ssh/moduli etc/ssh/; chown 0:0 etc/ssh/moduli; }
424 fi
425 mkdir -p var/run/sshd
426 if [ ! -s etc/ssh/sshd_config ]; then
427 cat >etc/ssh/sshd_config <<EOT
428 Protocol 2
429 Port $cfg_sshd_jail_port
430 UsePAM no
431 X11Forwarding no
432 AllowAgentForwarding no
433 AllowTcpForwarding no
434 PermitTunnel no
435 IgnoreUserKnownHosts yes
436 PrintLastLog no
437 PrintMotd no
438 UseDNS no
439 PermitRootLogin no
440 UsePrivilegeSeparation yes
441
442 HostKey /etc/ssh/ssh_host_rsa_key
443 EOT
444 if [ -z "$cfg_disable_dsa" ]; then
445 cat >>etc/ssh/sshd_config <<EOT
446 HostKey /etc/ssh/ssh_host_dsa_key
447 EOT
448 fi
449 cat >>etc/ssh/sshd_config <<EOT
450 AuthorizedKeysFile /etc/sshkeys/%u
451 StrictModes no
452
453 # mob and git users:
454 PermitEmptyPasswords yes
455 ChallengeResponseAuthentication no
456 PasswordAuthentication yes
457 EOT
458 fi
459 if [ ! -s etc/ssh/ssh_host_rsa_key ]; then
460 bits=2048
461 if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
462 bits="$cfg_rsakeylength"
463 fi
464 yes | ssh-keygen -b "$bits" -t rsa -N "" -C Girocco -f etc/ssh/ssh_host_rsa_key
465 fi
466 if [ -z "$cfg_disable_dsa" -a ! -s etc/ssh/ssh_host_dsa_key ]; then
467 # ssh-keygen can only create 1024 bit DSA keys
468 yes | ssh-keygen -b 1024 -t dsa -N "" -C Girocco -f etc/ssh/ssh_host_dsa_key
469 fi
470
471 # Set the final permissions on the binaries and perform any final twiddling
472 chroot_update_permissions
473
474 # Change the owner of the sshd-related files
475 chown 0:0 etc/ssh/ssh_* etc/ssh/sshd_*
476
477 echo "--- Add to your boot scripts: mount --bind $reporoot $chroot/$jailreporoot"
478 echo "--- Add to your boot scripts: mount --bind /proc $chroot/proc"
479 echo "--- Add to your syslog configuration: listening on socket $chroot/dev/log"
480 echo "--- To restart a running jail's sshd: sudo kill -HUP \`cat $chroot/var/run/sshd.pid\`"
The repo.or.cz duct tape "Girocco"