search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
jobd: refer to jobd.pl not jobd.sh
[girocco.git] / jailsetup.sh
blob87a19482ebe8f6d9dce57abda88da3778120bf05
1 #!/bin/sh
2 # The Girocco jail setup script
3 #
4 # If the first parameter is "dbonly", setup the database only
5 #
6 # We are designed to set up the chroot based on the output of
7 # `uname -s` by sourcing a suitable system-specific script.
8 # Unrecognized systems will generate an error. When using
9 # "dbonly" the setup of the chroot binaries is skipped so the
10 # output of `uname -s` does not matter in that case.
11
12 set -e
13
14 curdir="$(pwd)"
15 srcdir="$curdir/src"
16 getent="$srcdir/getent"
17 . ./shlib.sh
18
19 # find_std_utility should always come up with the full path to the standard
20 # version of the utility whose name is passed as "$1"
21 getconf="/usr/bin/getconf"
22 [ -x "$getconf" ] || getconf="/bin/getconf"
23 [ -x "$getconf" ] || getconf="getconf"
24 stdpath="$("unset" -f command; "command" "$getconf" "PATH" 2>/dev/null)" || :
25 ":" "${stdpath:=/bin:/usr/bin}"
26 stdpath="$stdpath:/sbin:/usr/sbin"
27 find_std_utility() (
28 "unset" -f unalias command "$1" >/dev/null 2>&1 || :
29 "unalias" -a >/dev/null 2>&1 || :
30 PATH="$stdpath" && "export" PATH || :
31 "command" -v "$1"
32 ) 2>/dev/null
33
34 dbonly=
35 [ "$1" != "dbonly" ] || dbonly=1
36
37 reserved_users="root sshd _sshd mob git lock bundle nobody everyone $cfg_cgi_user $cfg_mirror_user"
38
39 # Require either sshd or _sshd user unless "dbonly"
40 sshd_user=sshd
41 if ! "$getent" passwd sshd >/dev/null && ! "$getent" passwd _sshd >/dev/null; then
42 if [ -n "$dbonly" ]; then
43 if ! [ -s etc/passwd ]; then
44 # Only complain on initial etc/passwd creation
45 echo "WARNING: no sshd or _sshd user, omitting entries from chroot etc/passwd"
46 fi
47 sshd_user=
48 else
49 echo "*** Error: You do not have required sshd or _sshd user in system." >&2
50 exit 1
51 fi
52 else
53 "$getent" passwd sshd >/dev/null || sshd_user=_sshd
54 fi
55
56 # Verify we have all we need
57 if ! "$getent" passwd "$cfg_mirror_user" >/dev/null; then
58 echo "*** Error: You do not have \"$cfg_mirror_user\" user in system yet." >&2
59 exit 1
60 fi
61 if ! "$getent" passwd "$cfg_cgi_user" >/dev/null; then
62 echo "*** Error: You do not have \"$cfg_cgi_user\" user in system yet." >&2
63 exit 1
64 fi
65 if [ -n "$dbonly" ] && [ -z "$cfg_owning_group" ]; then
66 cfg_owning_group="$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 4)"
67 elif ! "$getent" group "$cfg_owning_group" >/dev/null; then
68 echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
69 exit 1
70 fi
71
72 # One last paranoid check before we go writing all over everything
73 if [ -z "$cfg_chroot" ] || [ "$cfg_chroot" = "/" ]; then
74 echo "*** Error: chroot location is not set or is invalid." >&2
75 echo "*** Error: perhaps you have an incorrect Config.pm?" >&2
76 exit 1
77 fi
78
79 umask 022
80 mkdir -p "$cfg_chroot"
81 cd "$cfg_chroot"
82 chmod 755 "$cfg_chroot" ||
83 echo "WARNING: Cannot chmod $cfg_chroot"
84
85 mkdir -p var/empty
86 chmod 0555 var/empty ||
87 echo "WARNING: Cannot chmod a=rx $cfg_chroot/var/empty"
88
89 # Set up basic user/group configuration; if there isn't any already
90 mobpass=
91 [ -n "$cfg_mob" ] || mobpass='x'
92 mkdir -p etc
93 if ! [ -s etc/passwd ]; then
94 cat >etc/passwd <<EOT
95 root:x:0:0:system administrator:/var/empty:/bin/false
96 nobody:x:$("$getent" passwd nobody | cut -d : -f 3-4):unprivileged user:/var/empty:/bin/false
97 EOT
98 [ -z "$sshd_user" ] || cat >>etc/passwd <<EOT
99 sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
100 _sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
101 EOT
102 [ "$cfg_cgi_user" = "$cfg_mirror_user" ] || cat >>etc/passwd <<EOT
103 $cfg_cgi_user:x:$("$getent" passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
104 EOT
105 cat >>etc/passwd <<EOT
106 $cfg_mirror_user:x:$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
107 everyone:x:65537:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):every user:/:/bin/false
108 mob:$mobpass:65538:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
109 git::65539:$("$getent" passwd nobody | cut -d : -f 4):read-only access:/:/bin/git-shell-verify
110 EOT
111 elif [ -z "$dbonly" ]; then
112 # Make sure an sshd entry is present
113 if ! grep -q '^sshd:' etc/passwd; then
114 echo "*** Error: chroot etc/passwd exists but lacks sshd entry." >&2
115 exit 1
116 fi
117 fi
118
119 if ! [ -s etc/group ]; then
120 cat >etc/group <<EOT
121 _repo:x:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
122 EOT
123 fi
124
125 # Set up basic default Git configuration
126 # Initialize one if none exists or update critical variables for an existing one
127 mkdir -p etc/girocco
128 didchmod=
129 if [ -e etc/girocco/.gitconfig ] && ! [ -f etc/girocco/.gitconfig ]; then
130 echo "*** Error: chroot etc/girocco/.gitconfig exists but is not a file." >&2
131 exit 1
132 fi
133 if [ -f etc/girocco/.gitconfig ]; then
134 gcerr=0
135 x="$(git config --file etc/girocco/.gitconfig --get "no--such--section.no such subsection.no--such--key")" || gcerr=$?
136 if [ $gcerr -gt 1 ]; then
137 echo "*** Error: chroot etc/girocco/.gitconfig exists but is corrupt." >&2
138 echo "*** Error: either remove it or edit it to correct the problem." >&2
139 exit 1
140 fi
141 fi
142 if ! [ -s etc/girocco/.gitconfig ]; then
143 chmod u+w etc/girocco
144 didchmod=1
145 cat >etc/girocco/.gitconfig <<EOT
146 # Any values set here will take effect whenever Girocco runs a git command
147
148 EOT
149 fi
150 # $1 => name, $2 => value, $3 => overwrite_flag
151 update_config_item() {
152 _existsnot=
153 _oldval=
154 _oldval="$(git config --file etc/girocco/.gitconfig --get "$1")" || _existsnot=1
155 if [ -z "$_existsnot" ]; then
156 [ -n "$3" ] || return 0
157 [ "$_oldval" != "$2" ] || return 0
158 fi
159 [ -n "$didchmod" ] || { chmod u+w etc/girocco; didchmod=1; }
160 git config --file etc/girocco/.gitconfig "$1" "$2"
161 if [ -n "$_existsnot" ]; then
162 echo "chroot: etc/girocco/.gitconfig: config $1: (created) \"$2\""
163 else
164 echo "chroot: etc/girocco/.gitconfig: config $1: \"$_oldval\" -> \"$2\""
165 fi
166 }
167 if [ -n "$cfg_git_no_mmap" ]; then
168 update_config_item core.packedGitWindowSize 1m 1
169 else
170 update_config_item core.packedGitWindowSize 32m 1
171 fi
172 if [ -n "$var_window_memory" ]; then
173 update_config_item pack.windowMemory "$var_window_memory" 1
174 fi
175 if [ -n "$cfg_jgit_compatible_bitmaps" ]; then
176 update_config_item pack.writeBitmapHashCache false 1
177 else
178 update_config_item pack.writeBitmapHashCache true 1
179 fi
180 update_config_item core.pager "cat" 1
181 update_config_item core.compression 5
182 update_config_item transfer.unpackLimit 1 1
183 update_config_item http.lowSpeedLimit 1
184 update_config_item http.lowSpeedTime 600
185 update_config_item receive.maxInputSize "${cfg_max_receive_size:-0}" 1
186 [ -z "$didchmod" ] || chmod a-w etc/girocco
187
188 mkdir -p etc/sshkeys etc/sshcerts etc/sshactive
189 for ruser in $reserved_users; do
190 touch etc/sshkeys/$ruser
191 done
192 chgrp $cfg_owning_group etc etc/sshkeys etc/sshcerts etc/sshactive ||
193 echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
194 chgrp $cfg_owning_group etc/passwd ||
195 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
196 chgrp $cfg_owning_group etc/group ||
197 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
198 chgrp $cfg_owning_group etc/girocco etc/girocco/.gitconfig ||
199 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/girocco"
200 chmod g+s etc etc/sshkeys etc/sshcerts etc/sshactive ||
201 echo "WARNING: Cannot chmod g+s the etc directories"
202 chmod g+w etc etc/sshkeys etc/sshcerts etc/sshactive ||
203 echo "WARNING: Cannot chmod g+w the etc directories"
204 chmod g+w etc/passwd etc/group ||
205 echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
206 chmod go-w etc/passwd etc/girocco etc/girocco/.gitconfig ||
207 echo "WARNING: Cannot chmod go-w etc/girocco and/or etc/girocco/.gitconfig"
208 chmod a-w etc/girocco ||
209 echo "WARNING: Cannot chmod a-w etc/girocco"
210 chmod -R g+w etc/sshkeys etc/sshcerts etc/sshactive 2>/dev/null ||
211 echo "WARNING: Cannot chmod g+w the sshkeys, sshcerts and/or sshactive files"
212
213 # Note time of last install
214 >etc/sshactive/_install
215
216 [ -z "$dbonly" ] || exit 0
217
218 # Make sure the system type is supported for chroot
219 sysname="$(uname -s | tr A-Z a-z)" || :
220 : ${sysname:=linux}
221 nosshdir=
222 # These equivalents may need to be expanded at some point
223 case "$sysname" in
224 *kfreebsd*)
225 sysname=linux;;
226 *darwin*)
227 sysname=darwin;;
228 *dragonfly*)
229 sysname=dragonfly;;
230 *freebsd*)
231 sysname=freebsd;;
232 *linux*)
233 sysname=linux;;
234 esac
235
236 chrootsetup="$curdir/chrootsetup_$sysname.sh"
237 if ! [ -f "$chrootsetup" ] || ! [ -r "$chrootsetup" ] || ! [ -s "$chrootsetup" ]; then
238 echo "*** Error: $chrootsetup not found" >&2
239 echo "*** Error: creating a chroot for a $(uname -s) system is not supported" >&2
240 exit 1
241 fi
242
243 # validate reporoot, chroot, jailreporoot and sshd_bin before doing anything more
244
245 # validates the passed in dir if a second argument is not empty dir must NOT
246 # start with / otherwise it must. A trailing '/' is removed and any duplicated
247 # // are removed and a sole / or empty is disallowed.
248 make_valid_dir() {
249 _check="$(echo "$1" | tr -s /)"
250 _check="${_check%/}"
251 [ -n "$_check" ] && [ "$_check" != "/" ] || return 1
252 if [ -z "$2" ]; then
253 # must start with '/'
254 case "$_check" in /*) :;; *) return 1; esac
255 else
256 # must NOT start with '/'
257 case "$_check" in /*) return 1; esac
258 fi
259 echo "$_check"
260 }
261
262 if ! reporoot="$(make_valid_dir "$cfg_reporoot")"; then
263 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
264 echo "*** Error: MUST start with '/' and MUST NOT be '/'" >&2
265 exit 1
266 fi
267 if ! chroot="$(make_valid_dir "$cfg_chroot")"; then
268 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
269 echo "*** Error: MUST start with '/' and MUST NOT be '/'" >&2
270 exit 1
271 fi
272 if ! jailreporoot="$(make_valid_dir "$cfg_jailreporoot" 1)"; then
273 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
274 echo "*** Error: MUST NOT start with '/' and MUST NOT be ''" >&2
275 exit 1
276 fi
277
278 # chroot MUST NOT be reporoot
279 if [ "$chroot" = "$reporoot" ]; then
280 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
281 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
282 echo "*** Error: reporoot and chroot MUST NOT be the same" >&2
283 exit 1
284 fi
285
286 # chroot MUST NOT be a subdirectory of reporoot
287 case "$chroot" in "$reporoot"/*)
288 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
289 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
290 echo "*** Error: chroot MUST NOT be a subdirectory of reporoot" >&2
291 exit 1
292 esac
293
294 # chroot/jailreporoot MUST NOT be a subdirectory of reporoot
295 case "$chroot/$jailreporoot" in "$reporoot"/*)
296 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
297 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
298 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
299 echo "*** Error: chroot/jailreporoot MUST NOT be a subdirectory of reporoot" >&2
300 exit 1
301 esac
302
303 # reporoot MUST NOT be a subdirectory of chroot/jailreporoot
304 case "$reporoot" in "$chroot/$jailreporoot"/*)
305 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
306 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
307 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
308 echo "*** Error: reporoot MUST NOT be a subdirectory of chroot/jailreporoot" >&2
309 exit 1
310 esac
311
312 # sshd_bin MUST be undef (or empty) or a full absolute path
313 sshd_bin_bad=
314 case "$cfg_sshd_bin" in *"/../"*) sshd_bin_bad=1;; ""|/?*) :;; *) sshd_bin_bad=1;; esac
315 [ -z "$sshd_bin_bad" ] || {
316 echo "*** Error: invalid Config::sshd_bin $cfg_sshd_bin" >&2
317 echo "*** Error: if set, sshd_bin must be an absolute path" >&2
318 exit 1
319 }
320 sshd_bin="$cfg_sshd_bin"
321 [ -n "$sshd_bin" ] || sshd_bin="$(find_std_utility "sshd")" || {
322 echo "*** Error: Config::sshd_bin is not set and no sshd could be found" >&2
323 echo "*** Error: please set Config::sshd_bin to an absolute path to sshd" >&2
324 exit 1
325 }
326 [ -x "$sshd_bin" ] && [ -r "$sshd_bin" ] && [ -f "$sshd_bin" ] || {
327 echo "*** Error: the selected sshd ('$sshd_bin') was not found, not readable or not executable" >&2
328 exit 1
329 }
330
331 # Set the user and group on the top of the chroot before creating anything else
332 chown 0:0 "$chroot"
333
334 # When we create a fork, the alternates always have an absolute path.
335 # If reporoot is not --bind mounted at the same location in chroot we must
336 # create a suitable symlink so the absolute path alternates continue to work
337 # in the ssh chroot or else forks will be broken in there.
338 if [ "$reporoot" != "/$jailreporoot" ]; then
339 mkdirp="$(dirname "${reporoot#/}")"
340 [ "$mkdirp" = "." ] && mkdirp=
341 lnback=
342 [ -z "$mkdirp" ] || lnback="$(echo "$mkdirp/" | sed -e 's,[^/]*/,../,g')"
343 [ -z "$mkdirp" ] || mkdir -p "$chroot/$mkdirp"
344 (umask 0; ln -s -f -n "$lnback$jailreporoot" "$chroot$reporoot")
345 [ $? -eq 0 ] || exit 1
346 fi
347
348 # First, setup basic platform-independent directory structure
349 mkdir -p bin dev etc lib sbin var/empty var/run "$jailreporoot"
350 chmod 0555 var/empty
351 rm -rf usr local
352 ln -s . usr
353 ln -s . local
354
355 # Now source the platform-specific script that is responsible for dev device
356 # setup, proc setup (if needed), lib64 setup (if needed) and basic library
357 # installation to make a chroot operational. Additionally it will define a
358 # pull_in_bin function that can be used to add executables and their library
359 # dependencies to the chroot and finally will install a suitable nc.openbsd
360 # compatible version of netcat that supports connections to unix sockets.
361 . "$chrootsetup"
362
363 # Now, bring in sshd, sh etc.
364 # The $chrootsetup script should have already provided a suitable nc.openbsd
365 install -p "$cfg_basedir/bin/git-shell-verify" bin/git-shell-verify.new
366 install -p "$cfg_basedir/bin/git-askpass-password" bin/git-askpass-password.new
367 perl -i -p \
368 -e 's|^#!.*|#!/bin/sh| if $. == 1;' \
369 -e 'close ARGV if eof;' \
370 bin/git-shell-verify.new bin/git-askpass-password.new
371 mv -f bin/git-askpass-password.new bin/git-askpass-password
372 mv -f bin/git-shell-verify.new bin/git-shell-verify
373 pull_in_bin "$cfg_basedir/bin/can_user_push" bin
374 pull_in_bin "$cfg_basedir/bin/list_packs" bin
375 pull_in_bin "$var_sh_bin" bin/sh
376 # be paranoid since these are going into the chroot and make sure
377 # that we get the "standard" versions of them (they are all standard "POSIX"
378 # utilities) not some wayward version picked up by a haphazard PATH
379 pull_in_bin "$(find_std_utility cat )" bin
380 pull_in_bin "$(find_std_utility chmod )" bin
381 pull_in_bin "$(find_std_utility date )" bin
382 pull_in_bin "$(find_std_utility find )" bin
383 pull_in_bin "$(find_std_utility mkdir )" bin
384 pull_in_bin "$(find_std_utility mv )" bin
385 pull_in_bin "$(find_std_utility rm )" bin
386 pull_in_bin "$(find_std_utility sleep )" bin
387 pull_in_bin "$(find_std_utility touch )" bin
388 pull_in_bin "$(find_std_utility tr )" bin
389 pull_in_bin "$(find_std_utility wc )" bin
390 # this one's already been validated and might be in a non-standard location
391 pull_in_bin "$sshd_bin" sbin
392
393 # ...and the bits of git we need,
394 # being sure to use the configured git and its --exec-path to find the pieces
395 for i in git git-index-pack git-receive-pack git-shell git-update-server-info \
396 git-upload-archive git-upload-pack git-unpack-objects git-config \
397 git-for-each-ref git-rev-list git-rev-parse git-symbolic-ref; do
398 pull_in_bin "$var_git_exec_path/$i" bin git
399 done
400
401 # ...and any extras identified by install.sh
402 # these are also all standard "POSIX" utilities
403 # ones that a decent sh implementation would have built-in already...
404 if [ -n "$GIROCCO_CHROOT_EXTRA_INSTALLS" ]; then
405 for i in $GIROCCO_CHROOT_EXTRA_INSTALLS; do
406 pull_in_bin "$(find_std_utility "$(basename "$i")")" bin
407 done
408 fi
409
410 # Note time of last jailsetup
411 >etc/sshactive/_jailsetup
412
413 # Update permissions on the database files
414 chown $cfg_cgi_user:$cfg_owning_group etc/passwd etc/group
415 chown -R $cfg_cgi_user:$cfg_owning_group etc/sshkeys etc/sshcerts etc/sshactive
416 chown $cfg_mirror_user:$cfg_owning_group etc etc/girocco etc/girocco/.gitconfig
417
418 # Set up basic sshd configuration:
419 if [ -n "$nosshdir" ]; then
420 rm -rf etc/ssh
421 ln -s . etc/ssh
422 ! [ -f /etc/moduli ] || { cp -p /etc/moduli etc/; chown 0:0 etc/moduli; }
423 else
424 ! [ -e etc/ssh ] || [ -d etc/ssh ] || rm -rf etc/ssh
425 mkdir -p etc/ssh
426 ! [ -f /etc/ssh/moduli ] || { cp -p /etc/ssh/moduli etc/ssh/; chown 0:0 etc/ssh/moduli; }
427 fi
428 mkdir -p var/run/sshd
429 if ! [ -s etc/ssh/sshd_config ]; then
430 cat >etc/ssh/sshd_config <<EOT
431 Protocol 2
432 Port $cfg_sshd_jail_port
433 UsePAM no
434 X11Forwarding no
435 AllowAgentForwarding no
436 AllowTcpForwarding no
437 PermitTunnel no
438 IgnoreUserKnownHosts yes
439 PrintLastLog no
440 PrintMotd no
441 UseDNS no
442 PermitRootLogin no
443 UsePrivilegeSeparation yes
444
445 HostKey /etc/ssh/ssh_host_rsa_key
446 EOT
447 if [ -z "$cfg_disable_dsa" ]; then
448 cat >>etc/ssh/sshd_config <<EOT
449 HostKey /etc/ssh/ssh_host_dsa_key
450 EOT
451 fi
452 cat >>etc/ssh/sshd_config <<EOT
453 AuthorizedKeysFile /etc/sshkeys/%u
454 StrictModes no
455
456 # mob and git users:
457 PermitEmptyPasswords yes
458 ChallengeResponseAuthentication no
459 PasswordAuthentication yes
460 EOT
461 fi
462 if ! [ -s etc/ssh/ssh_host_rsa_key ]; then
463 bits=2048
464 if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
465 bits="$cfg_rsakeylength"
466 fi
467 yes | ssh-keygen -b "$bits" -t rsa -N "" -C Girocco -f etc/ssh/ssh_host_rsa_key
468 fi
469 if [ -z "$cfg_disable_dsa" ] && ! [ -s etc/ssh/ssh_host_dsa_key ]; then
470 # ssh-keygen can only create 1024 bit DSA keys
471 yes | ssh-keygen -b 1024 -t dsa -N "" -C Girocco -f etc/ssh/ssh_host_dsa_key
472 fi
473
474 # Set the final permissions on the binaries and perform any final twiddling
475 chroot_update_permissions
476
477 # Change the owner of the sshd-related files
478 chown 0:0 etc/ssh/ssh_* etc/ssh/sshd_*
479
480 echo "--- Add to your boot scripts: mount --bind $reporoot $chroot/$jailreporoot"
481 echo "--- Add to your boot scripts: mount --bind /proc $chroot/proc"
482 echo "--- Add to your syslog configuration: listening on socket $chroot/dev/log"
483 echo "--- To restart a running jail's sshd: sudo kill -HUP \$(cat $chroot/var/run/sshd.pid)"
The repo.or.cz duct tape "Girocco"