2 # The Girocco jail setup script
4 # If the first parameter is "dbonly", setup the database only
6 # We are designed to set up the chroot based on the output of
7 # `uname -s` by sourcing a suitable system-specific script.
8 # Unrecognized systems will generate an error. When using
9 # "dbonly" the setup of the chroot binaries is skipped so the
10 # output of `uname -s` does not matter in that case.
# Lookups below go through the installer's own getent wrapper (presumably so
# user/group resolution behaves the same on every supported platform); note the
# three later calls that use the bare system "getent" instead.
16 getent
="$srcdir/getent"
# "dbonly": only (re)create the chroot's etc/passwd, etc/group and key/cert
# directories; building the jail binaries, sshd_config and host keys is skipped.
20 [ "$1" != "dbonly" ] || dbonly
=1
# Account names that must never be claimed by a regular Girocco user; a
# placeholder key file is created for each of them under etc/sshkeys below.
22 reserved_users
="root sshd _sshd mob $cfg_cgi_user $cfg_mirror_user"
24 # Require either sshd or _sshd user unless "dbonly"
# The sshd privilege-separation account must exist on the host because its
# uid:gid is copied into the chroot passwd. In "dbonly" mode its absence is only
# a warning, and only when etc/passwd is being created for the first time.
26 if ! "$getent" passwd sshd
>/dev
/null
&& ! "$getent" passwd _sshd
>/dev
/null
; then
27 if [ -n "$dbonly" ]; then
28 if [ ! -s etc
/passwd
]; then
29 # Only complain on initial etc/passwd creation
30 echo "WARNING: no sshd or _sshd user, omitting entries from chroot etc/passwd"
34 echo "*** Error: You do not have required sshd or _sshd user in system." >&2
# Some systems name the privilege-separation user "_sshd"; fall back to it
# when there is no "sshd" account.
38 "$getent" passwd sshd
>/dev
/null || sshd_user
=_sshd
41 # Verify we have all we need
# The mirror and CGI users (and the owning group) must already exist on the
# host: their numeric ids are copied verbatim into the chroot database below,
# and those ids must match the files that get bind-mounted into the jail.
42 if ! "$getent" passwd
"$cfg_mirror_user" >/dev
/null
; then
43 echo "*** Error: You do not have \"$cfg_mirror_user\" user in system yet." >&2
# NOTE(review): this lookup and the two that follow use the system getent rather
# than the "$getent" wrapper used everywhere else — confirm that is intended.
46 if ! getent passwd
"$cfg_cgi_user" >/dev
/null
; then
47 echo "*** Error: You do not have \"$cfg_cgi_user\" user in system yet." >&2
# In "dbonly" mode an unset owning group defaults to the mirror user's primary
# group (field 4 of its passwd entry). "[ a -a b ]" is the deprecated test
# form; "[ a ] && [ b ]" is the portable spelling.
50 if [ -n "$dbonly" -a -z "$cfg_owning_group" ]; then
51 cfg_owning_group
="$(getent passwd "$cfg_mirror_user" | cut -d : -f 4)"
52 elif ! getent group
"$cfg_owning_group" >/dev
/null
; then
53 echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
# The jail root itself must not be writable by anything running inside it:
# 0755 here plus the chown 0:0 further down. A failed chmod is only a warning.
58 mkdir
-p "$cfg_chroot"
60 chmod 755 "$cfg_chroot" ||
61 echo "WARNING: Cannot chmod $cfg_chroot"
63 # Set up basic user/group configuration; if there isn't any already
# Password field for the anonymous "mob" account: 'x' (password login
# impossible) unless mob access is enabled, in which case $mobpass keeps
# whatever value it already had (presumably empty, which is what the
# PermitEmptyPasswords setting in sshd_config below is for — confirm).
65 [ -n "$cfg_mob" ] || mobpass
='x'
# Initial chroot etc/passwd, written only when the file is missing or empty.
# Every entry carries 'x' and a non-interactive shell except "mob", whose login
# shell is git-shell-verify — that shell is the only thing standing between an
# empty-password mob login and the jail, so it must stay the mob entry's shell.
# The sshd and _sshd entries share one uid:gid so the jailed sshd resolves the
# privilege-separation user under either name; "mob" gets a fixed uid (65538)
# and the owning group's gid.
67 if [ ! -s etc
/passwd
]; then
69 root:x:0:0:system administrator:/var/empty:/bin/false
71 [ -z "$sshd_user" ] ||
cat >>etc
/passwd
<<EOT
72 sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
73 _sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
75 cat >>etc
/passwd
<<EOT
76 $cfg_cgi_user:x:$("$getent" passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
77 $cfg_mirror_user:x:$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
78 mob:$mobpass:65538:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
80 elif [ -z "$dbonly" ]; then
81 # Make sure an sshd entry is present
82 if ! grep -q '^sshd:' etc
/passwd
; then
83 echo "*** Error: chroot etc/passwd exists but lacks sshd entry." >&2
# Initial chroot etc/group: a single "_repo" group carrying the host owning
# group's gid, with the mirror user as its only listed member.
88 if [ ! -s etc
/group
]; then
90 _repo:x:$(getent group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
# Per-user authorized keys live in etc/sshkeys/<user> (see AuthorizedKeysFile
# in the generated sshd_config). Pre-creating the reserved names presumably
# stops them from later being filled in as ordinary user key files — confirm
# against the code that writes these files.
94 mkdir
-p etc
/sshkeys etc
/sshcerts
95 for ruser
in $reserved_users; do
96 touch etc
/sshkeys
/$ruser
# Hand the user database and key/cert directories to the owning group, setgid
# and group-writable, so members of that group (the CGI user is made their owner
# further down) can maintain them. Each step only warns on failure; the
# recursive chmod additionally hides errors, so an unwritable key file is
# reported only through the single WARNING line.
98 chgrp
$cfg_owning_group etc etc
/sshkeys etc
/sshcerts ||
99 echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
100 chgrp
$cfg_owning_group etc
/passwd ||
101 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
102 chgrp
$cfg_owning_group etc
/group ||
103 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
104 chmod g
+s etc etc
/sshkeys etc
/sshcerts ||
105 echo "WARNING: Cannot chmod g+s the etc directories"
106 chmod g
+w etc etc
/sshkeys etc
/sshcerts ||
107 echo "WARNING: Cannot chmod g+w the etc directories"
108 chmod g
+w etc
/passwd etc
/group ||
109 echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
110 chmod -R g
+w etc
/sshkeys etc
/sshcerts
2>/dev
/null ||
111 echo "WARNING: Cannot chmod g+w the sshkeys and/or sshcerts files"
# NOTE(review): sshd's default StrictModes rejects group-writable authorized
# keys files, and etc/sshkeys/<user> is deliberately made g+w above; the
# generated sshd_config presumably turns StrictModes off — confirm.
# "dbonly" stops here; everything below builds the jail itself.
113 [ -z "$dbonly" ] ||
exit 0
115 # Make sure the system type is supported for chroot
# Lower-cased kernel name selects chrootsetup_<sysname>.sh; the "|| :" keeps
# a failing uname from aborting the script.
116 sysname
="$(uname -s | tr A-Z a-z || :)"
119 # These equivalents may need to be expanded at some point
131 chrootsetup
="$curdir/chrootsetup_$sysname.sh"
# NOTE(review): unlike the other fatal messages these two go to stdout rather
# than ">&2", and the second uses backticks where "$(uname -s)" would match the
# rest of the script.
132 if ! [ -r "$chrootsetup" -a -s "$chrootsetup" ]; then
133 echo "*** Error: $chrootsetup not found"
134 echo "*** Error: creating a chroot for a `uname -s` system is not supported"
138 # Set the user and group on the top of the chroot before creating anything else
139 chown
0:0 "$cfg_chroot"
141 # First, setup basic platform-independent directory structure
# $cfg_jailreporoot is the in-jail mount point for $cfg_reporoot (bind-mounted
# at boot, see the hints printed at the end); its leading "/" is stripped so
# the path is created relative to the jail root.
142 mkdir
-p bin dev etc lib sbin var
/empty var
/run
${cfg_jailreporoot#/}
146 # Now source the platform-specific script that is responsible for dev device
147 # setup, proc setup (if needed), lib64 setup (if needed) and basic library
148 # installation to make a chroot operational. Additionally it will define a
149 # pull_in_bin function that can be used to add executables and their library
150 # dependencies to the chroot and finally will install a suitable nc.openbsd
151 # compatible version of netcat that supports connections to unix sockets.
154 # Now, bring in sshd, sh etc.
155 # The $chrootsetup script should have already provided a suitable nc.openbsd
# git-shell-verify is copied directly (presumably it has no shared-library
# dependencies); everything else goes through pull_in_bin so the libraries
# each binary needs are brought into the jail with it.
156 install -p "$cfg_basedir/bin/git-shell-verify" bin
157 pull_in_bin
"$cfg_basedir/bin/can_user_push" bin
158 pull_in_bin
/bin
/sh bin
159 pull_in_bin
/bin
/date bin
160 pull_in_bin
/bin
/mv bin
161 pull_in_bin
/bin
/rm bin
162 # If /sbin/sshd is already running within the chroot, we get Text file busy
# ...so a failed copy is tolerated and the sshd already in the jail is kept.
163 pull_in_bin
/usr
/sbin
/sshd sbin ||
:
165 # ...and the bits of git we need,
166 # being sure to use the configured git and its --exec-path to find the pieces
167 git_exec_path
="$("$cfg_git_bin" --exec-path)"
168 for i
in git git-index-pack git-receive-pack git-shell git-update-server-info git-upload-archive \
169 git-upload-pack git-unpack-objects git-show-ref git-config git-for-each-ref
; do
170 pull_in_bin
"$git_exec_path/$i" bin
173 # Update permissions on the database files
# Owner becomes the CGI user (group: owning group) so the web interface can
# rewrite passwd/group and the per-user key and cert files.
174 chown
$cfg_cgi_user:$cfg_owning_group etc etc
/passwd etc
/group
175 chown
-R $cfg_cgi_user:$cfg_owning_group etc
/sshkeys etc
/sshcerts
177 # Set up basic sshd configuration:
# $nosshdir is not assigned anywhere in this part of the script (presumably the
# platform script sets it); it selects whether the host keeps its DH
# group-exchange moduli file at /etc/moduli or /etc/ssh/moduli. The copy is
# made root-owned inside the jail either way.
178 if [ -n "$nosshdir" ]; then
181 [ ! -f /etc
/moduli
] ||
{ cp -p /etc
/moduli etc
/; chown
0:0 etc
/moduli
; }
# Anything at etc/ssh that is not a directory is removed so the copies and
# key generation below succeed ("-o" is the deprecated test form).
183 [ ! -e etc
/ssh -o -d etc
/ssh ] ||
rm -rf etc
/ssh
185 [ ! -f /etc
/ssh
/moduli
] ||
{ cp -p /etc
/ssh
/moduli etc
/ssh
/; chown
0:0 etc
/ssh
/moduli
; }
# sshd's privilege-separation directory inside the jail.
187 mkdir
-p var
/run
/sshd
# sshd_config is generated only when missing or empty, so local edits survive
# re-runs. Keys are read from the per-user files under etc/sshkeys (a jail
# path, since this sshd runs chrooted); password authentication is left on
# solely so the "mob" account can log in with its empty password — every other
# jail account has 'x' in its password field.
# NOTE(review): current OpenSSH treats UsePrivilegeSeparation as deprecated
# (accepted, no effect) and ChallengeResponseAuthentication as an alias of
# KbdInteractiveAuthentication; both still parse, but expect log warnings.
188 if [ ! -s etc
/ssh
/sshd_config
]; then
189 cat >etc
/ssh
/sshd_config
<<EOT
195 UsePrivilegeSeparation yes
197 AuthorizedKeysFile /etc/sshkeys/%u
201 PermitEmptyPasswords yes
202 ChallengeResponseAuthentication no
203 PasswordAuthentication yes
# Host keys are generated whenever the key file is missing or zero-length;
# "yes |" answers ssh-keygen's overwrite prompt for the zero-length case.
# NOTE(review): ssh-dss host keys are disabled by default in current OpenSSH
# clients and servers, and DSA support has since been removed upstream, so
# the dsa key is effectively unused; an ed25519 host key (-t ed25519) would
# be the modern companion to the rsa key.
206 if [ ! -s etc
/ssh
/ssh_host_dsa_key
]; then
207 yes | ssh-keygen
-N "" -C Girocco
-t dsa
-f etc
/ssh
/ssh_host_dsa_key
209 if [ ! -s etc
/ssh
/ssh_host_rsa_key
]; then
210 yes | ssh-keygen
-N "" -C Girocco
-t rsa
-f etc
/ssh
/ssh_host_rsa_key
213 # Set the final permissions on the binaries and perform any final twiddling
# Presumably defined by the platform-specific $chrootsetup script, like
# pull_in_bin — confirm.
214 chroot_update_permissions
216 # Change the owner of the sshd-related files
# Private host keys (ssh_host_*) and sshd_config end up root-owned; nothing
# running as the CGI or jail users should be able to alter them.
217 chown
0:0 etc
/ssh
/ssh_
* etc
/ssh
/sshd_
*
# The remaining steps need root at every boot, so they are printed for the
# administrator rather than performed here.
219 echo "--- Add to your boot scripts: mount --bind $cfg_reporoot $cfg_chroot/$cfg_jailreporoot"
220 echo "--- Add to your boot scripts: mount --bind /proc $cfg_chroot/proc"
221 echo "--- Add to your syslog configuration: listening on socket $cfg_chroot/dev/log"