gitweb_config: make sure the home_link is not empty
[girocco.git] / jailsetup.sh
blob3b041284c0d7307ca32cc0a43b635d1e8dbe62a6
1 #!/bin/sh
2 # The Girocco jail setup script
4 # If the first parameter is "dbonly", setup the database only
6 # We are designed to set up the chroot based on the output of
7 # `uname -s` by sourcing a suitable system-specific script.
8 # Unrecognized systems will generate an error. When using
9 # "dbonly" the setup of the chroot binaries is skipped so the
10 # output of `uname -s` does not matter in that case.
12 set -e
14 curdir="`pwd`"
15 srcdir="$curdir/src"
16 getent="$srcdir/getent"
17 . ./shlib.sh
19 dbonly=''
20 [ "$1" != "dbonly" ] || dbonly=1
22 reserved_users="root sshd _sshd mob everyone $cfg_cgi_user $cfg_mirror_user"
24 # Require either sshd or _sshd user unless "dbonly"
25 sshd_user=sshd
26 if ! "$getent" passwd sshd >/dev/null && ! "$getent" passwd _sshd >/dev/null; then
27 if [ -n "$dbonly" ]; then
28 if [ ! -s etc/passwd ]; then
29 # Only complain on initial etc/passwd creation
30 echo "WARNING: no sshd or _sshd user, omitting entries from chroot etc/passwd"
32 sshd_user=
33 else
34 echo "*** Error: You do not have required sshd or _sshd user in system." >&2
35 exit 1
37 else
38 "$getent" passwd sshd >/dev/null || sshd_user=_sshd
41 # Verify we have all we need
42 if ! "$getent" passwd "$cfg_mirror_user" >/dev/null; then
43 echo "*** Error: You do not have \"$cfg_mirror_user\" user in system yet." >&2
44 exit 1
46 if ! "$getent" passwd "$cfg_cgi_user" >/dev/null; then
47 echo "*** Error: You do not have \"$cfg_cgi_user\" user in system yet." >&2
48 exit 1
50 if [ -n "$dbonly" -a -z "$cfg_owning_group" ]; then
51 cfg_owning_group="$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 4)"
52 elif ! "$getent" group "$cfg_owning_group" >/dev/null; then
53 echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
54 exit 1
57 # One last paranoid check before we go writing all over everything
58 if [ -z "$cfg_chroot" -o "$cfg_chroot" = "/" ]; then
59 echo "*** Error: chroot location is not set or is invalid." >&2
60 echo "*** Error: perhaps you have an incorrect Config.pm?" >&2
61 exit 1
64 umask 022
65 mkdir -p "$cfg_chroot"
66 cd "$cfg_chroot"
67 chmod 755 "$cfg_chroot" ||
68 echo "WARNING: Cannot chmod $cfg_chroot"
70 # Set up basic user/group configuration; if there isn't any already
71 mobpass=''
72 [ -n "$cfg_mob" ] || mobpass='x'
73 mkdir -p etc
74 if [ ! -s etc/passwd ]; then
75 cat >etc/passwd <<EOT
76 root:x:0:0:system administrator:/var/empty:/bin/false
77 EOT
78 [ -z "$sshd_user" ] || cat >>etc/passwd <<EOT
79 sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
80 _sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
81 EOT
82 cat >>etc/passwd <<EOT
83 $cfg_cgi_user:x:$("$getent" passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
84 $cfg_mirror_user:x:$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
85 everyone:x:65537:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):every user:/:/bin/false
86 mob:$mobpass:65538:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
87 EOT
88 elif [ -z "$dbonly" ]; then
89 # Make sure an sshd entry is present
90 if ! grep -q '^sshd:' etc/passwd; then
91 echo "*** Error: chroot etc/passwd exists but lacks sshd entry." >&2
92 exit 1
96 if [ ! -s etc/group ]; then
97 cat >etc/group <<EOT
98 _repo:x:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
99 EOT
102 mkdir -p etc/sshkeys etc/sshcerts etc/sshactive
103 for ruser in $reserved_users; do
104 touch etc/sshkeys/$ruser
105 done
106 chgrp $cfg_owning_group etc etc/sshkeys etc/sshcerts etc/sshactive ||
107 echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
108 chgrp $cfg_owning_group etc/passwd ||
109 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
110 chgrp $cfg_owning_group etc/group ||
111 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
112 chmod g+s etc etc/sshkeys etc/sshcerts etc/sshactive ||
113 echo "WARNING: Cannot chmod g+s the etc directories"
114 chmod g+w etc etc/sshkeys etc/sshcerts etc/sshactive ||
115 echo "WARNING: Cannot chmod g+w the etc directories"
116 chmod g+w etc/passwd etc/group ||
117 echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
118 chmod -R g+w etc/sshkeys etc/sshcerts etc/sshactive 2>/dev/null ||
119 echo "WARNING: Cannot chmod g+w the sshkeys, sshcerts and/or sshactive files"
121 [ -z "$dbonly" ] || exit 0
123 # Make sure the system type is supported for chroot
124 sysname="$(uname -s | tr A-Z a-z || :)"
125 : ${sysname:=linux}
126 nosshdir=
127 # These equivalents may need to be expanded at some point
128 case "$sysname" in
129 *kfreebsd*)
130 sysname=linux;;
131 *darwin*)
132 sysname=darwin;;
133 *freebsd*)
134 sysname=freebsd;;
135 *linux*)
136 sysname=linux;;
137 esac
139 chrootsetup="$curdir/chrootsetup_$sysname.sh"
140 if ! [ -r "$chrootsetup" -a -s "$chrootsetup" ]; then
141 echo "*** Error: $chrootsetup not found"
142 echo "*** Error: creating a chroot for a `uname -s` system is not supported"
143 exit 1
146 # Set the user and group on the top of the chroot before creating anything else
147 chown 0:0 "$cfg_chroot"
149 # First, setup basic platform-independent directory structure
150 mkdir -p bin dev etc lib sbin var/empty var/run ${cfg_jailreporoot#/}
151 chmod 0444 var/empty
152 rm -rf usr
153 ln -s . usr
155 # Now source the platform-specific script that is responsible for dev device
156 # setup, proc setup (if needed), lib64 setup (if needed) and basic library
157 # installation to make a chroot operational. Additionally it will define a
158 # pull_in_bin function that can be used to add executables and their library
159 # dependencies to the chroot and finally will install a suitable nc.openbsd
160 # compatible version of netcat that supports connections to unix sockets.
161 . "$chrootsetup"
163 # Now, bring in sshd, sh etc.
164 # The $chrootsetup script should have already provided a suitable nc.openbsd
165 install -p "$cfg_basedir/bin/git-shell-verify" bin
166 pull_in_bin "$cfg_basedir/bin/can_user_push" bin
167 pull_in_bin /bin/sh bin
168 pull_in_bin /bin/date bin
169 pull_in_bin /bin/mv bin
170 pull_in_bin /bin/rm bin
171 # If /sbin/sshd is already running within the chroot, we get Text file busy
172 # But we can avoid that if we remove it first
173 rm -f sbin/sshd
174 pull_in_bin /usr/sbin/sshd sbin
176 # ...and the bits of git we need,
177 # being sure to use the configured git and its --exec-path to find the pieces
178 git_exec_path="$("$cfg_git_bin" --exec-path)"
179 for i in git git-index-pack git-receive-pack git-shell git-update-server-info git-upload-archive \
180 git-upload-pack git-unpack-objects git-show-ref git-config git-for-each-ref; do
181 pull_in_bin "$git_exec_path/$i" bin
182 done
184 # Update permissions on the database files
185 chown $cfg_cgi_user:$cfg_owning_group etc etc/passwd etc/group
186 chown -R $cfg_cgi_user:$cfg_owning_group etc/sshkeys etc/sshcerts etc/sshactive
188 # Set up basic sshd configuration:
189 if [ -n "$nosshdir" ]; then
190 rm -rf etc/ssh
191 ln -s . etc/ssh
192 [ ! -f /etc/moduli ] || { cp -p /etc/moduli etc/; chown 0:0 etc/moduli; }
193 else
194 [ ! -e etc/ssh -o -d etc/ssh ] || rm -rf etc/ssh
195 mkdir -p etc/ssh
196 [ ! -f /etc/ssh/moduli ] || { cp -p /etc/ssh/moduli etc/ssh/; chown 0:0 etc/ssh/moduli; }
198 mkdir -p var/run/sshd
199 if [ ! -s etc/ssh/sshd_config ]; then
200 cat >etc/ssh/sshd_config <<EOT
201 Protocol 2
202 Port $cfg_sshd_jail_port
203 UsePAM no
204 X11Forwarding no
205 AllowAgentForwarding no
206 AllowTcpForwarding no
207 PermitTunnel no
208 IgnoreUserKnownHosts yes
209 PrintLastLog no
210 PrintMotd no
211 UseDNS no
212 PermitRootLogin no
213 UsePrivilegeSeparation yes
215 HostKey /etc/ssh/ssh_host_rsa_key
217 if [ -z "$cfg_disable_dsa" ]; then
218 cat >>etc/ssh/sshd_config <<EOT
219 HostKey /etc/ssh/ssh_host_dsa_key
222 cat >>etc/ssh/sshd_config <<EOT
223 AuthorizedKeysFile /etc/sshkeys/%u
224 StrictModes no
226 # mob user:
227 PermitEmptyPasswords yes
228 ChallengeResponseAuthentication no
229 PasswordAuthentication yes
232 if [ ! -s etc/ssh/ssh_host_rsa_key ]; then
233 bits=2048
234 if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
235 bits="$cfg_rsakeylength"
237 yes | ssh-keygen -b "$bits" -t rsa -N "" -C Girocco -f etc/ssh/ssh_host_rsa_key
239 if [ -z "$cfg_disable_dsa" -a ! -s etc/ssh/ssh_host_dsa_key ]; then
240 # ssh-keygen can only create 1024 bit DSA keys
241 yes | ssh-keygen -b 1024 -t dsa -N "" -C Girocco -f etc/ssh/ssh_host_dsa_key
244 # Set the final permissions on the binaries and perform any final twiddling
245 chroot_update_permissions
247 # Change the owner of the sshd-related files
248 chown 0:0 etc/ssh/ssh_* etc/ssh/sshd_*
250 echo "--- Add to your boot scripts: mount --bind $cfg_reporoot $cfg_chroot/$cfg_jailreporoot"
251 echo "--- Add to your boot scripts: mount --bind /proc $cfg_chroot/proc"
252 echo "--- Add to your syslog configuration: listening on socket $cfg_chroot/dev/log"
253 echo "--- To restart a running jail's sshd: sudo kill -HUP \`cat $cfg_chroot/var/run/sshd.pid\`"