search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
clone/update: optimize ref removal
[girocco.git] / jailsetup.sh
blobe36c27004ac39243d8b4114886b39d50dfa574d9
1 #!/bin/sh
2 # The Girocco jail setup script
3 #
4 # If the first parameter is "dbonly", setup the database only
5 #
6 # We are designed to set up the chroot based on the output of
7 # `uname -s` by sourcing a suitable system-specific script.
8 # Unrecognized systems will generate an error. When using
9 # "dbonly" the setup of the chroot binaries is skipped so the
10 # output of `uname -s` does not matter in that case.
11
12 set -e
13
14 curdir="`pwd`"
15 srcdir="$curdir/src"
16 getent="$srcdir/getent"
17 . ./shlib.sh
18
19 dbonly=''
20 [ "$1" != "dbonly" ] || dbonly=1
21
22 reserved_users="root sshd _sshd mob git lock bundle nobody everyone $cfg_cgi_user $cfg_mirror_user"
23
24 # Require either sshd or _sshd user unless "dbonly"
25 sshd_user=sshd
26 if ! "$getent" passwd sshd >/dev/null && ! "$getent" passwd _sshd >/dev/null; then
27 if [ -n "$dbonly" ]; then
28 if [ ! -s etc/passwd ]; then
29 # Only complain on initial etc/passwd creation
30 echo "WARNING: no sshd or _sshd user, omitting entries from chroot etc/passwd"
31 fi
32 sshd_user=
33 else
34 echo "*** Error: You do not have required sshd or _sshd user in system." >&2
35 exit 1
36 fi
37 else
38 "$getent" passwd sshd >/dev/null || sshd_user=_sshd
39 fi
40
41 # Verify we have all we need
42 if ! "$getent" passwd "$cfg_mirror_user" >/dev/null; then
43 echo "*** Error: You do not have \"$cfg_mirror_user\" user in system yet." >&2
44 exit 1
45 fi
46 if ! "$getent" passwd "$cfg_cgi_user" >/dev/null; then
47 echo "*** Error: You do not have \"$cfg_cgi_user\" user in system yet." >&2
48 exit 1
49 fi
50 if [ -n "$dbonly" -a -z "$cfg_owning_group" ]; then
51 cfg_owning_group="$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 4)"
52 elif ! "$getent" group "$cfg_owning_group" >/dev/null; then
53 echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
54 exit 1
55 fi
56
57 # One last paranoid check before we go writing all over everything
58 if [ -z "$cfg_chroot" -o "$cfg_chroot" = "/" ]; then
59 echo "*** Error: chroot location is not set or is invalid." >&2
60 echo "*** Error: perhaps you have an incorrect Config.pm?" >&2
61 exit 1
62 fi
63
64 umask 022
65 mkdir -p "$cfg_chroot"
66 cd "$cfg_chroot"
67 chmod 755 "$cfg_chroot" ||
68 echo "WARNING: Cannot chmod $cfg_chroot"
69
70 mkdir -p var/empty
71 chmod 0555 var/empty ||
72 echo "WARNING: Cannot chmod a=rx $cfg_chroot/var/empty"
73
74 # Set up basic user/group configuration; if there isn't any already
75 mobpass=''
76 [ -n "$cfg_mob" ] || mobpass='x'
77 mkdir -p etc
78 if [ ! -s etc/passwd ]; then
79 cat >etc/passwd <<EOT
80 root:x:0:0:system administrator:/var/empty:/bin/false
81 nobody:x:$("$getent" passwd nobody | cut -d : -f 3-4):unprivileged user:/var/empty:/bin/false
82 EOT
83 [ -z "$sshd_user" ] || cat >>etc/passwd <<EOT
84 sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
85 _sshd:x:$("$getent" passwd $sshd_user | cut -d : -f 3-4):privilege separation:/var/empty:/bin/false
86 EOT
87 [ "$cfg_cgi_user" = "$cfg_mirror_user" ] || cat >>etc/passwd <<EOT
88 $cfg_cgi_user:x:$("$getent" passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
89 EOT
90 cat >>etc/passwd <<EOT
91 $cfg_mirror_user:x:$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
92 everyone:x:65537:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):every user:/:/bin/false
93 mob:$mobpass:65538:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
94 EOT
95 elif [ -z "$dbonly" ]; then
96 # Make sure an sshd entry is present
97 if ! grep -q '^sshd:' etc/passwd; then
98 echo "*** Error: chroot etc/passwd exists but lacks sshd entry." >&2
99 exit 1
100 fi
101 fi
102
103 if [ ! -s etc/group ]; then
104 cat >etc/group <<EOT
105 _repo:x:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
106 EOT
107 fi
108
109 # Set up basic default Git configuration
110 # Initialize one if none exists or update critical variables for an existing one
111 mkdir -p etc/girocco
112 didchmod=
113 if [ -e etc/girocco/.gitconfig ] && ! [ -f etc/girocco/.gitconfig ]; then
114 echo "*** Error: chroot etc/girocco/.gitconfig exists but is not a file." >&2
115 exit 1
116 fi
117 if [ -f etc/girocco/.gitconfig ]; then
118 gcerr=0
119 x="$(git config --file etc/girocco/.gitconfig --get "no--such--section.no such subsection.no--such--key")" || gcerr=$?
120 if [ $gcerr -gt 1 ]; then
121 echo "*** Error: chroot etc/girocco/.gitconfig exists but is corrupt." >&2
122 echo "*** Error: either remove it or edit it to correct the problem." >&2
123 exit 1
124 fi
125 fi
126 if [ ! -s etc/girocco/.gitconfig ]; then
127 chmod u+w etc/girocco
128 didchmod=1
129 cat >etc/girocco/.gitconfig <<EOT
130 # Any values set here will take effect whenever Girocco runs a git command
131
132 EOT
133 fi
134 # $1 => name, $2 => value, $3 => overwrite_flag
135 update_config_item() {
136 _existsnot=
137 _oldval=
138 _oldval="$(git config --file etc/girocco/.gitconfig --get "$1")" || _existsnot=1
139 if [ -z "$_existsnot" ]; then
140 [ -n "$3" ] || return 0
141 [ "$_oldval" != "$2" ] || return 0
142 fi
143 [ -n "$didchmod" ] || { chmod u+w etc/girocco; didchmod=1; }
144 git config --file etc/girocco/.gitconfig "$1" "$2"
145 if [ -n "$_existsnot" ]; then
146 echo "chroot: etc/girocco/.gitconfig: config $1: (created) \"$2\""
147 else
148 echo "chroot: etc/girocco/.gitconfig: config $1: \"$_oldval\" -> \"$2\""
149 fi
150 }
151 if [ -n "$cfg_git_no_mmap" ]; then
152 update_config_item core.packedGitWindowSize 1m 1
153 else
154 update_config_item core.packedGitWindowSize 32m 1
155 fi
156 if [ -n "$var_window_memory" ]; then
157 update_config_item pack.windowMemory "$var_window_memory" 1
158 fi
159 update_config_item http.lowSpeedLimit 1
160 update_config_item http.lowSpeedTime 600
161 [ -z "$didchmod" ] || chmod a-w etc/girocco
162
163 mkdir -p etc/sshkeys etc/sshcerts etc/sshactive
164 for ruser in $reserved_users; do
165 touch etc/sshkeys/$ruser
166 done
167 chgrp $cfg_owning_group etc etc/sshkeys etc/sshcerts etc/sshactive ||
168 echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
169 chgrp $cfg_owning_group etc/passwd ||
170 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
171 chgrp $cfg_owning_group etc/group ||
172 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
173 chgrp $cfg_owning_group etc/girocco etc/girocco/.gitconfig ||
174 echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/girocco"
175 chmod g+s etc etc/sshkeys etc/sshcerts etc/sshactive ||
176 echo "WARNING: Cannot chmod g+s the etc directories"
177 chmod g+w etc etc/sshkeys etc/sshcerts etc/sshactive ||
178 echo "WARNING: Cannot chmod g+w the etc directories"
179 chmod g+w etc/passwd etc/group ||
180 echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
181 chmod go-w etc/passwd etc/girocco etc/girocco/.gitconfig ||
182 echo "WARNING: Cannot chmod go-w etc/girocco and/or etc/girocco/.gitconfig"
183 chmod a-w etc/girocco ||
184 echo "WARNING: Cannot chmod a-w etc/girocco"
185 chmod -R g+w etc/sshkeys etc/sshcerts etc/sshactive 2>/dev/null ||
186 echo "WARNING: Cannot chmod g+w the sshkeys, sshcerts and/or sshactive files"
187
188 # Note time of last install
189 > etc/sshactive/_install
190
191 [ -z "$dbonly" ] || exit 0
192
193 # Make sure the system type is supported for chroot
194 sysname="$(uname -s | tr A-Z a-z || :)"
195 : ${sysname:=linux}
196 nosshdir=
197 # These equivalents may need to be expanded at some point
198 case "$sysname" in
199 *kfreebsd*)
200 sysname=linux;;
201 *darwin*)
202 sysname=darwin;;
203 *dragonfly*)
204 sysname=dragonfly;;
205 *freebsd*)
206 sysname=freebsd;;
207 *linux*)
208 sysname=linux;;
209 esac
210
211 chrootsetup="$curdir/chrootsetup_$sysname.sh"
212 if ! [ -r "$chrootsetup" -a -s "$chrootsetup" ]; then
213 echo "*** Error: $chrootsetup not found" >&2
214 echo "*** Error: creating a chroot for a `uname -s` system is not supported" >&2
215 exit 1
216 fi
217
218 # validate reporoot, chroot and jailreporoot before doing anything more
219
220 # validates the passed in dir if a second argument is not empty dir must NOT
221 # start with / otherwise it must. A trailing '/' is removed and any duplicated
222 # // are removed and a sole / or empty is disallowed.
223 make_valid_dir() {
224 _check="$(echo "$1" | tr -s /)"
225 _check="${_check%/}"
226 [ -z "$_check" -o "$_check" = "/" ] && return 1
227 if [ -z "$2" ]; then
228 # must start with '/'
229 case "$_check" in /*) :;; *) return 1; esac
230 else
231 # must NOT start with '/'
232 case "$_check" in /*) return 1; esac
233 fi
234 echo "$_check"
235 }
236
237 if ! reporoot="$(make_valid_dir "$cfg_reporoot")"; then
238 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
239 echo "*** Error: MUST start with '/' and MUST NOT be '/'" >&2
240 exit 1
241 fi
242 if ! chroot="$(make_valid_dir "$cfg_chroot")"; then
243 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
244 echo "*** Error: MUST start with '/' and MUST NOT be '/'" >&2
245 exit 1
246 fi
247 if ! jailreporoot="$(make_valid_dir "$cfg_jailreporoot" 1)"; then
248 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
249 echo "*** Error: MUST NOT start with '/' and MUST NOT be ''" >&2
250 exit 1
251 fi
252
253 # chroot MUST NOT be reporoot
254 if [ "$chroot" = "$reporoot" ]; then
255 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
256 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
257 echo "*** Error: reporoot and chroot MUST NOT be the same" >&2
258 exit 1
259 fi
260
261 # chroot MUST NOT be a subdirectory of reporoot
262 case "$chroot" in "$reporoot"/*)
263 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
264 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
265 echo "*** Error: chroot MUST NOT be a subdirectory of reporoot" >&2
266 exit 1
267 esac
268
269 # chroot/jailreporoot MUST NOT be a subdirectory of reporoot
270 case "$chroot/$jailreporoot" in "$reporoot"/*)
271 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
272 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
273 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
274 echo "*** Error: chroot/jailreporoot MUST NOT be a subdirectory of reporoot" >&2
275 exit 1
276 esac
277
278 # reporoot MUST NOT be a subdirectory of chroot/jailreporoot
279 case "$reporoot" in "$chroot/$jailreporoot"/*)
280 echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2
281 echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2
282 echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2
283 echo "*** Error: reporoot MUST NOT be a subdirectory of chroot/jailreporoot" >&2
284 exit 1
285 esac
286
287 # Set the user and group on the top of the chroot before creating anything else
288 chown 0:0 "$chroot"
289
290 # When we create a fork, the alternates always have an absolute path.
291 # If reporoot is not --bind mounted at the same location in chroot we must
292 # create a suitable symlink so the absolute path alternates continue to work
293 # in the ssh chroot or else forks will be broken in there.
294 if [ "$reporoot" != "/$jailreporoot" ]; then
295 mkdirp="$(dirname "${reporoot#/}")"
296 [ "$mkdirp" = "." ] && mkdirp=
297 lnback=
298 [ -z "$mkdirp" ] || lnback="$(echo "$mkdirp/" | sed -e 's,[^/]*/,../,g')"
299 [ -z "$mkdirp" ] || mkdir -p "$chroot/$mkdirp"
300 (umask 0; ln -s -f -n "$lnback$jailreporoot" "$chroot$reporoot")
301 [ $? -eq 0 ] || exit 1
302 fi
303
304 # First, setup basic platform-independent directory structure
305 mkdir -p bin dev etc lib sbin var/empty var/run "$jailreporoot"
306 chmod 0555 var/empty
307 rm -rf usr local
308 ln -s . usr
309 ln -s . local
310
311 # Now source the platform-specific script that is responsible for dev device
312 # setup, proc setup (if needed), lib64 setup (if needed) and basic library
313 # installation to make a chroot operational. Additionally it will define a
314 # pull_in_bin function that can be used to add executables and their library
315 # dependencies to the chroot and finally will install a suitable nc.openbsd
316 # compatible version of netcat that supports connections to unix sockets.
317 . "$chrootsetup"
318
319 # Now, bring in sshd, sh etc.
320 # The $chrootsetup script should have already provided a suitable nc.openbsd
321 install -p "$cfg_basedir/bin/git-shell-verify" bin/git-shell-verify.new
322 install -p "$cfg_basedir/bin/git-askpass-password" bin/git-askpass-password.new
323 perl -i -p \
324 -e 's|^#!.*|#!/bin/sh| if $. == 1;' \
325 -e 'close ARGV if eof;' \
326 bin/git-shell-verify.new bin/git-askpass-password.new
327 mv -f bin/git-askpass-password.new bin/git-askpass-password
328 mv -f bin/git-shell-verify.new bin/git-shell-verify
329 pull_in_bin "$cfg_basedir/bin/can_user_push" bin
330 pull_in_bin "$cfg_basedir/bin/list_packs" bin
331 pull_in_bin "$var_sh_bin" bin/sh
332 pull_in_bin /bin/chmod bin
333 pull_in_bin /bin/date bin
334 pull_in_bin /bin/mkdir bin
335 pull_in_bin /bin/mv bin
336 pull_in_bin /bin/rm bin
337 pull_in_bin /bin/sleep bin
338 pull_in_bin /usr/bin/find bin
339 pull_in_bin /usr/bin/touch bin
340 pull_in_bin /usr/bin/wc bin
341 pull_in_bin /usr/bin/xargs bin
342 pull_in_bin /usr/sbin/sshd sbin
343
344 # ...and the bits of git we need,
345 # being sure to use the configured git and its --exec-path to find the pieces
346 for i in git git-index-pack git-receive-pack git-shell git-update-server-info git-upload-archive \
347 git-upload-pack git-unpack-objects git-config git-for-each-ref git-rev-list; do
348 pull_in_bin "$var_git_exec_path/$i" bin git
349 done
350
351 # Note time of last jailsetup
352 > etc/sshactive/_jailsetup
353
354 # Update permissions on the database files
355 chown $cfg_cgi_user:$cfg_owning_group etc/passwd etc/group
356 chown -R $cfg_cgi_user:$cfg_owning_group etc/sshkeys etc/sshcerts etc/sshactive
357 chown $cfg_mirror_user:$cfg_owning_group etc etc/girocco etc/girocco/.gitconfig
358
359 # Set up basic sshd configuration:
360 if [ -n "$nosshdir" ]; then
361 rm -rf etc/ssh
362 ln -s . etc/ssh
363 [ ! -f /etc/moduli ] || { cp -p /etc/moduli etc/; chown 0:0 etc/moduli; }
364 else
365 [ ! -e etc/ssh -o -d etc/ssh ] || rm -rf etc/ssh
366 mkdir -p etc/ssh
367 [ ! -f /etc/ssh/moduli ] || { cp -p /etc/ssh/moduli etc/ssh/; chown 0:0 etc/ssh/moduli; }
368 fi
369 mkdir -p var/run/sshd
370 if [ ! -s etc/ssh/sshd_config ]; then
371 cat >etc/ssh/sshd_config <<EOT
372 Protocol 2
373 Port $cfg_sshd_jail_port
374 UsePAM no
375 X11Forwarding no
376 AllowAgentForwarding no
377 AllowTcpForwarding no
378 PermitTunnel no
379 IgnoreUserKnownHosts yes
380 PrintLastLog no
381 PrintMotd no
382 UseDNS no
383 PermitRootLogin no
384 UsePrivilegeSeparation yes
385
386 HostKey /etc/ssh/ssh_host_rsa_key
387 EOT
388 if [ -z "$cfg_disable_dsa" ]; then
389 cat >>etc/ssh/sshd_config <<EOT
390 HostKey /etc/ssh/ssh_host_dsa_key
391 EOT
392 fi
393 cat >>etc/ssh/sshd_config <<EOT
394 AuthorizedKeysFile /etc/sshkeys/%u
395 StrictModes no
396
397 # mob user:
398 PermitEmptyPasswords yes
399 ChallengeResponseAuthentication no
400 PasswordAuthentication yes
401 EOT
402 fi
403 if [ ! -s etc/ssh/ssh_host_rsa_key ]; then
404 bits=2048
405 if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
406 bits="$cfg_rsakeylength"
407 fi
408 yes | ssh-keygen -b "$bits" -t rsa -N "" -C Girocco -f etc/ssh/ssh_host_rsa_key
409 fi
410 if [ -z "$cfg_disable_dsa" -a ! -s etc/ssh/ssh_host_dsa_key ]; then
411 # ssh-keygen can only create 1024 bit DSA keys
412 yes | ssh-keygen -b 1024 -t dsa -N "" -C Girocco -f etc/ssh/ssh_host_dsa_key
413 fi
414
415 # Set the final permissions on the binaries and perform any final twiddling
416 chroot_update_permissions
417
418 # Change the owner of the sshd-related files
419 chown 0:0 etc/ssh/ssh_* etc/ssh/sshd_*
420
421 echo "--- Add to your boot scripts: mount --bind $reporoot $chroot/$jailreporoot"
422 echo "--- Add to your boot scripts: mount --bind /proc $chroot/proc"
423 echo "--- Add to your syslog configuration: listening on socket $chroot/dev/log"
424 echo "--- To restart a running jail's sshd: sudo kill -HUP \`cat $chroot/var/run/sshd.pid\`"
The repo.or.cz duct tape "Girocco"