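#!/bin/sh
# The Girocco jail setup script
#
# We are designed to set up the chroot based on binaries from
# amd64 Debian lenny; some things may need slight modifications if
# being run on a different distribution (GNU coreutils "cp -t" and a
# glibc-style ldd are assumed throughout).
#
# Reads from shlib.sh: cfg_owning_group, cfg_chroot, cfg_cgi_user, cfg_reporoot.
# Must run as root (chown/mknod).  After the cd below every relative path is
# inside $cfg_chroot, so a failed cd must abort -- set -e takes care of that.

set -e

. shlib.sh

# Verify we have all we need.
if ! getent group "$cfg_owning_group" >/dev/null; then
	echo "*** Error: You do not have $cfg_owning_group in system yet." >&2
	exit 1
fi

umask 022
mkdir -p "$cfg_chroot"
cd "$cfg_chroot"
# The jail root must be root-owned and not writable by anyone else,
# otherwise the chroot offers no containment.
chown root "$cfg_chroot"
chmod 755 "$cfg_chroot"

# First, setup basic directory structure.
mkdir -p bin dev etc lib sbin srv/git var/run proc
# usr -> . lets /usr/bin/... paths resolve to the jail's single bin;
# lib64 -> lib is where the amd64 loader expects to find itself (see the
# ld-linux-x86-64 copy below).  Remove stale entries first so ln cannot fail.
rm -f usr lib64
ln -s . usr
ln -s lib lib64

# Set up basic user/group configuration; if there is any already,
# we hope it's the same numbers and users.
# "mob" has an empty password field: it is the anonymous account whose login
# shell is git-shell only (sshd_config below permits empty passwords for it).
# "sshd" is the privilege-separation account; its password field is "x" and
# no shadow file is created here, so it cannot authenticate.
if [ ! -s etc/passwd ]; then
	cat >etc/passwd <<EOT
sshd:x:101:65534:priviledge separation:/var/run/sshd:/bin/false
mob::65538:65534:the mob:/:/bin/git-shell
EOT
fi

# _repo mirrors the host's owning group under a fixed name inside the jail.
# NOTE(review): the sshd and mob lines below are passwd-format, not group
# format (name:passwd:gid:members); glibc reads the trailing fields as a
# member name.  Left byte-for-byte -- confirm what the jail relies on.
if [ ! -s etc/group ]; then
	cat >etc/group <<EOT
_repo:x:$(getent group "$cfg_owning_group" | cut -d : -f 3):
sshd:x:101:65534:priviledge separation:/var/run/sshd:/bin/false
mob::65538:65534:the mob:/:/bin/git-shell
EOT
fi

# Seed up /dev: the standard Linux memory character devices (major 1).
rm -f dev/null dev/zero dev/random dev/urandom
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8
mknod dev/urandom c 1 9
chmod a+rw dev/null dev/zero dev/random dev/urandom

# Set up mob user: a mode-0 file owned by the mob uid.
# NOTE(review): nothing in this script reads var/run/mob; presumably a
# marker consumed elsewhere -- confirm before changing owner or mode.
touch var/run/mob
chown 65538 var/run/mob
chmod 0 var/run/mob

# Set up sshd configuration:
mkdir -p var/run/sshd
# etc/sshkeys holds one authorized-keys file per user (AuthorizedKeysFile
# below).  It is group-writable and setgid so the CGI user can publish keys
# into it; that is the reason sshd_config needs "StrictModes no" -- with
# strict modes sshd refuses key files whose directory is not user-private.
mkdir -p etc/sshkeys
chown "$cfg_cgi_user:$cfg_owning_group" etc/sshkeys
chmod g+ws etc/sshkeys
mkdir -p etc/ssh
# PermitEmptyPasswords/PasswordAuthentication exist solely for the
# passwordless mob account; the only other jailed account (sshd) has no
# usable password.  Root login and X11 forwarding stay off, privilege
# separation stays on.
if [ ! -s etc/ssh/sshd_config ]; then
	cat >etc/ssh/sshd_config <<EOT
Protocol 2
Port 22
UsePAM no
X11Forwarding no
PermitRootLogin no
UsePrivilegeSeparation yes

AuthorizedKeysFile /etc/sshkeys/%u
StrictModes no

# mob user:
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOT
fi

# Host keys: each is generated only when missing so a re-run does not rotate
# the jail's host identity.  The keys are checked independently (previously
# the rsa key was generated only when the dsa key was absent).
# NOTE: OpenSSH clients from 7.0 on refuse ssh-dss host keys by default; the
# rsa key is the one current clients will actually use.
if [ ! -s etc/ssh/ssh_host_dsa_key ]; then
	yes | ssh-keygen -N "" -C Girocco -t dsa -f etc/ssh/ssh_host_dsa_key
fi
if [ ! -s etc/ssh/ssh_host_rsa_key ]; then
	yes | ssh-keygen -N "" -C Girocco -t rsa -f etc/ssh/ssh_host_rsa_key
fi

# Bring in basic libraries (start from a clean lib so nothing stale remains):
rm -f lib/*
# ld.so: the 32-bit loader, plus the 64-bit one when the host has /lib64.
cp -t lib /lib/ld-linux.so.2
[ ! -d /lib64 ] || cp -t lib /lib64/ld-linux-x86-64.so.2
# libc and companions.  The nss/resolv modules are loaded by glibc by name at
# runtime, so ldd-based dependency copying later would not pick them up --
# presumably why they are listed explicitly here.
cp -t lib /lib/libc.so.6 /lib/libcrypt.so.1 /lib/libutil.so.1 /lib/libnsl.so.1 /lib/libnss_compat.so.2 /lib/libresolv.so.2 /lib/libdl.so.2 /lib/libgcc_s.so.1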
# Copy a host binary into the jail together with the shared libraries ldd
# reports for it.
# Arguments: $1 - path of the host binary
#            $2 - destination directory, relative to the jail root (cwd)
# Libraries always land in ./lib.  ld-linux is skipped because the loader is
# installed separately; linux-gate/linux-vdso are kernel-provided and have no
# file to copy.  "cp -u" only refreshes libraries that are newer than what is
# already in ./lib.
# Plain sh: bin/dst are ordinary (global) variables, not locals.  Library
# paths are assumed to contain no whitespace (awk field 3 / xargs).
pull_in_bin() {
	bin="$1"; dst="$2"
	cp -t "$dst" "$bin"
	# ...and all the dependencies: keep only "name => /path (addr)" lines.
	ldd "$bin" \
		| grep -v -e linux-gate -e linux-vdso -e ld-linux \
		| grep '=>' \
		| awk '{print $3}' \
		| xargs -r -- cp -u -t lib
}
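pull_in_bin /bin/sh bin
# NOTE(review): the in-jail consumer of nc is not visible in this script.
pull_in_bin /bin/nc.openbsd bin
# If /sbin/sshd is already running within the chroot, we get Text file busy.
# Tolerate that, but then insist an sshd is actually present: a bare "|| :"
# also hid the case where the binary could not be installed at all.
pull_in_bin /usr/sbin/sshd sbin || :
if [ ! -x sbin/sshd ]; then
	echo "*** Error: could not install sshd into $cfg_chroot/sbin." >&2
	exit 1
fi

# ...and the bits of git we need: git-shell itself plus the server-side
# commands it dispatches to.
for i in git git-index-pack git-receive-pack git-shell git-update-server-info git-upload-archive git-upload-pack git-unpack-objects; do
	pull_in_bin "/usr/bin/$i" bin
done

# Manual follow-ups: repositories and /proc are bind-mounted into the jail
# rather than copied, and jailed processes can only reach a syslog socket
# that lives inside the jail.
echo "--- Add to your boot scripts: mount --bind $cfg_reporoot $cfg_chroot/srv/git"
echo "--- Add to your boot scripts: mount --bind /proc $cfg_chroot/proc"
echo "--- Add to your syslog configuration: listening on socket $cfg_chroot/dev/log"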