Attempt to avoid update/gc clustering

[girocco.git] / jailsetup.sh

#!/bin/sh
# The Girocco jail setup script
#
# If the first parameter is "dbonly", setup the database only
#
# We are designed to set up the chroot based on binaries from
# amd64 Debian lenny; some things may need slight modifications if
# being run on a different distribution.

set -e

. ./shlib.sh

dbonly=''
[ "$1" != "dbonly" ] || dbonly=1

reserved_users="root sshd mob $cfg_cgi_user $cfg_mirror_user"

# Verify we have all we neeed.
if ! getent passwd "$cfg_mirror_user" >/dev/null; then
        echo "*** Error: You do not have \"$cfg_mirror_user\" user in system yet." >&2
        exit 1
fi
if ! getent passwd "$cfg_cgi_user" >/dev/null; then
        echo "*** Error: You do not have \"$cfg_cgi_user\" user in system yet." >&2
        exit 1
fi
if [ -n "$dbonly" -a -z "$cfg_owning_group" ]; then
        cfg_owning_group="$(getent passwd "$cfg_mirror_user" | cut -d : -f 4)"
elif ! getent group "$cfg_owning_group" >/dev/null; then
        echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
        exit 1
fi

umask 022
mkdir -p "$cfg_chroot"
cd "$cfg_chroot"
chmod 755 "$cfg_chroot" ||
        echo "WARNING: Cannot chmod $cfg_chroot"

# Set up basic user/group configuration; if there is any already,
# we hope it's the same numbers and users.

mobpass=''
[ -n "$cfg_mob" ] || mobpass='x'
mkdir -p etc
if [ ! -s etc/passwd ]; then
        cat >etc/passwd <<EOT
sshd:x:101:65534:priviledge separation:/var/run/sshd:/bin/false
$cfg_cgi_user:x:$(getent passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
$cfg_mirror_user:x:$(getent passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
mob:$mobpass:65538:$(getent group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
EOT
fi

if [ ! -s etc/group ]; then
        cat >etc/group <<EOT
_repo:x:$(getent group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
EOT
fi

mkdir -p etc/sshkeys etc/sshcerts
for ruser in $reserved_users; do
  touch etc/sshkeys/$ruser
done
chgrp $cfg_owning_group etc etc/sshkeys etc/sshcerts ||
        echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
chgrp $cfg_owning_group etc/passwd ||
        echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
chgrp $cfg_owning_group etc/group ||
        echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
chmod g+s etc etc/sshkeys etc/sshcerts ||
        echo "WARNING: Cannot chmod g+s the etc directories"
chmod g+w etc etc/sshkeys etc/sshcerts ||
        echo "WARNING: Cannot chmod g+w the etc directories"
chmod g+w etc/passwd etc/group ||
        echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
chmod -R g+w etc/sshkeys etc/sshcerts 2>/dev/null ||
        echo "WARNING: Cannot chmod g+w the sshkeys and/or sshcerts files"

[ -z "$dbonly" ] || exit 0

chown root "$cfg_chroot"
chown $cfg_cgi_user etc etc/passwd etc/group
chown -R $cfg_cgi_user etc/sshkeys etc/sshcerts

# First, setup basic directory structure
mkdir -p bin dev etc lib sbin ${cfg_jailreporoot#/} var/run proc
rm -f usr lib64
ln -s . usr
ln -s lib lib64

# Seed up /dev:
rm -f dev/null dev/zero dev/random dev/urandom
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8
mknod dev/urandom c 1 9
chmod a+rw dev/null dev/zero dev/random dev/urandom

# Set up sshd configuration:
mkdir -p var/run/sshd

mkdir -p etc/ssh
if [ ! -s etc/ssh/sshd_config ]; then
        cat >etc/ssh/sshd_config <<EOT
Protocol        2
Port            22
UsePAM          no
X11Forwarding   no
PermitRootLogin no
UsePrivilegeSeparation yes

AuthorizedKeysFile      /etc/sshkeys/%u
StrictModes     no

# mob user:
PermitEmptyPasswords    yes
ChallengeResponseAuthentication no
PasswordAuthentication  yes
EOT
fi
if [ ! -s etc/ssh/ssh_host_dsa_key ]; then
        yes | ssh-keygen -N "" -C Girocco -t dsa -f etc/ssh/ssh_host_dsa_key
fi
if [ ! -s etc/ssh/ssh_host_rsa_key ]; then
        yes | ssh-keygen -N "" -C Girocco -t rsa -f etc/ssh/ssh_host_rsa_key
fi

# Bring in basic libraries:
rm -f lib/*
# ld.so:
cp -p -t lib /lib/ld-linux.so.2
[ ! -d /lib64 ] || cp -p -t lib /lib64/ld-linux-x86-64.so.2
# libc:
cp -p -t lib /lib/libc.so.6 /lib/libcrypt.so.1 /lib/libutil.so.1 /lib/libnsl.so.1 /lib/libnss_compat.so.2 /lib/libresolv.so.2 /lib/libdl.so.2 /lib/libgcc_s.so.1

# Now, bring in sshd and sh.

pull_in_bin() {
        bin="$1"; dst="$2"
        cp -p -t "$dst" "$bin"
        # ...and all the dependencies.
        ldd "$bin" | grep -v linux-gate | grep -v linux-vdso | grep -v ld-linux | grep '=>' | awk '{print $3}' | xargs -r -- cp -p -u -t lib
}

install -p "$cfg_basedir/bin/git-shell-verify" bin
install -p "$cfg_basedir/bin/can_user_push" bin
pull_in_bin /bin/sh bin
pull_in_bin /bin/nc.openbsd bin
pull_in_bin /bin/date bin
pull_in_bin /bin/mv
pull_in_bin /bin/rm
# If /sbin/sshd is already running within the chroot, we get Text file busy.
pull_in_bin /usr/sbin/sshd sbin || :

# ...and the bits of git we need.
for i in git git-index-pack git-receive-pack git-shell git-update-server-info git-upload-archive \
        git-upload-pack git-unpack-objects git-show-ref git-config git-for-each-ref; do
        if [ -e /usr/lib/git-core/$i ]; then
                pull_in_bin /usr/lib/git-core/$i bin
        elif [ -e /usr/libexec/git-core/$i ]; then
                pull_in_bin /usr/libexec/git-core/$i bin
        else
                pull_in_bin /usr/bin/$i bin
        fi
done

echo "--- Add to your boot scripts: mount --bind $cfg_reporoot $cfg_chroot/$cfg_jailreporoot"
echo "--- Add to your boot scripts: mount --bind /proc $cfg_chroot/proc"
echo "--- Add to your syslog configuration: listening on socket $cfg_chroot/dev/log"