2 # The Girocco jail setup script
4 # We are designed to set up the chroot based on binaries from
5 # amd64 Debian lenny; some things may need slight modifications if
6 # being run on a different distribution.
12 reserved_users
="root sshd mob $cfg_cgi_user $cfg_mirror_user"
14 # Verify we have all we neeed.
15 if ! getent group
$cfg_owning_group >/dev
/null
; then
16 echo "*** Error: You do not have $cfg_owning_group in system yet." >&2
21 mkdir
-p "$cfg_chroot"
23 chown root
"$cfg_chroot"
24 chmod 755 "$cfg_chroot"
26 # First, setup basic directory structure
27 mkdir
-p bin dev etc lib sbin
${cfg_jailreporoot#/} var
/run proc
32 # Set up basic user/group configuration; if there is any already,
33 # we hope it's the same numbers and users.
36 [ -n "$cfg_mob" ] || mobpass
='x'
37 if [ ! -s etc
/passwd
]; then
39 sshd:x:101:65534:priviledge separation:/var/run/sshd:/bin/false
40 $cfg_cgi_user:x:$(getent passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
41 $cfg_mirror_user:x:$(getent passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
42 mob:$mobpass:65538:$(getent group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
46 if [ ! -s etc
/group
]; then
48 _repo:x:$(getent group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
53 rm -f dev
/null dev
/zero dev
/random dev
/urandom
56 mknod dev
/random c
1 8
57 mknod dev
/urandom c
1 9
58 chmod a
+rw dev
/null dev
/zero dev
/random dev
/urandom
60 # Set up sshd configuration:
62 mkdir
-p etc
/sshkeys etc
/sshcerts
63 for ruser
in $reserved_users; do
64 touch etc
/sshkeys
/$ruser
66 chown
-R $cfg_cgi_user:$cfg_owning_group etc
/sshkeys etc
/sshcerts
67 chmod g
+s etc
/sshkeys etc
/sshcerts
68 chmod -R g
+w etc
/sshkeys etc
/sshcerts
71 if [ ! -s etc
/ssh
/sshd_config
]; then
72 cat >etc
/ssh
/sshd_config
<<EOT
78 UsePrivilegeSeparation yes
80 AuthorizedKeysFile /etc/sshkeys/%u
84 PermitEmptyPasswords yes
85 ChallengeResponseAuthentication no
86 PasswordAuthentication yes
89 if [ ! -s etc
/ssh
/ssh_host_dsa_key
]; then
90 yes | ssh-keygen
-N "" -C Girocco
-t dsa
-f etc
/ssh
/ssh_host_dsa_key
92 if [ ! -s etc
/ssh
/ssh_host_rsa_key
]; then
93 yes | ssh-keygen
-N "" -C Girocco
-t rsa
-f etc
/ssh
/ssh_host_rsa_key
96 # Bring in basic libraries:
99 cp -t lib
/lib
/ld-linux.so
.2
100 [ ! -d /lib64
] ||
cp -t lib
/lib64
/ld-linux-x86-64.so
.2
102 cp -t lib
/lib
/libc.so
.6 /lib
/libcrypt.so
.1 /lib
/libutil.so
.1 /lib
/libnsl.so
.1 /lib
/libnss_compat.so
.2 /lib
/libresolv.so
.2 /lib
/libdl.so
.2 /lib
/libgcc_s.so
.1
104 # Now, bring in sshd and sh.
109 # ...and all the dependencies.
110 ldd
"$bin" |
grep -v linux-gate |
grep -v linux-vdso |
grep -v ld-linux |
grep '=>' |
awk '{print $3}' |
xargs -r -- cp -u -t lib
113 cp "$cfg_basedir/bin/git-shell-verify" bin
114 pull_in_bin
"$cfg_basedir/bin/can_user_push" bin
115 pull_in_bin
/bin
/sh bin
116 pull_in_bin
/bin
/nc.openbsd bin
117 # If /sbin/sshd is already running within the chroot, we get Text file busy.
118 pull_in_bin
/usr
/sbin
/sshd sbin ||
:
120 # ...and the bits of git we need.
121 for i
in git git-index-pack git-receive-pack git-shell git-update-server-info git-upload-archive git-upload-pack git-unpack-objects
; do
122 if [ -e /usr
/lib
/git-core
/$i ]; then
123 pull_in_bin
/usr
/lib
/git-core
/$i bin
125 pull_in_bin
/usr
/bin
/$i bin
129 echo "--- Add to your boot scripts: mount --bind $cfg_reporoot $cfg_chroot/$cfg_jailreporoot"
130 echo "--- Add to your boot scripts: mount --bind /proc $cfg_chroot/proc"
131 echo "--- Add to your syslog configuration: listening on socket $cfg_chroot/dev/log"