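#!/bin/sh
# The Girocco jail setup script
#
# We are designed to set up the chroot based on binaries from
# amd64 Debian lenny; some things may need slight modifications if
# being run on a different distribution.
#
# Globals (read, provided by shlib.sh): cfg_chroot, cfg_owning_group,
#   cfg_cgi_user, cfg_mirror_user, cfg_mob, cfg_jailreporoot, cfg_basedir,
#   cfg_reporoot.
# Needs root: it chowns to root and creates device nodes with mknod.

set -e

. ./shlib.sh

# Account names that must never be claimed as Girocco user names; every one
# of them gets an (empty) authorized keys file below.
reserved_users="root sshd mob $cfg_cgi_user $cfg_mirror_user"

# Verify we have all we need.
if ! getent group "$cfg_owning_group" >/dev/null; then
	echo "*** Error: You do not have $cfg_owning_group in system yet." >&2
	exit 1
fi

umask 022
mkdir -p "$cfg_chroot"
cd "$cfg_chroot"
# The chroot top level is root-owned and not group/world writable.
chown root "$cfg_chroot"
chmod 755 "$cfg_chroot"

# First, setup basic directory structure
mkdir -p bin dev etc lib sbin "${cfg_jailreporoot#/}" var/run proc
rm -f usr lib64
ln -s . usr
ln -s lib lib64

# Set up basic user/group configuration; if there is any already,
# we hope it's the same numbers and users.

# An empty password field lets "mob" log in with an empty password (see
# PermitEmptyPasswords in the sshd_config written below).  When mob access
# is not configured the field becomes "x", which no password can match.
mobpass=''
[ -n "$cfg_mob" ] || mobpass='x'
# uid/gid/gecos of the cgi and mirror users are copied from the host so the
# numbers inside and outside the jail agree.
if [ ! -s etc/passwd ]; then
	cat >etc/passwd <<EOT
sshd:x:101:65534:priviledge separation:/var/run/sshd:/bin/false
$cfg_cgi_user:x:$(getent passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
$cfg_mirror_user:x:$(getent passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
mob:$mobpass:65538:$(getent group "$cfg_owning_group" | cut -d : -f 3):the mob:/:/bin/git-shell-verify
EOT
fi

if [ ! -s etc/group ]; then
	cat >etc/group <<EOT
_repo:x:$(getent group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
EOT
fi

# Seed up /dev:
rm -f dev/null dev/zero dev/random dev/urandom
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8
mknod dev/urandom c 1 9
chmod a+rw dev/null dev/zero dev/random dev/urandom

# Set up sshd configuration:
mkdir -p var/run/sshd
# Per-user key files live in etc/sshkeys (sshd's AuthorizedKeysFile below);
# the cgi user owns them and the owning group is allowed to write them so the
# web interface can install keys.  Reserved names get an empty file first so
# they can never receive a key later.
mkdir -p etc/sshkeys etc/sshcerts
for ruser in $reserved_users; do
	touch "etc/sshkeys/$ruser"
done
chown -R "$cfg_cgi_user:$cfg_owning_group" etc/sshkeys etc/sshcerts
chmod g+s etc/sshkeys etc/sshcerts
chmod -R g+w etc/sshkeys etc/sshcerts

mkdir -p etc/ssh
# StrictModes is off because etc/sshkeys is deliberately group-writable
# (see above) and sshd would otherwise reject every key file in it.
# Password authentication with empty passwords is only there for the mob
# user; all other jail accounts carry "x" and have no password to match.
if [ ! -s etc/ssh/sshd_config ]; then
	cat >etc/ssh/sshd_config <<EOT
Protocol 2
Port 22
UsePAM no
X11Forwarding no
PermitRootLogin no
UsePrivilegeSeparation yes

AuthorizedKeysFile /etc/sshkeys/%u
StrictModes no

# mob user:
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOT
fi

# Host keys are only generated when missing; -N "" makes them unencrypted
# (sshd has to load them unattended) and "yes |" answers any prompt.
if [ ! -s etc/ssh/ssh_host_dsa_key ]; then
	yes | ssh-keygen -N "" -C Girocco -t dsa -f etc/ssh/ssh_host_dsa_key
fi
if [ ! -s etc/ssh/ssh_host_rsa_key ]; then
	yes | ssh-keygen -N "" -C Girocco -t rsa -f etc/ssh/ssh_host_rsa_key
fi

# Bring in basic libraries:
rm -f lib/*
# ld.so:
cp -t lib /lib/ld-linux.so.2
[ ! -d /lib64 ] || cp -t lib /lib64/ld-linux-x86-64.so.2
# libc:
cp -t lib /lib/libc.so.6 /lib/libcrypt.so.1 /lib/libutil.so.1 /lib/libnsl.so.1 /lib/libnss_compat.so.2 /lib/libresolv.so.2 /lib/libdl.so.2 /lib/libgcc_s.so.1

# Now, bring in sshd and sh.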
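# pull_in_bin BINARY DSTDIR
# Copy BINARY into DSTDIR (a path relative to the chroot root, the current
# directory) and refresh the shared libraries it links against into lib/.
# The dependency list comes from ldd; the dynamic loader (ld-linux, copied
# separately) and the kernel vDSO (linux-gate / linux-vdso) are not files to
# copy and are skipped.
# NOTE: ldd may run BINARY's loader to obtain the list, so only pass trusted
# system binaries.
# Returns: non-zero if the copy of BINARY or of a library fails.
pull_in_bin() {
	bin="$1"; dst="$2"
	cp -t "$dst" "$bin"
	# ...and all the dependencies; a single awk pass replaces the old
	# grep/grep/grep/grep/awk chain.  cp -u only replaces lib/ copies that
	# are older than the host's.
	ldd "$bin" | awk '/=>/ && !/linux-gate/ && !/linux-vdso/ && !/ld-linux/ { print $3 }' | xargs -r -- cp -u -t lib
}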
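# git-shell-verify is copied as-is (no library pass); everything else goes
# through pull_in_bin so its shared libraries land in lib/ too.
cp "$cfg_basedir/bin/git-shell-verify" bin
pull_in_bin "$cfg_basedir/bin/can_user_push" bin
pull_in_bin /bin/sh bin
pull_in_bin /bin/nc.openbsd bin
# If /sbin/sshd is already running within the chroot, we get Text file busy.
# Because of the "|| :", set -e is suspended inside pull_in_bin here, so the
# library refresh still runs even when copying sshd itself fails.
pull_in_bin /usr/sbin/sshd sbin || :

# ...and the bits of git we need.  Debian ships the helpers in
# /usr/lib/git-core; fall back to /usr/bin for other layouts.
for i in git git-index-pack git-receive-pack git-shell git-update-server-info git-upload-archive git-upload-pack git-unpack-objects; do
	if [ -e "/usr/lib/git-core/$i" ]; then
		pull_in_bin "/usr/lib/git-core/$i" bin
	else
		pull_in_bin "/usr/bin/$i" bin
	fi
done

# Remaining steps the administrator has to wire up by hand.
echo "--- Add to your boot scripts: mount --bind $cfg_reporoot $cfg_chroot/$cfg_jailreporoot"
echo "--- Add to your boot scripts: mount --bind /proc $cfg_chroot/proc"
echo "--- Add to your syslog configuration: listening on socket $cfg_chroot/dev/log"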