|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
1 |
#!/usr/bin/python
|
2 |
# IVLE - Informatics Virtual Learning Environment
|
|
3 |
# Copyright (C) 2009 The University of Melbourne
|
|
4 |
#
|
|
5 |
# This program is free software; you can redistribute it and/or modify
|
|
6 |
# it under the terms of the GNU General Public License as published by
|
|
7 |
# the Free Software Foundation; either version 2 of the License, or
|
|
8 |
# (at your option) any later version.
|
|
9 |
#
|
|
10 |
# This program is distributed in the hope that it will be useful,
|
|
11 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
12 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
13 |
# GNU General Public License for more details.
|
|
14 |
#
|
|
15 |
# You should have received a copy of the GNU General Public License
|
|
16 |
# along with this program; if not, write to the Free Software
|
|
17 |
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
18 |
||
19 |
import optparse |
|
20 |
import os |
|
|
1281.1.9
by William Grant
Fail the jail build if there are any world-writable paths. |
21 |
import stat |
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
22 |
import sys |
23 |
import shutil |
|
24 |
||
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
25 |
import ivle.config |
26 |
import ivle.jailbuilder.debian |
|
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
27 |
|
|
1281.1.9
by William Grant
Fail the jail build if there are any world-writable paths. |
28 |
class UnsafeJail(Exception): |
29 |
pass
|
|
30 |
||
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
31 |
usage = """usage: %prog [options] |
32 |
(requires root)
|
|
33 |
Builds or updates the base IVLE jail."""
|
|
34 |
||
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
35 |
# Requires root
|
36 |
if os.getuid() != 0: |
|
|
1492
by David Coles
Fix spelling of 'privileges' |
37 |
print >> sys.stderr, "This script requires root privileges to run" |
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
38 |
sys.exit(1) |
39 |
||
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
40 |
conf = ivle.config.Config() |
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
41 |
build_path = conf['paths']['jails']['template_build'] |
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
42 |
|
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
43 |
# Parse arguments
|
44 |
parser = optparse.OptionParser(usage) |
|
45 |
parser.add_option("-r", "--recreate", |
|
46 |
action="store_true", dest="recreate", |
|
47 |
help='''Completely recreate the jail - don't just update its IVLE code. |
|
48 |
Be warned, this may download hundreds of megabytes!''') |
|
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
49 |
parser.add_option("-u", "--upgrade", |
50 |
action="store_true", dest="upgrade", |
|
51 |
help='''Apply any package updates in the jail.''') |
|
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
52 |
parser.add_option("-m", "--mirror", |
53 |
action="store", dest="apt_mirror", |
|
|
1289
by William Grant
Allow overriding of the default jailbuilding mirror in ivle.conf. |
54 |
help="Sets the apt mirror.", default=conf['jail']['mirror']) |
|
1191
by Matt Giuca
ivle-buildjail: Added option --python-site-packages, which allows the user to |
55 |
parser.add_option("--python-site-packages", |
56 |
action="store", dest="python_site_packages", |
|
57 |
help="Path to Python site packages directory inside the jail.", |
|
58 |
default=None) |
|
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
59 |
(options, args) = parser.parse_args(sys.argv) |
60 |
||
61 |
if os.geteuid() != 0: |
|
62 |
print >> sys.stderr, "Must be root to run buildjail." |
|
63 |
sys.exit(1) |
|
64 |
||
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
65 |
if not options.recreate and not os.path.exists(build_path): |
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
66 |
print >> sys.stderr, "No jail exists -- please rerun with -r." |
67 |
sys.exit(1) |
|
68 |
||
|
1191
by Matt Giuca
ivle-buildjail: Added option --python-site-packages, which allows the user to |
69 |
if (options.python_site_packages is not None and |
70 |
options.python_site_packages[:1] not in (os.path.sep, os.path.altsep)): |
|
71 |
print >> sys.stderr, "python-site-packages must be an absolute path." |
|
72 |
sys.exit(1) |
|
73 |
||
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
74 |
if options.recreate: |
|
1123
by William Grant
ivle-buildjail now replaces sources.list and installs extra packages. |
75 |
options.upgrade = True |
76 |
||
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
77 |
# Create the jail and its subdirectories
|
78 |
# Note: Other subdirs will be made by copying files
|
|
79 |
if options.apt_mirror is not None: |
|
80 |
os.environ['MIRROR'] = options.apt_mirror |
|
81 |
||
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
82 |
os.system('rm -rf --one-file-system ' + build_path) |
|
1092.1.22
by William Grant
Allow configuration of the suite used for debootstrapping a new jail. |
83 |
ivle.jailbuilder.debian.debootstrap_create_jail(conf['jail']['suite'], |
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
84 |
build_path, mirror=options.apt_mirror) |
85 |
||
|
1123
by William Grant
ivle-buildjail now replaces sources.list and installs extra packages. |
86 |
ivle.jailbuilder.debian.apt_update_cache(build_path) |
|
1400
by David Coles
Add python-configobj to ivle-buildjail as it is required for the correct functioning of IVLE |
87 |
# Minimal required packages
|
|
1123
by William Grant
ivle-buildjail now replaces sources.list and installs extra packages. |
88 |
ivle.jailbuilder.debian.apt_install(build_path, |
|
1400
by David Coles
Add python-configobj to ivle-buildjail as it is required for the correct functioning of IVLE |
89 |
['python2.5', 'python-cjson', 'python-svn', 'python-configobj']) |
|
1123
by William Grant
ivle-buildjail now replaces sources.list and installs extra packages. |
90 |
|
91 |
ivle.jailbuilder.debian.apt_clean(build_path) |
|
92 |
||
93 |
if options.upgrade: |
|
94 |
# Run apt-get update, apt-get upgrade and apt-get clean.
|
|
95 |
ivle.jailbuilder.debian.mangle_sources_list(build_path, clobber=True) |
|
96 |
ivle.jailbuilder.debian.mangle_sources_list(build_path, lines=[ |
|
97 |
'deb %s %s%s %s' % (options.apt_mirror, conf['jail']['suite'], |
|
98 |
pocket, ' '.join(['main', 'universe'])) |
|
99 |
for pocket in ('', '-updates', '-security')]) |
|
100 |
||
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
101 |
# Add any extra site apt sources.
|
102 |
if conf['jail']['extra_sources']: |
|
103 |
ivle.jailbuilder.debian.mangle_sources_list(build_path, |
|
104 |
conf['jail']['extra_sources']) |
|
105 |
||
106 |
# Add any extra site apt keys.
|
|
107 |
if conf['jail']['extra_keys']: |
|
108 |
ivle.jailbuilder.debian.apt_add_key(build_path, |
|
109 |
conf['jail']['extra_keys']) |
|
110 |
||
111 |
ivle.jailbuilder.debian.apt_update_cache(build_path) |
|
|
1123
by William Grant
ivle-buildjail now replaces sources.list and installs extra packages. |
112 |
ivle.jailbuilder.debian.apt_upgrade(build_path) |
|
1092.1.16
by William Grant
Reimplement setup/buildjail.sh in Python. This means that sites can configure |
113 |
|
114 |
# Install any extra site packages.
|
|
115 |
if conf['jail']['extra_packages']: |
|
116 |
ivle.jailbuilder.debian.apt_install(build_path, |
|
117 |
conf['jail']['extra_packages']) |
|
118 |
||
119 |
ivle.jailbuilder.debian.apt_clean(build_path) |
|
120 |
||
|
1099.1.179
by William Grant
ivle-buildjail now only copies the system's IVLE files if jail/devmode |
121 |
if conf['jail']['devmode']: |
122 |
# Copy all console and operating system files into the jail
|
|
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
123 |
services_path = os.path.join(conf['paths']['share'], 'services') |
|
1099.1.179
by William Grant
ivle-buildjail now only copies the system's IVLE files if jail/devmode |
124 |
jail_services_path = os.path.join(build_path, services_path[1:]) |
125 |
if os.path.exists(jail_services_path): |
|
126 |
shutil.rmtree(jail_services_path) |
|
127 |
shutil.copytree(services_path, jail_services_path) |
|
128 |
||
129 |
# Also copy the IVLE lib directory into the jail
|
|
130 |
# This is necessary for running certain services
|
|
|
1191
by Matt Giuca
ivle-buildjail: Added option --python-site-packages, which allows the user to |
131 |
|
132 |
# ivle_site_packages is the IVLE install location outside the jail
|
|
133 |
ivle_site_packages = os.path.dirname(ivle.__file__) |
|
134 |
||
135 |
if options.python_site_packages is None: |
|
136 |
# Get the site packages from the IVLE install location *OUTSIDE* the
|
|
137 |
# jail. Warning! This only works if you have the same Python site
|
|
138 |
# packages directory inside and out (ie. same Python version).
|
|
139 |
# If not, you should use --python-site-packages.
|
|
140 |
jail_site_packages = os.path.join(build_path, ivle_site_packages[1:]) |
|
141 |
else: |
|
142 |
# User-specified site packages
|
|
143 |
jail_site_packages = os.path.join(build_path, |
|
144 |
options.python_site_packages[1:], "ivle") |
|
|
1099.1.179
by William Grant
ivle-buildjail now only copies the system's IVLE files if jail/devmode |
145 |
if os.path.exists(jail_site_packages): |
146 |
shutil.rmtree(jail_site_packages) |
|
147 |
shutil.copytree(ivle_site_packages, jail_site_packages) |
|
148 |
||
|
1404
by William Grant
When in devmode, copy hosts/hostname/resolv.conf into the jail. |
149 |
# And finally copy in /etc/hosts, /etc/resolv.conf and /etc/hostname,
|
150 |
# so name resolution is less unlikely to work.
|
|
151 |
shutil.copy( |
|
152 |
'/etc/resolv.conf', os.path.join(build_path, 'etc/resolv.conf')) |
|
153 |
shutil.copy('/etc/hosts', os.path.join(build_path, 'etc/hosts')) |
|
154 |
shutil.copy('/etc/hostname', os.path.join(build_path, 'etc/hostname')) |
|
155 |
||
|
1281.1.9
by William Grant
Fail the jail build if there are any world-writable paths. |
156 |
# Make /tmp and /var/lock un-world-writable. /tmp will be mounted over,
|
157 |
# and /var/{lock,tmp} should die.
|
|
158 |
for path in ('tmp', 'var/lock', 'var/tmp'): |
|
159 |
path = os.path.join(build_path, path) |
|
160 |
os.chmod(path, os.stat(path).st_mode & ~stat.S_IWOTH) |
|
161 |
||
162 |
# Verify that nothing in the jail is world-writable.
|
|
163 |
# We don't want students to write into places that others can see.
|
|
|
1393
by David Coles
Provide a better error message when ivle-buildjail detects world writeable files in the jail template |
164 |
try: |
165 |
for path, dirs, files in os.walk(build_path): |
|
166 |
for dname in dirs: |
|
167 |
d = os.path.join(path, dname) |
|
168 |
if os.path.islink(d): |
|
169 |
continue
|
|
170 |
if os.stat(d).st_mode & stat.S_IWOTH: |
|
171 |
raise UnsafeJail(d) |
|
172 |
||
173 |
for fname in files: |
|
174 |
f = os.path.join(path, fname) |
|
175 |
if os.path.islink(f): |
|
176 |
continue
|
|
177 |
if os.stat(f).st_mode & stat.S_IWOTH: |
|
178 |
if (os.path.dirname(f) == os.path.join(build_path, 'dev') and |
|
179 |
os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero', |
|
180 |
'random', 'urandom') |
|
181 |
):
|
|
182 |
continue
|
|
183 |
raise UnsafeJail(f) |
|
184 |
except UnsafeJail, e: |
|
185 |
print >> sys.stderr,"""Error: Jail contains world writable path: '%s'. |
|
186 |
This is a security vulnerability as jail template contents are shared between
|
|
187 |
users. Please either make this path world unwriteable or remove it from the
|
|
188 |
jail."""%str(e) |
|
189 |
sys.exit(1) |
|
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
190 |
|
191 |
# Copy jail template build to actual jail template
|
|
192 |
template_path = conf['paths']['jails']['template'] |
|
|
1092.1.5
by William Grant
ivle-buildjail: Remove some too-new rsync options. |
193 |
if os.spawnvp(os.P_WAIT, 'rsync', ['rsync', '-a', '--delete', |
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
194 |
build_path + '/', template_path]) != 0: |
|
1092.1.2
by William Grant
ivle-buildjail: Actually add. |
195 |
print >> sys.stderr, "Jail copying failed." |
196 |
sys.exit(1) |
|
197 |
||
|
1281.1.2
by William Grant
Replace /etc/passwd and /etc/ivle/ivle.conf in the jail with symlinks. |
198 |
# Now mangle things a bit, so we can bind-mount the user bits in.
|
199 |
# /etc/passwd and /etc/ivle/ivle.conf need to be symlinks to somewhere in /home
|
|
200 |
||
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
201 |
os.rename(os.path.join(template_path, 'etc/passwd'), |
202 |
os.path.join(template_path, 'home/.passwd') |
|
|
1281.1.2
by William Grant
Replace /etc/passwd and /etc/ivle/ivle.conf in the jail with symlinks. |
203 |
)
|
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
204 |
os.symlink('../home/.passwd', os.path.join(template_path, 'etc/passwd')) |
|
1281.1.2
by William Grant
Replace /etc/passwd and /etc/ivle/ivle.conf in the jail with symlinks. |
205 |
|
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
206 |
os.makedirs(os.path.join(template_path, "etc/ivle")) |
|
1281.1.6
by William Grant
Fix /etc/ivle/ivle.conf symlink in jail. |
207 |
os.symlink('../../home/.ivle.conf', |
|
1392
by David Coles
Remove ivle-buildjail's dependancy on the old ivle.conf module |
208 |
os.path.join(template_path, "etc/ivle/ivle.conf")) |