← Back to branch summary

~azzar1/unity/add-show-desktop-key

« back to all changes in this revision

Viewing changes to bin/ivle-buildjail

  • Committer: William Grant
  • Date: 2009-07-31 04:19:31 UTC
  • mto: This revision was merged to the branch mainline in revision 1300.
  • Revision ID: me@williamgrant.id.au-20090731041931-4et5e8apnqr38spy
Fail the jail build if there are any world-writable paths.

Show diffs side-by-side

added added

removed removed

Lines of Context:
bin/ivle-buildjail
18
18
 
19
19
import optparse
20
20
import os
 
21
import stat
21
22
import sys
22
23
import shutil
23
24
 
25
26
import ivle.config
26
27
import ivle.jailbuilder.debian
27
28
 
 
29
class UnsafeJail(Exception):
 
30
    pass
 
31
 
28
32
usage = """usage: %prog [options]
29
33
(requires root)
30
34
Builds or updates the base IVLE jail."""
137
141
        shutil.rmtree(jail_site_packages)
138
142
    shutil.copytree(ivle_site_packages, jail_site_packages)
139
143
 
 
144
# Make /tmp and /var/lock un-world-writable. /tmp will be mounted over,
 
145
# and /var/{lock,tmp} should die.
 
146
for path in ('tmp', 'var/lock', 'var/tmp'):
 
147
    path = os.path.join(build_path, path)
 
148
    os.chmod(path, os.stat(path).st_mode & ~stat.S_IWOTH)
 
149
 
 
150
# Verify that nothing in the jail is world-writable.
 
151
# We don't want students to write into places that others can see.
 
152
for path, dirs, files in os.walk(build_path):
 
153
    for dname in dirs:
 
154
        d = os.path.join(path, dname)
 
155
        if os.path.islink(d):
 
156
            continue
 
157
        if os.stat(d).st_mode & stat.S_IWOTH:
 
158
            raise UnsafeJail(d)
 
159
 
 
160
    for fname in files:
 
161
        f = os.path.join(path, fname)
 
162
        if os.path.islink(f):
 
163
            continue
 
164
        if os.stat(f).st_mode & stat.S_IWOTH:
 
165
            if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
 
166
                os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
 
167
                                        'random', 'urandom')
 
168
                ):
 
169
                continue
 
170
            raise UnsafeJail(f)
 
171
    
 
172
 
140
173
if os.spawnvp(os.P_WAIT, 'rsync', ['rsync', '-a', '--delete',
141
174
              build_path + '/', ivle.conf.jail_system]) != 0:
142
175
    print >> sys.stderr, "Jail copying failed."