← Back to branch summary

~azzar1/unity/add-show-desktop-key

« back to all changes in this revision

Viewing changes to bin/ivle-buildjail

  • Committer: David Coles
  • Date: 2009-07-21 02:19:56 UTC
  • mto: (1281.1.8 aufsless)
  • mto: This revision was merged to the branch mainline in revision 1300.
  • Revision ID: coles.david@gmail.com-20090721021956-c1jiwu7fhi2dna1g
Updated to work on bind mounts

Show diffs side-by-side

added added

removed removed

Lines of Context:
bin/ivle-buildjail
18
18
 
19
19
import optparse
20
20
import os
21
 
import stat
22
21
import sys
23
22
import shutil
24
23
 
 
24
import ivle.conf
25
25
import ivle.config
26
26
import ivle.jailbuilder.debian
27
27
 
28
 
class UnsafeJail(Exception):
29
 
    pass
30
 
 
31
28
usage = """usage: %prog [options]
32
29
(requires root)
33
30
Builds or updates the base IVLE jail."""
34
31
 
35
 
# Requires root
36
 
if os.getuid() != 0:
37
 
    print >> sys.stderr, "This script requires root privileges to run"
38
 
    sys.exit(1)
39
 
 
40
32
conf = ivle.config.Config()
41
 
build_path = conf['paths']['jails']['template_build']
 
33
build_path = ivle.conf.jail_system_build
42
34
 
43
35
# Parse arguments
44
36
parser = optparse.OptionParser(usage)
51
43
    help='''Apply any package updates in the jail.''')
52
44
parser.add_option("-m", "--mirror",
53
45
    action="store", dest="apt_mirror",
54
 
    help="Sets the apt mirror.", default=conf['jail']['mirror'])
 
46
    help="Sets the apt mirror.", default="http://archive.ubuntu.com/ubuntu")
55
47
parser.add_option("--python-site-packages",
56
48
    action="store", dest="python_site_packages",
57
49
    help="Path to Python site packages directory inside the jail.",
84
76
              build_path, mirror=options.apt_mirror)
85
77
 
86
78
    ivle.jailbuilder.debian.apt_update_cache(build_path)
87
 
    # Minimal required packages
88
79
    ivle.jailbuilder.debian.apt_install(build_path,
89
 
            ['python2.5', 'python-cjson', 'python-svn', 'python-configobj'])
 
80
                        ['python2.5', 'python-cjson', 'python-svn'])
90
81
 
91
82
    ivle.jailbuilder.debian.apt_clean(build_path)
92
83
 
118
109
 
119
110
    ivle.jailbuilder.debian.apt_clean(build_path)
120
111
 
121
 
    # Configure locales to allow en_US.UTF-8 (which IVLE uses)
122
 
    ivle.jailbuilder.debian._execute_in_chroot(build_path,
123
 
        ['locale-gen', 'en_US.UTF-8'])
124
 
 
125
112
if conf['jail']['devmode']:
126
113
    # Copy all console and operating system files into the jail
127
 
    services_path = os.path.join(conf['paths']['share'], 'services')
 
114
    services_path = os.path.join(ivle.conf.share_path, 'services')
128
115
    jail_services_path = os.path.join(build_path, services_path[1:])
129
116
    if os.path.exists(jail_services_path):
130
117
        shutil.rmtree(jail_services_path)
150
137
        shutil.rmtree(jail_site_packages)
151
138
    shutil.copytree(ivle_site_packages, jail_site_packages)
152
139
 
153
 
    # And finally copy in /etc/hosts, /etc/resolv.conf and /etc/hostname,
154
 
    # so name resolution is less unlikely to work.
155
 
    shutil.copy(
156
 
        '/etc/resolv.conf', os.path.join(build_path, 'etc/resolv.conf'))
157
 
    shutil.copy('/etc/hosts', os.path.join(build_path, 'etc/hosts'))
158
 
    shutil.copy('/etc/hostname', os.path.join(build_path, 'etc/hostname'))
159
 
 
160
 
# Make /tmp and /var/lock un-world-writable. /tmp will be mounted over,
161
 
# and /var/{lock,tmp} should die.
162
 
for path in ('tmp', 'var/lock', 'var/tmp'):
163
 
    path = os.path.join(build_path, path)
164
 
    os.chmod(path, os.stat(path).st_mode & ~stat.S_IWOTH)
165
 
 
166
 
# Verify that nothing in the jail is world-writable.
167
 
# We don't want students to write into places that others can see.
168
 
try:
169
 
    for path, dirs, files in os.walk(build_path):
170
 
        for dname in dirs:
171
 
            d = os.path.join(path, dname)
172
 
            if os.path.islink(d):
173
 
                continue
174
 
            if os.stat(d).st_mode & stat.S_IWOTH:
175
 
                raise UnsafeJail(d)
176
 
 
177
 
        for fname in files:
178
 
            f = os.path.join(path, fname)
179
 
            if os.path.islink(f):
180
 
                continue
181
 
            if os.stat(f).st_mode & stat.S_IWOTH:
182
 
                if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
183
 
                    os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
184
 
                                            'random', 'urandom')
185
 
                    ):
186
 
                    continue
187
 
                raise UnsafeJail(f)
188
 
except UnsafeJail, e:
189
 
    print >> sys.stderr,"""Error: Jail contains world writable path: '%s'.
190
 
This is a security vulnerability as jail template contents are shared between 
191
 
users. Please either make this path world unwriteable or remove it from the 
192
 
jail."""%str(e)
193
 
    sys.exit(1)
194
 
 
195
 
# Copy jail template build to actual jail template
196
 
template_path = conf['paths']['jails']['template']
197
140
if os.spawnvp(os.P_WAIT, 'rsync', ['rsync', '-a', '--delete',
198
 
              build_path + '/', template_path]) != 0:
 
141
              build_path + '/', ivle.conf.jail_system]) != 0:
199
142
    print >> sys.stderr, "Jail copying failed."
200
143
    sys.exit(1)
201
144
 
202
145
# Now mangle things a bit, so we can bind-mount the user bits in.
203
146
# /etc/passwd and /etc/ivle/ivle.conf need to be symlinks to somewhere in /home
204
147
 
205
 
os.rename(os.path.join(template_path, 'etc/passwd'),
206
 
          os.path.join(template_path, 'home/.passwd')
 
148
os.rename(os.path.join(ivle.conf.jail_system, 'etc/passwd'),
 
149
          os.path.join(ivle.conf.jail_system, 'home/.passwd')
207
150
          )
208
 
os.symlink('../home/.passwd', os.path.join(template_path, 'etc/passwd'))
 
151
os.symlink('../home/.passwd', os.path.join(ivle.conf.jail_system, 'etc/passwd'))
209
152
 
210
 
os.makedirs(os.path.join(template_path, "etc/ivle"))
 
153
os.makedirs(os.path.join(ivle.conf.jail_system, "etc/ivle"))
211
154
os.symlink('../../home/.ivle.conf',
212
 
           os.path.join(template_path, "etc/ivle/ivle.conf"))
 
155
           os.path.join(ivle.conf.jail_system, "etc/ivle/ivle.conf"))