~azzar1/unity/add-show-desktop-key


Viewing changes to bin/ivle-buildjail

  • Committer: David Coles
  • Date: 2009-12-02 00:31:40 UTC
  • mfrom: (1326.1.4 svn-fixes)
  • Revision ID: coles.david@gmail.com-20091202003140-n0k6rmv86hu6mj2p
Allow updating files to past revisions through 'Subversion Log' page.

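--- a/bin/ivle-buildjail
+++ b/bin/ivle-buildjail
@@ -22,6 +22,7 @@
 import sys
 import shutil
 
+import ivle.conf
 import ivle.config
 import ivle.jailbuilder.debian
 
@@ -32,13 +33,8 @@
 (requires root)
 Builds or updates the base IVLE jail."""
 
-# Requires root
-if os.getuid() != 0:
-    print >> sys.stderr, "This script requires root privileges to run"
-    sys.exit(1)
-
 conf = ivle.config.Config()
-build_path = conf['paths']['jails']['template_build']
+build_path = ivle.conf.jail_system_build
 
 # Parse arguments
 parser = optparse.OptionParser(usage)
@@ -84,9 +80,8 @@
               build_path, mirror=options.apt_mirror)
 
     ivle.jailbuilder.debian.apt_update_cache(build_path)
-    # Minimal required packages
     ivle.jailbuilder.debian.apt_install(build_path,
-            ['python2.5', 'python-cjson', 'python-svn', 'python-configobj'])
+                        ['python2.5', 'python-cjson', 'python-svn'])
 
     ivle.jailbuilder.debian.apt_clean(build_path)
 
@@ -120,7 +115,7 @@
 
 if conf['jail']['devmode']:
     # Copy all console and operating system files into the jail
-    services_path = os.path.join(conf['paths']['share'], 'services')
+    services_path = os.path.join(ivle.conf.share_path, 'services')
     jail_services_path = os.path.join(build_path, services_path[1:])
     if os.path.exists(jail_services_path):
         shutil.rmtree(jail_services_path)
@@ -146,13 +141,6 @@
         shutil.rmtree(jail_site_packages)
     shutil.copytree(ivle_site_packages, jail_site_packages)
 
-    # And finally copy in /etc/hosts, /etc/resolv.conf and /etc/hostname,
-    # so name resolution is less unlikely to work.
-    shutil.copy(
-        '/etc/resolv.conf', os.path.join(build_path, 'etc/resolv.conf'))
-    shutil.copy('/etc/hosts', os.path.join(build_path, 'etc/hosts'))
-    shutil.copy('/etc/hostname', os.path.join(build_path, 'etc/hostname'))
-
 # Make /tmp and /var/lock un-world-writable. /tmp will be mounted over,
 # and /var/{lock,tmp} should die.
 for path in ('tmp', 'var/lock', 'var/tmp'):
@@ -161,48 +149,40 @@
 
 # Verify that nothing in the jail is world-writable.
 # We don't want students to write into places that others can see.
-try:
-    for path, dirs, files in os.walk(build_path):
-        for dname in dirs:
-            d = os.path.join(path, dname)
-            if os.path.islink(d):
-                continue
-            if os.stat(d).st_mode & stat.S_IWOTH:
-                raise UnsafeJail(d)
-
-        for fname in files:
-            f = os.path.join(path, fname)
-            if os.path.islink(f):
-                continue
-            if os.stat(f).st_mode & stat.S_IWOTH:
-                if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
-                    os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
-                                            'random', 'urandom')
-                    ):
-                    continue
-                raise UnsafeJail(f)
-except UnsafeJail, e:
-    print >> sys.stderr,"""Error: Jail contains world writable path: '%s'.
-This is a security vulnerability as jail template contents are shared between 
-users. Please either make this path world unwriteable or remove it from the 
-jail."""%str(e)
-    sys.exit(1)
-
-# Copy jail template build to actual jail template
-template_path = conf['paths']['jails']['template']
+for path, dirs, files in os.walk(build_path):
+    for dname in dirs:
+        d = os.path.join(path, dname)
+        if os.path.islink(d):
+            continue
+        if os.stat(d).st_mode & stat.S_IWOTH:
+            raise UnsafeJail(d)
+
+    for fname in files:
+        f = os.path.join(path, fname)
+        if os.path.islink(f):
+            continue
+        if os.stat(f).st_mode & stat.S_IWOTH:
+            if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
+                os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
+                                        'random', 'urandom')
+                ):
+                continue
+            raise UnsafeJail(f)
+    
+
 if os.spawnvp(os.P_WAIT, 'rsync', ['rsync', '-a', '--delete',
-              build_path + '/', template_path]) != 0:
+              build_path + '/', ivle.conf.jail_system]) != 0:
     print >> sys.stderr, "Jail copying failed."
     sys.exit(1)
 
 # Now mangle things a bit, so we can bind-mount the user bits in.
 # /etc/passwd and /etc/ivle/ivle.conf need to be symlinks to somewhere in /home
 
-os.rename(os.path.join(template_path, 'etc/passwd'),
-          os.path.join(template_path, 'home/.passwd')
+os.rename(os.path.join(ivle.conf.jail_system, 'etc/passwd'),
+          os.path.join(ivle.conf.jail_system, 'home/.passwd')
           )
-os.symlink('../home/.passwd', os.path.join(template_path, 'etc/passwd'))
+os.symlink('../home/.passwd', os.path.join(ivle.conf.jail_system, 'etc/passwd'))
 
-os.makedirs(os.path.join(template_path, "etc/ivle"))
+os.makedirs(os.path.join(ivle.conf.jail_system, "etc/ivle"))
 os.symlink('../../home/.ivle.conf',
-           os.path.join(template_path, "etc/ivle/ivle.conf"))
+           os.path.join(ivle.conf.jail_system, "etc/ivle/ivle.conf"))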
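Review bot: The world-writable scan at new lines 152-170 now raises `UnsafeJail` with no handler around it. A failed check still stops the script before the `rsync --delete` step, but the operator gets a bare traceback instead of the message explaining that template contents are shared between users. I would keep the `try:` / `except UnsafeJail, e:` wrapper and its `sys.exit(1)`; `UnsafeJail` is defined outside the visible lines. The early `os.getuid() != 0` check is also gone on the new side although the usage text still says "(requires root)", so an unprivileged run would presumably fail partway through the build rather than at the start. Separately, the `/dev` exemption in the same loop matches on directory and basename only; adding `and stat.S_ISCHR(os.stat(f).st_mode)` to that condition would stop a regular world-writable file named `null` or `zero` from passing the gate.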