← Back to branch summary

~azzar1/unity/add-show-desktop-key

« back to all changes in this revision

Viewing changes to bin/ivle-buildjail

  • Committer: Matt Giuca
  • Date: 2010-02-11 05:54:45 UTC
  • Revision ID: matt.giuca@gmail.com-20100211055445-151qrs4xczzl5rns
Docs: Completed Tour of IVLE (finished Admin section). Apologies for the mess on the previous commit -- committed an unfinished document.

Show diffs side-by-side

added added

removed removed

Lines of Context:
bin/ivle-buildjail
22
22
import sys
23
23
import shutil
24
24
 
25
 
import ivle.conf
26
25
import ivle.config
27
26
import ivle.jailbuilder.debian
28
27
 
33
32
(requires root)
34
33
Builds or updates the base IVLE jail."""
35
34
 
 
35
# Requires root
 
36
if os.getuid() != 0:
 
37
    print >> sys.stderr, "This script requires root privileges to run"
 
38
    sys.exit(1)
 
39
 
36
40
conf = ivle.config.Config()
37
 
build_path = ivle.conf.jail_system_build
 
41
build_path = conf['paths']['jails']['template_build']
38
42
 
39
43
# Parse arguments
40
44
parser = optparse.OptionParser(usage)
80
84
              build_path, mirror=options.apt_mirror)
81
85
 
82
86
    ivle.jailbuilder.debian.apt_update_cache(build_path)
 
87
    # Minimal required packages
83
88
    ivle.jailbuilder.debian.apt_install(build_path,
84
 
                        ['python2.5', 'python-cjson', 'python-svn'])
 
89
            ['python2.5', 'python-cjson', 'python-svn', 'python-configobj'])
85
90
 
86
91
    ivle.jailbuilder.debian.apt_clean(build_path)
87
92
 
115
120
 
116
121
if conf['jail']['devmode']:
117
122
    # Copy all console and operating system files into the jail
118
 
    services_path = os.path.join(ivle.conf.share_path, 'services')
 
123
    services_path = os.path.join(conf['paths']['share'], 'services')
119
124
    jail_services_path = os.path.join(build_path, services_path[1:])
120
125
    if os.path.exists(jail_services_path):
121
126
        shutil.rmtree(jail_services_path)
141
146
        shutil.rmtree(jail_site_packages)
142
147
    shutil.copytree(ivle_site_packages, jail_site_packages)
143
148
 
 
149
    # And finally copy in /etc/hosts, /etc/resolv.conf and /etc/hostname,
 
150
    # so name resolution is less unlikely to work.
 
151
    shutil.copy(
 
152
        '/etc/resolv.conf', os.path.join(build_path, 'etc/resolv.conf'))
 
153
    shutil.copy('/etc/hosts', os.path.join(build_path, 'etc/hosts'))
 
154
    shutil.copy('/etc/hostname', os.path.join(build_path, 'etc/hostname'))
 
155
 
144
156
# Make /tmp and /var/lock un-world-writable. /tmp will be mounted over,
145
157
# and /var/{lock,tmp} should die.
146
158
for path in ('tmp', 'var/lock', 'var/tmp'):
149
161
 
150
162
# Verify that nothing in the jail is world-writable.
151
163
# We don't want students to write into places that others can see.
152
 
for path, dirs, files in os.walk(build_path):
153
 
    for dname in dirs:
154
 
        d = os.path.join(path, dname)
155
 
        if os.path.islink(d):
156
 
            continue
157
 
        if os.stat(d).st_mode & stat.S_IWOTH:
158
 
            raise UnsafeJail(d)
159
 
 
160
 
    for fname in files:
161
 
        f = os.path.join(path, fname)
162
 
        if os.path.islink(f):
163
 
            continue
164
 
        if os.stat(f).st_mode & stat.S_IWOTH:
165
 
            if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
166
 
                os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
167
 
                                        'random', 'urandom')
168
 
                ):
169
 
                continue
170
 
            raise UnsafeJail(f)
171
 
    
172
 
 
 
164
try:
 
165
    for path, dirs, files in os.walk(build_path):
 
166
        for dname in dirs:
 
167
            d = os.path.join(path, dname)
 
168
            if os.path.islink(d):
 
169
                continue
 
170
            if os.stat(d).st_mode & stat.S_IWOTH:
 
171
                raise UnsafeJail(d)
 
172
 
 
173
        for fname in files:
 
174
            f = os.path.join(path, fname)
 
175
            if os.path.islink(f):
 
176
                continue
 
177
            if os.stat(f).st_mode & stat.S_IWOTH:
 
178
                if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
 
179
                    os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
 
180
                                            'random', 'urandom')
 
181
                    ):
 
182
                    continue
 
183
                raise UnsafeJail(f)
 
184
except UnsafeJail, e:
 
185
    print >> sys.stderr,"""Error: Jail contains world writable path: '%s'.
 
186
This is a security vulnerability as jail template contents are shared between 
 
187
users. Please either make this path world unwriteable or remove it from the 
 
188
jail."""%str(e)
 
189
    sys.exit(1)
 
190
 
 
191
# Copy jail template build to actual jail template
 
192
template_path = conf['paths']['jails']['template']
173
193
if os.spawnvp(os.P_WAIT, 'rsync', ['rsync', '-a', '--delete',
174
 
              build_path + '/', ivle.conf.jail_system]) != 0:
 
194
              build_path + '/', template_path]) != 0:
175
195
    print >> sys.stderr, "Jail copying failed."
176
196
    sys.exit(1)
177
197
 
178
198
# Now mangle things a bit, so we can bind-mount the user bits in.
179
199
# /etc/passwd and /etc/ivle/ivle.conf need to be symlinks to somewhere in /home
180
200
 
181
 
os.rename(os.path.join(ivle.conf.jail_system, 'etc/passwd'),
182
 
          os.path.join(ivle.conf.jail_system, 'home/.passwd')
 
201
os.rename(os.path.join(template_path, 'etc/passwd'),
 
202
          os.path.join(template_path, 'home/.passwd')
183
203
          )
184
 
os.symlink('../home/.passwd', os.path.join(ivle.conf.jail_system, 'etc/passwd'))
 
204
os.symlink('../home/.passwd', os.path.join(template_path, 'etc/passwd'))
185
205
 
186
 
os.makedirs(os.path.join(ivle.conf.jail_system, "etc/ivle"))
 
206
os.makedirs(os.path.join(template_path, "etc/ivle"))
187
207
os.symlink('../../home/.ivle.conf',
188
 
           os.path.join(ivle.conf.jail_system, "etc/ivle/ivle.conf"))
 
208
           os.path.join(template_path, "etc/ivle/ivle.conf"))