80
84
build_path, mirror=options.apt_mirror)
82
86
ivle.jailbuilder.debian.apt_update_cache(build_path)
87
# Minimal required packages
83
88
ivle.jailbuilder.debian.apt_install(build_path,
84
['python2.5', 'python-cjson', 'python-svn'])
89
['python2.5', 'python-cjson', 'python-svn', 'python-configobj'])
86
91
ivle.jailbuilder.debian.apt_clean(build_path)
114
119
ivle.jailbuilder.debian.apt_clean(build_path)
121
# Configure locales to allow en_US.UTF-8 (which IVLE uses)
122
ivle.jailbuilder.debian._execute_in_chroot(build_path,
123
['locale-gen', 'en_US.UTF-8'])
116
125
if conf['jail']['devmode']:
117
126
# Copy all console and operating system files into the jail
118
services_path = os.path.join(ivle.conf.share_path, 'services')
127
services_path = os.path.join(conf['paths']['share'], 'services')
119
128
jail_services_path = os.path.join(build_path, services_path[1:])
120
129
if os.path.exists(jail_services_path):
121
130
shutil.rmtree(jail_services_path)
141
150
shutil.rmtree(jail_site_packages)
142
151
shutil.copytree(ivle_site_packages, jail_site_packages)
153
# And finally copy in /etc/hosts, /etc/resolv.conf and /etc/hostname,
154
# so name resolution is less unlikely to work.
156
'/etc/resolv.conf', os.path.join(build_path, 'etc/resolv.conf'))
157
shutil.copy('/etc/hosts', os.path.join(build_path, 'etc/hosts'))
158
shutil.copy('/etc/hostname', os.path.join(build_path, 'etc/hostname'))
144
160
# Make /tmp and /var/lock un-world-writable. /tmp will be mounted over,
145
161
# and /var/{lock,tmp} should die.
146
162
for path in ('tmp', 'var/lock', 'var/tmp'):
150
166
# Verify that nothing in the jail is world-writable.
151
167
# We don't want students to write into places that others can see.
152
for path, dirs, files in os.walk(build_path):
154
d = os.path.join(path, dname)
155
if os.path.islink(d):
157
if os.stat(d).st_mode & stat.S_IWOTH:
161
f = os.path.join(path, fname)
162
if os.path.islink(f):
164
if os.stat(f).st_mode & stat.S_IWOTH:
165
if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
166
os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
169
for path, dirs, files in os.walk(build_path):
171
d = os.path.join(path, dname)
172
if os.path.islink(d):
174
if os.stat(d).st_mode & stat.S_IWOTH:
178
f = os.path.join(path, fname)
179
if os.path.islink(f):
181
if os.stat(f).st_mode & stat.S_IWOTH:
182
if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
183
os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
188
except UnsafeJail, e:
189
print >> sys.stderr,"""Error: Jail contains world writable path: '%s'.
190
This is a security vulnerability as jail template contents are shared between
191
users. Please either make this path world unwriteable or remove it from the
195
# Copy jail template build to actual jail template
196
template_path = conf['paths']['jails']['template']
173
197
if os.spawnvp(os.P_WAIT, 'rsync', ['rsync', '-a', '--delete',
174
build_path + '/', ivle.conf.jail_system]) != 0:
198
build_path + '/', template_path]) != 0:
175
199
print >> sys.stderr, "Jail copying failed."
178
202
# Now mangle things a bit, so we can bind-mount the user bits in.
179
203
# /etc/passwd and /etc/ivle/ivle.conf need to be symlinks to somewhere in /home
181
os.rename(os.path.join(ivle.conf.jail_system, 'etc/passwd'),
182
os.path.join(ivle.conf.jail_system, 'home/.passwd')
205
os.rename(os.path.join(template_path, 'etc/passwd'),
206
os.path.join(template_path, 'home/.passwd')
184
os.symlink('../home/.passwd', os.path.join(ivle.conf.jail_system, 'etc/passwd'))
208
os.symlink('../home/.passwd', os.path.join(template_path, 'etc/passwd'))
186
os.makedirs(os.path.join(ivle.conf.jail_system, "etc/ivle"))
210
os.makedirs(os.path.join(template_path, "etc/ivle"))
187
211
os.symlink('../../home/.ivle.conf',
188
os.path.join(ivle.conf.jail_system, "etc/ivle/ivle.conf"))
212
os.path.join(template_path, "etc/ivle/ivle.conf"))
added
removed
bin/ivle-buildjail
