54
66
print >> sys.stderr, "No jail exists -- please rerun with -r."
69
if (options.python_site_packages is not None and
70
options.python_site_packages[:1] not in (os.path.sep, os.path.altsep)):
71
print >> sys.stderr, "python-site-packages must be an absolute path."
57
74
if options.recreate:
75
options.upgrade = True
58
77
# Create the jail and its subdirectories
59
78
# Note: Other subdirs will be made by copying files
60
79
if options.apt_mirror is not None:
61
80
os.environ['MIRROR'] = options.apt_mirror
82
# Print a final warning to the user that this is a potentially-expensive
84
recreating = "Re-creating" if os.path.exists(build_path) else "Creating"
85
print_mirror = options.apt_mirror or 'http://archive.ubuntu.com/ubuntu'
86
print """%s jail from %s
87
Be warned, this may download hundreds of megabytes!
88
If this is the wrong source, please cancel now (note that it is too late to
89
save the existing jail; you will have to rebuild the jail from scratch now).\
90
""" % (recreating, print_mirror)
63
92
os.system('rm -rf --one-file-system ' + build_path)
64
93
ivle.jailbuilder.debian.debootstrap_create_jail(conf['jail']['suite'],
65
94
build_path, mirror=options.apt_mirror)
96
ivle.jailbuilder.debian.apt_update_cache(build_path)
97
# Minimal required packages
98
ivle.jailbuilder.debian.apt_install(build_path,
99
['python', 'python-simplejson', 'python-svn', 'python-configobj'])
101
ivle.jailbuilder.debian.apt_clean(build_path)
104
# Run apt-get update, apt-get upgrade and apt-get clean.
105
ivle.jailbuilder.debian.mangle_sources_list(build_path, clobber=True)
106
ivle.jailbuilder.debian.mangle_sources_list(build_path, lines=[
107
'deb %s %s%s %s' % (options.apt_mirror, conf['jail']['suite'],
108
pocket, ' '.join(['main', 'universe']))
109
for pocket in ('', '-updates', '-security')])
67
111
# Add any extra site apt sources.
68
112
if conf['jail']['extra_sources']:
69
113
ivle.jailbuilder.debian.mangle_sources_list(build_path,
86
129
ivle.jailbuilder.debian.apt_clean(build_path)
89
# Run apt-get update, apt-get upgrade and apt-get clean.
90
ivle.jailbuilder.debian.apt_update_cache(build_path)
91
ivle.jailbuilder.debian.apt_upgrade(build_path)
92
ivle.jailbuilder.debian.apt_clean(build_path)
94
# Copy all console and operating system files into the jail
95
services_path = os.path.join(ivle.conf.share_path, 'services')
96
jail_services_path = os.path.join(build_path, services_path[1:])
97
if os.path.exists(jail_services_path):
98
shutil.rmtree(jail_services_path)
99
shutil.copytree(services_path, jail_services_path)
101
# Also copy the IVLE lib directory into the jail
102
# This is necessary for running certain services
103
ivle_site_packages = os.path.join(ivle.conf.python_site_packages, 'ivle')
104
jail_site_packages = os.path.join(build_path, ivle_site_packages[1:])
105
if os.path.exists(jail_site_packages):
106
shutil.rmtree(jail_site_packages)
107
shutil.copytree(ivle_site_packages, jail_site_packages)
109
# IMPORTANT: ivle/conf/conf.py contains details which could compromise security
110
# if left in the jail (such as the DB password). We delete it now! It would be
111
# shadowed by the per-user conf.py anyway, but it's best to be safe.
112
os.unlink(os.path.join(jail_site_packages, 'conf/conf.py'))
113
# XXX: Shouldn't copy the compiled files at all, but compile them in the jail!
114
os.unlink(os.path.join(jail_site_packages, 'conf/conf.pyc'))
131
# Configure locales to allow en_US.UTF-8 (which IVLE uses)
132
ivle.jailbuilder.debian._execute_in_chroot(build_path,
133
['locale-gen', 'en_US.UTF-8'])
135
if conf['jail']['devmode']:
136
# Copy all console and operating system files into the jail
137
services_path = os.path.join(conf['paths']['share'], 'services')
138
jail_services_path = os.path.join(build_path, services_path[1:])
139
if os.path.exists(jail_services_path):
140
shutil.rmtree(jail_services_path)
141
shutil.copytree(services_path, jail_services_path)
143
# Also copy the IVLE lib directory into the jail
144
# This is necessary for running certain services
146
# ivle_site_packages is the IVLE install location outside the jail
147
ivle_site_packages = os.path.dirname(ivle.__file__)
149
if options.python_site_packages is None:
150
# Get the site packages from the IVLE install location *OUTSIDE* the
151
# jail. Warning! This only works if you have the same Python site
152
# packages directory inside and out (ie. same Python version).
153
# If not, you should use --python-site-packages.
154
jail_site_packages = os.path.join(build_path, ivle_site_packages[1:])
156
# User-specified site packages
157
jail_site_packages = os.path.join(build_path,
158
options.python_site_packages[1:], "ivle")
159
if os.path.exists(jail_site_packages):
160
shutil.rmtree(jail_site_packages)
161
shutil.copytree(ivle_site_packages, jail_site_packages)
163
# And finally copy in /etc/hosts, /etc/resolv.conf and /etc/hostname,
164
# so name resolution is less unlikely to work.
166
'/etc/resolv.conf', os.path.join(build_path, 'etc/resolv.conf'))
167
shutil.copy('/etc/hosts', os.path.join(build_path, 'etc/hosts'))
168
shutil.copy('/etc/hostname', os.path.join(build_path, 'etc/hostname'))
170
# Make /tmp and /var/lock un-world-writable. /tmp will be mounted over,
171
# and /var/{lock,tmp} should die.
172
for path in ('tmp', 'var/lock', 'var/tmp'):
173
path = os.path.join(build_path, path)
174
os.chmod(path, os.stat(path).st_mode & ~stat.S_IWOTH)
176
# Verify that nothing in the jail is world-writable.
177
# We don't want students to write into places that others can see.
179
for path, dirs, files in os.walk(build_path):
181
d = os.path.join(path, dname)
182
if os.path.islink(d):
184
if os.stat(d).st_mode & stat.S_IWOTH:
188
f = os.path.join(path, fname)
189
if os.path.islink(f):
191
if os.stat(f).st_mode & stat.S_IWOTH:
192
if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
193
os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
198
except UnsafeJail, e:
199
print >> sys.stderr,"""Error: Jail contains world writable path: '%s'.
200
This is a security vulnerability as jail template contents are shared between
201
users. Please either make this path world unwriteable or remove it from the
205
# Copy jail template build to actual jail template
206
template_path = conf['paths']['jails']['template']
116
207
if os.spawnvp(os.P_WAIT, 'rsync', ['rsync', '-a', '--delete',
117
build_path + '/', ivle.conf.jail_system]) != 0:
208
build_path + '/', template_path]) != 0:
118
209
print >> sys.stderr, "Jail copying failed."
212
# Now mangle things a bit, so we can bind-mount the user bits in.
213
# /etc/passwd and /etc/ivle/ivle.conf need to be symlinks to somewhere in /home
215
os.rename(os.path.join(template_path, 'etc/passwd'),
216
os.path.join(template_path, 'home/.passwd')
218
os.symlink('../home/.passwd', os.path.join(template_path, 'etc/passwd'))
220
os.makedirs(os.path.join(template_path, "etc/ivle"))
221
os.symlink('../../home/.ivle.conf',
222
os.path.join(template_path, "etc/ivle/ivle.conf"))