1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
|
#!/usr/bin/python
# IVLE - Informatics Virtual Learning Environment
# Copyright (C) 2009 The University of Melbourne
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
import optparse
import os
import stat
import sys
import shutil
import ivle.config
import ivle.jailbuilder.debian
class UnsafeJail(Exception):
pass
usage = """usage: %prog [options]
(requires root)
Builds or updates the base IVLE jail."""
# Requires root
if os.getuid() != 0:
print >> sys.stderr, "This script requires root privileges to run"
sys.exit(1)
conf = ivle.config.Config()
build_path = conf['paths']['jails']['template_build']
# Parse arguments
parser = optparse.OptionParser(usage)
parser.add_option("-r", "--recreate",
action="store_true", dest="recreate",
help='''Completely recreate the jail - don't just update its IVLE code.
Be warned, this may download hundreds of megabytes!''')
parser.add_option("-u", "--upgrade",
action="store_true", dest="upgrade",
help='''Apply any package updates in the jail.''')
parser.add_option("-m", "--mirror",
action="store", dest="apt_mirror",
help="Sets the apt mirror.", default=conf['jail']['mirror'])
parser.add_option("--python-site-packages",
action="store", dest="python_site_packages",
help="Path to Python site packages directory inside the jail.",
default=None)
(options, args) = parser.parse_args(sys.argv)
if os.geteuid() != 0:
print >> sys.stderr, "Must be root to run buildjail."
sys.exit(1)
if not options.recreate and not os.path.exists(build_path):
print >> sys.stderr, "No jail exists -- please rerun with -r."
sys.exit(1)
if (options.python_site_packages is not None and
options.python_site_packages[:1] not in (os.path.sep, os.path.altsep)):
print >> sys.stderr, "python-site-packages must be an absolute path."
sys.exit(1)
if options.recreate:
options.upgrade = True
# Create the jail and its subdirectories
# Note: Other subdirs will be made by copying files
if options.apt_mirror is not None:
os.environ['MIRROR'] = options.apt_mirror
os.system('rm -rf --one-file-system ' + build_path)
ivle.jailbuilder.debian.debootstrap_create_jail(conf['jail']['suite'],
build_path, mirror=options.apt_mirror)
ivle.jailbuilder.debian.apt_update_cache(build_path)
# Minimal required packages
ivle.jailbuilder.debian.apt_install(build_path,
['python2.5', 'python-cjson', 'python-svn', 'python-configobj'])
ivle.jailbuilder.debian.apt_clean(build_path)
if options.upgrade:
# Run apt-get update, apt-get upgrade and apt-get clean.
ivle.jailbuilder.debian.mangle_sources_list(build_path, clobber=True)
ivle.jailbuilder.debian.mangle_sources_list(build_path, lines=[
'deb %s %s%s %s' % (options.apt_mirror, conf['jail']['suite'],
pocket, ' '.join(['main', 'universe']))
for pocket in ('', '-updates', '-security')])
# Add any extra site apt sources.
if conf['jail']['extra_sources']:
ivle.jailbuilder.debian.mangle_sources_list(build_path,
conf['jail']['extra_sources'])
# Add any extra site apt keys.
if conf['jail']['extra_keys']:
ivle.jailbuilder.debian.apt_add_key(build_path,
conf['jail']['extra_keys'])
ivle.jailbuilder.debian.apt_update_cache(build_path)
ivle.jailbuilder.debian.apt_upgrade(build_path)
# Install any extra site packages.
if conf['jail']['extra_packages']:
ivle.jailbuilder.debian.apt_install(build_path,
conf['jail']['extra_packages'])
ivle.jailbuilder.debian.apt_clean(build_path)
# Configure locales to allow en_US.UTF-8 (which IVLE uses)
ivle.jailbuilder.debian._execute_in_chroot(build_path,
['locale-gen', 'en_US.UTF-8'])
if conf['jail']['devmode']:
# Copy all console and operating system files into the jail
services_path = os.path.join(conf['paths']['share'], 'services')
jail_services_path = os.path.join(build_path, services_path[1:])
if os.path.exists(jail_services_path):
shutil.rmtree(jail_services_path)
shutil.copytree(services_path, jail_services_path)
# Also copy the IVLE lib directory into the jail
# This is necessary for running certain services
# ivle_site_packages is the IVLE install location outside the jail
ivle_site_packages = os.path.dirname(ivle.__file__)
if options.python_site_packages is None:
# Get the site packages from the IVLE install location *OUTSIDE* the
# jail. Warning! This only works if you have the same Python site
# packages directory inside and out (ie. same Python version).
# If not, you should use --python-site-packages.
jail_site_packages = os.path.join(build_path, ivle_site_packages[1:])
else:
# User-specified site packages
jail_site_packages = os.path.join(build_path,
options.python_site_packages[1:], "ivle")
if os.path.exists(jail_site_packages):
shutil.rmtree(jail_site_packages)
shutil.copytree(ivle_site_packages, jail_site_packages)
# And finally copy in /etc/hosts, /etc/resolv.conf and /etc/hostname,
# so name resolution is less unlikely to work.
shutil.copy(
'/etc/resolv.conf', os.path.join(build_path, 'etc/resolv.conf'))
shutil.copy('/etc/hosts', os.path.join(build_path, 'etc/hosts'))
shutil.copy('/etc/hostname', os.path.join(build_path, 'etc/hostname'))
# Make /tmp and /var/lock un-world-writable. /tmp will be mounted over,
# and /var/{lock,tmp} should die.
for path in ('tmp', 'var/lock', 'var/tmp'):
path = os.path.join(build_path, path)
os.chmod(path, os.stat(path).st_mode & ~stat.S_IWOTH)
# Verify that nothing in the jail is world-writable.
# We don't want students to write into places that others can see.
try:
for path, dirs, files in os.walk(build_path):
for dname in dirs:
d = os.path.join(path, dname)
if os.path.islink(d):
continue
if os.stat(d).st_mode & stat.S_IWOTH:
raise UnsafeJail(d)
for fname in files:
f = os.path.join(path, fname)
if os.path.islink(f):
continue
if os.stat(f).st_mode & stat.S_IWOTH:
if (os.path.dirname(f) == os.path.join(build_path, 'dev') and
os.path.basename(f) in ('ptmx', 'null', 'tty', 'full', 'zero',
'random', 'urandom')
):
continue
raise UnsafeJail(f)
except UnsafeJail, e:
print >> sys.stderr,"""Error: Jail contains world writable path: '%s'.
This is a security vulnerability as jail template contents are shared between
users. Please either make this path world unwriteable or remove it from the
jail."""%str(e)
sys.exit(1)
# Copy jail template build to actual jail template
template_path = conf['paths']['jails']['template']
if os.spawnvp(os.P_WAIT, 'rsync', ['rsync', '-a', '--delete',
build_path + '/', template_path]) != 0:
print >> sys.stderr, "Jail copying failed."
sys.exit(1)
# Now mangle things a bit, so we can bind-mount the user bits in.
# /etc/passwd and /etc/ivle/ivle.conf need to be symlinks to somewhere in /home
os.rename(os.path.join(template_path, 'etc/passwd'),
os.path.join(template_path, 'home/.passwd')
)
os.symlink('../home/.passwd', os.path.join(template_path, 'etc/passwd'))
os.makedirs(os.path.join(template_path, "etc/ivle"))
os.symlink('../../home/.ivle.conf',
os.path.join(template_path, "etc/ivle/ivle.conf"))
|