authorRob Austein <sra@hactrn.net>2006-10-07 16:00:05 +0000
committerRob Austein <sra@hactrn.net>2006-10-07 16:00:05 +0000
commitf43469888acb78e774f3ab8f4d594aa8eb63bb6b (patch)
treed5e28cee959bc07d3d09776b9fa80af940c835f8
parent7fdcc7ac161e534c7daca96835215752e0f94313 (diff)
Initial FreeBSD jail scripts (not quite ready for use yet).
svn path=/rcynic/scripts/freebsd/rc.d.rcynic; revision=368
-rwxr-xr-xrcynic/scripts/freebsd/rc.d.rcynic76
-rw-r--r--rcynic/scripts/freebsd/setup-jail.sh111
2 files changed, 187 insertions, 0 deletions
diff --git a/rcynic/scripts/freebsd/rc.d.rcynic b/rcynic/scripts/freebsd/rc.d.rcynic
new file mode 100755
index 00000000..e3f7a293
--- /dev/null
+++ b/rcynic/scripts/freebsd/rc.d.rcynic
@@ -0,0 +1,76 @@
+#!/bin/sh -
+#
+# $Id$
+#
+# PROVIDE: rcynic
+# REQUIRE: DAEMON
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="rcynic"
+start_cmd="rcynic_start"
+stop_cmd="rcynic_stop"
+
+: ${rcynic_jaildir="/var/rcynic"}
+: ${rcynic_user="rcynic"}
+: ${rcynic_group="rcynic"}
+
+rcynic_start()
+{
+ /bin/test -d "${rcynic_jaildir}" || /bin/mkdir "${rcynic_jaildir}"
+ /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null
+
+ /bin/chmod -R a-w "${rcynic_jaildir}"
+ /usr/sbin/chown -R root:wheel "${rcynic_jaildir}"
+
+ /usr/sbin/mtree -deU -p "${jaildir}" <<EOF
+
+ /set type=dir uname=root gname=wheel mode=0555
+ .
+ bin
+ ..
+ dev
+ ..
+ etc
+ trust-anchors
+ ..
+ ..
+ var
+ run
+ ..
+ ..
+ data uname=${rcynic_user} gname=${rcynic_group} mode=0755
+ ..
+ ..
+EOF
+
+ if ! /sbin/mount -t devfs dev "${rcynic_jaildir}/dev"; then
+ echo "Mounting devfs on ${rcynic_jaildir}/dev failed..."
+ exit 1
+ fi
+
+ /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply hide
+ /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply path null unhide
+ /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply path random unhide
+
+ for i in /etc/localtime /etc/resolv.conf; do
+ j="${rcynic_jaildir}${i}"
+ if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then
+ /bin/cp -p "$i" "$j"
+ /usr/sbin/chown root:wheel "$j"
+ /bin/chmod 444 "$j"
+ fi
+ done
+
+ /bin/chmod -R u+w "${rcynic_jaildir}/data"
+ /usr/sbin/chown -R "${rcynic_user}:${rcynic_group}" "${rcynic_jaildir}/data"
+}
+
+rcynic_stop()
+{
+ /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null
+}
+
+load_rc_config $name
+run_rc_command "$1"
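Review bot: The mtree call in rcynic_start expands `${jaildir}`, a variable this script never sets (its directory knob is `rcynic_jaildir`), so mtree receives an empty `-p` argument and the jail skeleton is presumably never created under the real jail directory; on a fresh host the `dev` subdirectory then does not exist and the devfs mount fails. The line should read `/usr/sbin/mtree -deU -p "${rcynic_jaildir}" <<EOF`. Nothing checks mtree's exit status either, so a failure there would still let the script continue into the devfs rules and the recursive `chmod -R u+w`/`chown -R` on `data`; guarding the heredoc command with `|| { echo "mtree failed on ${rcynic_jaildir}"; exit 1; }` would stop the start before that point. The same skeleton is also built by setup-jail.sh, so a comment noting which of the two is authoritative for the directory layout would help the next maintainer keep them in sync.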
diff --git a/rcynic/scripts/freebsd/setup-jail.sh b/rcynic/scripts/freebsd/setup-jail.sh
new file mode 100644
index 00000000..0b02c4c4
--- /dev/null
+++ b/rcynic/scripts/freebsd/setup-jail.sh
@@ -0,0 +1,111 @@
+#!/bin/sh -
+# $Id$
+#
+# Create a chroot jail for rcynic. You need to build staticly linked
+# rcynic and rsync binaries and install them in the jail yourself.
+#
+# Cobbled together from bits and pieces of existing system scripts,
+# mostly /usr/ports/mail/postfix/pkg-install and /etc/rc.d/named.
+
+jaildir="/var/rcynic"
+jailuser="rcynic"
+jailgroup="rcynic"
+
+if /usr/sbin/pw groupshow "${jailgroup}" 2>/dev/null; then
+ echo "You already have a group \"${jailgroup}\", so I will use it."
+elif /usr/sbin/pw groupadd ${jailgroup}; then
+ echo "Added group \"${jailgroup}\"."
+else
+ echo "Adding group \"${jailgroup}\" failed..."
+ echo "Please create it, and try again."
+ exit 1
+fi
+
+if /usr/sbin/pw usershow "${jailuser}" 2>/dev/null; then
+ echo "You already have a user \"${jailuser}\", so I will use it."
+elif /usr/sbin/pw useradd ${jailuser} -g ${jailgroup} -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system"; then
+ echo "Added user \"${jailuser}\"."
+else
+ echo "Adding user \"${jailuser}\" failed..."
+ echo "Please create it, and try again."
+ exit 1
+fi
+
+if ! /bin/test -d "${jaildir}"; then
+ /bin/mkdir "${jaildir}"
+fi
+
+/usr/sbin/mtree -deU -p "${jaildir}" <<EOF
+
+ /set type=dir uname=root gname=wheel mode=0555
+ .
+ bin
+ ..
+ dev
+ ..
+ etc
+ trust-anchors
+ ..
+ ..
+ var
+ run
+ ..
+ ..
+ data uname=$jailuser gname=$jailgroup mode=0755
+ ..
+ ..
+
+EOF
+
+/sbin/umount "${jaildir}/dev" 2>/dev/null
+if ! /sbin/mount -t devfs dev "${jaildir}/dev"; then
+ echo "Mounting devfs on ${jaildir}/dev failed..."
+ exit 1
+fi
+/sbin/devfs -m "${jaildir}/dev" rule apply hide
+/sbin/devfs -m "${jaildir}/dev" rule apply path null unhide
+/sbin/devfs -m "${jaildir}/dev" rule apply path random unhide
+
+for i in /etc/localtime /etc/resolv.conf; do
+ j="${jaildir}${i}"
+ if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then
+ /bin/cp -p "$i" "$j"
+ /usr/sbin/chown root:wheel "$j"
+ /bin/chmod 444 "$j"
+ fi
+done
+
+if /bin/test -d trust-anchors; then
+ for i in trust-anchors/*.cer; do
+ j="$jaildir/etc/trust-anchors/${i##*/}"
+ /bin/test -r "$j" && continue
+ echo "Copying $i to $j"
+ /bin/cp -p "$i" "$j"
+ /usr/sbin/chown root:wheel "$j"
+ /bin/chmod 444 "$j"
+ done
+fi
+
+if /bin/test -r "$jaildir/etc/rcynic.conf"; then
+ echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it."
+else
+ echo "Creating minmal ${jaildir}/etc/rcynic.conf"
+ /bin/cat >"${jaildir}/etc/rcynic.conf" <<-EOF
+ [rcynic]
+ rsync-program = /bin/rsync
+ authenticated = /data/authenticated
+ old-authenticated = /data/authenticated.old
+ unauthenticated = /data/unauthenticated
+ lockfile = /data/lock
+ EOF
+ j=1
+ for i in $jaildir/etc/trust-anchors/*.cer; do
+ echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor.$j = /etc/trust-anchors/${i##*/}"
+ j=$((j+1))
+ done
+fi
+
+/usr/sbin/chown root:wheel "${jaildir}/etc/rcynic.conf"
+/bin/chmod 444 "${jaildir}/etc/rcynic.conf"
+
+ \ No newline at end of file
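Review bot: The config-generation loop `for i in $jaildir/etc/trust-anchors/*.cer` iterates the literal pattern when the directory holds no certificates, so a fresh jail with no trust anchors gets a bogus `trust-anchor.1 = /etc/trust-anchors/*.cer` line written into rcynic.conf, and the earlier copy loop over `trust-anchors/*.cer` hits the same unmatched-glob case and runs cp on a nonexistent file. Adding `/bin/test -r "$i" || continue` as the first statement of both loops skips that case. Separately, the copy loop keeps any `.cer` already present in the jail (`/bin/test -r "$j" && continue`), so a replacement anchor dropped into ./trust-anchors is never propagated; since the anchors in the jail decide what the validator trusts, that deserves a comment such as `# anchors already in the jail are kept; remove them by hand to pick up a replacement TA`. Minor: `-d /nonexistant` in the useradd line is misspelled (FreeBSD convention is `/nonexistent`), harmless since the home directory is meant not to exist.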