Diffstat (limited to 'rcynic-ng/installation-scripts')
-rwxr-xr-x | rcynic-ng/installation-scripts/darwin/RCynic/RCynic | 75 | ||||
-rw-r--r-- | rcynic-ng/installation-scripts/darwin/RCynic/StartupParameters.plist | 19 | ||||
-rw-r--r-- | rcynic-ng/installation-scripts/darwin/install.sh | 193 | ||||
-rw-r--r-- | rcynic-ng/installation-scripts/deinstall.sh | 5 | ||||
-rw-r--r-- | rcynic-ng/installation-scripts/freebsd/install.sh | 151 | ||||
-rwxr-xr-x | rcynic-ng/installation-scripts/freebsd/rc.d.rcynic | 71 | ||||
-rw-r--r-- | rcynic-ng/installation-scripts/install.sh | 14 | ||||
-rw-r--r-- | rcynic-ng/installation-scripts/linux/install.sh.in | 236 | ||||
-rw-r--r-- | rcynic-ng/installation-scripts/sample-rcynic.conf | 27 |
9 files changed, 791 insertions, 0 deletions
diff --git a/rcynic-ng/installation-scripts/darwin/RCynic/RCynic b/rcynic-ng/installation-scripts/darwin/RCynic/RCynic new file mode 100755 index 00000000..bf36d6e5 --- /dev/null +++ b/rcynic-ng/installation-scripts/darwin/RCynic/RCynic @@ -0,0 +1,75 @@ +#!/bin/sh - +# +# $Id$ +# +. /etc/rc.common + +name="rcynic" +start_cmd="rcynic_start" +stop_cmd="rcynic_stop" + +: ${rcynic_jaildir="/var/rcynic"} +: ${rcynic_user="rcynic"} +: ${rcynic_group="rcynic"} + +StartService() +{ + /bin/test -d "${rcynic_jaildir}" || /bin/mkdir "${rcynic_jaildir}" + /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null + + /usr/sbin/mtree -deU -p "${rcynic_jaildir}" <<EOF + + /set type=dir uname=root gname=wheel mode=0555 + . + bin + .. + dev + .. + etc + trust-anchors + .. + .. + usr + lib + system + .. + .. + .. + var + run + .. + .. + data uname=${rcynic_user} gname=${rcynic_group} mode=0755 + .. + .. +EOF + + /bin/chmod -R a-w "${rcynic_jaildir}/bin" "${rcynic_jaildir}/etc" + /usr/sbin/chown -R root:wheel "${rcynic_jaildir}/bin" "${rcynic_jaildir}/etc" + + if ! /sbin/mount_devfs devfs "${rcynic_jaildir}/dev"; then + echo "Mounting devfs on ${rcynic_jaildir}/dev failed..." + exit 1 + fi + + for i in /etc/localtime /etc/resolv.conf; do + j="${rcynic_jaildir}${i}" + if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then + /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j" + fi + done + + /bin/ln -f /var/run/mDNSResponder "${rcynic_jaildir}/var/run/mDNSResponder" +} + +StopService() +{ + /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null +} + +RestartService() +{ + StartService +} + +RunService "$1" diff --git a/rcynic-ng/installation-scripts/darwin/RCynic/StartupParameters.plist b/rcynic-ng/installation-scripts/darwin/RCynic/StartupParameters.plist new file mode 100644 index 00000000..ca46b676 --- /dev/null +++ b/rcynic-ng/installation-scripts/darwin/RCynic/StartupParameters.plist 
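Review bot: StartService mounts devfs on `${rcynic_jaildir}/dev` and leaves the whole device tree visible inside the jail, whereas the FreeBSD rc.d.rcynic in this same commit hides everything and unhides only `null` and `random`; if Darwin's devfs offers no equivalent rule mechanism, a comment such as `# Darwin devfs has no hide/unhide rules; the jail sees the full /dev` next to the mount_devfs call would record that the two platforms differ deliberately rather than by oversight. The exit status of `/usr/sbin/mtree -deU -p "${rcynic_jaildir}"` is not checked, so a failed skeleton build still proceeds to the recursive chmod/chown and the devfs mount. The `name=`, `start_cmd=` and `stop_cmd=` assignments near the top name functions `rcynic_start`/`rcynic_stop` that do not exist in this file; `RunService "$1"` at the bottom appears to dispatch to the StartService/StopService/RestartService functions defined here, so those three lines look like carry-over from the FreeBSD script and could be dropped.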
@@ -0,0 +1,19 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>Description</key> + <string>RCynic Setup</string> + <key>OrderPreference</key> + <string>None</string> + <key>Provides</key> + <array> + <string>RCynic</string> + </array> + <key>Uses</key> + <array> + <string>Network</string> + <string>Resolver</string> + </array> + </dict> +</plist> diff --git a/rcynic-ng/installation-scripts/darwin/install.sh b/rcynic-ng/installation-scripts/darwin/install.sh new file mode 100644 index 00000000..1f0dfe7d --- /dev/null +++ b/rcynic-ng/installation-scripts/darwin/install.sh 
@@ -0,0 +1,193 @@ +#!/bin/sh - +# $Id$ +# +# Create a chroot jail for rcynic. +# +# This is approximately what a pkg-install script might do if this were +# a FreeBSD port. Perhaps some day it will be. + +: ${jaildir="${DESTDIR}/var/rcynic"} +: ${jailuser="rcynic"} +: ${jailgroup="rcynic"} +: ${jailname="RPKI Validation System"} +: ${setupcron="YES"} + +echo "Setting up \"${jaildir}\" as a chroot jail for rcynic." + +if /usr/bin/dscl . -read "/Groups/${jailgroup}" >/dev/null 2>&1 +then + echo "You already have a group \"${jailgroup}\", so I will use it." +elif gid="$(/usr/bin/dscl . -list /Groups PrimaryGroupID | /usr/bin/awk 'BEGIN {gid = 501} $2 >= gid {gid = 1 + $2} END {print gid}')" && + /usr/bin/dscl . -create "/Groups/${jailgroup}" && + /usr/bin/dscl . -create "/Groups/${jailgroup}" RealName "${jailname}" && + /usr/bin/dscl . -create "/Groups/${jailgroup}" PrimaryGroupID "$gid" && + /usr/bin/dscl . -create "/Groups/${jailgroup}" GeneratedUID "$(/usr/bin/uuidgen)" && + /usr/bin/dscl . -create "/Groups/${jailgroup}" Password "*" +then + echo "Added group \"${jailgroup}\"." +else + echo "Adding group \"${jailgroup}\" failed..." + echo "Please create it, then try again." + exit 1 +fi + +if /usr/bin/dscl . -read "/Users/${jailuser}" >/dev/null 2>&1 +then + echo "You already have a user \"${jailuser}\", so I will use it." +elif uid="$(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk 'BEGIN {uid = 501} $2 >= uid {uid = 1 + $2} END {print uid}')" && + /usr/bin/dscl . -create "/Users/${jailuser}" && + /usr/bin/dscl . -create "/Users/${jailuser}" UserShell "/usr/bin/false" && + /usr/bin/dscl . -create "/Users/${jailuser}" RealName "${jailname}" && + /usr/bin/dscl . -create "/Users/${jailuser}" UniqueID "$uid" && + /usr/bin/dscl . -create "/Users/${jailuser}" PrimaryGroupID "$gid" && + /usr/bin/dscl . -create "/Users/${jailuser}" NFSHomeDirectory "/var/empty" && + /usr/bin/dscl . -create "/Users/${jailuser}" GeneratedUID "$(/usr/bin/uuidgen)" && + /usr/bin/dscl . 
-create "/Users/${jailuser}" Password "*" +then + echo "Added user \"${jailuser}\"." +else + echo "Adding user \"${jailuser}\" failed..." + echo "Please create it, then try again." + exit 1 +fi + +if ! /bin/test -d "${jaildir}"; then + /bin/mkdir "${jaildir}" +fi + +if /usr/bin/install -o root -g wheel -d ${DESTDIR}/Library/StartupItems/RCynic && + /usr/bin/install -o root -g wheel -m 555 RCynic/RCynic RCynic/StartupParameters.plist ${DESTDIR}/Library/StartupItems/RCynic; then + echo "Installed ${DESTDIR}/Library/StartupItems/RCynic" +else + echo "Installing ${DESTDIR}/Library/StartupItems/RCynic failed" + exit 1 +fi + +echo "Running ${DESTDIR}/Library/StartupItems/RCynic/RCynic to set up directories" + +if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /Library/StartupItems/RCynic/RCynic start; then + echo "Directory setup failed" + exit 1 +fi + +if /bin/test -r "$jaildir/etc/rcynic.conf"; then + echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it." 
+elif /usr/bin/install -m 444 -o root -g wheel -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then + echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors" + for i in ../../sample-trust-anchors/*.tal; do + j="$jaildir/etc/trust-anchors/${i##*/}" + /bin/test -r "$i" || continue + /bin/test -r "$j" && continue + echo "Installing $i as $j" + /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j" + done + j=1 + for i in $jaildir/etc/trust-anchors/*.tal; do + echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor-locator.$j = /etc/trust-anchors/${i##*/}" + j=$((j+1)) + done +else + echo "Installing minimal ${jaildir}/etc/rcynic.conf failed" + exit 1 +fi + +echo "Installing rcynic as ${jaildir}/bin/rcynic" + +/usr/bin/install -m 555 -o root -g wheel -p ../../rcynic "${jaildir}/bin/rcynic" + +if /bin/test -x "$jaildir/bin/rsync"; then + echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it" +elif /usr/bin/install -m 555 -o root -g wheel -p /usr/bin/rsync "${jaildir}/bin/rsync"; then + echo "Installed ${jaildir}/bin/rsync" +else + echo "Installing ${jaildir}/bin/rsync failed" + exit 1 +fi + +echo "Copying required shared libraries" + +shared_libraries="${jaildir}/bin/rcynic ${jaildir}/bin/rsync" +while true +do + closure="$(/usr/bin/otool -L ${shared_libraries} | /usr/bin/awk '/:$/ {next} {print $1}' | /usr/bin/sort -u)" + if test "x$shared_libraries" = "x$closure" + then + break + else + shared_libraries="$closure" + fi +done + +for shared in /usr/lib/dyld $shared_libraries +do + if /bin/test -r "${jaildir}/${shared}" + then + echo "You already have a \"${jaildir}/${shared}\", so I will use it" + elif /usr/bin/install -m 555 -o root -g wheel -p "${shared}" "${jaildir}/${shared}" + then + echo "Copied ${shared} into ${jaildir}" + else + echo "Unable to copy ${shared} into ${jaildir}" + exit 1 + fi +done + +if /usr/bin/install -m 444 -o root -g wheel -p ../../rcynic.xsl "${jaildir}/etc/rcynic.xsl"; then + echo "Installed 
rcynic.xsl as \"${jaildir}/etc/rcynic.xsl\"" +else + echo "Installing rcynic.xsl failed" + exit 1 +fi + +echo "Setting up root's crontab to run jailed rcynic" + +case "$setupcron" in +YES|yes) + /usr/bin/crontab -l -u root 2>/dev/null | + /usr/bin/awk -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' + BEGIN { + cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir; + cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; + } + $0 !~ cmd { + print; + } + END { + "/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; + printf "%u * * * *\t%s\n", $1 % 60, cmd; + }' | + /usr/bin/crontab -u root - + /bin/cat <<EOF + + crontab is set up to run rcynic hourly, at a randomly selected + minute (to spread load on the rsync servers). Please do NOT + adjust this to run on the hour. In particular please do NOT + adjust this to run at midnight UTC. +EOF + ;; + +*) + /bin/cat <<EOF + + You'll need to add a crontab entry running the following command as root: + + /usr/sbin/chroot -u $jailuser -g $jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf + + Please try to pick a random time for this, don't just run it on the hour, + or at local midnight, or, worst of all, at midnight UTC. + +EOF + ;; + +esac + +/bin/cat <<EOF + + Jail set up. You may need to customize $jaildir/etc/rcynic.conf. + If you did not install your own trust anchors, a default set + of SAMPLE trust anchors may have been installed for you, but + you, the relying party, are the only one who can decide + whether you trust those anchors. rcynic will not do anything + useful without good trust anchors. + +EOF diff --git a/rcynic-ng/installation-scripts/deinstall.sh b/rcynic-ng/installation-scripts/deinstall.sh new file mode 100644 index 00000000..113794a4 --- /dev/null +++ b/rcynic-ng/installation-scripts/deinstall.sh @@ -0,0 +1,5 @@ +#!/bin/sh - +# $Id$ + +echo Sorry, automated deinstallation of rcynic is not implemented yet +exit 1 
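Review bot: In the user-creation branch, `PrimaryGroupID "$gid"` uses a variable that is only assigned when this script creates the group; when the `dscl . -read "/Groups/${jailgroup}"` check succeeds because the group already exists, `gid` is empty and the new user is created with an empty primary group. The existing-group branch should look the value up, e.g. `gid="$(/usr/bin/dscl . -read "/Groups/${jailgroup}" PrimaryGroupID | /usr/bin/awk '{print $2}')"` (assuming dscl's `Key: value` output form), or the script should stop with a message if `gid` is still empty before the user block. Separately, the startup item is installed under `${DESTDIR}/Library/StartupItems/RCynic` but the directory-setup step then runs `/Library/StartupItems/RCynic/RCynic start`, so with a non-empty DESTDIR the freshly installed script is not the one executed; the same mismatch exists in freebsd/install.sh, which installs to `${DESTDIR}/usr/local/etc/rc.d/rcynic` and runs `/usr/local/etc/rc.d/rcynic`. The unquoted `${DESTDIR}` in those install lines will also word-split if the staging path contains spaces.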
diff --git a/rcynic-ng/installation-scripts/freebsd/install.sh b/rcynic-ng/installation-scripts/freebsd/install.sh new file mode 100644 index 00000000..6c3453cb --- /dev/null +++ b/rcynic-ng/installation-scripts/freebsd/install.sh 
@@ -0,0 +1,151 @@ +#!/bin/sh - +# $Id$ +# +# Create a chroot jail for rcynic. +# +# This is approximately what a pkg-install script might do if this were +# a FreeBSD port. Perhaps some day it will be. + +: ${jaildir="${DESTDIR}/var/rcynic"} +: ${jailuser="rcynic"} +: ${jailgroup="rcynic"} +: ${setupcron="NO"} + +echo "Setting up \"${jaildir}\" as a chroot jail for rcynic." + +if /usr/sbin/pw groupshow "${jailgroup}" 2>/dev/null; then + echo "You already have a group \"${jailgroup}\", so I will use it." +elif /usr/sbin/pw groupadd ${jailgroup}; then + echo "Added group \"${jailgroup}\"." +else + echo "Adding group \"${jailgroup}\" failed..." + echo "Please create it, then try again." + exit 1 +fi + +if /usr/sbin/pw usershow "${jailuser}" 2>/dev/null; then + echo "You already have a user \"${jailuser}\", so I will use it." +elif /usr/sbin/pw useradd ${jailuser} -g ${jailgroup} -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system"; then + echo "Added user \"${jailuser}\"." +else + echo "Adding user \"${jailuser}\" failed..." + echo "Please create it, then try again." + exit 1 +fi + +if ! /bin/test -d "${jaildir}"; then + /bin/mkdir "${jaildir}" +fi + +if /usr/bin/install -m 555 -o root -g wheel -p rc.d.rcynic ${DESTDIR}/usr/local/etc/rc.d/rcynic; then + echo "Installed rc.d.rcynic as ${DESTDIR}/usr/local/etc/rc.d/rcynic" +else + echo "Installing ${DESTDIR}/usr/local/etc/rc.d/rcynic failed" + exit 1 +fi + +echo "Running /usr/local/etc/rc.d/rcynic to set up directories" + +if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /bin/sh /usr/local/etc/rc.d/rcynic start; then + echo "Directory setup failed" + exit 1 +fi + +if /bin/test -r "$jaildir/etc/rcynic.conf"; then + echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it." 
+elif /usr/bin/install -m 444 -o root -g wheel -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then + echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors" + for i in ../../sample-trust-anchors/*.tal; do + j="$jaildir/etc/trust-anchors/${i##*/}" + /bin/test -r "$i" || continue + /bin/test -r "$j" && continue + echo "Installing $i as $j" + /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j" + done + j=1 + for i in $jaildir/etc/trust-anchors/*.tal; do + echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor-locator.$j = /etc/trust-anchors/${i##*/}" + j=$((j+1)) + done +else + echo "Installing minimal ${jaildir}/etc/rcynic.conf failed" + exit 1 +fi + +echo "Installing rcynic as ${jaildir}/bin/rcynic" + +/usr/bin/install -m 555 -o root -g wheel -p ../../rcynic "${jaildir}/bin/rcynic" + +if /bin/test ! -x "$jaildir/bin/rsync" -a ! -x ../../static-rsync/rsync; then + echo "Building static rsync for jail, this may take a little while" + (cd ../../static-rsync && exec make) +fi + +if /bin/test -x "$jaildir/bin/rsync"; then + echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it" +elif /usr/bin/install -m 555 -o root -g wheel -p ../../static-rsync/rsync "${jaildir}/bin/rsync"; then + echo "Installed static rsync as \"${jaildir}/bin/rsync\"" +else + echo "Installing static rsync failed" + exit 1 +fi + +if /usr/bin/install -m 444 -o root -g wheel -p ../../rcynic.xsl "${jaildir}/etc/rcynic.xsl"; then + echo "Installed rcynic.xsl as \"${jaildir}/etc/rcynic.xsl\"" +else + echo "Installing rcynic.xsl failed" + exit 1 +fi + +echo "Setting up root's crontab to run jailed rcynic" + +case "$setupcron" in +YES|yes) + /usr/bin/crontab -l -u root 2>/dev/null | + /usr/bin/awk -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' + BEGIN { + cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir; + cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; + } + $0 !~ cmd { + print; + } + END { + 
"/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; + printf "%u * * * *\t%s\n", $1 % 60, cmd; + }' | + /usr/bin/crontab -u root - + /bin/cat <<EOF + + crontab is set up to run rcynic hourly, at a randomly selected + minute (to spread load on the rsync servers). Please do NOT + adjust this to run on the hour. In particular please do NOT + adjust this to run at midnight UTC. +EOF + ;; + +*) + /bin/cat <<EOF + + You'll need to add a crontab entry running the following command as root: + + /usr/sbin/chroot -u $jailuser -g $jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf + + Please try to pick a random time for this, don't just run it on the hour, + or at local midnight, or, worst of all, at midnight UTC. + +EOF + ;; + +esac + +/bin/cat <<EOF + + Jail set up. You may need to customize $jaildir/etc/rcynic.conf. + If you did not install your own trust anchors, a default set + of SAMPLE trust anchors may have been installed for you, but + you, the relying party, are the only one who can decide + whether you trust those anchors. rcynic will not do anything + useful without good trust anchors. + +EOF diff --git a/rcynic-ng/installation-scripts/freebsd/rc.d.rcynic b/rcynic-ng/installation-scripts/freebsd/rc.d.rcynic new file mode 100755 index 00000000..b86c9b81 --- /dev/null +++ b/rcynic-ng/installation-scripts/freebsd/rc.d.rcynic 
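Review bot: The `pw useradd` line passes `-d /nonexistant`; the conventional FreeBSD placeholder is `/nonexistent`, and the misspelling looks accidental rather than deliberate, so `-d /nonexistent` would be clearer (either way the directory does not exist, which is the intent for a service account). The `/bin/test ! -x "$jaildir/bin/rsync" -a ! -x ../../static-rsync/rsync` guard uses the deprecated `-a` operator; two separate tests joined with `&&` are unambiguous. The `(cd ../../static-rsync && exec make)` build is not checked, so a failed build only surfaces later as "Installing static rsync failed", which hides the real cause; appending `|| { echo "Building static rsync failed"; exit 1; }` to that line would report it directly. The `pw groupshow`/`pw usershow` checks redirect only stderr, so a pre-existing group or user record is echoed to the terminal in passwd format (which for a user may include the password field when run as root) before the "I will use it" message; `>/dev/null 2>&1` keeps the output to the script's own messages.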
@@ -0,0 +1,71 @@ +#!/bin/sh - +# +# $Id$ +# +# PROVIDE: rcynic +# REQUIRE: DAEMON +# KEYWORD: nojail + +. /etc/rc.subr + +name="rcynic" +start_cmd="rcynic_start" +stop_cmd="rcynic_stop" + +: ${rcynic_jaildir="/var/rcynic"} +: ${rcynic_user="rcynic"} +: ${rcynic_group="rcynic"} + +rcynic_start() +{ + /bin/test -d "${rcynic_jaildir}" || /bin/mkdir "${rcynic_jaildir}" + /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null + + /usr/sbin/mtree -deU -p "${rcynic_jaildir}" <<EOF + + /set type=dir uname=root gname=wheel mode=0555 + . + bin + .. + dev + .. + etc + trust-anchors + .. + .. + var + run + .. + .. + data uname=${rcynic_user} gname=${rcynic_group} mode=0755 + .. + .. +EOF + + /bin/chmod -R a-w "${rcynic_jaildir}/bin" "${rcynic_jaildir}/etc" + /usr/sbin/chown -R root:wheel "${rcynic_jaildir}/bin" "${rcynic_jaildir}/etc" + + if ! /sbin/mount -t devfs dev "${rcynic_jaildir}/dev"; then + echo "Mounting devfs on ${rcynic_jaildir}/dev failed..." + exit 1 + fi + + /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply hide + /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply path null unhide + /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply path random unhide + + for i in /etc/localtime /etc/resolv.conf; do + j="${rcynic_jaildir}${i}" + if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then + /usr/bin/install -m 444 -o root -g wheel -p "$i" "$j" + fi + done +} + +rcynic_stop() +{ + /sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null +} + +load_rc_config $name +run_rc_command "$1" diff --git a/rcynic-ng/installation-scripts/install.sh b/rcynic-ng/installation-scripts/install.sh new file mode 100644 index 00000000..8c708a28 --- /dev/null +++ b/rcynic-ng/installation-scripts/install.sh @@ -0,0 +1,14 @@ +#!/bin/sh - +# $Id$ + +set -e + +case "${host_os}" in + +freebsd*) cd freebsd; . ./install.sh;; +darwin*) cd darwin; . ./install.sh;; +linux*) cd linux; . ./install.sh;; + +*) echo 1>&2 "Don't know how to install rcynic jail on platform ${host_os}" + exit 1;; +esac 
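Review bot: The three `/sbin/devfs -m "${rcynic_jaildir}/dev" rule apply ...` lines that restrict the jail's /dev to `null` and `random` run unchecked, so if applying the `hide` rule fails the jail silently keeps the full device tree that the preceding `mount -t devfs` just exposed, while a failure of that mount one line earlier is treated as fatal. Since the hide rules are the actual control here, their failure deserves the same treatment, and the mount should be undone on that path so a half-configured /dev is not left in place; a rewrite of that stretch of rcynic_start is below. The `/usr/sbin/mtree -deU` call is likewise unchecked, and `exit 1` inside an rc.subr start method terminates the calling shell rather than returning a status, which may be acceptable for boot-time use but is worth a one-line comment.
```shell
    # … unchanged: mtree skeleton, chmod/chown, mount -t devfs …
    # The hide rule is what keeps the jail from seeing the host's full
    # device tree; a failure to apply it is as fatal as a failed mount.
    if ! /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply hide ||
       ! /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply path null unhide ||
       ! /sbin/devfs -m "${rcynic_jaildir}/dev" rule apply path random unhide
    then
	echo "Applying devfs rules to ${rcynic_jaildir}/dev failed..."
	/sbin/umount "${rcynic_jaildir}/dev" 2>/dev/null
	exit 1
    fi
    # … unchanged: copying /etc/localtime and /etc/resolv.conf …
```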
diff --git a/rcynic-ng/installation-scripts/linux/install.sh.in b/rcynic-ng/installation-scripts/linux/install.sh.in new file mode 100644 index 00000000..f0bdc505 --- /dev/null +++ b/rcynic-ng/installation-scripts/linux/install.sh.in 
@@ -0,0 +1,236 @@ +#!/bin/sh - +# $Id$ +# +# Create a chroot jail for rcynic. +# +# This is approximately what a package installation script might do. + +: ${jaildir="${DESTDIR}/var/rcynic"} +: ${jailuser="rcynic"} +: ${jailgroup="rcynic"} +: ${setupcron="YES"} + +AWK='@AWK@' +SORT='@SORT@' + +echo "Setting up \"${jaildir}\" as a chroot jail for rcynic." + +if ${AWK} -F: -v jailgroup="${jailgroup}" 'BEGIN {status = 1} $1 == jailgroup {status = 0} END {exit status}' /etc/group +then + echo "You already have a group \"${jailgroup}\", so I will use it." +elif /usr/sbin/groupadd ${jailgroup} +then + echo "Added group \"${jailgroup}\"." +else + echo "Adding group \"${jailgroup}\" failed..." + echo "Please create it, then try again." + exit 1 +fi + +# The adduser program on CentOS 5.x uses the -n flag instead of -N to +# avoid creating the associated group. +nogroup='-N' +if test -f /etc/redhat-release; then + read vendor release version < /etc/redhat-release + if test $vendor = CentOS; then + nogroup='-n' + fi +fi + +if ${AWK} -F: -v jailuser="${jailuser}" 'BEGIN {status = 1} $1 == jailuser {status = 0} END {exit status}' /etc/passwd +then + echo "You already have a user \"${jailuser}\", so I will use it." +elif /usr/sbin/useradd -g ${jailgroup} -M $nogroup -d "${jaildir}" -s /sbin/nologin -c "RPKI validation system" ${jailuser} +then + echo "Added user \"${jailuser}\"." +else + echo "Adding user \"${jailuser}\" failed..." + echo "Please create it, then try again." + exit 1 +fi + +# test for x86_64 target +if test -d /lib64; then + libdir=/lib64 +else + libdir=/lib +fi + +echo "Building directories" + +if ! /bin/mkdir -p -v -m 555 \ + "${jaildir}/bin" \ + "${jaildir}/dev" \ + "${jaildir}/etc/trust-anchors" \ + "${jaildir}/${libdir}" \ + "${jaildir}/usr/lib" \ + "${jaildir}/data" +then + echo "Unable to build directories under \"${jaildir}\", please fix this then try again." + exit 1 +fi + +echo "Installing device inodes" + +if ! 
(cd /dev; /bin/ls null zero random urandom | /bin/cpio -puv "${jaildir}/dev") +then + echo "Unable to install device inodes in ${jaildir}/dev/, please fix this then try again" + exit 1 +fi + +echo "Copying files from /etc" + +for i in /etc/localtime /etc/resolv.conf /etc/passwd /etc/group +do + j="${jaildir}${i}" + if test -r "$i" && + ! /usr/bin/cmp -s "$i" "$j" && + ! /bin/cp -p "$i" "$j" + then + echo "Unable to copy $i to ${jaildir}, please fix this then try again" + exit 1 + fi +done + +echo "Whacking file permissions" + +if ! /bin/chmod -R a-w "${jaildir}/bin" "${jaildir}/etc" || + ! /bin/chmod -R 755 "${jaildir}/data" || + ! /bin/chown -R root:root "${jaildir}/bin" "${jaildir}/etc" || + ! /bin/chown -R "${jailuser}:${jailgroup}" "${jaildir}/data" +then + echo "Unable to set file permissions and ownerships correctly, please fix this and try again" + exit 1 +fi + +if test -r "$jaildir/etc/rcynic.conf"; then + echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it." 
+elif /usr/bin/install -m 444 -o root -g root -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf"; then + echo "Installed minimal ${jaildir}/etc/rcynic.conf, adding SAMPLE trust anchors" + for i in ../../sample-trust-anchors/*.tal; do + j="$jaildir/etc/trust-anchors/${i##*/}" + test -r "$i" || continue + test -r "$j" && continue + echo "Installing $i as $j" + /usr/bin/install -m 444 -o root -g root -p "$i" "$j" + done + j=1 + for i in $jaildir/etc/trust-anchors/*.tal; do + echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor-locator.$j = /etc/trust-anchors/${i##*/}" + j=$((j+1)) + done +else + echo "Installing minimal ${jaildir}/etc/rcynic.conf failed" + exit 1 +fi + +echo "Installing rcynic as ${jaildir}/bin/rcynic" + +/usr/bin/install -m 555 -o root -g root -p ../../rcynic "${jaildir}/bin/rcynic" + +if test -x "$jaildir/bin/rsync"; then + echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it" +elif /usr/bin/install -m 555 -o root -g root -p /usr/bin/rsync "${jaildir}/bin/rsync"; then + echo "Installed ${jaildir}/bin/rsync" +else + echo "Installing ${jaildir}/bin/rsync failed" + exit 1 +fi + +echo "Copying required shared libraries" + +shared_libraries="${jaildir}/bin/rcynic ${jaildir}/bin/rsync" +while true +do + closure="$(/usr/bin/ldd ${shared_libraries} | + ${AWK} -v "rcynic=${jaildir}/bin/rcynic" -v "rsync=${jaildir}/bin/rsync" \ + '{sub(/:$/, "")} $0 == rcynic || $0 == rsync {next} {for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}' | + ${SORT} -u)" + if test "x$shared_libraries" = "x$closure" + then + break + else + shared_libraries="$closure" + fi +done + +# Under CentOS 5.5, rsync requires libresolv, but ldd doesn't show +# it. 
+if test -f ${libdir}/libresolv.so.2; then + shared_libraries="${shared_libraries} ${libdir}/libresolv.so.2" +fi + +for shared in ${libdir}/ld*.so $shared_libraries ${libdir}/libnss*.so.* +do + if test -r "${jaildir}/${shared}" + then + echo "You already have a \"${jaildir}${shared}\", so I will use it" + elif /usr/bin/install -m 555 -o root -g root -d "${jaildir}${shared%/*}" && + /usr/bin/install -m 555 -o root -g root -p "${shared}" "${jaildir}${shared}" + then + echo "Copied ${shared} into ${jaildir}" + else + echo "Unable to copy ${shared} into ${jaildir}" + exit 1 + fi +done + +if /usr/bin/install -m 444 -o root -g root -p ../../rcynic.xsl "${jaildir}/etc/rcynic.xsl"; then + echo "Installed rcynic.xsl as \"${jaildir}/etc/rcynic.xsl\"" +else + echo "Installing rcynic.xsl failed" + exit 1 +fi + +echo "Setting up root's crontab to run jailed rcynic" + +case "$setupcron" in +YES|yes) + /usr/bin/crontab -l -u root 2>/dev/null | + ${AWK} -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" ' + BEGIN { + cmd = "exec /usr/sbin/chroot --userspec=" jailuser ":" jailgroup " " jaildir; + cmd = cmd " /bin/rcynic -c /etc/rcynic.conf"; + } + $0 !~ cmd { + print; + } + END { + "/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline; + printf "%u * * * *\t%s\n", $1 % 60, cmd; + }' | + /usr/bin/crontab -u root - + /bin/cat <<EOF + + crontab is set up to run rcynic hourly, at a randomly selected + minute (to spread load on the rsync servers). Please do NOT + adjust this to run on the hour. In particular please do NOT + adjust this to run at midnight UTC. +EOF + ;; + +*) + /bin/cat <<EOF + + You'll need to add a crontab entry running the following command as root: + + /usr/sbin/chroot -u $jailuser -g $jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf + + Please try to pick a random time for this, don't just run it on the hour, + or at local midnight, or, worst of all, at midnight UTC. + +EOF + ;; + +esac + +/bin/cat <<EOF + + Jail set up. 
You may need to customize $jaildir/etc/rcynic.conf. + If you did not install your own trust anchors, a default set + of SAMPLE trust anchors may have been installed for you, but + you, the relying party, are the only one who can decide + whether you trust those anchors. rcynic will not do anything + useful without good trust anchors. + +EOF diff --git a/rcynic-ng/installation-scripts/sample-rcynic.conf b/rcynic-ng/installation-scripts/sample-rcynic.conf new file mode 100644 index 00000000..6e464e7e --- /dev/null +++ b/rcynic-ng/installation-scripts/sample-rcynic.conf @@ -0,0 +1,27 @@ +# $Id$ +# +# Sample rcynic configuration file for FreeBSD jailed environment + +[rcynic] +rsync-program = /bin/rsync +authenticated = /data/authenticated +old-authenticated = /data/authenticated.old +unauthenticated = /data/unauthenticated +lockfile = /data/lock +jitter = 600 +use-syslog = true +log-level = log_usage_err + +# You need to specify some trust anchors here, eg: + +#trust-anchor.1 = /etc/trust-anchors/ta-1.cer +#trust-anchor.2 = /etc/trust-anchors/ta-2.cer + +# or, using the "Trust Anchor Locator" form: + +#trust-anchor-locator.1 = /etc/trust-anchors/ta-1.tal +#trust-anchor-locator.2 = /etc/trust-anchors/ta-2.tal + +# The choice between these two formats depends largely on the policies +# of the entity generating the corresponding trust anchor, ie, will +# probably be made for you by the generating entity. |
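Review bot: The manual-instructions branch (`*)` of `case "$setupcron"`) prints `/usr/sbin/chroot -u $jailuser -g $jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf`, but the automatic branch just above builds the command with `--userspec=` because GNU coreutils chroot does not accept `-u`/`-g`; an operator who follows the printed text on Linux gets an error from chroot. That line should read `/usr/sbin/chroot --userspec=$jailuser:$jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf` so the two branches agree. In the CentOS detection, `read vendor release version < /etc/redhat-release` is followed by `test $vendor = CentOS` with `$vendor` unquoted, so an empty first field turns a clean non-match into a "unary operator expected" error; `test "$vendor" = CentOS` avoids that. Copying the host's whole `/etc/passwd` and `/etc/group` into the jail is presumably needed for name resolution under chroot, but the loop gives no hint of that, so a comment such as `# passwd/group are needed inside the jail for user/group name lookup -- confirm` would help the next reader decide whether a trimmed copy is sufficient.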
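Review bot: The header comment says `# Sample rcynic configuration file for FreeBSD jailed environment`, but the darwin and linux install scripts in this same commit install this file as `/etc/rcynic.conf` inside the jail as well, so the comment under-describes its use; `# Sample rcynic configuration file for the chroot jail built by the installation scripts (FreeBSD, Darwin, Linux)` would match. It is also worth stating in that header that every path in the file (`/bin/rsync`, `/data/...`, `/etc/trust-anchors/...`) is relative to the jail root, since a reader looking at the file outside the jail will otherwise go looking for `/data` on the host.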