#!/bin/sh -
# $Id$
#
# Create a chroot jail for rcynic. You need to build statically linked
# rcynic and rsync binaries and install them in the jail yourself.
#
# Cobbled together from bits and pieces of existing system scripts,
# mostly /usr/ports/mail/postfix/pkg-install and /etc/rc.d/named.
# Location of the jail and the unprivileged account rcynic runs as
# inside it.  Everything in the jail except the data directory ends up
# owned by root and read-only for this account (see the mtree spec
# further down).
jaildir=/var/rcynic
jailuser=rcynic
jailgroup=rcynic
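# Everything from here on (pw, mount, devfs, chown) needs root; fail
# up front with a clear message instead of part-way through the setup.
if /bin/test "$(/usr/bin/id -u)" != 0; then
  echo "This script must be run as root."
  exit 1
fi

# Reuse an existing group, otherwise create it.  groupshow prints the
# group entry on success; only its exit status matters here, so all
# output is discarded.
if /usr/sbin/pw groupshow "${jailgroup}" >/dev/null 2>&1; then
  echo "You already have a group \"${jailgroup}\", so I will use it."
elif /usr/sbin/pw groupadd "${jailgroup}"; then
  echo "Added group \"${jailgroup}\"."
else
  echo "Adding group \"${jailgroup}\" failed..."
  echo "Please create it, and try again."
  exit 1
fi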
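# Reuse an existing account, otherwise create a locked-down one: no
# password (-h -), a non-login shell, and a home directory that does
# not exist.  The conventional FreeBSD spelling is /nonexistent; the
# previous "/nonexistant" was a typo (harmless, since neither exists,
# but misleading).  usershow prints the account's passwd entry on
# success, so its output is discarded and only the status is used.
if /usr/sbin/pw usershow "${jailuser}" >/dev/null 2>&1; then
  echo "You already have a user \"${jailuser}\", so I will use it."
elif /usr/sbin/pw useradd "${jailuser}" -g "${jailgroup}" -h - -d /nonexistent \
       -s /usr/sbin/nologin -c "RPKI validation system"; then
  echo "Added user \"${jailuser}\"."
else
  echo "Adding user \"${jailuser}\" failed..."
  echo "Please create it, and try again."
  exit 1
fi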
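# Create the jail root if it is missing.  Owner and mode are normalised
# by mtree below; a failed mkdir has to stop us here rather than let
# mtree and the devfs mount fail in less obvious ways.
if ! /bin/test -d "${jaildir}"; then
  if ! /bin/mkdir "${jaildir}"; then
    echo "Creating ${jaildir} failed..."
    exit 1
  fi
fi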
# Lay out the jail's directory tree.  The default is root:wheel 0555,
# so the jail user cannot create files anywhere except "data", the one
# directory it owns.  -U fixes owner/group/mode of entries that already
# exist (without treating the mismatch as an error), -e ignores extra
# files, -d considers directories only.  The devfs mounted on "dev"
# below covers that directory's 0555 mode.
/usr/sbin/mtree -deU -p "$jaildir" <<EOF
/set type=dir uname=root gname=wheel mode=0555
.
    bin
    ..
    dev
    ..
    etc
        trust-anchors
        ..
    ..
    var
        run
        ..
    ..
    data uname=${jailuser} gname=${jailgroup} mode=0755
    ..
..
EOF
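# Give the jail a private devfs with only /dev/null and /dev/random
# visible.  Any stale instance is unmounted first (umount failing
# because nothing is mounted is expected, hence the silenced stderr).
/sbin/umount "${jaildir}/dev" 2>/dev/null
if ! /sbin/mount -t devfs dev "${jaildir}/dev"; then
  echo "Mounting devfs on ${jaildir}/dev failed..."
  exit 1
fi

# Apply one devfs rule to the jail's /dev, or abort.  A freshly mounted
# devfs exposes every device node and "rule apply hide" is what takes
# them away again, so a failed rule must not be ignored: unmount the
# half-configured instance and stop rather than leave an open /dev.
apply_devfs_rule() {
  if ! /sbin/devfs -m "${jaildir}/dev" rule apply "$@"; then
    echo "Applying devfs rule \"$*\" to ${jaildir}/dev failed..."
    /sbin/umount "${jaildir}/dev" 2>/dev/null
    exit 1
  fi
}
apply_devfs_rule hide
apply_devfs_rule path null unhide
apply_devfs_rule path random unhide
# NOTE(review): /dev/urandom is not unhidden here; whether the
# statically linked rcynic/rsync need it (or anything beyond null and
# random) should be confirmed against those binaries.  Nothing in this
# block persists across a reboot -- presumably the mount and rules have
# to be redone at boot (fstab / devfs.rules) for the jail to keep working.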
# Give the jailed programs the host's timezone and resolver
# configuration.  A file is re-copied whenever the jail copy differs
# from the host's (or is missing), so re-running this script refreshes
# it; the copy is forced to root:wheel 0444 regardless of the host
# file's ownership and mode.
for src in /etc/localtime /etc/resolv.conf; do
  dst="${jaildir}${src}"
  if /bin/test -r "$src"; then
    if ! /usr/bin/cmp -s "$src" "$dst"; then
      /bin/cp -p "$src" "$dst"
      /usr/sbin/chown root:wheel "$dst"
      /bin/chmod 444 "$dst"
    fi
  fi
done
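# Seed the jail with the trust anchors found in ./trust-anchors (the
# path is relative to the current working directory).  These are the
# roots of trust for everything rcynic validates, so only certificates
# from a verified source belong in that directory.  An anchor that is
# already present in the jail is deliberately left alone; delete the
# jail copy to pick up an updated one.
if /bin/test -d trust-anchors; then
  for i in trust-anchors/*.cer; do
    # With no matching files the glob is left as the literal pattern;
    # skip it instead of trying to copy a file that does not exist.
    /bin/test -r "$i" || continue
    j="$jaildir/etc/trust-anchors/${i##*/}"
    /bin/test -r "$j" && continue
    echo "Copying $i to $j"
    if ! /bin/cp -p "$i" "$j"; then
      echo "Copying $i to $j failed..."
      exit 1
    fi
    /usr/sbin/chown root:wheel "$j"
    /bin/chmod 444 "$j"
  done
fi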
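# Write a minimal rcynic.conf unless one already exists.  All paths are
# as seen from inside the jail: rsync is the statically linked binary
# the operator installs under ${jaildir}/bin, and all writable state
# lives under /data, the only directory the jail user owns.  Trust
# anchors are enumerated from the jail's own copies so the config
# matches what is actually installed.
if /bin/test -r "${jaildir}/etc/rcynic.conf"; then
  echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it."
else
  echo "Creating minmal ${jaildir}/etc/rcynic.conf"
  /bin/cat >"${jaildir}/etc/rcynic.conf" <<-EOF
[rcynic]
rsync-program = /bin/rsync
authenticated = /data/authenticated
old-authenticated = /data/authenticated.old
unauthenticated = /data/unauthenticated
lockfile = /data/lock
EOF
  # One trust-anchor.N line per certificate installed in the jail.  An
  # unmatched glob leaves the literal pattern in $i, which would
  # otherwise be written to the config as a bogus "*.cer" anchor path.
  j=1
  for i in "${jaildir}"/etc/trust-anchors/*.cer; do
    /bin/test -r "$i" || continue
    echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor.$j = /etc/trust-anchors/${i##*/}"
    j=$((j+1))
  done
fi
# Whether freshly written or pre-existing, the config is root-owned and
# read-only, so the jail user cannot alter rcynic's own configuration.
/usr/sbin/chown root:wheel "${jaildir}/etc/rcynic.conf"
/bin/chmod 444 "${jaildir}/etc/rcynic.conf"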