author | Andrew Cady <d@jerkface.net> | 2023-05-27 22:11:22 -0400 |
---|---|---|
committer | Andrew Cady <d@jerkface.net> | 2023-05-27 22:11:22 -0400 |
commit | e6f31e56797cf45b13c0d98499d647125521feeb (patch) | |
tree | 70184d78e9588d933c69aec46d2f42c0e031840f | |
parent | f2ac2fe76e6d8fcad24daa1f8c16e207e95465f1 (diff) |
endoforge proof of concept
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | src/endofossil | 37 |
2 files changed, 36 insertions, 4 deletions
@@ -1,2 +1,3 @@ | |||
1 | work/ | 1 | /work/ |
2 | /remotes/ | ||
2 | /db | 3 | /db |
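--- a/src/endofossil
+++ b/src/endofossil
@@ -1,15 +1,18 @@
 #!/bin/bash
-set -e
-
+set -e -o pipefail
 
 IFS=/ read n pid uid <<< "$1"
 [ "$pid" ]
 
+[ "$uid" -gt 0 ]
+IFS=: read username realname _ _ gecos homedir shell < <(getent passwd "$uid")
+
 authtype=
 while read -d ''
 do
 case "${REPLY%%=*}" in
 'SSH_USER_AUTH' ) read authtype keytype keyvalue < "${REPLY#*=}" ;;
+'SSH_ORIGINAL_COMMAND' ) SSH_ORIGINAL_COMMAND=${REPLY#*=} ;;
 esac
 done < /proc/$pid/environ
 [ "$authtype" = publickey ]
@@ -26,4 +29,32 @@ do
 done < <(ssh-keygen -f <(printf '%s\n' "$keytype $keyvalue") -r .)
 [ "$keyhash" ]
 
-printf '%s\n' "$keyhash"
+case "$SSH_ORIGINAL_COMMAND" in
+*\"* ) exit 1 ;;
+fossil\ test-http\ * ) ;;
+*) exit 1 ;;
+esac
+
+# This is no way to do it.
+# Let's just share /home/*/src and /srv/src and /usr/src.
+fossil_dir=$homedir/src/fossil
+upstreamDatabase=$fossil_dir/db
+readWriteDbName=db.fossil # Must end in .fossil for 'fossil test-http' to find it.
+readWriteDir=$fossil_dir/remotes/$keyhash
+
+as_user()
+{
+setpriv --reuid="$username" --init-groups --inh-caps=-all "$@"
+}
+if ! [ -d "$readWriteDir" ]
+then
+as_user mkdir "$readWriteDir"
+fi
+as_user cp -n --reflink -- "$upstreamDatabase" "$readWriteDir"/"$readWriteDbName"
+
+exec systemd-run -P \
+--property=User="$username" \
+--property=ReadOnlyPaths=/ \
+--property=ReadWritePaths="$readWriteDir" \
+--property=WorkingDirectory="$readWriteDir" \
+-- fossil test-http "$readWriteDbName"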
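Review bot: `as_user cp -n --reflink -- "$upstreamDatabase" "$readWriteDir"/"$readWriteDbName"` (new line 53) runs under `set -e`, and on coreutils releases where `cp -n` exits non-zero when the destination already exists, the script would abort on every connection after the first for a given key; an explicit test makes this independent of the coreutils version: `[ -e "$readWriteDir/$readWriteDbName" ] || as_user cp -n --reflink -- "$upstreamDatabase" "$readWriteDir/$readWriteDbName"`. The preceding `as_user mkdir "$readWriteDir"` has no `-p`, so it presumably relies on `$fossil_dir/remotes` being provisioned separately (the `.gitignore` hunk suggests that directory is not tracked); if that is not guaranteed, `mkdir -p` or a check on the parent is needed. The `case` on `SSH_ORIGINAL_COMMAND` accepts any `fossil test-http …` suffix, but the `exec systemd-run` line always runs `fossil test-http "$readWriteDbName"`, so whatever follows the prefix in the client command is discarded; that is a sound choice but worth stating above the `case`, e.g. `# Only the command prefix is checked: the rest of the client command is ignored and the per-key copy is always served.`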