Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
pwdjail/pwdjail-mkdir
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
executable file
63 lines (53 sloc)
1.67 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
## Copyright 2017 Clemens Fruhwirth <clemens@endorphin.org> | |
## | |
## Usage: pwdjail-mkdir DIR | |
## | |
absolute() { | |
cd $1 && pwd | |
} | |
ZSH=$(grep zsh /etc/shells | head -1) | |
if [ -z "ZSH" ]; then | |
(>&2 echo "Could not find zsh in /etc/shells. Please install zsh.") | |
exit 1 | |
fi | |
PWDJAIL_ROOT=$(absolute $(dirname $0)) | |
if [ -z $PWDJAIL_ROOT ]; then | |
(>&2 echo "Could not find install dir of pwdjail.") | |
exit 1 | |
fi | |
pick_user_name() { | |
PREFIX=$1 | |
for CANDIDATE in $PREFIX $PREFIX-$(seq -s " $PREFIX-" 1 10); do | |
# Verify that this user does not exist. | |
getent passwd $CANDIDATE > /dev/null | |
if [ "$?" -ne 0 ]; then | |
echo $CANDIDATE | |
return | |
fi | |
done | |
(>&2 echo "Could not find a username for sandbox user.") | |
} | |
# FIXME: Add a check to match against ([a-z_][a-z0-9_]{0,30}) | |
SANDBOX_USER=$(pick_user_name $(basename $1)) | |
if [ -z "$SANDBOX_USER" ]; then | |
exit 1 | |
fi | |
mkdir $1 || exit 1 | |
SANDBOX_HOME=$(absolute $1) | |
if [ -z $SANDBOX_HOME ]; then | |
(>&2 echo "Could not access $1 after creating it.") | |
exit 1 | |
fi | |
MASTER_USER=$USER | |
sudo useradd -d $SANDBOX_HOME -g sandboxes -c "Sandbox user" -s $ZSH $SANDBOX_USER | |
sudo chown $SANDBOX_USER:sandboxes $SANDBOX_HOME | |
sudo chmod 700 $SANDBOX_HOME | |
# Allow the master user access to all files and dirs created within | |
# there even when created by the sandbox user. | |
sudo setfacl -d -m u:$MASTER_USER:rwx $SANDBOX_HOME | |
# Allow the sandbox user access to all files and dirs created within | |
# there even when created by the master user. | |
sudo setfacl -d -m u:$SANDBOX_USER:rwx $SANDBOX_HOME | |
sudo setfacl -m u:$MASTER_USER:rwx $SANDBOX_HOME | |
sudo echo "source $PWDJAIL_ROOT/sandbox-zshrc" > $SANDBOX_HOME/.zshrc |