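#!/usr/bin/env bash
# SSH forced-command wrapper: either hands an rsync request to rrsync,
# confined to $HOME/<user>/, or starts the requested command (default: a
# login shell) inside a bubblewrap sandbox whose writable home is
# /var/lib/pub/<user>.
#
# Usage:  restrict <user>        (as the command= of an authorized_keys entry)
# Env:    SSH_ORIGINAL_COMMAND   command the client asked for; unset for a
#                                plain interactive login
#         TMUX_RESTRICT          tmux config bound read-only into the sandbox
#         TERM                   forwarded into the sandbox
set -euo pipefail
# No globbing anywhere in this script: the client-supplied command is
# word-split on purpose further down, and pathname expansion would
# otherwise run against the host filesystem before bwrap starts.
set -f

user="${1:-}"
# $1 becomes a path component under $HOME and /var/lib/pub; refuse anything
# empty, dot-leading or containing a slash so it cannot escape those trees.
if [[ ! "$user" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
  printf 'restrict: invalid user name %q\n' "$user" >&2
  exit 1
fi
rootuser="$HOME/$user/"
mkdir -p -- "$rootuser"

# An interactive login has no SSH_ORIGINAL_COMMAND at all, hence ':-'.
orig="${SSH_ORIGINAL_COMMAND:-}"
if [[ -z "$orig" ]]; then
  orig="/bin/bash -l"
fi
# Drop a leading "command " prefix, only when the space is actually there.
if [[ "$orig" == "command "* ]]; then
  orig="${orig#command }"
fi

#######################################
# Emit the runtime closure of the system profile and of the 'pub' user
# profile as NUL-separated "--bind PATH PATH" triples, the format that
# `bwrap --args FD` reads.
# Outputs: NUL-separated bwrap arguments on stdout
#######################################
nix_store_paths() {
  local path
  nix-store -q -R \
    /run/current-system/sw \
    /etc/profiles/per-user/pub \
    | while IFS= read -r path; do
      # '--' stops the builtin from parsing '--bind' as an option; the path
      # goes through %s rather than into the format string.
      printf -- '--bind\0%s\0%s\0' "$path" "$path"
    done
}

case "$orig" in
  rsync*)
    # rrsync reads SSH_ORIGINAL_COMMAND itself and confines it to this tree.
    rrsync "$rootuser"
    ;;
  *)
    uid=$(id -u)
    gid=$(id -g)
    # 'exec -c' starts bwrap with an empty environment, so only the --setenv
    # values below reach the sandbox.  fd 10 carries the closure bind list,
    # fds 11/12 minimal passwd/group files (the caller plus uid/gid 65534).
    # shellcheck disable=SC2086  # $orig is split into argv on purpose; no shell parses it
    (exec -c bwrap --ro-bind /usr /usr \
      --args 10 \
      --dir /tmp \
      --dir /var \
      --symlink ../tmp var/tmp \
      --proc /proc \
      --dev /dev \
      --ro-bind /etc/resolv.conf /etc/resolv.conf \
      --ro-bind /etc/zoneinfo /etc/zoneinfo \
      --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
      --ro-bind /run/current-system/sw/bin /bin \
      --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
      --bind "/var/lib/pub/$user" /var/lib/pub \
      --ro-bind "$TMUX_RESTRICT" /var/lib/pub/.tmux.restrict.conf \
      --chdir /var/lib/pub \
      --unshare-all \
      --share-net \
      --dir "/run/user/$uid" \
      --setenv TERM "$TERM" \
      --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
      --setenv XDG_RUNTIME_DIR "/run/user/$uid" \
      --setenv PS1 "$user@pub $ " \
      --setenv PATH "/bin:/bin-pub" \
      --setenv HOME "/var/lib/pub" \
      --file 11 /etc/passwd \
      --file 12 /etc/group \
      -- $orig) \
      10< <(nix_store_paths) \
      11< <(getent passwd "$uid" 65534) \
      12< <(getent group "$gid" 65534)
    ;;
esac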