aboutsummaryrefslogtreecommitdiff
path: root/modules/private/pub/restrict
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-04 01:35:06 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-04 02:11:48 +0200
commit1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree1b9df4838f894577a09b9b260151756272efeb53 /modules/private/pub/restrict
parentfa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
downloadNix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
Diffstat (limited to 'modules/private/pub/restrict')
-rw-r--r--modules/private/pub/restrict64
1 files changed, 0 insertions, 64 deletions
diff --git a/modules/private/pub/restrict b/modules/private/pub/restrict
deleted file mode 100644
index b2f3be3..0000000
--- a/modules/private/pub/restrict
+++ /dev/null
@@ -1,64 +0,0 @@
1#!/usr/bin/env bash
2user="$1"
3rootuser="$HOME/$user/"
4mkdir -p $rootuser
5
6orig="$SSH_ORIGINAL_COMMAND"
7if [ -z "$orig" ]; then
8 orig="/bin/bash -l"
9fi
10if [ "${orig:0:7}" = "command" ]; then
11 orig="${orig:8}"
12fi
13
14case "$orig" in
15rsync*)
16 rrsync $HOME/$user/
17 ;;
18*)
19 nix_store_paths() {
20 nix-store -q -R \
21 /run/current-system/sw \
22 /etc/profiles/per-user/pub \
23 /etc/ssl/certs/ca-bundle.crt \
24 | while read i; do
25 printf '%s--ro-bind\0'$i'\0'$i'\0' ''
26 done
27 }
28
29 set -euo pipefail
30 (exec -c bwrap --ro-bind /usr /usr \
31 --args 10 \
32 --dir /tmp \
33 --dir /var \
34 --symlink ../tmp var/tmp \
35 --proc /proc \
36 --dev /dev \
37 --ro-bind /etc/resolv.conf /etc/resolv.conf \
38 --ro-bind /etc/zoneinfo /etc/zoneinfo \
39 --ro-bind /etc/ssl /etc/ssl \
40 --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
41 --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
42 --ro-bind /run/current-system/sw/bin /bin \
43 --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
44 --bind /var/lib/pub/$user /var/lib/pub \
45 --dir /var/lib/commons \
46 --ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
47 --chdir /var/lib/pub \
48 --unshare-all \
49 --share-net \
50 --dir /run/user/$(id -u) \
51 --setenv TERM "$TERM" \
52 --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
53 --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
54 --setenv PS1 "$user@pub $ " \
55 --setenv PATH "/bin:/bin-pub" \
56 --setenv HOME "/var/lib/pub" \
57 --file 11 /etc/passwd \
58 --file 12 /etc/group \
59 -- $orig) \
60 10< <(nix_store_paths) \
61 11< <(getent passwd $UID 65534) \
62 12< <(getent group $(id -g) 65534)
63 ;;
64esac