author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /modules/private/pub/restrict | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
Squash changes containing private information
There were a lot of changes since the previous commit, but many of them
contained personal information about users. All those changes were
squashed into a single commit (history is kept in a different place) and
the private information was moved to a separate private repository.
Diffstat (limited to 'modules/private/pub/restrict')
-rw-r--r-- | modules/private/pub/restrict | 64 |
1 files changed, 0 insertions, 64 deletions
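--- a/modules/private/pub/restrict
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/env bash
-user="$1"
-rootuser="$HOME/$user/"
-mkdir -p $rootuser
-
-orig="$SSH_ORIGINAL_COMMAND"
-if [ -z "$orig" ]; then
-orig="/bin/bash -l"
-fi
-if [ "${orig:0:7}" = "command" ]; then
-orig="${orig:8}"
-fi
-
-case "$orig" in
-rsync*)
-rrsync $HOME/$user/
-;;
-*)
-nix_store_paths() {
-nix-store -q -R \
-/run/current-system/sw \
-/etc/profiles/per-user/pub \
-/etc/ssl/certs/ca-bundle.crt \
-| while read i; do
-printf '%s--ro-bind\0'$i'\0'$i'\0' ''
-done
-}
-
-set -euo pipefail
-(exec -c bwrap --ro-bind /usr /usr \
---args 10 \
---dir /tmp \
---dir /var \
---symlink ../tmp var/tmp \
---proc /proc \
---dev /dev \
---ro-bind /etc/resolv.conf /etc/resolv.conf \
---ro-bind /etc/zoneinfo /etc/zoneinfo \
---ro-bind /etc/ssl /etc/ssl \
---ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
---ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
---ro-bind /run/current-system/sw/bin /bin \
---ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
---bind /var/lib/pub/$user /var/lib/pub \
---dir /var/lib/commons \
---ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
---chdir /var/lib/pub \
---unshare-all \
---share-net \
---dir /run/user/$(id -u) \
---setenv TERM "$TERM" \
---setenv LOCALE_ARCHIVE "/etc/locale-archive" \
---setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
---setenv PS1 "$user@pub $ " \
---setenv PATH "/bin:/bin-pub" \
---setenv HOME "/var/lib/pub" \
---file 11 /etc/passwd \
---file 12 /etc/group \
--- $orig) \
-10< <(nix_store_paths) \
-11< <(getent passwd $UID 65534) \
-12< <(getent group $(id -g) 65534)
-;;
-esac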