add chroot wrapper (tested on debian only)

2025-08-17 09:02:15 -06:00 · 2021-08-09 00:42:21 +02:00 · 2021-08-09 00:42:21 +02:00 · 6cb5a87c79
parent b9f89ca552
commit 6cb5a87c79
3 changed files with 76 additions and 1 deletions
--- a/bin/README.md
+++ b/bin/README.md
@ -61,3 +61,8 @@ cd /mnt/nas/music/.hist
 ~/src/copyparty/bin/dbtool.py -src up2k.*.v3 up2k.db -rm-mtp-flag -copy key
 ~/src/copyparty/bin/dbtool.py -src up2k.*.v3 up2k.db -rm-mtp-flag -copy .bpm -vac
 ```
+
+
+# [`prisonparty.sh`](prisonparty.sh)
+* run copyparty in a chroot, preventing any accidental file access
+* creates bindmounts for /bin, /lib, and so on, see `sysdirs=`
--- a/bin/prisonparty.sh
+++ b/bin/prisonparty.sh
@ -0,0 +1,68 @@
+#!/bin/bash
+set -e
+
+# runs copyparty in a chroot
+#
+# assumption: all items within the following directories are owned by root
+sysdirs=(bin lib lib32 lib64 sbin usr)
+
+
+# read arguments
+{
+	jail="$1"; shift
+	uid="$1"; shift
+	gid="$1"; shift
+	
+	vols=()
+	while true; do
+		v="$1"; shift
+		[ "$v" = -- ] && break  # end of volumes
+		[ "$#" -eq 0 ] && break  # invalid usage
+		vols+=("$v")
+	done
+	cpp="$1"; shift
+} || {
+	echo "usage: ./prisonparty.sh <ROOTDIR> <UID> <GID> [VOLDIR [VOLDIR...]] -- copyparty-sfx.py [...]"
+	echo "example: ./prisonparty.sh /var/jail 1000 1000 /mnt/nas/music -- copyparty-sfx.py -v /mnt/nas/music::rwmd"
+	exit 1
+}
+
+
+# debug/vis
+echo "chroot-dir: [$jail]"
+echo "user:group: [$uid:$gid]"
+echo " copyparty: [$cpp]"
+for v in "${vols[@]}"; do
+	echo "     mount: [$v]"
+done
+
+
+# resolve and remove trailing slash
+jail="$(realpath "$jail")"
+jail="${jail%/}"
+
+
+# bind-mount system directories and volumes
+for v in "${sysdirs[@]}" "${vols[@]}"; do
+  mkdir -p "$jail/$v"
+  mount | grep -qF " on $jail/$v " ||
+    mount --bind /$v "$jail/$v"
+done
+
+
+# create a tmp
+mkdir -p "$jail/tmp"
+chown -R "$uid:$gid" "$jail/tmp"
+
+
+# copy sfx into jail
+cp -pv "$cpp" "$jail/copyparty.py"
+
+
+# run copyparty
+/sbin/chroot --userspec=$uid:$gid "$jail" "$(which python3)" /copyparty.py "$@"
+
+
+# cleanup if not in use
+lsof "$jail" | grep -qF "$jail" ||
+mount | grep -F " on $jail" | awk '{sub(/ type .*/,"");sub(/.* on /,"");print}' | LC_ALL=C sort -r  | tr '\n' '\0' | xargs -r0 umount
--- a/scripts/make-sfx.sh
+++ b/scripts/make-sfx.sh
@ -239,7 +239,8 @@ awk '/^LOREM_IPSUM_WORDS/{o=1;print "LOREM_IPSUM_WORDS = u\"a\"";next} !o; /"""/
 tmv "$f"

 # up2k goes from 28k to 22k laff
-echo entabbening
+awk 'BEGIN{gensub(//,"",1)}' </dev/null &&
+echo entabbening &&
 find | grep -E '\.css$' | while IFS= read -r f; do
 	awk '{
 		sub(/^[ \t]+/,"");
@ -253,6 +254,7 @@ find | grep -E '\.css$' | while IFS= read -r f; do
 	' <$f | sed 's/;\}$/}/' >t
 	tmv "$f"
 done
+unexpand -h 2>/dev/null &&
 find | grep -E '\.(js|html)$' | while IFS= read -r f; do
 	unexpand -t 4 --first-only <"$f" >t
 	tmv "$f"