From b419d2de8779a70617b07536f0be30b4b61bbbe7 Mon Sep 17 00:00:00 2001 From: Ludwig Behm Date: Thu, 6 Apr 2023 00:28:43 +0200 Subject: [PATCH] init.sh: sandboxed borg invocations and new param-change-safeguard --- init.sh | 67 ++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 52 insertions(+), 15 deletions(-) diff --git a/init.sh b/init.sh index 04be8db..59480d0 100755 --- a/init.sh +++ b/init.sh @@ -8,7 +8,7 @@ NAME="" LOGIN="$(whoami)" die () { - echo $1 >&2 + echo -e $1 | sed -e 's-^-! -' >&2 exit 1 } generate_passphrase() { @@ -23,7 +23,30 @@ init_config_dir() { generate_passphrase > "$CONFIGDIR/borg_passphrase" ssh-keygen -t ed25519 -N "" -q -f "$CONFIGDIR/ssh_key" -C "borg access from $(hostname --long)" - exec ssh-copy-id -i "$CONFIGDIR/ssh_key.pub" -p $PORT "$LOGIN@$HOST" + ssh-copy-id -i "$CONFIGDIR/ssh_key.pub" -p $PORT "$LOGIN@$HOST" +} +set_env_config() { + local file="$1" + local param="$2" + local value="$3" + + # test current config + # file does not exist + [ ! -e $file ] && echo "$param=$value" >> $file + # file isn't readable + [ ! -r $file ] && die "Config file isn't readable: $file" + # file exists and value is set => early exit + local curr_line="$(grep "^$param=" $file)" + if [ "x$curr_line" == "x" ]; then + # file ist nicht änderbar + [ ! -w $file ] && die "Config file isn't writable: $file" + # param isn't set => append + echo "$param=$value" >> $file + elif [ "x${curr_line#$param=}" != "x$value" ]; then + # param is set with different value + die "Environment parameter '$param' is already set to '${curr_line#$param=}' in config file: $file\nPlease confirm that you know what you're doing by manually setting the parameter to the desired value '$value'." + fi + return 0 } test_ssh() { ssh -q -o "BatchMode=yes" -i "$CONFIGDIR/ssh_key" -p "$PORT" "$LOGIN@$HOST" "mkdir -p $REMOTE_PATH" \ 
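Review bot: In die(), `echo -e $1` leaves `$1` unquoted and now interprets backslash escapes in the whole message, so a message that embeds a path or a config value is word-split, glob-expanded and escape-processed before it reaches stderr. The only escape that is wanted is the `\n` in the message set_env_config passes. I would write `printf '%b\n' "$1" | sed -e 's-^-! -' >&2`, which keeps the per-line `! ` prefix, stops the splitting and globbing, and behaves the same under sh and bash. `%b` still expands escapes inside interpolated values, so callers should not place untrusted text in the message.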
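Review bot: set_env_config uses `$file` unquoted in every test, redirection and grep call, and init_config_dir passes `-p $PORT` unquoted, so a config directory containing whitespace or glob characters makes the checks and the appends operate on a different path than intended. Quote them, e.g. `[ ! -e "$file" ] && echo "$param=$value" >> "$file"` and `curr_line="$(grep "^$param=" "$file")"`. The same applies to `$@` and `$NAME` in the invoke_borg hunk, where `/usr/bin/borg "$@"` keeps arguments with spaces intact. `==` inside `[ ]` is a bash extension; `=` works in both shells if the shebang (not visible here) is sh. The comment `# file ist nicht änderbar` should be English like the others: `# file isn't writable`.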
@@ -35,12 +58,21 @@ test_repo_exists() { return $? } invoke_borg() { - ( - export BORG_RSH="ssh -i $CONFIGDIR/ssh_key" - export BORG_REPO="ssh://$LOGIN@$HOST:${PORT}${REMOTE_PATH}" - export BORG_PASSPHRASE_FD=0 - exec /usr/bin/borg $@ < "$CONFIGDIR/borg_passphrase" - ) + # do some sandboxinng + systemd-run --pipe --collect --unit=temp-borg-init-sandbox.service \ + --working-directory=/tmp \ + -p "ConfigurationDirectory=borg/$NAME" \ + -p "CacheDirectory=borg/$NAME" \ + -p "ConfigurationDirectoryMode=550" \ + -p "CacheDirectoryMode=550" \ + -p "PrivateTmp=yes" \ + -p "ReadOnlyDirectories=/" \ + -p "EnvironmentFile=/etc/borg/$NAME/config.env" \ + --setenv=BORG_PASSPHRASE_FD=0 \ + --setenv=BORG_BASE_DIR=/tmp/ \ + --setenv=BORG_CONFIG_DIR=/etc/borg/$NAME \ + --setenv=BORG_CACHE_DIR=/var/cache/borg/$NAME \ + /usr/bin/borg $@ < /etc/borg/$NAME/borg_passphrase } init_repo() { echo "> init repo" @@ -57,6 +89,12 @@ usage() { for arg in "$@"; do case "$arg" in + -h*) + HOST="${arg#-h}" + ;; + --host=*) + HOST="${arg#--host=}" + ;; -p*) PORT="${arg#-p}" ;; @@ -69,12 +107,6 @@ for arg in "$@"; do --login=*) LOGIN="${arg#--login=}" ;; - -h*) - HOST="${arg#-h}" - ;; - --host=*) - HOST="${arg#--host=}" - ;; -d*) REMOTE_PATH="${arg#-d}" ;; @@ -85,7 +117,9 @@ for arg in "$@"; do usage ;; *) + [ "x$NAME" == "x" ] || usage NAME="$arg" + ;; esac done 
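Review bot: invoke_borg hard-codes `/etc/borg/$NAME` for EnvironmentFile, BORG_CONFIG_DIR and the passphrase redirect, while the rest of the script reads and writes `$CONFIGDIR`; if CONFIGDIR (defined outside this hunk) ever differs, borg runs with a different key, passphrase and repo than the ones that were just checked. Deriving the paths from one variable avoids that, e.g. `-p "EnvironmentFile=$CONFIGDIR/config.env"` and `< "$CONFIGDIR/borg_passphrase"`. The fixed unit name `temp-borg-init-sandbox.service` makes a second concurrent invocation fail; dropping `--unit` lets systemd-run pick a unique name. As written the sandbox restricts only filesystem writes, so `-p "NoNewPrivileges=yes"` would be a cheap addition. `ReadOnlyDirectories=` is the legacy spelling of `ReadOnlyPaths=`, and the comment has a typo (`sandboxinng`).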
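Review bot: In the `*)` arm NAME is taken from the positional argument without validation, and it is then used to build paths and unit properties (`/etc/borg/$NAME`, `ConfigurationDirectory=borg/$NAME` in invoke_borg), so a value containing `/`, `..` or whitespace points the script at directories outside the borg tree. Reject anything outside a conservative character set before assigning, e.g. `case "$arg" in ''|-*|.*|*[!A-Za-z0-9._-]*) usage ;; esac`. The new `[ "x$NAME" == "x" ] || usage` guard stops a second positional argument from overwriting NAME only if usage exits, which is not visible in this hunk.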
@@ -100,9 +134,12 @@ echo "> checking config" [ -r "$CONFIGDIR/ssh_key" ] || die "File isn't readable: $CONFIGDIR/ssh_key" # write config every time, parameter may change with each invocation -echo "BORG_REPO=ssh://$LOGIN@$HOST:${PORT}${REMOTE_PATH}" > "$CONFIGDIR/config.env" +set_env_config "$CONFIGDIR/config.env" BORG_REPO "ssh://$LOGIN@$HOST:${PORT}${REMOTE_PATH}" +set_env_config "$CONFIGDIR/config.env" BORG_RSH "ssh -i $CONFIGDIR/ssh_key" + [ -r "$CONFIGDIR/config.env" ] || die "File isn't readable: $CONFIGDIR/config.env" + echo "> testing ssh and destination path" test_ssh || die "Can't establish ssh connection! Try: ssh-copy-id -i $CONFIGDIR/ssh_key.pub -p $PORT $LOGIN@$HOST"
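Review bot: The comment `# write config every time, parameter may change with each invocation` no longer matches the code below it, because set_env_config appends only when a parameter is missing and aborts when the value would change. Suggested replacement: `# record repo and ssh command once; set_env_config refuses to change an existing value`. The following `[ -r "$CONFIGDIR/config.env" ] || die …` check is now redundant, since set_env_config already dies on an unreadable file. The BORG_RSH value embeds `$CONFIGDIR` unquoted inside the ssh command string, so a config path with spaces would presumably be split when borg runs it.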