init.sh: sandboxed borg invocations and new param-change-safeguard

2023-04-06 00:28:43 +02:00 · 2023-04-06 00:28:43 +02:00 · b419d2de87
commit b419d2de87
parent 42daa9e35e
1 changed files with 52 additions and 15 deletions
--- a/init.sh
+++ b/init.sh
@ -8,7 +8,7 @@ NAME=""
 LOGIN="$(whoami)"

 die () {
-	echo $1 >&2
+	echo -e $1 | sed -e 's-^-! -' >&2
 	exit 1
 }
 generate_passphrase() {
@ -23,7 +23,30 @@ init_config_dir() {

 	generate_passphrase > "$CONFIGDIR/borg_passphrase"
 	ssh-keygen -t ed25519 -N "" -q -f "$CONFIGDIR/ssh_key" -C "borg access from $(hostname --long)"
-	exec ssh-copy-id -i "$CONFIGDIR/ssh_key.pub" -p $PORT "$LOGIN@$HOST"
+	ssh-copy-id -i "$CONFIGDIR/ssh_key.pub" -p $PORT "$LOGIN@$HOST"
+}
+set_env_config() {
+	local file="$1"
+	local param="$2"
+	local value="$3"
+	
+	# test current config
+	# file does not exist
+	[ ! -e $file ] && echo "$param=$value" >> $file
+	# file isn't readable
+	[ ! -r $file ] && die "Config file isn't readable: $file"
+	# file exists and value is set => early exit
+	local curr_line="$(grep "^$param=" $file)"
+	if [ "x$curr_line" == "x" ]; then
+		# file ist nicht änderbar
+		[ ! -w $file ] && die "Config file isn't writable: $file"
+		# param isn't set => append
+		echo "$param=$value" >> $file
+	elif [ "x${curr_line#$param=}" != "x$value" ]; then
+		# param is set with different value
+		die "Environment parameter '$param' is already set to '${curr_line#$param=}' in config file: $file\nPlease confirm that you know what you're doing by manually setting the parameter to the desired value '$value'."
+	fi
+	return 0
 }
 test_ssh() {
 	ssh -q -o "BatchMode=yes" -i "$CONFIGDIR/ssh_key" -p "$PORT" "$LOGIN@$HOST" "mkdir -p $REMOTE_PATH" \
@ -35,12 +58,21 @@ test_repo_exists() {
 	return $?
 }
 invoke_borg() {
-	(
-		export BORG_RSH="ssh -i $CONFIGDIR/ssh_key"
-		export BORG_REPO="ssh://$LOGIN@$HOST:${PORT}${REMOTE_PATH}"
-		export BORG_PASSPHRASE_FD=0
-		exec /usr/bin/borg $@ < "$CONFIGDIR/borg_passphrase"
-	)
+	# do some sandboxinng
+	systemd-run --pipe --collect --unit=temp-borg-init-sandbox.service \
+		--working-directory=/tmp \
+		-p "ConfigurationDirectory=borg/$NAME" \
+		-p "CacheDirectory=borg/$NAME" \
+		-p "ConfigurationDirectoryMode=550" \
+		-p "CacheDirectoryMode=550" \
+		-p "PrivateTmp=yes" \
+		-p "ReadOnlyDirectories=/" \
+		-p "EnvironmentFile=/etc/borg/$NAME/config.env" \
+		--setenv=BORG_PASSPHRASE_FD=0 \
+		--setenv=BORG_BASE_DIR=/tmp/ \
+		--setenv=BORG_CONFIG_DIR=/etc/borg/$NAME \
+		--setenv=BORG_CACHE_DIR=/var/cache/borg/$NAME \
+		/usr/bin/borg $@ < /etc/borg/$NAME/borg_passphrase
 }
 init_repo() {
 	echo "> init repo"
@ -57,6 +89,12 @@ usage() {

 for arg in "$@"; do
 	case "$arg" in
+		-h*)
+			HOST="${arg#-h}"
+			;;
+		--host=*)
+			HOST="${arg#--host=}"
+			;;
 		-p*)
 			PORT="${arg#-p}"
 			;;
@ -69,12 +107,6 @@ for arg in "$@"; do
 		--login=*)
 			LOGIN="${arg#--login=}"
 			;;
-		-h*)
-			HOST="${arg#-h}"
-			;;
-		--host=*)
-			HOST="${arg#--host=}"
-			;;
 		-d*)
 			REMOTE_PATH="${arg#-d}"
 			;;
@ -85,7 +117,9 @@ for arg in "$@"; do
 			usage
 			;;
 		*)
+			[ "x$NAME" == "x" ] || usage
 			NAME="$arg"
+			;;
 	esac
 done

@ -100,9 +134,12 @@ echo "> checking config"
 [ -r "$CONFIGDIR/ssh_key" ] || die "File isn't readable: $CONFIGDIR/ssh_key"

 # write config every time, parameter may change with each invocation
-echo "BORG_REPO=ssh://$LOGIN@$HOST:${PORT}${REMOTE_PATH}" > "$CONFIGDIR/config.env"
+set_env_config "$CONFIGDIR/config.env" BORG_REPO "ssh://$LOGIN@$HOST:${PORT}${REMOTE_PATH}"
+set_env_config "$CONFIGDIR/config.env" BORG_RSH "ssh -i $CONFIGDIR/ssh_key"
+
 [ -r "$CONFIGDIR/config.env" ] || die "File isn't readable: $CONFIGDIR/config.env"

+
 echo "> testing ssh and destination path"
 test_ssh || die "Can't establish ssh connection! Try: ssh-copy-id -i $CONFIGDIR/ssh_key.pub -p $PORT $LOGIN@$HOST"