From 50b3d047921b489ad35a86a3de08a34e5bde1e8a Mon Sep 17 00:00:00 2001
From: Nulo
Date: Tue, 28 Sep 2021 13:32:02 -0300
Subject: [PATCH 01/10] Crear usuarix dentro de haini.sh
..en vez de mentir en $HOME. /Sutty$ id uid=1000(suttier) gid=1000(suttier) groups=65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),1000(suttier) /Sutty$ ssh -vvv 0xacab.org debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/suttier/.ssh/known_hosts'
---
 haini.sh | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/haini.sh b/haini.sh
index 92aa8d9..e59b754 100755
--- a/haini.sh
+++ b/haini.sh
@@ -40,9 +40,17 @@ ENTORNO=${ENTORNO:-${ROOT}/hain}
 correr() {
 echo "> $1" >&2
+ if test "$AS_ROOT"; then
+ SET_UID=0
+ SET_GID=0
+ else
+ SET_UID="$(id -u)"
+ SET_GID="$(id -g)"
+ fi
+
 env -i \
 TERM="$TERM" \
- USER="$USER" \
+ USER="suttier" \
 HOME="/home/suttier" \
 HAIN_ENV=true \
 RAILS_ENV="${RAILS_ENV:-development}" \
@@ -51,15 +59,15 @@ correr() {
 PAGER="less -niSFX" \
 bwrap \
 --die-with-parent \
- --unshare-user-try \
+ --unshare-user \
+ --uid "$SET_UID" \
+ --gid "$SET_GID" \
 --unshare-ipc \
 --unshare-uts \
 --unshare-cgroup-try \
 --bind "$ENTORNO" / \
 --bind "$ROOT" /Sutty \
 --ro-bind /etc/hosts /etc/hosts \
- --ro-bind /etc/passwd /etc/passwd \
- --ro-bind /etc/group /etc/group \
 --ro-bind /etc/resolv.conf /etc/resolv.conf \
 --ro-bind /etc/localtime /etc/localtime \
 --dev-bind /dev /dev \
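Review bot: `if test "$AS_ROOT"; then` in the new branch of `correr` treats any non-empty value as true, so a caller that sets `AS_ROOT=false`, or inherits a stale exported value, still gets `--uid 0 --gid 0` inside the namespace; compare the literal instead, `if test "$AS_ROOT" = true; then`. The move from `--unshare-user-try` to `--unshare-user` in the second hunk is needed by `--uid`/`--gid`, but it turns a best-effort namespace into a hard requirement: on a host without unprivileged user namespaces every `correr` call now fails in bwrap, which deserves a comment such as `# --uid/--gid need a real user namespace; unprivileged userns must be enabled on the host`. `SET_UID` and `SET_GID` are also assigned as globals from inside the function, which is harmless today but easy to trip over. The body of `correr` continues past the end of the hunk.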
@@ -169,6 +177,22 @@ crear_entorno() {
 && mv "$ENTORNO$HOME" "$ENTORNO/home/suttier"
 mkdir -p "$ENTORNO/home/suttier"
+ if ! grep ^suttier: "$ENTORNO/etc/group" >/dev/null 2>&1 ; then
+ AS_ROOT=true correr "addgroup \ -g $(id -g) \ suttier"
+ fi
+ if ! correr "id suttier" >/dev/null 2>&1 ; then
+ AS_ROOT=true correr "adduser \ --disabled-password \ --gecos '' \ --home /home/suttier \ --no-create-home \ --uid $(id -u) \ --ingroup suttier \ suttier"
+ fi
+
 # Configurar rubygems para que descargue las gemas desde Sutty
 install -m 640 "$DIR/.gemrc" "$ENTORNO/home/suttier/.gemrc"
From d088b5115e788e4cd3b23fa0132b3fd0dc8808cf Mon Sep 17 00:00:00 2001
From: f
Date: Thu, 26 Aug 2021 09:17:05 -0300
Subject: [PATCH 02/10] Soportar las llaves SSH de le usuarie
---
 haini.sh | 1 +
 packages | 1 +
 2 files changed, 2 insertions(+)
diff --git a/haini.sh b/haini.sh
index e59b754..d092237 100755
--- a/haini.sh
+++ b/haini.sh
@@ -70,6 +70,7 @@ correr() {
 --ro-bind /etc/hosts /etc/hosts \
 --ro-bind /etc/resolv.conf /etc/resolv.conf \
 --ro-bind /etc/localtime /etc/localtime \
+ --ro-bind ~/.ssh /home/suttier/.ssh \
 --dev-bind /dev /dev \
 --dev-bind /sys /sys \
 --dev-bind /proc /proc \
diff --git a/packages b/packages
index eb05796..8f2492c 100644
--- a/packages
+++ b/packages
@@ -14,6 +14,7 @@ nano-syntax
 ncurses-terminfo
 nginx
 nodejs
+openssh-client
 openssl
 postgresql
 postgresql-contrib
From c1525d9e0feafad5e7ccec333c6dff15cac1e476 Mon Sep 17 00:00:00 2001
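Review bot: `AS_ROOT=true correr "addgroup …"` relies on the temporary assignment not outliving the function call, but POSIX leaves that unspecified and it differs between `/bin/sh` implementations; where it persists, `AS_ROOT` stays set and every later `correr` in `crear_entorno` and in the main flow runs as uid 0 inside the sandbox. The interpreter is not visible in this chunk, so please verify with the target shell, or make it explicit with `AS_ROOT=true correr "…"; unset AS_ROOT`, or pass the flag as a parameter of `correr`. The `adduser` step is only guarded by `correr "id suttier"`, so a transient bwrap failure is indistinguishable from "user missing" and silently retries creation; acceptable, but worth a one-line comment. `crear_entorno` starts before and ends after this hunk.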
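Review bot: `--ro-bind ~/.ssh /home/suttier/.ssh` places the host's private key files, not only the public halves, inside the sandbox, so anything executed there (gems, node packages, the application itself) can read them; read-only stops tampering but not copying. Exposing only an agent socket keeps the key material outside the sandbox and limits what sandboxed code can do to signing, which is the direction the later patches in this series take. The bind also makes bwrap abort when `~/.ssh` does not exist on the host, so at minimum it should be conditional on `test -d ~/.ssh`. The `correr` function starts and ends outside this hunk.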
From: f
Date: Mon, 27 Sep 2021 19:56:51 -0300
Subject: [PATCH 03/10] Utilizar SSH Agent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Es necesario usar ssh-agent para poder hacer conexiones SSH dentro de Hainish compartiendo las mismas llaves. Si montáramos ~/.ssh, el cliente SSH insiste en expandir ~ al home externo en lugar del interno y no encontramos documentación al respecto.
---
 haini.sh | 13 ++++++++++++-
 ssh/config | 2 ++
 ssh/known_hosts | 3 +++
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 ssh/config
 create mode 100644 ssh/known_hosts
diff --git a/haini.sh b/haini.sh
index d092237..e9b566b 100755
--- a/haini.sh
+++ b/haini.sh
@@ -57,6 +57,7 @@ correr() {
 JEKYLL_ENV="${JEKYLL_ENV:-development}" \
 EDITOR="nano" \
 PAGER="less -niSFX" \
+ SSH_AUTH_SOCK="${SSH_AUTH_SOCK}" \
 bwrap \
 --die-with-parent \
 --unshare-user \
@@ -70,7 +71,7 @@ correr() {
 --ro-bind /etc/hosts /etc/hosts \
 --ro-bind /etc/resolv.conf /etc/resolv.conf \
 --ro-bind /etc/localtime /etc/localtime \
- --ro-bind ~/.ssh /home/suttier/.ssh \
+ --bind "${SSH_AUTH_SOCK}" "${SSH_AUTH_SOCK}" \
 --dev-bind /dev /dev \
 --dev-bind /sys /sys \
 --dev-bind /proc /proc \
@@ -205,6 +206,10 @@ crear_entorno() {
 install -m 755 "$script" "$ENTORNO/usr/local/bin/${script##*/}"
 done
+ # Configurar SSH
+ install -m 644 "$DIR/ssh/known_hosts" "$ENTORNO/root/known_hosts"
+ install -m 644 "$DIR/ssh/config" "$ENTORNO/etc/ssh_config"
+
 test -f "$ENTORNO/etc/ssl/certs/sutty.local.crt" || generar_certificado
 test -f "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" || mv "$ENTORNO/etc/ssl/certs/ca-sutty.crt" "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt"
 }
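Review bot: `--bind "${SSH_AUTH_SOCK}" "${SSH_AUTH_SOCK}"` in the second hunk is unconditional, so whenever no agent is running the variable is empty, bwrap receives two empty paths and aborts, and every `correr` call fails, including the ones `crear_entorno` makes; the agent start added to the main flow in this same series only runs in the non-`HAIN_ENV` branch and only when `ssh-agent` is installed. Add the bind only when `test -S "${SSH_AUTH_SOCK}"` holds. In the third hunk the files are installed to `/root/known_hosts` and `/etc/ssh_config` although the sandbox user is `suttier` with `HOME=/home/suttier`; I cannot see the sandbox's OpenSSH build, but the system client config is normally read from `/etc/ssh/ssh_config`, so the `UserKnownHostsFile` override may never be applied from that path and `/root` may not be readable by the mapped uid. Both `correr` and `crear_entorno` start outside their hunks.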
@@ -228,6 +233,12 @@ esac
 if test "$HAIN_ENV"; then
 ${*:-$DEFAULT}
 else
+ if test -z "${SSH_AUTH_SOCK}"; then
+ echo "Iniciando un ssh-agent temporal, te recomendamos instalarlo en tu terminal." >&2
+ eval "$(ssh-agent)"
+ ssh-add
+ fi
+
 crear_entorno
 stdin=/dev/stdin correr "${*:-$DEFAULT}"
 fi
diff --git a/ssh/config b/ssh/config
new file mode 100644
index 0000000..c212952
--- /dev/null
+++ b/ssh/config
@@ -0,0 +1,2 @@
+Host *
+ UserKnownHostsFile /root/known_hosts
diff --git a/ssh/known_hosts b/ssh/known_hosts
new file mode 100644
index 0000000..21f5b80
--- /dev/null
+++ b/ssh/known_hosts
@@ -0,0 +1,3 @@
+0xacab.org,198.252.153.239 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdh69MJNIA4hZNdplalK1BOD4QZEKn8msMwsEzA7nrr
+athshe.sutty.nl,172.96.172.58 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIDqJl9IW6WXAxrtZXMzvMnIpTjIZB+Tp+dDUpSaOrqdjqdMVjHVQSFnVh0MLHbvdjKKtxaKDAuT3JXGrSp8wyA=
+anarres.sutty.nl,54.39.161.205 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGw9aXovdiR44WzGfaitjlGiAO7I5OP/XgxFEc+t6HWeS0oqIVaEo17y7j29hLZbTRpN8vWoGSMa+UtquQZ6JG8=
From 1af786a9e1c08d586335c0c988cc9161b93ad96a Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 28 Sep 2021 12:52:02 -0300
Subject: [PATCH 04/10] No dejar ssh-agents flotando
---
 haini.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/haini.sh b/haini.sh
index e9b566b..9ff2c0e 100755
--- a/haini.sh
+++ b/haini.sh
@@ -8,6 +8,7 @@ uname -m | grep -q x86_64 || exit 1
 DIR="$(dirname "$(realpath "$0")")"
 ROOT="$(dirname "$DIR")"
 SELF="$(basename "$0")"
+SSH_ADHOC=false
 # Sólo se puede correr desde el directorio de Sutty
 if test "$ROOT" != "$(dirname "$PWD")" && test "$ROOT" != "$PWD"; then
@@ -234,6 +235,8 @@ if test "$HAIN_ENV"; then
 ${*:-$DEFAULT}
 else
 if test -z "${SSH_AUTH_SOCK}"; then
+ SSH_ADHOC=true
+
 echo "Iniciando un ssh-agent temporal, te recomendamos instalarlo en tu terminal." >&2
 eval "$(ssh-agent)"
 ssh-add
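Review bot: `ssh-add` without arguments loads every default identity into the temporary agent, so for the lifetime of the session all of the user's keys, not just the one the project remotes need, are usable from inside the sandbox; pass the specific identity file, or document that this is intended, with a comment such as `# loads all default identities; restrict if the sandbox should only reach the project remotes`. The agent started by `eval "$(ssh-agent)"` is also not terminated anywhere in this hunk, so a run without an external agent leaves a process holding unlocked keys behind, and a `trap` on EXIT at this point would cover the failure and Ctrl-C paths as well as the normal one. `eval` on command output is acceptable here because `ssh-agent` is a local binary, but that reasoning is worth a one-line comment. The enclosing `if` ends inside the hunk; the script continues after it.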
@@ -241,4 +244,6 @@ else
 crear_entorno
 stdin=/dev/stdin correr "${*:-$DEFAULT}"
+
+ ${SSH_ADHOC} && ssh-agent -k
 fi
From 19aac59bdc065eb7c7dd30c5888f46e0789121e8 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 28 Sep 2021 12:54:48 -0300
Subject: [PATCH 05/10] Avisar cuando no hay ssh-agent
---
 haini.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/haini.sh b/haini.sh
index 9ff2c0e..38ec411 100755
--- a/haini.sh
+++ b/haini.sh
@@ -235,11 +235,15 @@ if test "$HAIN_ENV"; then
 ${*:-$DEFAULT}
 else
 if test -z "${SSH_AUTH_SOCK}"; then
- SSH_ADHOC=true
+ if ! type ssh-agent >/dev/null 2>&1 ; then
+ echo "Instala ssh-agent para poder trabajar con git remoto dentro de haini.sh" >&2
+ else
+ SSH_ADHOC=true
- echo "Iniciando un ssh-agent temporal, te recomendamos instalarlo en tu terminal." >&2
- eval "$(ssh-agent)"
- ssh-add
+ echo "Iniciando un ssh-agent temporal, te recomendamos instalarlo en tu terminal." >&2
+ eval "$(ssh-agent)"
+ ssh-add
+ fi
 fi
 crear_entorno
From 74a4985ea20bf0de4f89fbd095860432429a1a08 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 28 Sep 2021 13:10:51 -0300
Subject: [PATCH 06/10] Instalar archivos dentro de /home/suttier
---
 haini.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/haini.sh b/haini.sh
index 38ec411..d715e8d 100755
--- a/haini.sh
+++ b/haini.sh
@@ -208,8 +208,9 @@ crear_entorno() {
 done
 # Configurar SSH
- install -m 644 "$DIR/ssh/known_hosts" "$ENTORNO/root/known_hosts"
- install -m 644 "$DIR/ssh/config" "$ENTORNO/etc/ssh_config"
+ install -m 700 -d "$ENTORNO/home/suttier/.ssh"
+ install -m 644 "$DIR/ssh/known_hosts" "$ENTORNO/home/suttier/.ssh/known_hosts"
+ install -m 644 "$DIR/ssh/config" "$ENTORNO/home/suttier/.ssh/config"
 test -f "$ENTORNO/etc/ssl/certs/sutty.local.crt" || generar_certificado
 test -f "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" || mv "$ENTORNO/etc/ssl/certs/ca-sutty.crt" "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt"
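Review bot: `${SSH_ADHOC} && ssh-agent -k` is the last command of the `else` branch, so when an external agent was in use (`SSH_ADHOC=false`) the script exits with status 1, and in both cases the exit status of `correr "${*:-$DEFAULT}"` is discarded, so a caller or CI job cannot tell success from failure. Capture the status before cleaning up and then return it: `rv=0; stdin=/dev/stdin correr "${*:-$DEFAULT}" || rv=$?`, then `if ${SSH_ADHOC}; then ssh-agent -k >/dev/null; fi`, then `exit $rv`. A `trap` on EXIT registered where the agent is started would additionally kill it when the run is interrupted, which this line does not. The enclosing `if` starts before the hunk.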
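Review bot: When `ssh-agent` is missing this branch only prints the hint and continues, but at this point in the series `correr` (outside the hunk) still passes `--bind "${SSH_AUTH_SOCK}" "${SSH_AUTH_SOCK}"` with an empty value to bwrap, so the run fails anyway with a less helpful error; either `exit 1` after the message or make that bind conditional. As a point of style, `command -v ssh-agent >/dev/null 2>&1` is the POSIX-specified probe and behaves the same in `dash` and `bash`, whereas `type` output and status vary between shells. The outer `if` and `else` start before the hunk.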
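Review bot: `install -m 644 "$DIR/ssh/known_hosts" "$ENTORNO/home/suttier/.ssh/known_hosts"` overwrites the sandbox user's `known_hosts` on every run of `crear_entorno`, which the main flow visible earlier in this series calls before each `correr`, so any host key the user accepted interactively inside the sandbox is discarded and prompted for again, and a stale pinned key in the repository cannot be overridden from inside. Keeping the pinned entries in a separate file referenced as `GlobalKnownHostsFile` from the installed `config`, or copying only when the target is absent (`test -f "$ENTORNO/home/suttier/.ssh/known_hosts" || install …`), preserves pinning without clobbering user state. Directory mode 700 and file mode 644 are what OpenSSH expects; ownership appears to work out because the host uid is mapped to `suttier` through `--uid`, but that is worth stating in the `# Configurar SSH` comment. `crear_entorno` starts before and ends after this hunk.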
From 62cb0883cc9c6aa43a2f9cebf58db8da482a7c74 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 28 Sep 2021 15:11:19 -0300
Subject: [PATCH 07/10] No fallar si no hay ssh-agent
---
 haini.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/haini.sh b/haini.sh
index d715e8d..02c9c3e 100755
--- a/haini.sh
+++ b/haini.sh
@@ -49,6 +49,13 @@ correr() {
 SET_GID="$(id -g)"
 fi
+ # Agregar flags dinámicas
+ EXTRA_FLAGS=""
+
+ if test -S "${SSH_AUTH_SOCK}"; then
+ EXTRA_FLAGS="${EXTRA_FLAGS} --bind ${SSH_AUTH_SOCK} ${SSH_AUTH_SOCK}"
+ fi
+
 env -i \
 TERM="$TERM" \
 USER="suttier" \
@@ -72,12 +79,12 @@ correr() {
 --ro-bind /etc/hosts /etc/hosts \
 --ro-bind /etc/resolv.conf /etc/resolv.conf \
 --ro-bind /etc/localtime /etc/localtime \
- --bind "${SSH_AUTH_SOCK}" "${SSH_AUTH_SOCK}" \
 --dev-bind /dev /dev \
 --dev-bind /sys /sys \
 --dev-bind /proc /proc \
 --dev-bind /tmp /tmp \
 --chdir "$WORKDIR" \
+ ${EXTRA_FLAGS} \
 /bin/sh -l -c "$1" < "${stdin:-/dev/null}"
 }
From 347b7eab2ccc3c226dd02a9814faaa06e8656f59 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 28 Sep 2021 15:11:36 -0300
Subject: [PATCH 08/10] =?UTF-8?q?No=20hace=20falta=20recomendar=20la=20ins?=
 =?UTF-8?q?talaci=C3=B3n=20si=20no=20dejamos=20agents=20abiertos?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 haini.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/haini.sh b/haini.sh
index 02c9c3e..120a71e 100755
--- a/haini.sh
+++ b/haini.sh
@@ -248,7 +248,7 @@ else
 else
 SSH_ADHOC=true
- echo "Iniciando un ssh-agent temporal, te recomendamos instalarlo en tu terminal." >&2
+ echo "Iniciando un ssh-agent temporal." >&2
 eval "$(ssh-agent)"
 ssh-add
 fi
From 5b3516d0f87c6c6cd0b61467b1449cfa52e08d3a Mon Sep 17 00:00:00 2001
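Review bot: `${EXTRA_FLAGS}` is deliberately expanded unquoted so the string splits into separate bwrap arguments, which means a `SSH_AUTH_SOCK` containing whitespace or glob characters is split or globbed into the wrong arguments, and `EXTRA_FLAGS` becomes another global written from inside `correr`. The script's shebang is not visible here, but in POSIX sh the robust form is to save `$1` into a local name, reset the positional parameters with `set --`, append `--bind "$SSH_AUTH_SOCK" "$SSH_AUTH_SOCK"` to them when `test -S` succeeds, and pass `"$@"` to bwrap in place of `${EXTRA_FLAGS}`, about four lines in total. The bind is not redundant with the existing `--dev-bind /tmp /tmp`: an agent whose socket lives elsewhere (for example under `$XDG_RUNTIME_DIR`) is only reachable inside the sandbox through it, while `SSH_AUTH_SOCK` is still exported by `env -i`, so `ssh` would see a dangling path and behave as if no agent existed. Recording that assumption in the new comment, e.g. `# Agregar flags dinámicas: el socket del agent solo es visible si su ruta está montada`, would stop the bind being dropped later as unnecessary.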
From: f
Date: Tue, 28 Sep 2021 15:16:28 -0300
Subject: [PATCH 09/10] =?UTF-8?q?Eliminar=20la=20configuraci=C3=B3n?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 haini.sh | 1 -
 ssh/config | 2 --
 2 files changed, 3 deletions(-)
 delete mode 100644 ssh/config
diff --git a/haini.sh b/haini.sh
index 120a71e..20c893f 100755
--- a/haini.sh
+++ b/haini.sh
@@ -217,7 +217,6 @@ crear_entorno() {
 # Configurar SSH
 install -m 700 -d "$ENTORNO/home/suttier/.ssh"
 install -m 644 "$DIR/ssh/known_hosts" "$ENTORNO/home/suttier/.ssh/known_hosts"
- install -m 644 "$DIR/ssh/config" "$ENTORNO/home/suttier/.ssh/config"
 test -f "$ENTORNO/etc/ssl/certs/sutty.local.crt" || generar_certificado
 test -f "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt" || mv "$ENTORNO/etc/ssl/certs/ca-sutty.crt" "$ENTORNO/usr/local/share/ca-certificates/ca-sutty.crt"
diff --git a/ssh/config b/ssh/config
deleted file mode 100644
index c212952..0000000
--- a/ssh/config
+++ /dev/null
@@ -1,2 +0,0 @@
-Host *
- UserKnownHostsFile /root/known_hosts
From b372a54e1f4be2feb2bfc3591c87fb35d91f7b79 Mon Sep 17 00:00:00 2001
From: f
Date: Tue, 28 Sep 2021 15:21:54 -0300
Subject: [PATCH 10/10] =?UTF-8?q?No=20hac=C3=ADa=20falta=20bindear=20el=20?=
 =?UTF-8?q?socket?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 haini.sh | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/haini.sh b/haini.sh
index 20c893f..6653eb9 100755
--- a/haini.sh
+++ b/haini.sh
@@ -49,13 +49,6 @@ correr() {
 SET_GID="$(id -g)"
 fi
- # Agregar flags dinámicas
- EXTRA_FLAGS=""
-
- if test -S "${SSH_AUTH_SOCK}"; then
- EXTRA_FLAGS="${EXTRA_FLAGS} --bind ${SSH_AUTH_SOCK} ${SSH_AUTH_SOCK}"
- fi
-
 env -i \
 TERM="$TERM" \
 USER="suttier" \
@@ -84,7 +77,6 @@ correr() {
 --dev-bind /proc /proc \
 --dev-bind /tmp /tmp \
 --chdir "$WORKDIR" \
- ${EXTRA_FLAGS} \
 /bin/sh -l -c "$1" < "${stdin:-/dev/null}"
 }