ssfs rev 13
Implement Ssfs virtual disk (more secure, easier to backup and readicaly minimal chroot include using 2.1Mb!
author | Christophe Lincoln <pankso@slitaz.org> |
---|---|
date | Sat Jun 11 22:26:13 2011 +0200 (2011-06-11) |
parents | adba1713f615 |
children | 048464223866 |
files | Makefile README data/ssfs-server.conf ssfs-server |
line diff
1.1 --- a/Makefile Sat Jun 11 19:15:28 2011 +0100 1.2 +++ b/Makefile Sat Jun 11 22:26:13 2011 +0200 1.3 @@ -11,14 +11,13 @@ 1.4 1.5 install: 1.6 mkdir -p \ 1.7 + $(DESTDIR)/etc/$(PACKAGE) \ 1.8 $(DESTDIR)$(DOCDIR)/$(PACKAGE) \ 1.9 $(DESTDIR)$(PREFIX)/bin \ 1.10 - $(DESTDIR)$(PREFIX)/sbin \ 1.11 - $(DESTDIR)/etc/$(PACKAGE) 1.12 + $(DESTDIR)$(PREFIX)/sbin 1.13 install -m 0755 $(PACKAGE) $(DESTDIR)$(PREFIX)/bin 1.14 install -m 0755 $(PACKAGE)-box $(DESTDIR)$(PREFIX)/bin 1.15 install -m 0755 $(PACKAGE)-server $(DESTDIR)$(PREFIX)/sbin 1.16 install -m 0644 README $(DESTDIR)$(DOCDIR)/$(PACKAGE) 1.17 - install -m 0600 data/$(PACKAGE)-server.conf \ 1.18 - $(DESTDIR)/etc/$(PACKAGE) 1.19 + install -m 0600 data/$(PACKAGE)-server.conf $(DESTDIR)/etc/$(PACKAGE) 1.20
2.1 --- a/README Sat Jun 11 19:15:28 2011 +0100 2.2 +++ b/README Sat Jun 11 22:26:13 2011 +0200 2.3 @@ -63,18 +63,51 @@ 2.4 Server setup 2.5 ------------ 2.6 On the server you must have a SSH server running and an user account with a 2.7 -~/Sync folder. If you want to create a chroot for users you can use the 2.8 -tool ssfs-server. Here is a short example to create a chroot and create a user 2.9 -login 'tux-sync' with a protected $HOME in the chroot. The root directory can 2.10 -be specified on the command line or changed in the configuration file: 2.11 +~/Sync folder in user home. You can have both, staandard accounts or chrooted 2.12 +accounts, for a hosted service it is recommended to use a chroot and Ssfs 2.13 +virtual disk. The vdisk can be any size you want and have a minimal chroot 2.14 +environment that is under 3Mb. 2.15 2.16 -# ssfs-server gen-chroot 2.17 +If you want to create a vdisk and chroot automaticaly you can use use the tool 2.18 +ssfs-server. Here is a short example to create a chroot and create a user 2.19 +login 'tux-sync' with a protected $HOME in the chroot, the root directory can 2.20 +be specified on the command line or changed in the configuration file. The 2.21 +vdisk creation size is set in Gb and can be changed in config file or from 2.22 +the cmdline: 2.23 + 2.24 +# ssfs-server gen-vdisk --size=2 2.25 # ssfs-server adduser --login=tux-sync --id=2000 --pass=tuX0cc 2.26 2.27 Users can be listed or completely deleted including all files in home. More 2.28 information can be found with: ssfs-server usage 2.29 2.30 2.31 +Ssfs virtual disk 2.32 +----------------- 2.33 +A virtual Ssfs disk is a raw file created with dd and formated in ext3. It is 2.34 +mounted by default on /ssfs and contain a minimal chroot environemt with users 2.35 +home directory. We use a virtual disk to enforce securiry and use a separate 2.36 +media for Ssfs secure files, it also protect the host and limit storage size. 2.37 +The tool ssfs-server handle vdisk creation but you can also create one manually 2.38 +or use a separate HD if the server have more than one disk. To create 2Gb 2.39 +vdisk and format it to ext3: 2.40 + 2.41 +# dd if=/dev/zero of=/home/ssfs.ext3 bs=1G count=2 2.42 +# mkfs.ext3 -T ext3 -L "Ssfs" -F /home/ssfs.ext3 2.43 + 2.44 +Now you have a virtual disk you can mount it, the path must match SSFS_CHROOT 2.45 +found in ssfs-server.conf, default mount point is /ssfs to clearly separate 2.46 +the filesystem from the standard host file hierarchy: 2.47 + 2.48 +# mkdir /ssfs 2.49 +# mount -o loop -t ext3 /home/ssfs.ext3 /ssfs 2.50 + 2.51 +To automaticaly mount the vdisk on boot you may want to add a ssfs system user 2.52 +and a line into the file /etc/fstab: 2.53 + 2.54 +# adduser -S -g "Ssfs Server" -h /ssfs -s /bin/false ssfs 2.55 +/home/ssfs.ext3 /ssfs ext3 rw,loop,ssfs,ssfs 0 0 2.56 + 2.57 Server users config 2.58 ------------------- 2.59 When adding a user with 'ssfs-server adduser', the user is added to the host 2.60 @@ -88,15 +121,17 @@ 2.61 clone the ssfs Mercurial repository. As usual, closely follow the SliTaz light 2.62 philosophy with speed and security in mind: 2.63 2.64 - $ hg clone http://hg.slitaz.org/ssfs 2.65 +$ hg clone http://hg.slitaz.org/ssfs 2.66 2.67 Install with 'make install' (DESTDIR is supported for packaging), update the POT 2.68 file if any new strings have been added with 'make pot', and merger PO files with 2.69 the command 'make msgmerge'. Any ideas are welcome and can be discussed. If you 2.70 are searching for something to do you can have a look to the TODO file :-) 2.71 2.72 -Bugs can be reported on the SliTaz mailing list, forum or scn since the devel forum 2.73 -is synced. All sites are liked from the main website at: http://www.slitaz.org/ 2.74 +Bugs can be reported on the SliTaz mailing list, forum or scn since the devel 2.75 +forum is synced. All sites are liked from the main website at: 2.76 + 2.77 +http://www.slitaz.org/ 2.78 2.79 2.80 ===============================================================================
3.1 --- a/data/ssfs-server.conf Sat Jun 11 19:15:28 2011 +0100 3.2 +++ b/data/ssfs-server.conf Sat Jun 11 22:26:13 2011 +0200 3.3 @@ -1,8 +1,14 @@ 3.4 # Ssfs server side tool configuration file. 3.5 # 3.6 3.7 -# Path to Ssfs storage root. 3.8 -SSFS_CHROOT="/home/ssfs" 3.9 +# Path to Ssfs storage root to mount the vdisk. 3.10 +SSFS_CHROOT="/ssfs" 3.11 + 3.12 +# Path to Ssfs virtual disk. 3.13 +SSFS_VDISK="/home/ssfs.ext3" 3.14 + 3.15 +# Virtual disk size in Gb. 3.16 +SSFS_SIZE="10" 3.17 3.18 # User configuration file path. 3.19 SSFS_USERS="/etc/ssfs/users"
4.1 --- a/ssfs-server Sat Jun 11 19:15:28 2011 +0100 4.2 +++ b/ssfs-server Sat Jun 11 22:26:13 2011 +0200 4.3 @@ -26,12 +26,18 @@ 4.4 pass=${opt#--pass=} ;; 4.5 --root=*) 4.6 root=${opt#--root=} ;; 4.7 + --vdisk=*) 4.8 + vdisk=${opt#--vdisk=} ;; 4.9 + --size=*) 4.10 + size=${opt#--size=} ;; 4.11 *) 4.12 continue ;; 4.13 esac 4.14 done 4.15 4.16 [ "$root" ] || root=${SSFS_CHROOT} 4.17 +[ "$vdisk" ] || vdisk=${SSFS_VDISK} 4.18 +[ "$size" ] || size=${SSFS_SIZE} 4.19 4.20 # 4.21 # Functions 4.22 @@ -49,14 +55,18 @@ 4.23 adduser $(gettext "Add a user to the system with \$HOME in chroot.") 4.24 deluser $(gettext "Delete a user and remove \$HOME files.") 4.25 chroot $(gettext "Chroot to Ssfs storage root.") 4.26 - gen-chroot $(gettext "Create a chroot for users files storage.") 4.27 - clean-chroot $(gettext "Clean the chroot but skip home/ and root/.") 4.28 + gen-vdisk $(gettext "Create a vdisk with chroot for files storage.") 4.29 + clean-vdisk $(gettext "Clean the vdisk but skip home and root.") 4.30 + mount-vdisk $(gettext "Mount ssfs virtual disk.") 4.31 + umount-vdisk $(gettext "Unmount the vdisk and free loop device.") 4.32 4.33 $(echo -e "\033[1m$(gettext "Options:")\033[0m") 4.34 --login= $(gettext "Login name for add or del an user.") 4.35 --id= $(gettext "User id for adduser command.") 4.36 --pass= $(gettext "User password for adduser.") 4.37 - --root= $(gettext "The path to the Ssfs chroot.") 4.38 + --root= $(gettext "The path to the Ssfs vdisk chroot.") 4.39 + --vdisk= $(gettext "Set the Ssfs vdisk path and name.") 4.40 + --size= $(gettext "Set the ext3 vdisk size in Gb.") 4.41 4.42 EOT 4.43 } 4.44 @@ -66,6 +76,11 @@ 4.45 [ $? = 1 ] && echo -e " ERROR\n" && exit 1 4.46 } 4.47 4.48 +separator() { 4.49 + echo "================================================================================" 4.50 +} 4.51 + 4.52 +# We have custom config when adding user to handle quota and user info. 4.53 user_paths() { 4.54 config=$SSFS_USERS/$login.conf 4.55 home=$root/./home/$login 4.56 @@ -81,7 +96,6 @@ 4.57 EOT 4.58 } 4.59 4.60 -# Create a custom config when adding user to handle quota and user info. 4.61 user_config() { 4.62 gettext "Creating Ssfs user configuration file..." 4.63 cat > $config << EOT 4.64 @@ -94,6 +108,26 @@ 4.65 echo "" 4.66 } 4.67 4.68 +# Handle Ssfs virtual disk. 4.69 +umount_vdisk() { 4.70 + if mount | fgrep -q $root; then 4.71 + loop=$(mount | fgrep $root | awk '{print $1}') 4.72 + gettext "Unmounting Ssfs vdisk:"; echo " $vdisk" 4.73 + umount $root && sleep 1 4.74 + gettext "Detaching loop device:"; echo " $loop" 4.75 + losetup -d $loop 4.76 + else 4.77 + gettext "Ssfs vdisk is not mounted:"; echo " $vdisk" 4.78 + fi 4.79 +} 4.80 + 4.81 +mount_vdisk() { 4.82 + umount_vdisk 4.83 + [ -d "$root" ] || mkdir -p $root 4.84 + gettext "Mounting virtual disk:"; echo " $vdisk $root" 4.85 + mount -o loop -t ext3 $vdisk $root 4.86 +} 4.87 + 4.88 # 4.89 # Commands 4.90 # 4.91 @@ -154,41 +188,99 @@ 4.92 chroot $root 4.93 gettext -e "\nBack to the host system:" 4.94 echo -e " $(hostname)\n" ;; 4.95 - gen-chroot) 4.96 - # Generate a minimal chroot for Ssfs users home. 4.97 + gen-vdisk) 4.98 + # Generated a virtual disk with a minimal chroot for Ssfs users home. 4.99 if [ -d "$root/bin" ]; then 4.100 gettext -e "A chroot already exists in:"; echo " $root" 4.101 exit 0 4.102 fi 4.103 - gettext -e "\nCreating chroot in:"; echo " $root" 4.104 - gettext "Installing SliTaz base files..." 4.105 - yes | tazpkg get-install slitaz-base-files --root=$root >/dev/null 4.106 + echo "" 4.107 + gettext "Creating chroot in:"; echo " $root" 4.108 + separator 4.109 + 4.110 + # Create vdisk if missing. 4.111 + if [ ! -f "$vdisk" ]; then 4.112 + gettext "Creating virtual disk:"; echo " $vdisk ${size}Gb" 4.113 + dd if=/dev/zero of=$vdisk bs=1G count=$size 4.114 + du -sh $vdisk 4.115 + gettext "Creating ext3 filesystem..." 4.116 + mkfs.ext3 -q -T ext3 -L "Ssfs" -F $vdisk 4.117 + status 4.118 + mount_vdisk 4.119 + fi 4.120 + 4.121 + # Create a radicaly minimal chroot with all libs in /lib. 4.122 + gettext "Creating base files..." 4.123 + mkdir -p $root && cd $root 4.124 + for d in etc tmp lib usr home root 4.125 + do 4.126 + mkdir -p $d 4.127 + done && status 4.128 + cp -a /etc/slitaz-release $root/etc 4.129 + #cp -a /etc/nsswitch.conf $root/etc 4.130 + echo "root:x:0:0:root:/root:/bin/sh" > etc/passwd 4.131 + echo "root::13525:0:99999:7:::" > etc/shadow 4.132 + echo "root:x:0:" > etc/group 4.133 + echo "root:*::" > etc/gshadow 4.134 + 4.135 + gettext "Setting files permissions..." 4.136 + chmod 640 etc/shadow etc/gshadow 4.137 + chmod 0700 root && chmod 1777 tmp 4.138 status 4.139 + 4.140 + # Busybox without deps (get && extract). No system comands are allowed 4.141 + # in /etc/busybox.conf to restrict SSHed users. 4.142 gettext "Installing Busybox..." 4.143 - yes | tazpkg get-install busybox --root=$root >/dev/null 4.144 + cd $root/tmp 4.145 + tazpkg get busybox >/dev/null 4.146 + tazpkg extract busybox-* >/dev/null 4.147 + rm -rf fs && mv -f busybox-*/fs . && rm -rf busybox-* 4.148 + cp -a fs/bin fs/sbin $root 4.149 + cp -a fs/usr/bin fs/usr/sbin $root/usr 4.150 + rm -rf fs 4.151 status 4.152 - gettext "Cleaning Ssfs chroot..." 4.153 - rm -f $root/init 4.154 - status && echo "" ;; 4.155 - clean-chroot) 4.156 - # clean up the storage chroot. 4.157 + gettext "Creatin restrictive Busybox config file..." 4.158 + echo '# /etc/busybox.conf: Ssfs Busybox configuration.' \ 4.159 + > $root/etc/busybox.conf 4.160 + echo -e "\nsu = ---" >> $root/etc/busybox.conf 4.161 + chmod 0600 $root/etc/busybox.conf 4.162 + status 4.163 + 4.164 + # Glib minimal libs, use host lib since package should be installed 4.165 + # from same repo. 4.166 + gettext "Installing Glibc libraries..." 4.167 + for l in ld-*.*so* libc-*.*so libc.so.* libnss_files* 4.168 + do 4.169 + cp -a /lib/$l* $root/lib 4.170 + done && status 4.171 + size=$(du -sh $root | awk '{print $1}') 4.172 + separator 4.173 + gettext "Vdisk used space:"; echo -e " $size\n" ;; 4.174 + mount-vdisk) 4.175 + mount_vdisk ;; 4.176 + umount-vdisk) 4.177 + umount_vdisk ;; 4.178 + clean-vdisk) 4.179 + # clean up the vdisk storage chroot. 4.180 if [ ! -d "$root/bin" ] || [ ! -d "$root/usr" ]; then 4.181 gettext -e "No chroot found in:"; echo " $root" 4.182 exit 0 4.183 fi 4.184 - gettext -e "\nChanging directory to:"; echo " $root" 4.185 + gettext -e "\nCleaning virtual disk\n" 4.186 + separator 4.187 + gettext "Changing directory to:"; echo " $root" 4.188 cd $root 4.189 for dir in * 4.190 do 4.191 size=$(du -sh $dir | awk '{print $1}') 4.192 case "$dir" in 4.193 - home|root) 4.194 + home|root|lost*) 4.195 gettext "Skipping:"; echo " $dir $size *" ;; 4.196 *) 4.197 gettext "Removing:"; echo " $dir $size" 4.198 rm -rf $dir ;; 4.199 esac 4.200 - done && echo "" ;; 4.201 + done && separator && echo "" ;; 4.202 *) 4.203 help ;; 4.204 esac