Got the initial restricted file list setup; some things are missing because they may expose a security hole, and they need a further, more detailed wrapper (like mount, find, etc etc), because they expose both harmless read-only, and extremely damaging write functions.

client/bin/disco-fs-mount

@@ -12,14 +12,15 @@ fi
 # Cleanup old junk
 rm -rf ${DISCOROOT}/scratchfs
 rm -rf ${DISCOROOT}/restricted/*
+rm -rf ${DISCOROOT}/munge/*
 
 # Prepare all the mountpoint directories
 mkdir -p ${DISCOROOT}/chroot
-mkdir -p ${DISCOROOT}/execs/bin
-mkdir -p ${DISCOROOT}/proc/proc
-mkdir -p ${DISCOROOT}/sysfs/sys
+#mkdir -p ${DISCOROOT}/proc/proc
+#mkdir -p ${DISCOROOT}/sysfs/sys
 mkdir -p ${DISCOROOT}/rootfs
 mkdir -p ${DISCOROOT}/scratchfs
+mkdir -p ${DISCOROOT}/munge
 mkdir -p ${DISCOROOT}/dev/dev
 mkdir -p ${DISCOROOT}/restricted/bin
 
@@ -28,35 +29,34 @@ mkdir -p ${DISCOROOT}/restricted/bin
 mkdir -p ${DISCOCFG}/restricted.d
 for file in $(cat ${DISCOCFG}/restricted.d/* 2>/dev/null | grep -v "^#")
 do
-    mkdir -p ${DISCOROOT}/restricted/bin$(echo $file | dirname $file)
-    ln -s $file ${DISCOROOT}/restricted/bin/$file
+    if [ ! -e ${DISCOROOT}/restricted/bin/$(basename $file) ]; then
+	ln -s $file ${DISCOROOT}/restricted/bin/$(basename $file)
+    fi
 done
 
 # Setup some more restricted execution stuff, but only if we actually have $NOOP
 
 if [ "$NOOP" != "" ]; then
+    # Munge up /etc/profile
+    mkdir -p ${DISCOROOT}/munge/etc
+    cp /etc/profile ${DISCOROOT}/munge/etc/profile
+    echo "export PATH=${DISCOROOT}/restricted/bin" >> ${DISCOROOT}/munge/etc/profile
+
+    # Make default wrapper
+    echo -e "#!/bin/bash\necho \"info: Would execute \$0 \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
+    chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
+
+    # Now link everything to the default wrapper
     for dir in $(echo $PATH | sed s/":"/" "/g)
     do
 	for file in ${dir}/*
 	do
-	    if [ "$file" != "/bin/bash" ] && [ -x $file ] && [ ! -x ${DISCOROOT}/restricted${file} ] ; then
-		mkdir -p $(dirname ${DISCOROOT}/restricted/${file})
-		echo -e "#!/bin/bash\necho \"info: Would execute \$0 \$@\"" > ${DISCOROOT}/restricted${file}
-		chmod +x ${DISCOROOT}/restricted${file}
+	    FNAME=$(basename $file)
+	    if [ "$FNAME" != "bash" ] && [ -x $file ] && [ ! -x ${DISCOROOT}/restricted/bin/$FNAME ] ; then
+		ln -s ${DISCOROOT}/restricted/bin/_disco_restricted_cmd ${DISCOROOT}/restricted/bin/${FNAME}
 	    fi
 	done
     done
-    # Here we play a pretty lame trick on the user. /bin/bash will always exist 
-    # (unfortunately), but we can force everything else to our rbash wrapper,
-    # forcing restricted execution. The user can get around this by calling
-    # /bin/bash directly, but that's on the user. TNMP, RTFM!
-    #ln -s /bin/bash ${DISCOROOT}/restricted/bin/rbash
-    #for dir in /usr/bin /usr/local/bin /usr/sbin; 
-    #do
-    #	mkdir -p ${DISCOROOT}/restricted/${dir}
-    #	echo "#!/bin/bash --restricted\neval \$@" > ${DISCOROOT}/restricted/${dir}/bash
-    #	chmod +x ${DISCOROOT}/restricted/${dir}/bash
-    #done
 fi
 
 # We need SOME special files in /dev like /dev/null, so make them here
@@ -69,26 +69,25 @@ chmod 666 ${DISCOROOT}/dev/dev/null
 mount --bind -o ro / ${DISCOROOT}/rootfs 2>&1 | grep -v "seems to be mounted read-write"
 mount -o remount,ro ${DISCOROOT}/rootfs
 
+# Setup filesystem layers. The read/write ones go on the top, with scratchfs ALWAYS on top.
+FSLAYERS="${DISCOROOT}/scratchfs=rw"
+FSLAYERS="${FSLAYERS}:${DISCOROOT}/munge=ro"
+FSLAYERS="${FSLAYERS}:${DISCOROOT}/dev=rw"
+#FSLAYERS="${FSLAYERS}:${DISCOROOT}/proc=ro"
+#FSLAYERS="${FSLAYERS}:${DISCOROOT}/sysfs=ro"
+FSLAYERS="${FSLAYERS}:${DISCOROOT}/rootfs=ro"
+
+# Union
+unionfs -o cow,dev,dirs=$FSLAYERS ${DISCOROOT}/chroot
+
 # Duplicate /proc and /sys if they already exist
 mount | grep " on /proc" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
-    mount -t proc -o ro none ${DISCOROOT}/proc/proc
+    mount -t proc -o ro none ${DISCOROOT}/chroot/proc
 fi
 mount | grep " on /sys" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
-    mount -t sysfs -o ro none ${DISCOROOT}/sysfs/sys
+    mount -t sysfs -o ro none ${DISCOROOT}/chroot/sys
 fi
 
-# Setup filesystem layers. The read/write ones go on the top, with scratchfs ALWAYS on top.
-FSLAYERS="${DISCOROOT}/scratchfs=rw"
-FSLAYERS="${FSLAYERS}:${DISCOROOT}/dev=rw"
-FSLAYERS="${FSLAYERS}:${DISCOROOT}/restricted=ro"
-FSLAYERS="${FSLAYERS}:${DISCOROOT}/execs=ro"
-FSLAYERS="${FSLAYERS}:${DISCOROOT}/proc=ro"
-FSLAYERS="${FSLAYERS}:${DISCOROOT}/sysfs=ro"
-FSLAYERS="${FSLAYERS}:${DISCOROOT}/rootfs=ro"
-
-# Here we go
-unionfs -o cow,dev,dirs=$FSLAYERS ${DISCOROOT}/chroot
-
 exit 0

client/bin/disco-fs-unmount

@@ -10,25 +10,21 @@ fi
 
 umount ${DISCOROOT}/chroot
 umount ${DISCOROOT}/proc/proc
-
-#Unmount the proc/sys mirrors if they were mounted
-mount | grep " on /${DISCOROOT}/proc/proc" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-    mount -t proc -o ro none ${DISCOROOT}/proc/proc
-    mount -t sysfs -o ro none ${DISCOROOT}/sysfs/sys
-fi
-mount | grep " on /${DISCOROOT}/sysfs/sys" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-    mount -t sysfs -o ro none ${DISCOROOT}/sysfs/sys
-fi
-
-umount ${DISCOROOT}/sysfs/sys
 umount ${DISCOROOT}/rootfs
 mount | grep $DISCOROOT > /dev/null 2>&1
 if [ $? -eq 0 ]; then
     # Sometimes required
     umount ${DISCOROOT}/rootfs
 fi
+#Unmount the proc/sys mirrors if they were mounted
+mount | grep " on ${DISCOROOT}/proc/proc" >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+    mount -t proc -o ro none ${DISCOROOT}/proc/proc
+fi
+mount | grep " on ${DISCOROOT}/sysfs/sys" >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+    mount -t sysfs -o ro none ${DISCOROOT}/sysfs/sys
+fi
 
 rm -rf ${DISCOROOT}/scratchfs/* ${DISCOROOT}/scratchfs/.unionfs
 rm -rf ${DISCOROOT}/dev/*