From 891386e61ff3dca846e48ebc256cc9d6f3eb8393 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sun, 22 Sep 2024 12:44:09 -0400 Subject: [PATCH] various fixes --- .bashrc | 5 +- brc | 4 + brc2 | 162 ++++++++++++++++++++---- distro-end | 30 +++-- filesystem/etc/profile.d/environment.sh | 36 +++--- pkgs | 3 - 6 files changed, 185 insertions(+), 55 deletions(-) diff --git a/.bashrc b/.bashrc index 3e90a50..7085f71 100644 --- a/.bashrc +++ b/.bashrc @@ -52,10 +52,9 @@ HISTCONTROL=ignoredups HISTIGNORE='pass *:otp *:oathtool *:histrm *:h *' # note: duplicated in /a/bin/ds/filesystem/etc/profile.d/environment.sh -umask 022 +umask g-w,o-w - -if [[ $EUID == 1000 && ! $_ran_bashrc && $TERM == linux && ! $DISPLAY && $(tty) = /dev/tty1 && -x /usr/bin/startx ]]; then +if [[ $PWD == /home/iank && $EUID == 1000 && ! $_ran_bashrc && $TERM == linux && ! $DISPLAY && $(tty) = /dev/tty1 && -x /usr/bin/startx ]]; then _ran_bashrc=t if tmp=$(systemctl status |& head) && \ grep -qi '^ *state: running' <<<"$tmp" && grep -qi '^ *failed: 0' <<<"$tmp" && grep -qi '^ *jobs: 0' <<<"$tmp"; then diff --git a/brc b/brc index 3aad896..acf2950 100644 --- a/brc +++ b/brc @@ -2596,6 +2596,10 @@ EOF # reapply bashrc reb() { + if (( $# >= 1 )); then + echo error: reb: expected 0 arguments >&2 + return 1 + fi # shellcheck disable=SC1090 # expected to not follow source ~/.bashrc } diff --git a/brc2 b/brc2 index 32f0065..b156819 100644 --- a/brc2 +++ b/brc2 
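Review bot: `umask g-w,o-w` is a relative symbolic mask, not an absolute one: it only clears the group and other write bits from whatever mask the shell inherited, so a session that starts at 077 stays at 077, whereas the old `umask 022` always reset to exactly 022. If that tighten-only behaviour is intended it deserves a comment beside the existing duplication note, e.g. `# symbolic form is relative: clears g+w/o+w but never loosens a stricter inherited umask`, and the copy in filesystem/etc/profile.d/environment.sh (changed in this commit but not shown here) should carry the same wording. The new `$PWD == /home/iank` guard on the startx line hardcodes the home directory where `$PWD == $HOME` expresses the same check without the login name.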
@@ -230,8 +230,11 @@ rm-docker-iptables() { s iptables -S -t nat | gr docker | gr -- -N | sed 's/-N/-X/'| while read -r l; do sudo iptables -t nat $l; done } -# usage mkschroot [-] distro codename packages -# - means no piping in of sources.list +# usage mkschroot [OPTIONS] SCHROOT_NAME DISTRO_CODENAME PACKAGES... +# +# -f Overwrite any existing schroot +# -s SOURCES_LIST_FILE After debootstrap, install this (for example, to get updates section instead of just main). +# -t TARGET_DIR Instead of default /nocow/schroot/SCHROOT_NAME # # note some useful post mkschroot i've used in the past # tu /nocow/schroot/flidas/etc/sudoers </dev/null; then m sudm unshare --propagation slave --mount=/root/mount_namespaces/$ns /bin/true fi +} +# like mns() but without calling mns-setup +# +# When we are setting up a mount namespace, we use this to avoid +# redundant calls of mns-setup +mns-no-setup() { + local ns + ns=$1 + shift + m sudm -E /usr/bin/nsenter --mount=/root/mount_namespaces/$ns "$@" } mns() { # mount namespace 
@@ -3020,17 +3041,86 @@ mns() { # mount namespace m sudm -E /usr/bin/nsenter --mount=/root/mount_namespaces/$ns "$@" } -mnsd() { # mount namespace + systemd namespace - local ns unit +# systemd namespace + mount namespace +sdmn() { + local ns unit user tmpf alt_user=false + local -a final_args + user=$USER + while [[ $1 ]]; do + case $1 in + -u) + alt_user=true + user="$2" + shift 2 + ;; + -p) + pre_check="$2" + shift 2 + ;; + *) + break + ;; + esac + done + ns=$1 unit=$2 shift 2 + pid=$(servicepid $unit) + env-tmpf "$@" + if $alt_user; then + final_args=("$@") + else + final_args=(bash -c ". $tmpf") + fi + if [[ $pre_check ]]; then + sudm $pre_check + else + m sudm nsenter -t $pid -n -m mns-setup $ns + fi + m sudm nsenter -t $pid -n --mount=/root/mount_namespaces/$ns sudo -u $user -i "${final_args[@]}" +} - mns-setup $ns +mnsd() { # mount namespace + systemd network namespace + local ns unit user tmpf alt_user=false + local -a final_args + + ## begin command line args ## + user=$USER + while [[ $1 ]]; do + case $1 in + -u) + alt_user=true + user="$2" + shift 2 + ;; + -p) + pre_check="$2" + shift 2 + ;; + *) + break + ;; + esac + done + ns=$1 + unit=$2 + shift 2 + ## end command line args ## pid=$(servicepid $unit) env-tmpf "$@" - m sudo nsenter -t $pid -n --mount=/root/mount_namespaces/$ns sudo -u $USER -i bash -c ". $tmpf" + if $alt_user; then + final_args=("$@") + else + final_args=(bash -c ". $tmpf") + fi + if [[ $pre_check ]]; then + if ! sudm $pre_check; then + m sudm nsenter -t $pid -n -m mns-setup $ns + fi + fi + m sudo nsenter -t $pid -n --mount=/root/mount_namespaces/$ns sudo -u $user -i "${final_args[@]}" } @@ -3358,7 +3448,7 @@ myprof() { day_logs=() if [[ -e office_at_conference.fsf.org/$log_base ]]; then day_logs+=(office_at_conference.fsf.org/$log_base) - fi + fi if [[ -e sys_at_conference.fsf.org/$log_base ]]; then day_logs+=(office_at_conference.fsf.org/$log_base) fi 
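Review bot: `pre_check` and `pid` are assigned but never declared `local` in either sdmn or mnsd, so in a sourced interactive shell a `-p` check given to one call leaks into the global scope and silently applies to the next call that passes no `-p`; add them to the declaration, e.g. `local ns unit user tmpf pid pre_check alt_user=false`. The two functions also disagree on what `-p` means: mnsd runs `mns-setup` only when `sudm $pre_check` fails, while sdmn runs the check, ignores its exit status, never calls `mns-setup` when `-p` is given and always calls it otherwise — if the mnsd form is the intended one, sdmn should use the same `if ! sudm $pre_check; then` structure. Finally, `env-tmpf "$@"` runs before the `if $alt_user` branch, so with `-u` the temp file holding an `export -p` dump of the caller's environment is created but never executed, and because it only deletes itself when run it is left behind; move the `env-tmpf "$@"` call into the `else` branch just before `final_args=(bash -c ". $tmpf")`.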
@@ -4069,16 +4159,31 @@ sdnbashroot() { # systemd namespace bash as root # systemd namespace cmd # usage: UNIT CMD... sdncmd() { - local unit pid tmpf - if (( $# <= 1 )); then + local unit pid tmpf alt_user=false + local -a final_args + if [[ $1 == -u* ]]; then + alt_user=true + user=${1#-u} + shift + else + user=$USER + fi + + if (( $# == 0 )); then echo $0: error wrong number of args >&2 return 1 fi + unit=$1 shift pid=$(servicepid $unit) env-tmpf "$@" - m sudo nsenter -t $pid -n -m sudo -u $USER -i bash -c ". $tmpf" + if $alt_user; then + final_args=("$@") + else + final_args=(bash -c ". $tmpf") + fi + m sudo nsenter -t $pid -n -m sudo -u $user -i "${final_args[@]}" } sdncmdroot() { # systemd namespace root command @@ -4090,7 +4195,7 @@ sdncmdroot() { # systemd namespace root command unit=$1 shift pid=$(servicepid $unit) - m sudo nsenter -t $pid -n -m "$@" + m sudm nsenter -t $pid -n -m "$@" } ## create tempfile script which runs command under same env then deletes itself. @@ -4099,7 +4204,13 @@ sdncmdroot() { # systemd namespace root command # we could just set those explicity, PATH is the main one. It also # seems less secure since another process could modify the temp file. env-tmpf() { - tmpf=$(mktemp --tmpdir $unit.XXXXXXXXXX) + if [[ $user != $USER ]]; then + tmpf=$(sudo -u $user mktemp --tmpdir $unit.XXXXXXXXXX) + sudo chmod 660 $tmpf + sudo chown iank $tmpf + else + tmpf=$(mktemp --tmpdir $unit.XXXXXXXXXX) + fi { export -p printf "%s " "${@@Q}" @@ -4189,6 +4300,9 @@ mailnncheck() { vpncmd() { sdncmd openvpn-client-tr@client.service "$@" } +vpncmdroot() { + sdncmdroot openvpn-client-tr@client.service "$@" +} vpni() { sdncmd openvpn-client-tr@client.service bash } @@ -5040,9 +5154,9 @@ ffdefault() { snap-last() { ls -lad /mnt/o/btrbk/o.* | tail -n2 for sub in a q; do - ls -lad /mnt/root/btrbk/$sub.* | tail -n2 + ls -lad /mnt/root/btrbk/$sub.* | tail -n2 done - } +} export BASEFILE_DIR=/a/bin/fai-basefiles 
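Review bot: sdncmd parses the user only as an attached flag (`[[ $1 == -u* ]]` then `user=${1#-u}`), so the natural `sdncmd -u root UNIT CMD` leaves `user` empty, consumes the bare `-u`, takes `root` as the unit name, and the unquoted `sudo -u $user -i` collapses to `sudo -i`; sdmn and mnsd in this same commit take `-u USER` as two arguments, so the three entry points are inconsistent. Accept both forms or at least reject an empty value, e.g. `if [[ $1 == -u ]]; then user=$2; shift 2; elif [[ $1 == -u?* ]]; then user=${1#-u}; shift; fi` followed by `[[ $user ]] || { echo "$0: error: empty user" >&2; return 1; }`. `user` is also missing from the `local` list although `alt_user` is in it, so it persists as a global after the call; env-tmpf reads `$user` from the caller's scope, so keep the name but declare it with `local unit pid tmpf user alt_user=false`.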
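Review bot: env-tmpf now branches on `[[ $user != $USER ]]`, but `user` is only set by the callers this commit touches; any other caller that reaches env-tmpf with `user` unset takes the alternate branch with an empty name, and the unquoted `sudo -u $user mktemp` then treats `mktemp` itself as the user name. Guard it, e.g. `if [[ $user && $user != "$USER" ]]; then`. `sudo chown iank $tmpf` hardcodes the login where every other new line in this diff uses `$USER`; `sudo chown "$USER" "$tmpf"` keeps the helper portable. Note that the file written here holds an `export -p` dump of the caller's environment and is made mode 660 with the target user's group, so members of that group can read and, as the existing comment already warns, modify it before `bash -c ". $tmpf"` runs; and since /tmp is normally sticky, once ownership moves to the caller a non-root target user may no longer be able to unlink the file when the script tries to delete itself, leaving the dump behind — worth confirming on this host.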
diff --git a/distro-end b/distro-end
index f98a459..2ba7205 100755
--- a/distro-end
+++ b/distro-end
@@ -973,7 +973,7 @@ Package: ubuntu-system-adjustments
 Description: ubuntu-system-adjustments-dummy
 EOF
 equivs-build ubuntu-system-adjustments
- sudo dpkg -i ../ubuntu-system-adjustments_2030_all.deb
+ sudo dpkg -i /tmp/user/1000/ubuntu-system-adjustments_2030_all.deb
 cd
 rm -r "$tmpdir"
 fi
@@ -1049,15 +1049,19 @@ pi-nostart schroot
 # other than systemd showing in degraded state. So, we dont bother
 # fixing the current state, let it fix on the next reboot.
 # https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
-if pcheck binfmt-support; then
- tmp=$(systemctl cat binfmt-support.service | grep ^After=)
- if [[ $tmp != *systemd-binfmt.service* ]]; then
- s u /etc/systemd/system/binfmt-support.service.d/override.conf <
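Review bot: the replaced dpkg line hardcodes `/tmp/user/1000/ubuntu-system-adjustments_2030_all.deb`, tying distro-end to uid 1000 and to a per-user /tmp layout, where the old `../` form at least followed the working directory. `$tmpdir` is visible two lines later and is what gets cleaned up, so if equivs-build is run inside it the path should be derived from it, `sudo dpkg -i "$tmpdir"/ubuntu-system-adjustments_2030_all.deb`, or otherwise from `${TMPDIR:-/tmp}`; I cannot see where `tmpdir` is created or which directory equivs-build writes into, so confirm which applies. The enclosing block starts outside this hunk.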