github.com/freiheit-com/kuberpult@v1.24.2-0.20240328135542-315d5630abe6/infrastructure/docker/git-ssh/start.sh

github.com/freiheit-com/kuberpult@v1.24.2-0.20240328135542-315d5630abe6/infrastructure/docker/git-ssh/start.sh (about)

     1  #!/bin/sh
     2  
     3  PROG=/usr/sbin/sshd
     4  PSHELL=/usr/bin/git-shell
     5  PUSR=git
     6  PHOME=/${PUSR}
     7  PCONFIG=${PHOME}/sshd_config
     8  PKEYSHOST=${PHOME}/keys-host
     9  PKEYS=${PHOME}/keys
    10  PREPOS=${PHOME}/repos
    11  
    12  # Minimum UID/GID allowed
    13  ID_MIN_ALLOWED=1000
    14  
    15  # Print UID and GID for confirmation
    16  echo "PUID:${PUID}"
    17  echo "PGID:${PGID}"
    18  
    19  # Sanity check on UID/GID
    20  if [ "${PUID}" -lt "${ID_MIN_ALLOWED}" ]; then
    21      echo "PUID cannot be \< ${ID_MIN_ALLOWED}"
    22      exit 1 # Fail
    23  fi
    24  
    25  if [ "${PGID}" -lt "${ID_MIN_ALLOWED}" ]; then
    26      echo "PGID cannot be \< ${ID_MIN_ALLOWED}"
    27      exit 1 # Fail
    28  fi
    29  
    30  # If `git` user/group already exist, delete them so recreating them (see next
    31  # step) does not result in failures.
    32  # This is relevant, e.g., when the Docker container is restarted.
    33  if [ -n "$(getent passwd ${PUSR})" ]; then
    34      deluser ${PUSR}
    35  fi
    36  if [ -n "$(getent group ${PUSR})" ]; then
    37      delgroup ${PUSR}
    38  fi
    39  
    40  # Create user with provided UID:GID and git-shell, which provides restricted
    41  # Git access.
    42  # It permits execution only of server-side Git commands implementing the
    43  # pull/push functionality, plus custom commands present in a subdirectory
    44  # named `git-shell-commands` in the user’s home directory.
    45  # [More info](https://git-scm.com/docs/git-shell)
    46  # Set a (dummy) password, otherwise SSH login fails.
    47  addgroup -g ${PGID} ${PUSR}
    48  adduser -D -h ${PHOME}/ -G ${PUSR} -u ${PUID} -s ${PSHELL} ${PUSR}
    49  echo "${PUSR}:dummyPassword" | chpasswd
    50  chown -R ${PUSR}:${PUSR} ${PHOME}/ > /dev/null 2>&1
    51  
    52  # If no SSH host key pairs are present, generate them
    53  if [ -z "$(ls -A ${PKEYSHOST}/)" ]; then
    54      mkdir -p ${PKEYSHOST}/etc/ssh/ && \
    55      ssh-keygen -A -f ./keys-host && \
    56      mv ${PKEYSHOST}/etc/ssh/* ${PKEYSHOST}/ && \
    57      rm -rf ${PKEYSHOST}/etc/
    58      chown -R ${PUSR}:${PUSR} ${PKEYSHOST}/
    59  fi
    60  
    61  # If SSH public keys are present, copy them into the `authorized_keys` file
    62  if [ -n "$(ls -A ${PKEYS}/)" ]; then
    63      cat ${PKEYS}/*.pub > ${PHOME}/.ssh/authorized_keys
    64  else
    65      # If no SSH public keys are present, make the `authorized_keys` file empty.
    66      # This is important for some corner cases of restarting the Docker
    67      # container with no SSH public keys present.
    68      echo '' > ${PHOME}/.ssh/authorized_keys
    69  fi
    70  
    71  # Generate an SSH key pair for Docker `HEALTHCHECK`
    72  rm -rf ${PHOME}/.ssh/id_ed25519*
    73  ssh-keygen -q -t ed25519 -N '' -f ${PHOME}/.ssh/id_ed25519
    74  cat ${PHOME}/.ssh/id_ed25519.pub >> ${PHOME}/.ssh/authorized_keys
    75  
    76  # Set correct access permissions for the files created in the previous steps
    77  chown -R ${PUSR}:${PUSR} ${PHOME}/.ssh/
    78  chmod 700 ${PHOME}/.ssh/
    79  chmod -R 600 ${PHOME}/.ssh/*
    80  
    81  # Start the service
    82  # Running SSHD as (unprivileged) normal user *does not* provide better security.
    83  # In fact, running SSHD the "default way" (invoked by `root` user) might be
    84  # more secure.
    85  # [More info](https://security.stackexchange.com/questions/180471/what-are-the-disadvantages-of-running-ssh-daemon-without-root)
    86  exec ${PROG} -D -f ${PCONFIG}