feat: allow shutdown and reboot with ssh

jc-lab · Aug 15, 2021 · 01b622f · 01b622f
1 parent 76bcad6
commit 01b622f
Show file tree

Hide file tree

Showing 7 changed files with 72 additions and 6 deletions.
diff --git a/pkg/securekit-sshd/Dockerfile b/pkg/securekit-sshd/Dockerfile
@@ -21,10 +21,12 @@ RUN mkdir -p /work/patches /out
 
 COPY [ "*.patch", "/work/patches/" ]
 RUN cd /work/patches && echo $'\
-289dcc0537af3e3d623226278f58e756a33b6015d8ac8325421642f80f62c16d  disable-forwarding-by-default.patch\n\
-1c85437fd94aa4fc269e6297e4eb790baa98c39949ec0410792c09ee31ba9782  fix-utmp.patch\n\
-3638f1b7969d49934130479835167250fb18f61a198593f3c0c5254089bbbb53  fix-verify-dns-segfault.patch\n\
-4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376  sftp-interactive.patch\
+289dcc0537af3e3d623226278f58e756a33b6015d8ac8325421642f80f62c16d  openssh-disable-forwarding-by-default.patch\n\
+1c85437fd94aa4fc269e6297e4eb790baa98c39949ec0410792c09ee31ba9782  openssh-fix-utmp.patch\n\
+3638f1b7969d49934130479835167250fb18f61a198593f3c0c5254089bbbb53  openssh-fix-verify-dns-segfault.patch\n\
+4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376  openssh-sftp-interactive.patch\n\
+976329ee4da4fbccc77b447f7c9d34f1fe83d45a4c0570f855bf5001bd2cb5df  sudo-fix-cross-compile.patch\n\
+75e1a7dc553a767dd3b438d1e6bb229fcb56ceceecada3e94917635383b7c791  sudo-SIGUNUSED.patch\
 ' | sha256sum -c
 
 ARG OPENSSH_URL=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
@@ -35,7 +37,7 @@ RUN mkdir -p /work/openssh && \
     echo "${OPENSSH_HASH}  openssh.tar.gz" | sha256sum -c && \
     cd openssh && \
     tar --strip-components 1 -zxf ../openssh.tar.gz && \
-    (for name in $(find /work/patches -type f -name "*.patch"); do patch -p1 < $name; done) && \
+    (for name in $(find /work/patches -type f -name "openssh-*.patch"); do patch -p1 < $name; done) && \
     ./configure \
 		--build=`uname -m` \
 		--host=`uname -m` \
@@ -56,6 +58,32 @@ RUN mkdir -p /work/openssh && \
     make
 RUN cd /work/openssh && make install DESTDIR=/out
 
+ARG SUDO_URL=https://www.sudo.ws/dist/sudo-1.9.7p2.tar.gz
+ARG SUDO_HASH=28b5ee725dbf89a7852f42f309ca877d2810a9531b4eecfe59f3a84b6b4afca8
+RUN mkdir -p /work/sudo && \
+    cd /work && \
+    curl -L ${SUDO_URL} -o sudo.tar.gz && \
+    echo "${SUDO_HASH}  sudo.tar.gz" | sha256sum -c && \
+    cd sudo && \
+    tar --strip-components 1 -zxf ../sudo.tar.gz && \
+    (for name in $(find /work/patches -type f -name "sudo-*.patch"); do patch -p1 < $name; done) && \
+	  ./configure \
+		--prefix=/usr \
+		--libexecdir=/usr/lib \
+		--mandir=/usr/share/man \
+		--disable-nls \
+		--enable-pie \
+		--with-env-editor \
+		--with-mdoc \
+		--without-pam \
+		--without-skey \
+		--with-sendmail=/usr/sbin/sendmail \
+		--with-passprompt="[sudo] password for %p: " && \
+    rm lib/util/mksiglist.h lib/util/mksigname.h && \
+    make -C lib/util DEVEL=1 mksiglist.h mksigname.h && \
+    make
+RUN cd /work/sudo && make install DESTDIR=/out
+
 FROM scratch
 ENTRYPOINT []
 WORKDIR /
@@ -68,6 +96,7 @@ RUN adduser -u 1002 -s /bin/bash -D manager && \
     chown manager:manager -R /home/manager && \
     chmod 700 /home/manager && \
     mkdir -p /etc/ssh /var/empty && \
-    chmod +x /usr/bin/*.sh
+    chmod +x /usr/bin/*.sh && \
+    echo "manager ALL = NOPASSWD: /sbin/reboot, /sbin/poweroff" > /etc/sudoers.d/manager
 
 CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
diff --git a/...-sshd/disable-forwarding-by-default.patch → ...enssh-disable-forwarding-by-default.patch b/...-sshd/disable-forwarding-by-default.patch → ...enssh-disable-forwarding-by-default.patch
diff --git a/pkg/securekit-sshd/fix-utmp.patch → pkg/securekit-sshd/openssh-fix-utmp.patch b/pkg/securekit-sshd/fix-utmp.patch → pkg/securekit-sshd/openssh-fix-utmp.patch
diff --git a/...urekit-sshd/fix-verify-dns-segfault.patch → ...shd/openssh-fix-verify-dns-segfault.patch b/...urekit-sshd/fix-verify-dns-segfault.patch → ...shd/openssh-fix-verify-dns-segfault.patch
diff --git a/pkg/securekit-sshd/sftp-interactive.patch → ...rekit-sshd/openssh-sftp-interactive.patch b/pkg/securekit-sshd/sftp-interactive.patch → ...rekit-sshd/openssh-sftp-interactive.patch
diff --git a/pkg/securekit-sshd/sudo-SIGUNUSED.patch b/pkg/securekit-sshd/sudo-SIGUNUSED.patch
@@ -0,0 +1,19 @@
+Upstream: No
+Reason: Musl compatibility
+
+--- a/lib/util/siglist.in	2019-10-10 11:32:54.000000000 -0500
++++ b/lib/util/siglist.in	2019-10-14 16:42:46.259938722 -0500
+@@ -17,11 +17,12 @@
+     EMT     EMT trap
+     FPE     Floating point exception
+     KILL    Killed
++# before UNUSED (musl defines them as the same number)
++    SYS     Bad system call
+ # before BUS (Older Linux doesn't really have a BUS, but defines it to UNUSED)
+     UNUSED  Unused
+     BUS     Bus error
+     SEGV    Memory fault
+-    SYS     Bad system call
+     PIPE    Broken pipe
+     ALRM    Alarm clock
+     TERM    Terminated
diff --git a/pkg/securekit-sshd/sudo-fix-cross-compile.patch b/pkg/securekit-sshd/sudo-fix-cross-compile.patch
@@ -0,0 +1,18 @@
+Upstream: No
+Reason: Enable cross-compile
+
+--- ./lib/util/Makefile.in.orig
++++ ./lib/util/Makefile.in
+@@ -160,10 +160,10 @@
+ 	./mksigname > $@
+
+ mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(incdir)/sudo_compat.h $(top_builddir)/config.h
+-	$(CC) $(CPPFLAGS) $(CFLAGS) $(srcdir)/mksiglist.c -o $@
++	$${HOSTCC:-gcc} $(CPPFLAGS) $(CFLAGS) $(srcdir)/mksiglist.c -o $@
+
+ mksigname: $(srcdir)/mksigname.c $(srcdir)/mksigname.h $(incdir)/sudo_compat.h $(top_builddir)/config.h
+-	$(CC) $(CPPFLAGS) $(CFLAGS) $(srcdir)/mksigname.c -o $@
++	$${HOSTCC:-gcc} $(CPPFLAGS) $(CFLAGS) $(srcdir)/mksigname.c -o $@
+
+ $(srcdir)/mksiglist.h: $(srcdir)/siglist.in
+ 	@if [ -n "$(DEVEL)" ]; then \