About
The sourcezap utility manages a local copy of the HardenedBSD source tree in a way that is efficient, scalable, and secure. The utility provides consistent ownership and permissions for the source tree, maintains a clean separation between root-only operations and unprivileged operations, and offers a simple workflow for updating and installing the source tree.
Features
- Easy to use.
- A simple workflow: clone, pull, then install.
- Uses rsync and git for fast, efficient updates.
- Restricts access to root and _sourcezap group members.
- Separates unprivileged operations from root-only operations.
- One dedicated user (_sourcezap) for managing the source tree.
- Keeps ownership and permissions consistent in /home/_sourcezap/src/ and /usr/src/.
- Delegation: mdo(1) runs commands as _sourcezap.
- Clear permissions: mac_do(4) rules decide who can act as _sourcezap.
Commands
User
The following commands are delegated to the _sourcezap user and
authorized by mac_do(4) rules. By default you must be root or a
member of the _sourcezap group to run the following commands:
- sourcezap clone
  Clone the HardenedBSD source tree into /home/_sourcezap/src/
- sourcezap pull
  Pull updates into /home/_sourcezap/src/
- sourcezap sh
  Run /bin/sh within /home/_sourcezap/src/
- sourcezap status
  Show whether mac_do(4) rules are applied
Superuser
The following commands are restricted to root, or user id 0.
Permission to run the following commands is denied for any other user:
- sourcezap rm
  Remove the contents of /usr/src/ and /home/_sourcezap/src/
- sourcezap install
  Install /home/_sourcezap/src/ into /usr/src/
- sourcezap apply
  Apply mac_do(4) rules
  Allows root and members of the _sourcezap group to act as the _sourcezap user
- sourcezap unapply
  Remove mac_do(4) rules
Setup
mac_do(4)
The mac_do(4) policy must be loaded into the kernel before sourcezap(1) can use the mdo(1) utility successfully. This can be done in one of two ways. The recommended way is to add the following line to /boot/loader.conf:
mac_do_load="YES"
And then reboot the system. Otherwise, the policy can be loaded manually with the following command and without a reboot:
root@localhost# kldload mac_do
Environment
After installation is complete the sourcezap environment should be set up.
That includes the creation of the _sourcezap user and group, as well as
the creation of /home/_sourcezap. Adding a user to the _sourcezap group is
recommended when you want to manage the tree as a non-root user (who will
then be delegated to _sourcezap). The process is mostly automated, and the
following commands should be run as a superuser:
- sourcezap setup
  Creates the _sourcezap user and group
- sourcezap teardown
  Tears down the _sourcezap user and group
- pw groupmod _sourcezap -m <user>
  Add a user to the _sourcezap group.
rc.d
The rc.d script that manages the mac_do(4) rules should also be enabled:
sysrc sourcezap_enable="YES"
And then the service should be started:
service sourcezap start
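A preflight check for the setup steps above, as an added example that is not part of sourcezap. It assumes the policy registers under the module name mac_do and that the last mac_do_load assignment in /boot/loader.conf is the effective one; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not sourcezap's own code): verify each setup step.
GROUP="_sourcezap"
failures=0

# True if the loader.conf-style file $1 enables mac_do at boot.
# Commented-out lines are ignored; the last assignment is taken as
# the effective one (assumption).
loader_enables_mac_do() {
    [ -r "$1" ] || return 1
    last=$(sed -n 's/^[[:space:]]*mac_do_load="\([^"]*\)".*/\1/p' "$1" | tail -n 1)
    [ "$last" = "YES" ]
}

# True if word $1 is in the space-separated list $2 (e.g. `id -Gn` output).
# Whole-word match, so "_sourcezap2" does not count as "_sourcezap".
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Run one check quietly, print the outcome and count failures.
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "ok    $desc"
    else
        echo "FAIL  $desc"; failures=$((failures + 1))
    fi
}

# Returns the number of failed checks (0 means the setup is complete).
preflight() {
    failures=0
    check "mac_do policy is loaded"   kldstat -q -m mac_do
    check "mac_do is loaded at boot"  loader_enables_mac_do /boot/loader.conf
    check "$GROUP user exists"        id "$GROUP"
    check "rc.d script is enabled"    sh -c '[ "$(sysrc -n sourcezap_enable)" = "YES" ]'
    if [ "$(id -u)" -ne 0 ]; then
        check "current user is in $GROUP" in_list "$GROUP" "$(id -Gn)"
    fi
    return "$failures"
}

# Usage: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

A failing "loaded at boot" check with a passing "policy is loaded" check means the module was loaded with kldload and will not survive a reboot.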
Install
Package
sourcezap is available from the HardenedBSD src tree.
"pkg install sourcezap" should work too but expect slower updates.
Source
The first step is to clone the repository.
Afterwards sourcezap can be installed (and deinstalled) through make:
git clone https://github.com/0x1eef/sourcezap
cd sourcezap
make install
make deinstall