From 7e99863c301b535b6225a490c7acae58883c368c Mon Sep 17 00:00:00 2001
From: Boris Kolpackov
Date: Wed, 29 Mar 2017 09:59:01 +0200
Subject: Setup /build/tftp size-limited tmpfs, make accessible via TFTP
---
 init | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'init')
diff --git a/init b/init
index 8714955..e189bbc 100755
--- a/init
+++ b/init
@@ -357,6 +357,13 @@ if [ -z "$machines" ]; then
 error
 fi
 
+# Create /build/tftp. We make it a size-limited tmpfs since potentially-
+# compromized VMs will be able to upload to.
+#
+mkdir -p /build/tftp
+o="nodev,noexec,nosuid,size=200M,mode=0755,uid=$(id -u build),gid=$(id -g build)"
+echo "tmpfs /build/tftp tmpfs $o 0 0" >>$fstab
+
 # Configure Postfix.
 #
 cat <<<"$hname" >/etc/mailname
@@ -410,6 +417,16 @@ if [ -n "$ssh_key" ]; then
 chmod 600 /root/.ssh/authorized_keys
 fi
 
+# Configure the TFTP server (tftpd-hpa).
+#
+# We could have ran it as user 'build' but since it is read-only, the default
+# user 'tftp' works just as well. Note that by default it is running chroot'ed
+# (--secure) so no symlinks pointing outside /build/tftp will work.
+#
+sed -r -i \
+ -e "s%^(TFTP_DIRECTORY).*%\1=\"/build/tftp\"%" \
+ /etc/default/tftpd-hpa
+
 # Hand off to systemd. But first arrange to keep console output (which
 # becomes tty1).
 #
-- 
cgit v1.1
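Review bot: `size=200M` on the `o=` line caps the bytes stored in /build/tftp but not the number of files, so for a directory that potentially-compromised VMs can write to I would also set tmpfs's `nr_inodes=` to a count that fits the expected uploads. As far as I know the default inode limit scales with physical RAM and inode memory is not charged against `size`. Separately, if `id -u build` or `id -g build` fails, the fstab entry is written with an empty `uid=`/`gid=`; whether the script stops at that point depends on shell options set outside this hunk, so an explicit check before the `echo` would be safer. The redirect target should also be quoted, `>>"$fstab"`.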
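Review bot: The comment relies on the packaged tftpd-hpa defaults (`--secure`, user `tftp`), but the sed rewrites only `TFTP_DIRECTORY`, so a different or locally edited /etc/default/tftpd-hpa would silently lose the chroot the comment depends on. I would pin it in the same call, e.g. `-e "s%^(TFTP_OPTIONS).*%\1=\"--secure\"%"`, and set `TFTP_ADDRESS` explicitly to the interface the VMs use. TFTP is unauthenticated, so anything a VM places in /build/tftp is readable by every host that can reach the port. The sed also exits successfully when no `TFTP_DIRECTORY` line exists, leaving the server on its old directory; a following `grep -q '^TFTP_DIRECTORY="/build/tftp"' /etc/default/tftpd-hpa` check would catch that.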