dropbox (3245B)
1 #!/bin/bash 2 3 # dropbox wrapper script 4 # check that Dropbox is correctly sandboxed, mount the endpoint if required, and 5 # pass commands to the Dropbox client 6 # see http://a3nm.net/blog/dropbox_sandbox.html 7 # this script is not part of Dropbox and not endorsed by Dropbox, inc. 8 9 # sandbox user is "dropbox" 10 VOLUME="/home" # where quotas are setup 11 ID=`whoami` 12 PRIVATE="/home/$ID/.ssh/id_rsa" # an existing file that you want to protect 13 QUOTA="4096000" # dropbox's quota, in bytes 14 ENDPOINT="$HOME/mnt/dropbox" # where to mount dropbox (do not use '~') 15 DCMD="sudo su dropbox -s /bin/bash -c" 16 PRIVPORT="23" # a port that dropbox shouldn't be able to access 17 18 if groups dropbox | tr -d ':' | tr ' ' '\n' | grep -v '^$' | 19 grep -v dropbox > /dev/null 20 then 21 echo "dropbox should be in group dropbox, actual groups are:" 22 groups dropbox 23 echo aborted 24 exit 1 25 fi 26 27 if [ ! -f "$PRIVATE" ] 28 then 29 echo "\$PRIVATE is not correctly set: cannot reach $PRIVATE" 30 echo aborted 31 exit 2 32 fi 33 34 if $DCMD "ls $PRIVATE >/dev/null 2>/dev/null" 35 then 36 echo "dropbox shouldn't be able to access $PRIVATE" 37 echo aborted 38 exit 2 39 fi 40 41 BADL=$(xhost 2>/dev/null | sed 1d | grep -v "SI:localuser:$ID" | 42 grep -vE "SI:localuser:(browser|browser2|bitcoin)" | wc -l) 43 if [ $BADL -gt 0 ] 44 then 45 echo "bad xhost permissions:" 46 xhost 47 echo aborted 48 exit 3 49 fi 50 51 if $DCMD xinput 2>/dev/null >/dev/null 52 then 53 echo "dropbox shouldn't be able to connect to the X server but can:" 54 $DCMD xinput 55 echo aborted 56 exit 4 57 fi 58 59 if ! (quotaon -p "$VOLUME" | grep '^user' | grep 'is on' >/dev/null) 60 then 61 echo "quotas are not enabled for $VOLUME:" 62 quotaon -p "$VOLUME" 63 echo aborted 64 exit 5 65 fi 66 67 RQUOTA=$($DCMD "quota --show-mntpoint" | 68 grep -A1 "$VOLUME" | sed 1d | awk '{print $3}' | tr -dc '0-9\n') 69 70 # http://stackoverflow.com/a/806923 71 re='^[0-9]+$' 72 if ! [[ $RQUOTA =~ $re ]] 73 then 74 echo "could not understand quota for dropbox" 75 $DCMD "quota --show-mntpoint" 76 echo aborted 77 exit 6 78 fi 79 80 if [ ! "$RQUOTA" -gt 0 ] 81 then 82 echo "no quota for dropbox seems set" 83 $DCMD "quota --show-mntpoint" 84 echo aborted 85 exit 6 86 fi 87 88 if [ ! "$RQUOTA" -le "$QUOTA" ] 89 then 90 echo "quota limit for dropbox is $RQUOTA which is >$QUOTA" 91 $DCMD "quota --show-mntpoint" 92 echo aborted 93 exit 6 94 fi 95 96 if ! ($DCMD "cat /proc/\$\$/cgroup" | 97 grep 'memory:/dropbox' >/dev/null) 98 then 99 echo "dropbox processes are not in the dropbox cgroup for memory:" 100 $DCMD "cat /proc/\$\$/cgroup" 101 echo aborted 102 exit 7 103 fi 104 105 if $DCMD "curl portquiz.net:80 2>/dev/null >/dev/null" 106 then 107 if $DCMD "curl portquiz.net:$PRIVPORT 2>/dev/null >/dev/null" 108 then 109 echo "dropbox port $PRIVPORT is not filtered" 110 echo aborted 111 exit 8 112 fi 113 else 114 echo "dropbox cannot access portquiz.net:80, are you connected?" 115 echo aborted 116 exit 9 117 fi 118 119 # now everything is in order 120 121 grep -qs " $ENDPOINT fuse " /proc/mounts || ( 122 echo "$ENDPOINT was not mounted, mounting it" 123 sudo bindfs --create-for-user=$(id -u dropbox) \ 124 --create-for-group=$(id -g dropbox) \ 125 --create-with-perms='f-x' --chown-deny --chgrp-deny \ 126 --chmod-filter='of-x,gf-x,uf-x' -p 'f-x' \ 127 -u $(id -u) -g $(id -g) \ 128 ~dropbox/Dropbox "$ENDPOINT" 129 ) 130 131 # pass command though 132 ARGS=$(printf " %q" "$@") 133 $DCMD "DISPLAY='' ~/dropbox.py $ARGS" 134 135