#!/bin/csh
# http://www.berklix.com/~jhs/bin/.sh/chroot_build
# ~/bin/.sh/chroot_build

# See Also:
#	http://www.berklix.com/~jhs/txt/ct600.html
# A script to build a /chroot, as a sand pit to then run 
# untrusted- binary- only- no- source apps in, such as acroread,
# to avoid the possibility of them perhaps reaching out &
# searching the file system for data.  
# There's other remaining security risks they could pose,
# but it's better than nothing.

echo "This is not yet a shell to run, but to mouse copy."
more $0
exit 0


echo "One off build of /chroot Starting."
# Most likely /chroot will be a symbolic link to within another non root
# file system with > 10 Gig of space.

echo BASE
mkdir -p /chroot
cd /chroot || exit 1
cd /usr/src && make obj all
setenv DESTDIR /chroot
cd /usr/src/etc && make distrib-dirs
cd /usr/src && make install

echo ETC
mkdir -p /chroot/etc
( cd /etc ; tar cf - master.passwd passwd pwd.db spwd.db \
	termcap termcap.small ) | ( cd /chroot/etc && tar xf - )
# This above is too generous, as it gives rogues in sandpit too many 
# crypted passwords to crack.

cat > /etc/resolv.conf << EOF
# chroot/etc/resolv.conf
domain          js.berklix.net
nameserver      192.168.91.10
nameserver      192.168.91.41
EOF

cat > etc/host.conf << EOF
hosts
dns
EOF

cat > etc/hosts << EOF	# needed to avoid: "cannot open display: lapr:0"
192.168.91.68 lapr.js.berklix.net     lapr
127.0.0.1 localhost
EOF

echo DEV
mkdir /chroot/dev
echo "One off build of /chroot Finished."
echo "Necessary after each reboot, done by my /etc/rc.local:"
mount | grep devfs	# See if a reboot has happened & a new mount needed.
mount -t devfs dev /chroot/dev
#	mount to avoid acroread error: /dev/null: Permission denied

echo COMPAT
( cd / && tar cf - compat) | (cd /chroot && tar xf - )
#	To avoid error from acroread: /compat/linux/bin/sh: not found
# JJLATER I should install compat from source.

echo HOME
mkdir -p /chroot/home/`whoami`-l/tmp
chown -R `whoami`-l /chroot/home/`whoami`-l

echo LOCAL
mkdir -p /chroot/usr/local
(cd /usr/local && tar cf - .)|(cd /chroot/usr/local && tar xf -) #8.3 G.

echo TEST
echo SCREEN HOST
xauth extract /tmp/`whoami`.xauth.tmp `hostname`:0.0
chmod a+r /tmp/`whoami`.xauth.tmp

echo RUN HOST
echo "Switching to a skeletal user with no personal data."
rlogin  -l `whoami`-l localhost 
OR
ssh -l `whoami`-l localhost
xauth merge /host/screen/tmp/`whoami | sed -e s/-l//`.xauth.tmp
csh
setenv DISPLAY `hostname`:0.0	 # Assuming xinit already running on sandpit
xterm		# simple test
xv 		# better test

echo CHROOT
chroot /chroot
unsetenv TMPDIR # or setenv TMPDIR /tmp
ldconfig -R /usr/local/lib"
# ldconfig only needs to be run once, to avoid this error from xterm:
#	Shared object "libXft.so.2" not found, required by "xterm"
su `whoami`-l
csh
printenv DISPLAY
source `which unsetenv.csh`
setenv DISPLAY `hostname`:0
# if /bin/sh:
#	DISPLAY=0
#	export DISPLAY

acroread