From 11349c8a7c2c5ce48863e70d4da276811c4c8b02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sol=C3=A8ne=20Rapenne?=
Date: Wed, 14 Jun 2023 13:37:48 +0200
Subject: [PATCH] use Xephyr to run programs securely
---
 bin/configure_template.sh | 10 +++++++++-
 bin/connect.sh | 18 +++++++++++++++---
 bin/copy_clipboard.sh | 29 +++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100755 bin/copy_clipboard.sh
diff --git a/bin/configure_template.sh b/bin/configure_template.sh
index cd126d5..17b4027 100755
--- a/bin/configure_template.sh
+++ b/bin/configure_template.sh
@@ -22,6 +22,14 @@ pkg_add openbox neofetch xneko dillo firefox-esr chromium claws-mail-- thunar ke
 # so copied/mounted /home is ready
 rcctl disable sshd
+cat </etc/stumpwmrc
+(setf *startup-message* nil)
+(defun st-kill-empty (a)
+ (if (= 0 (length (screen-windows (current-screen))))
+ (stumpwm:quit)))
+(stumpwm:add-hook stumpwm:*destroy-window-hook* 'st-kill-empty)
+NESTED
+
 cat </etc/rc.local
 #!/bin/sh
 HOST=\\\$(awk '/^host-name/ { print \\\$2}' /var/db/dhcpleased/vio0)
@@ -69,7 +77,7 @@ chmod +x /etc/rc.local
 halt
 EOF
-./connect.sh openbsd-template uptime
+./connect.sh openbsd-template "xterm -e /bin/sh -c 'sleep 5 && exit'"
 cat $FILE | ssh -o StrictHostKeyChecking=no root@openbsd-template.kube "cat >/$FILE"
 ssh -o StrictHostKeyChecking=no root@openbsd-template.kube "sh /$FILE"
diff --git a/bin/connect.sh b/bin/connect.sh
index 5bc0b32..65674ee 100755
--- a/bin/connect.sh
+++ b/bin/connect.sh
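Review bot: In bin/configure_template.sh, the generated /etc/stumpwmrc carries no comment saying why stumpwm quits when its last window closes, and `st-kill-empty` takes an argument `a` that it never reads (the hook passes it, which is worth noting too). Going by the bin/connect.sh hunk in this patch, the quit looks like what lets `wait $WAIT_FOR` return and the Xephyr session end, so I would record that in the file, e.g. `;; quit once the last window is destroyed so the nested X session ends; connect.sh waits on this process`. The hook only runs on a window-destroy event, so a program that never opens a window would presumably leave the session running; that limit deserves a line as well. The added lines appear to sit inside an outer here-document that begins outside this hunk.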
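Review bot: In bin/configure_template.sh, the new argument `"xterm -e /bin/sh -c 'sleep 5 && exit'"` is unexplained, and nothing tells a reader why a five-second terminal replaces `uptime`. Judging from the bin/connect.sh hunk, the program now runs inside Xephyr and the script waits for stumpwm, which presumably exits only after a window has been destroyed, so a short-lived window is needed. A comment above the call would record that, e.g. `# needs a window that closes, otherwise connect.sh keeps waiting for stumpwm`. After this change the call also does nothing beyond the wait loop when `$DISPLAY` is unset, since the `else` branch of connect.sh is removed; the comment should say that template setup expects an X session.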
@@ -38,13 +38,25 @@ then
 done
 fi
+ID=$(vmctl show "${HOST%.kube}" | awk 'END { print $2 }')
+
+# uncomment to set a dedicated X server per program
+ID="${ID}$(( $(date +%s) % 3600))"
+
 ssh-keygen -R "$HOST" >/dev/null 2>/dev/null
 if [ -n "$DISPLAY" ]
 then
 PROG="${2:-xterm}"
+
+ VM_INFO="$$ $HOST $ID $PROG"
+ echo "$VM_INFO" >> /tmp/kubes.txt
+ Xephyr -xkb-layout fr -once -terminate 1 -title "[${HOST}] - ${PROG}" -resizeable -reset -br ":${ID}" &
+ export DISPLAY=":${ID}"
+ ssh -o StrictHostKeyChecking=no -Y "user@${HOST}" "stumpwm" &
+ WAIT_FOR=$!
 ssh -o StrictHostKeyChecking=no -Y "user@${HOST}" "${PROG}"
-else
- PROG="${2:-}"
- ssh -o StrictHostKeyChecking=no -Y "user@${HOST}" "${PROG}"
+ wait $WAIT_FOR
+ kill $(jobs -p)
+ sed -i "/^$$/d" /tmp/kubes.txt
 fi
diff --git a/bin/copy_clipboard.sh b/bin/copy_clipboard.sh
new file mode 100755
index 0000000..0062ceb
--- /dev/null
+++ b/bin/copy_clipboard.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+SOURCE=$(zenity \
+ --list --radiolist --width=600 \
+ --title="Copy clipboard between programs" \
+ --text="Choose a clipboard to copy from" \
+ --print-column=4 \
+ --column="From" --column="PID" --column="Kube name" --column="Local X server" --column="Program running" \
+ $(awk '{ print "FALSE "$0 }' /tmp/kubes.txt))
+
+if [ -z "$SOURCE" ]
+then
+ exit 0
+fi
+
+DESTINATION=$(zenity \
+ --list --radiolist --width=600 \
+ --title="Copy clipboard between programs" \
+ --text="Choose a destination clipboard" \
+ --print-column=4 \
+ --column="To" --column="PID" --column="Kube name" --column="Local X server" --column="Program running" \
+ $(awk -v orig="${SOURCE}" '$3!=orig { print "FALSE "$0 }' /tmp/kubes.txt))
+
+if [ -z "$DESTINATION" ]
+then
+ exit 0
+fi
+
+env DISPLAY=":$SOURCE" xclip -o - | env DISPLAY=":$DESTINATION" xclip
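Review bot: In bin/connect.sh, the session list is kept at the fixed path `/tmp/kubes.txt`, which any local account can create first or rewrite, and both `echo "$VM_INFO" >>` and `sed -i` operate on whatever is found there. bin/copy_clipboard.sh later turns each row of that file into zenity arguments and a `DISPLAY` value, so the file belongs in a directory only the invoking user can write, for example one created with `mkdir -m 700` under `$HOME`. The cleanup `sed -i "/^$$/d"` matches by prefix, so PID 123 also removes the row of PID 1234; anchor it on the separator, `sed -i "/^$$ /d" /tmp/kubes.txt`. The comment `# uncomment to set a dedicated X server per program` sits above a line that is already active, so either comment the line out or reword the comment. Xephyr is also started without an `-auth` file, which as far as I can tell leaves access to `:${ID}` to the server's host-based defaults; it is worth confirming that other local accounts cannot connect to that display.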
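Review bot: In bin/copy_clipboard.sh, both unquoted `$(awk … /tmp/kubes.txt)` expansions are split on every space, but connect.sh stores the whole `$PROG` string as the last field, so a program with arguments (such as the xterm call in configure_template.sh) produces more cells than the five declared columns and shifts every following row. `--print-column=4` can then return something other than the X server number. Emitting a fixed number of fields keeps the rows aligned, `$(awk '{ print "FALSE", $1, $2, $3, $4 }' /tmp/kubes.txt)`, with the same change in the destination list. Because the selected value goes straight into `DISPLAY=":$SOURCE"` and the file lives in /tmp, I would also reject non-numeric values before the final pipeline, `case "$SOURCE$DESTINATION" in *[!0-9]*) exit 1 ;; esac`.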