daniel
2008-06-08 61d290c124aa65c9ad2edd183617b92660f92289
Modified install / update to copy over jailkit configs
Included jailkit config templates
Added bash.bashrc and motd templates to copy over for the chroot system
Updated ispconfig vhost to include php fastcgi configs if fastcgi is enabled. What if the module is loaded too ?
TODO: jailkit chroot is still not loading the modified motd in /etc/motd and /var/run/motd ??


7 files modified
5 files added
333 ■■■■■ changed files
install/dist/conf/debian40.conf.php 5 ●●●●● patch | view | raw | blame | history
install/dist/conf/gentoo.conf.php 5 ●●●●● patch | view | raw | blame | history
install/install.php 4 ●●●● patch | view | raw | blame | history
install/lib/installer_base.lib.php 19 ●●●●● patch | view | raw | blame | history
install/tpl/jk_chrootsh.ini.master 13 ●●●●● patch | view | raw | blame | history
install/tpl/jk_init.ini.master 151 ●●●●● patch | view | raw | blame | history
install/update.php 6 ●●●● patch | view | raw | blame | history
interface/bin/php-fcgi 10 ●●●●● patch | view | raw | blame | history
server/conf/bash.bashrc.master 63 ●●●●● patch | view | raw | blame | history
server/conf/motd.master 4 ●●●● patch | view | raw | blame | history
server/plugins-available/apache2_plugin.inc.php 8 ●●●●● patch | view | raw | blame | history
server/plugins-available/shelluser_jailkit_plugin.inc.php 45 ●●●● patch | view | raw | blame | history
install/dist/conf/debian40.conf.php
@@ -76,4 +76,9 @@
$conf['mydns']['config_dir'] = '/etc';
$conf['mydns']['init_script'] = 'mydns';
//* Jailkit
$conf['jailkit']['config_dir'] = '/etc/jailkit';
$conf['jailkit']['jk_init'] = 'jk_init.ini';
$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
?>
install/dist/conf/gentoo.conf.php
@@ -62,4 +62,9 @@
$dist['mydns']['config_dir'] = '/etc';
$dist['mydns']['init_script'] = 'mydns';
//* Jailkit
$conf['jailkit']['config_dir'] = '/etc/jailkit';
$conf['jailkit']['jk_init'] = 'jk_init.ini';
$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
?>
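Review bot: The new jailkit keys in this file are written to `$conf[...]` while the mydns keys directly above them use `$dist[...]`, so one of the two arrays is very likely not the one the gentoo installer actually reads. installer_base.lib.php in this commit reads `$this->conf['jailkit']`, which matches the new lines, but if `$dist` is what the gentoo path consumes then configure_jailkit() will see no configuration at all and silently do nothing; confirm which array is live for this distribution rather than assuming. Whichever it is, a one-line comment such as `//* Jailkit (keys must match what installer_base::configure_jailkit() reads)` would stop the next copy-paste from drifting between the two conventions.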
install/install.php
@@ -134,6 +134,10 @@
    //* Configure postfix
    $inst->configure_postfix();
    //* Configure postfix
    swriteln('Configuring Jailkit');
    $inst->configure_jailkit();
    //* Configure saslauthd
    swriteln('Configuring SASL');
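Review bot: The comment introduced above the jailkit call still reads `//* Configure postfix`, copied from the block above it; it should be `//* Configure jailkit`. Beyond the comment, configure_jailkit() is called unconditionally here and the only thing deciding whether a host without jailkit is handled is the is_dir() test inside that function, so when it decides to skip, nothing in the install output says so; a `swriteln` or log line for the skip case would make a silent no-op visible to the operator.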
install/lib/installer_base.lib.php
@@ -183,7 +183,24 @@
        wf($full_file_name, $content);
    }
    public function configure_jailkit()
    {
        $cf = $this->conf['jailkit'];
        $config_dir = $cf['config_dir'];
        $jk_init = $cf['jk_init'];
        $jk_chrootsh = $cf['jk_chrootsh'];
        if (!is_dir($config_dir))
        {
            copy($config_dir.'/'.$jk_init, $config_dir.'/'.$jk_init.'~');
            copy($config_dir.'/'.$jk_chrootsh.".master", $config_dir.'/'.$jk_chrootsh.'~');
            copy('tpl/'.$jk_init.".master", $config_dir.'/'.$jk_init);
            copy('tpl/'.$jk_chrootsh.".master", $config_dir.'/'.$jk_chrootsh);
        }
    }
    public function configure_postfix($options = '')
    {
        $cf = $this->conf['postfix'];
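Review bot: The condition in configure_jailkit() is inverted: `if (!is_dir($config_dir))` runs the copies only when /etc/jailkit does not exist, which is exactly when copy() into it must fail, and does nothing on a host where jailkit is actually installed. The backup on the second copy also reads the wrong source, `$config_dir.'/'.$jk_chrootsh.".master"`, a file that does not exist there, so the operator's jk_chrootsh.ini is never saved before being replaced. I would write `if (is_dir($config_dir))` and `copy($config_dir.'/'.$jk_chrootsh, $config_dir.'/'.$jk_chrootsh.'~');`, and check each copy() return value with a log line: jk_init.ini decides what gets copied into every jail on the host, so a half-applied replacement is a security-relevant failure that should not pass silently.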
install/tpl/jk_chrootsh.ini.master
New file
@@ -0,0 +1,13 @@
## example for a user
#[test]
#env= DISPLAY, XAUTHORITY
#
##example for a group, there should be only 1 space inbetween the words!
#[group users]
#env = DISPLAY, XAUTHORITY
#
[DEFAULT]
#relax_home_group=1
skip_injail_passwd_check=1
injail_shell=/bin/bash
env = TERM, PATH
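Review bot: `skip_injail_passwd_check=1` and `injail_shell=/bin/bash` in [DEFAULT] deserve a comment explaining why they are set, because by their names they disable jk_chrootsh's check that the logging-in user exists in the jail's own /etc/passwd and force bash on every jailed user regardless of the shell their in-jail entry names. Both settings are global to all jails on the host, not per-jail, so a later jail meant to offer only jk_lsh or sftp would still inherit a full bash. If the shell-user plugin manages the jail's passwd file itself and that is what makes the check redundant, say so here: `# skip_injail_passwd_check: ISPConfig maintains the jail passwd; injail_shell: all web shell users get bash` — and confirm that assumption against the plugin before relying on it.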
install/tpl/jk_init.ini.master
New file
@@ -0,0 +1,151 @@
[uidbasics]
# this section probably needs adjustment on 64bit systems
# or non-Linux systems
comment = common files for all jails that need user/group information
libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2
regularfiles = /etc/nsswitch.conf /etc/ld.so.conf
[netbasics]
comment = common files for all jails that need any internet connectivity
libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2
regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
[logbasics]
comment = timezone information
regularfiles = /etc/localtime
need_logsocket = 1
[jk_lsh]
comment = Jailkit limited shell
executables = /usr/sbin/jk_lsh
regularfiles = /etc/jailkit/jk_lsh.ini
users = root
groups = root
need_logsocket = 1
includesections = uidbasics
[limitedshell]
comment = alias for jk_lsh
includesections = jk_lsh
[cvs]
comment = Concurrent Versions System
executables = /usr/bin/cvs
devices = /dev/null
[git]
comment = Fast Version Control System
executables = /usr/bin/git*
directories = /usr/share/git-core
includesections = editors
[scp]
comment = ssh secure copy
executables = /usr/bin/scp
includesections = netbasics, uidbasics
devices = /dev/urandom
[sftp]
comment = ssh secure ftp
executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
[ssh]
comment = ssh secure shell
executables = /usr/bin/ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty
[rsync]
executables = /usr/bin/rsync
includesections = netbasics, uidbasics
[procmail]
comment = procmail mail delivery
executables = /usr/bin/procmail, /bin/sh
devices = /dev/null
[basicshell]
comment = bash based shell with several basic utilities
executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat
regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile
directories = /usr/lib/locale/en_US.utf8
users = root
groups = root
includesections = uidbasics
[midnightcommander]
comment = Midnight Commander
executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview
directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc
includesections = basicshell
[extendedshell]
comment = bash shell including things like awk, bzip, tail, less
executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usb/bin/whoami
includesections = basicshell, midnightcommander, editors
[editors]
comment = vim, joe and nano
executables = /usb/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico
regularfiles = /etc/vimrc
directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo
[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
includesections = netbasics, ssh, sftp, scp
[apacheutils]
comment = htpasswd utility
executables = /usr/bin/htpasswd
[extshellplusnet]
comment = alias for extendedshell + netutils + apacheutils
includesections = extendedshell, netutils, apacheutils
[openvpn]
comment = jail for the openvpn daemon
executables = /usr/sbin/openvpn
users = root,nobody
groups = root,nogroup
includesections = netbasics
devices = /dev/urandom, /dev/random, /dev/net/tun
includesections = netbasics, uidbasics
need_logsocket = 1
[apache]
comment = the apache webserver, very basic setup, probably too limited for you
executables = /usr/sbin/apache
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics
[perl]
comment = the perl interpreter and libraries
executables = /usr/bin/perl
directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
[xauth]
comment = getting X authentication to work
executables = /usr/bin/X11/xauth
regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
[xclients]
comment = minimal files for X clients
regularfiles = /usr/X11R6/lib/X11/rgb.txt
includesections = xauth
[vncserver]
comment = the VNC server program
executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc
directories = /usr/X11R6/lib/X11/fonts/
includesections = xclients
#[xterm]
#comment = xterm
#executables = /usr/bin/X11/xterm
#directories = /usr/share/terminfo, /etc/terminfo
#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
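Review bot: Two paths in the template are typos, `/usb/bin/whoami` in [extendedshell] and `/usb/bin/joe` in [editors]; jk_init will not find them and those binaries simply never reach the jail (`/usr/bin/whoami`, `/usr/bin/joe`). [openvpn] also carries `includesections` twice (`netbasics`, then `netbasics, uidbasics`); how jk_init treats a repeated key is not visible here, so merge them into one line rather than rely on last-wins. [uidbasics] separates its `regularfiles` with a space where every other section uses commas — `regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf` — otherwise the two names may be read as a single path. Since this file defines exactly what enters every jail on the host, each silently dropped entry is hard to notice later; a short header comment stating that the file replaces the distribution's jk_init.ini on install and update would also help the operator.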
install/update.php
@@ -134,7 +134,11 @@
if($reconfigure_services_answer == 'yes') {
    //** Configure postfix
    $inst->configure_postfix('dont-create-certs');
    //* Configure postfix
    swriteln('Configuring Jailkit');
    $inst->configure_jailkit();
    //** Configure saslauthd
    swriteln('Configuring SASL');
    $inst->configure_saslauthd();
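Review bot: The comment above the new jailkit call reads `//* Configure postfix`, a leftover from the block above; it should say `//** Configure jailkit`, matching the neighbouring marker style in this file. More importantly, this is the reconfigure path of an update, and configure_jailkit() as introduced in this commit is evidently meant to replace /etc/jailkit/jk_init.ini and jk_chrootsh.ini with the shipped templates, keeping only a single `~` copy that the next update overwrites again — any hardening the operator applied to the jail definitions is lost without a prompt. Either ask before overwriting, as the `$reconfigure_services_answer` gate already does at a coarser level, or keep dated backups instead of a single `~` file.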
interface/bin/php-fcgi
New file
@@ -0,0 +1,10 @@
#!/bin/sh
PHPRC="/etc/php5/cgi/"
export PHPRC
PHP_DOCUMENT_ROOT="/usr/local/ispconfig/interface/web/"
export PHP_DOCUMENT_ROOT
PHP_FCGI_CHILDREN=8
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_MAX_REQUESTS
exec /usr/bin/php-cgi $1
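Review bot: `exec /usr/bin/php-cgi $1` leaves the argument unquoted, so a value containing whitespace or glob characters is split or expanded before php-cgi sees it; write `exec /usr/bin/php-cgi "$1"` (or `"$@"` if more than one argument is ever meant to pass through). PHPRC, the document root and the child/request counts are hard-coded here while the per-site starter scripts in apache2_plugin take the same values from the fastcgi server config; a comment stating that this wrapper is only for the ISPConfig interface itself, not for customer sites, would prevent someone reusing it with user-controlled arguments.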
server/conf/bash.bashrc.master
New file
@@ -0,0 +1,63 @@
<tmpl_if name='jailkit_chroot'>
## Hack for Jailkit User to change back to the logged in user ##
if [ "$LOGNAME" != $USER ]; then
 export HOME=<tmpl_var name='home_dir'>$LOGNAME
 export USER=$LOGNAME
 export USERNAME=$LOGNAME
 cd $HOME
fi
## Change machine hostname to site domain ##
export HOSTNAME=<tmpl_var name='domain'>
</tmpl_if>
# If not running interactively, don't do anything
[ -z "$PS1" ] && return
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color)
    PS1='\[\033[01;32m\]$USER@$HOSTNAME\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
    ;;
*)
    PS1='\$USER@$HOSTNAME:\w\$ '
    ;;
esac
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"'
    ;;
*)
    ;;
esac
# enable color support of ls and also add handy aliases
if [ "$TERM" != "dumb" ]; then
    eval "`dircolors -b`"
    alias ls='ls --color=auto'
    #alias dir='ls --color=auto --format=vertical'
    #alias vdir='ls --color=auto --format=long'
fi
# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
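Review bot: In the jailkit block at the top, `if [ "$LOGNAME" != $USER ]` leaves `$USER` unquoted, so an empty USER turns the test into a syntax error and the whole HOME/USER fix-up is skipped; likewise `cd $HOME` should be `cd "$HOME"`. In the non-colour prompt, `PS1='\$USER@$HOSTNAME:\w\$ '` escapes the first dollar, so users with a plain TERM get a literal `$USER@` in their prompt instead of their name — it should be `PS1='$USER@$HOSTNAME:\w\$ '` (or `\u`). The fix-up also derives HOME from whatever LOGNAME the jail receives; since jk_chrootsh.ini in this commit lists only TERM and PATH in `env`, it is worth confirming that LOGNAME is actually present inside the jail, otherwise HOME becomes the bare home_dir prefix.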
server/conf/motd.master
New file
@@ -0,0 +1,4 @@
Welcome To Site <tmpl_var name='domain'>
server/plugins-available/apache2_plugin.inc.php
@@ -385,10 +385,12 @@
            $fastcgi_config = $app->getconf->get_server_config($conf["server_id"], 'fastcgi');
            
            $fastcgi_starter_path = str_replace("[system_user]",$data["new"]["system_user"],$fastcgi_config["fastcgi_starter_path"]);
            $fastcgi_starter_path = str_replace("[client_id]",$client_id,$fastcgi_starter_path);
            if (!is_dir($fastcgi_starter_path))
            {
                exec("mkdir -p $fastcgi_starter_path");
                exec("chown ".$data["new"]["system_user"].":".$data["new"]["system_group"]." $fastcgi_starter_path");
                exec("mkdir -p ".escapeshellcmd($fastcgi_starter_path));
                exec("chown ".$data["new"]["system_user"].":".$data["new"]["system_group"]." ".escapeshellcmd($fastcgi_starter_path));
                
                
                $app->log("Creating fastcgi starter script directory: $fastcgi_starter_path",LOGLEVEL_DEBUG);
@@ -403,7 +405,7 @@
            $fcgi_tpl->setVar('php_fcgi_max_requests',$fastcgi_config["fastcgi_max_requests"]);
            $fcgi_tpl->setVar('php_fcgi_bin',$fastcgi_config["fastcgi_bin"]);
                
            $fcgi_starter_script = escapeshellcmd($fastcgi_starter_path."/".$fastcgi_config["fastcgi_starter_script"]);
            $fcgi_starter_script = escapeshellcmd($fastcgi_starter_path.$fastcgi_config["fastcgi_starter_script"]);
            file_put_contents($fcgi_starter_script,$fcgi_tpl->grab());
            unset($fcgi_tpl);
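Review bot: The mkdir/chown lines now wrap `$fastcgi_starter_path` in escapeshellcmd(), but that function escapes metacharacters without quoting, so a path containing a space still splits into two arguments (`mkdir -p` creates two directories and chown changes a different one); per-argument escaping is escapeshellarg(). The same two lines still interpolate `$data["new"]["system_user"]` and `$data["new"]["system_group"]` into the chown command unescaped, so the escaping is incomplete for the values that come from the database record rather than from server config: `exec("mkdir -p ".escapeshellarg($fastcgi_starter_path));` and `exec("chown ".escapeshellarg($data["new"]["system_user"].":".$data["new"]["system_group"])." ".escapeshellarg($fastcgi_starter_path));`. The enclosing function starts and ends outside this hunk.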
            
server/plugins-available/shelluser_jailkit_plugin.inc.php
@@ -100,6 +100,9 @@
    }
    
    //* This function is called, when a shell user is deleted in the database
    /**
     * TODO: Remove chroot user home and from the chroot passwd file
     */
    function delete($event_name,$data) {
        global $app, $conf;
        
@@ -110,7 +113,8 @@
            
            $jailkit_chroot_userhome = $this->_get_home_dir($data['old']['username']);
            
            exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);
            //commented out proved to be dangerous on config errors
            //exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);
            
            
            $app->log("Jalikit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG);
@@ -135,6 +139,36 @@
                
                $this->_add_jailkit_programs();
                
                //add bash.bashrc script
                //we need to collect the domain name to be used as the HOSTNAME in the bashrc script
                $web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".intval($this->data['new']["parent_domain_id"]));
                $this->app->load('tpl');
                $tpl = new tpl();
                $tpl->newTemplate("bash.bashrc.master");
                $tpl->setVar('jailkit_chroot',true);
                $tpl->setVar('domain',$web['domain']);
                $tpl->setVar('home_dir',$this->_get_home_dir(""));
                $bashrc = escapeshellcmd($this->data['new']['dir']).'/etc/bash.bashrc';
                exec('rm '.$bashrc);
                file_put_contents($bashrc,$tpl->grab());
                unset($tpl);
                $this->app->log("Added bashrc scrpt : ".$bashrc,LOGLEVEL_DEBUG);
                $tpl = new tpl();
                $tpl->newTemplate("motd.master");
                $tpl->setVar('domain',$web['domain']);
                $motd = escapeshellcmd($this->data['new']['dir']).'/var/run/motd';
                exec('rm '.$motd);
                file_put_contents($motd,$tpl->grab());
                
            }
    }
@@ -174,15 +208,16 @@
                
                $this->app->log("Added jailkit user to chroot with command: ".$command,LOGLEVEL_DEBUG);
                
                exec("mkdir -p ".$this->data['new']['dir'].$jailkit_chroot_userhome);
                exec("chown ".$this->data['new']['username'].":".$this->data['new']['pgroup']." ".$this->data['new']['dir'].$jailkit_chroot_userhome);
                exec("mkdir -p ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome));
                exec("chown ".$this->data['new']['username'].":".$this->data['new']['pgroup']." ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome));
                
                $this->app->log("Added created jailkit user home in : ".$this->data['new']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG);
                
                exec("mkdir -p ".$this->data['new']['dir'].$jailkit_chroot_puserhome);
                exec("chown ".$this->data['new']['puser'].":".$this->data['new']['pgroup']." ".$this->data['new']['dir'].$jailkit_chroot_puserhome);
                exec("mkdir -p ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome));
                exec("chown ".$this->data['new']['puser'].":".$this->data['new']['pgroup']." ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome));
                
                $this->app->log("Added created jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome,LOGLEVEL_DEBUG);
            }    
    }
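Review bot: The new bashrc/motd block builds `$bashrc` and `$motd` from `$this->data['new']['dir']` and then runs `rm` on them and overwrites them as root, with no check that `dir` is a real jail root; with an empty or misconfigured value the targets become the host's own /etc/bash.bashrc and /var/run/motd — the same class of config-error hazard that made the earlier `rm -rf` in delete() get commented out in this very commit. escapeshellcmd() is also applied to a path that is then handed to file_put_contents(), which is not a shell, so any escaped character puts a literal backslash into the filename; the shell call is unnecessary altogether since unlink() does the job. The enclosing function starts outside the hunk; a guard at the top of the block and PHP-native file handling would look like the following.
```php
                // … unchanged: _add_jailkit_programs() call …
                // Refuse to write unless 'dir' is a real, non-root jail directory:
                // with an empty or bogus value the paths below resolve to the host's /etc.
                $jail_root = rtrim($this->data['new']['dir'], '/');
                if ($jail_root == '' || !is_dir($jail_root.'/etc')) {
                    $this->app->log("Jailkit Plugin -> refusing to write into invalid jail root: ".$jail_root, LOGLEVEL_DEBUG);
                    return;
                }
                // … unchanged: domain lookup and bash.bashrc template rendering …
                $bashrc = $jail_root.'/etc/bash.bashrc';
                if (file_exists($bashrc)) unlink($bashrc);
                file_put_contents($bashrc, $tpl->grab());
                // … unchanged: motd template rendering …
                $motd = $jail_root.'/var/run/motd';
                if (file_exists($motd)) unlink($motd);
                file_put_contents($motd, $tpl->grab());
```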