From 61d290c124aa65c9ad2edd183617b92660f92289 Mon Sep 17 00:00:00 2001
From: daniel <daniel@ispconfig3>
Date: Sun, 08 Jun 2008 13:14:01 -0400
Subject: [PATCH] Modified install / update to copy over jailkit configs Included jailkit config templates Added bash.bashrc and motd templates to copy over for chroot system Updated ispconfig vhost to include php fastcgi configs if fastcgi is enabled. What if the module is loaded too ? TODO: jailkit chroot is still not loading the modified motd in /etc/motd and /var/run/motd ??

---
 install/tpl/jk_init.ini.master                            |  151 +++++++++++++++++++++++++
 install/install.php                                       |    4 
 install/lib/installer_base.lib.php                        |   19 +++
 server/plugins-available/shelluser_jailkit_plugin.inc.php |   45 ++++++
 server/plugins-available/apache2_plugin.inc.php           |    8 
 install/dist/conf/debian40.conf.php                       |    5 
 interface/bin/php-fcgi                                    |   10 +
 server/conf/bash.bashrc.master                            |   63 ++++++++++
 install/dist/conf/gentoo.conf.php                         |    5 
 install/tpl/jk_chrootsh.ini.master                        |   13 ++
 install/update.php                                        |    6 
 server/conf/motd.master                                   |    4 
 12 files changed, 323 insertions(+), 10 deletions(-)

diff --git a/install/dist/conf/debian40.conf.php b/install/dist/conf/debian40.conf.php
index fc15275..2223e19 100644
--- a/install/dist/conf/debian40.conf.php
+++ b/install/dist/conf/debian40.conf.php
@@ -76,4 +76,9 @@
 $conf['mydns']['config_dir'] = '/etc';
 $conf['mydns']['init_script'] = 'mydns';
 
+//* Jailkit
+$conf['jailkit']['config_dir'] = '/etc/jailkit';
+$conf['jailkit']['jk_init'] = 'jk_init.ini';
+$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
+
 ?>
\ No newline at end of file
diff --git a/install/dist/conf/gentoo.conf.php b/install/dist/conf/gentoo.conf.php
index 6edd4ba..50930c7 100644
--- a/install/dist/conf/gentoo.conf.php
+++ b/install/dist/conf/gentoo.conf.php
@@ -62,4 +62,9 @@
 $dist['mydns']['config_dir'] = '/etc';
 $dist['mydns']['init_script'] = 'mydns';
 
+//* Jailkit
+$conf['jailkit']['config_dir'] = '/etc/jailkit';
+$conf['jailkit']['jk_init'] = 'jk_init.ini';
+$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
+
 ?>
\ No newline at end of file
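Review bot: The three new assignments write to `$conf['jailkit'][...]` while every other visible line of this file assigns `$dist[...]` (`$dist['mydns']['config_dir']`, `$dist['mydns']['init_script']`). If the Gentoo config is merged from `$dist` like its neighbours suggest, the jailkit settings would end up in a different array from the one `configure_jailkit()` reads via `$this->conf['jailkit']`; please confirm which array this file is expected to populate and, if it is `$dist`, change the three lines to `$dist['jailkit'][...]`. The Debian file in this patch uses `$conf` consistently with its surroundings, so only this file is affected.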
diff --git a/install/install.php b/install/install.php
index c64b25d..3138ee5 100644
--- a/install/install.php
+++ b/install/install.php
@@ -134,6 +134,10 @@
 
 	//* Configure postfix
 	$inst->configure_postfix();
+	
+	//* Configure postfix
+	swriteln('Configuring Jailkit');
+	$inst->configure_jailkit();
 
 	//* Configure saslauthd
 	swriteln('Configuring SASL');
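Review bot: The comment above the new call still reads `//* Configure postfix` although the block configures jailkit; `//* Configure jailkit` matches the `swriteln('Configuring Jailkit')` text that follows it. The same copy-pasted comment appears in the install/update.php hunk of this patch and should be fixed there as well.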
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 42325db..942d03f 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -183,7 +183,24 @@
         wf($full_file_name, $content);
     }
 
-
+	public function configure_jailkit()
+    {
+        $cf = $this->conf['jailkit'];
+		$config_dir = $cf['config_dir'];
+		$jk_init = $cf['jk_init'];
+		$jk_chrootsh = $cf['jk_chrootsh'];
+		
+		if (!is_dir($config_dir))
+		{
+			copy($config_dir.'/'.$jk_init, $config_dir.'/'.$jk_init.'~');
+			copy($config_dir.'/'.$jk_chrootsh.".master", $config_dir.'/'.$jk_chrootsh.'~');
+			
+			copy('tpl/'.$jk_init.".master", $config_dir.'/'.$jk_init);
+			copy('tpl/'.$jk_chrootsh.".master", $config_dir.'/'.$jk_chrootsh);
+		}
+		
+    }
+        
 	public function configure_postfix($options = '')
     {
         $cf = $this->conf['postfix'];
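Review bot: The `if (!is_dir($config_dir))` guard in configure_jailkit() is inverted: the template copies only run when the jailkit config directory does not exist, and copy() cannot create it, so on a host with the directory present nothing is installed and on one without it every copy() fails. The backup line for jk_chrootsh also reads `$config_dir.'/'.$jk_chrootsh.".master"`, a file not expected in the config dir, whereas the jk_init line backs up the live file. None of the four copy() return values is checked, so a failed overwrite of jk_init.ini — the file that decides which binaries get copied into every jail — goes unnoticed. The rewrite below flips the guard, backs up only files that exist, and returns whether all copies succeeded so the callers in install.php and update.php can report it.
```php
public function configure_jailkit()
{
    $cf = $this->conf['jailkit'];
    $config_dir = $cf['config_dir'];
    $jk_init = $cf['jk_init'];
    $jk_chrootsh = $cf['jk_chrootsh'];

    // copy() cannot create the target dir, so only act when jailkit is installed
    if (!is_dir($config_dir)) return false;

    $ok = true;
    foreach (array($jk_init, $jk_chrootsh) as $file) {
        $target = $config_dir.'/'.$file;
        // keep the live config as *~ before replacing it with the template
        if (is_file($target) && !copy($target, $target.'~')) $ok = false;
        if (!copy('tpl/'.$file.'.master', $target)) $ok = false;
    }
    return $ok;
}
```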
diff --git a/install/tpl/jk_chrootsh.ini.master b/install/tpl/jk_chrootsh.ini.master
new file mode 100644
index 0000000..cfd9e8d
--- /dev/null
+++ b/install/tpl/jk_chrootsh.ini.master
@@ -0,0 +1,13 @@
+## example for a user
+#[test]
+#env= DISPLAY, XAUTHORITY
+#
+##example for a group, there should be only 1 space inbetween the words!
+#[group users]
+#env = DISPLAY, XAUTHORITY
+#
+[DEFAULT]
+#relax_home_group=1
+skip_injail_passwd_check=1
+injail_shell=/bin/bash
+env = TERM, PATH
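Review bot: `skip_injail_passwd_check=1` in `[DEFAULT]` turns off jk_chrootsh's default check that the logging-in user also exists in the jail's own /etc/passwd, and the template gives no reason for relaxing it. Since configure_jailkit() copies this file over the system-wide jk_chrootsh.ini on every install, a one-line comment above the setting stating why ISPConfig's jails need it would let a later maintainer judge whether the relaxation is still required; the patch does not state that reason, so it should be filled in by the author rather than guessed here. The same applies to `env = TERM, PATH`, which hands the outer PATH into the jail unchanged while the bashrc template in this patch does not reset it.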
diff --git a/install/tpl/jk_init.ini.master b/install/tpl/jk_init.ini.master
new file mode 100644
index 0000000..dcfc0f3
--- /dev/null
+++ b/install/tpl/jk_init.ini.master
@@ -0,0 +1,151 @@
+[uidbasics]
+# this section probably needs adjustment on 64bit systems
+# or non-Linux systems
+comment = common files for all jails that need user/group information
+libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2
+regularfiles = /etc/nsswitch.conf /etc/ld.so.conf
+
+[netbasics]
+comment = common files for all jails that need any internet connectivity
+libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2
+regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
+
+[logbasics]
+comment = timezone information
+regularfiles = /etc/localtime
+need_logsocket = 1
+
+[jk_lsh]
+comment = Jailkit limited shell
+executables = /usr/sbin/jk_lsh
+regularfiles = /etc/jailkit/jk_lsh.ini
+users = root
+groups = root
+need_logsocket = 1
+includesections = uidbasics
+
+[limitedshell]
+comment = alias for jk_lsh
+includesections = jk_lsh
+
+[cvs]
+comment = Concurrent Versions System
+executables = /usr/bin/cvs
+devices = /dev/null
+
+[git]
+comment = Fast Version Control System
+executables = /usr/bin/git*
+directories = /usr/share/git-core
+includesections = editors
+
+[scp]
+comment = ssh secure copy
+executables = /usr/bin/scp
+includesections = netbasics, uidbasics
+devices = /dev/urandom
+
+[sftp]
+comment = ssh secure ftp
+executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
+includesections = netbasics, uidbasics
+devices = /dev/urandom, /dev/null
+
+[ssh]
+comment = ssh secure shell
+executables = /usr/bin/ssh
+includesections = netbasics, uidbasics
+devices = /dev/urandom, /dev/tty
+
+[rsync]
+executables = /usr/bin/rsync
+includesections = netbasics, uidbasics
+
+[procmail]
+comment = procmail mail delivery
+executables = /usr/bin/procmail, /bin/sh
+devices = /dev/null
+
+[basicshell]
+comment = bash based shell with several basic utilities
+executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat
+regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile
+directories = /usr/lib/locale/en_US.utf8
+users = root
+groups = root
+includesections = uidbasics
+
+[midnightcommander]
+comment = Midnight Commander
+executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview
+directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc
+includesections = basicshell
+
+[extendedshell]
+comment = bash shell including things like awk, bzip, tail, less
+executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usb/bin/whoami
+includesections = basicshell, midnightcommander, editors
+
+[editors]
+comment = vim, joe and nano
+executables = /usb/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico
+regularfiles = /etc/vimrc
+directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo
+
+[netutils]
+comment = several internet utilities like wget, ftp, rsync, scp, ssh
+executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
+includesections = netbasics, ssh, sftp, scp
+
+[apacheutils]
+comment = htpasswd utility
+executables = /usr/bin/htpasswd
+
+[extshellplusnet]
+comment = alias for extendedshell + netutils + apacheutils
+includesections = extendedshell, netutils, apacheutils
+
+[openvpn]
+comment = jail for the openvpn daemon
+executables = /usr/sbin/openvpn
+users = root,nobody
+groups = root,nogroup
+includesections = netbasics
+devices = /dev/urandom, /dev/random, /dev/net/tun
+includesections = netbasics, uidbasics
+need_logsocket = 1
+
+[apache]
+comment = the apache webserver, very basic setup, probably too limited for you
+executables = /usr/sbin/apache
+users = root, www-data
+groups = root, www-data
+includesections = netbasics, uidbasics
+
+[perl]
+comment = the perl interpreter and libraries
+executables = /usr/bin/perl
+directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
+
+[xauth]
+comment = getting X authentication to work
+executables = /usr/bin/X11/xauth
+regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
+
+[xclients]
+comment = minimal files for X clients
+regularfiles = /usr/X11R6/lib/X11/rgb.txt
+includesections = xauth
+
+[vncserver]
+comment = the VNC server program
+executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc
+directories = /usr/X11R6/lib/X11/fonts/
+includesections = xclients
+
+
+#[xterm]
+#comment = xterm
+#executables = /usr/bin/X11/xterm
+#directories = /usr/share/terminfo, /etc/terminfo
+#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
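Review bot: Two executable paths are misspelled: `/usb/bin/whoami` in `[extendedshell]` and `/usb/bin/joe` in `[editors]` should read `/usr/bin/whoami` and `/usr/bin/joe`; as written those binaries never reach the jail. `[openvpn]` also carries two `includesections` lines (`netbasics` and `netbasics, uidbasics`), so one is either ignored or duplicated depending on the parser — keep only `includesections = netbasics, uidbasics`. `[basicshell]` lists `/bin/sh`, `/bin/ls` and `/bin/mkdir` twice, which is harmless but worth tidying. If this file is a verbatim copy of the upstream jailkit jk_init.ini, the fixes belong upstream too.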
diff --git a/install/update.php b/install/update.php
index 06961a0..3095b04 100644
--- a/install/update.php
+++ b/install/update.php
@@ -134,7 +134,11 @@
 if($reconfigure_services_answer == 'yes') {
 	//** Configure postfix
 	$inst->configure_postfix('dont-create-certs');
-
+	
+	//* Configure postfix
+	swriteln('Configuring Jailkit');
+	$inst->configure_jailkit();
+	
 	//** Configure saslauthd
 	swriteln('Configuring SASL');
 	$inst->configure_saslauthd();
diff --git a/interface/bin/php-fcgi b/interface/bin/php-fcgi
new file mode 100644
index 0000000..e09339d
--- /dev/null
+++ b/interface/bin/php-fcgi
@@ -0,0 +1,10 @@
+#!/bin/sh 
+PHPRC="/etc/php5/cgi/" 
+export PHPRC 
+PHP_DOCUMENT_ROOT="/usr/local/ispconfig/interface/web/"
+export PHP_DOCUMENT_ROOT
+PHP_FCGI_CHILDREN=8 
+export PHP_FCGI_CHILDREN 
+PHP_FCGI_MAX_REQUESTS=5000 
+export PHP_FCGI_MAX_REQUESTS 
+exec /usr/bin/php-cgi $1
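Review bot: `exec /usr/bin/php-cgi $1` passes the argument unquoted, so a value containing whitespace is split into several arguments; use `exec /usr/bin/php-cgi "$1"`. Most lines, including the `#!/bin/sh ` shebang, end in trailing whitespace that should be stripped. The script also hard-codes `/usr/bin/php-cgi` and `/etc/php5/cgi/`, while the apache2 plugin hunk in this patch reads `php_fcgi_bin` and related values from `$fastcgi_config`; it is not visible here whether this interface starter is meant to be generated from the same template, so please confirm.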
diff --git a/server/conf/bash.bashrc.master b/server/conf/bash.bashrc.master
new file mode 100644
index 0000000..7347074
--- /dev/null
+++ b/server/conf/bash.bashrc.master
@@ -0,0 +1,63 @@
+
+<tmpl_if name='jailkit_chroot'>
+## Hack for Jailkit User to change back to the logged in user ##
+if [ "$LOGNAME" != $USER ]; then
+ export HOME=<tmpl_var name='home_dir'>$LOGNAME
+ export USER=$LOGNAME
+ export USERNAME=$LOGNAME
+ cd $HOME
+fi
+
+## Change machine hostname to site domain ##
+export HOSTNAME=<tmpl_var name='domain'>
+
+</tmpl_if>
+
+
+# If not running interactively, don't do anything
+[ -z "$PS1" ] && return
+
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# make less more friendly for non-text input files, see lesspipe(1)
+[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"
+
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+xterm-color)
+    PS1='\[\033[01;32m\]$USER@$HOSTNAME\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+    ;;
+*)
+    PS1='\$USER@$HOSTNAME:\w\$ '
+    ;;
+esac
+
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"'
+    ;;
+*)
+    ;;
+esac
+
+
+# enable color support of ls and also add handy aliases
+if [ "$TERM" != "dumb" ]; then
+    eval "`dircolors -b`"
+    alias ls='ls --color=auto'
+    #alias dir='ls --color=auto --format=vertical'
+    #alias vdir='ls --color=auto --format=long'
+fi
+
+# some more ls aliases
+#alias ll='ls -l'
+#alias la='ls -A'
+#alias l='ls -CF'
+
+
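Review bot: The fallback prompt `PS1='\$USER@$HOSTNAME:\w\$ '` escapes the first dollar sign, so every terminal other than `xterm-color` shows a literal `$USER`; the colour branch a few lines above uses `$USER@$HOSTNAME`, which is what was intended. In the jailkit block, `[ "$LOGNAME" != $USER ]` and `cd $HOME` leave `$USER` and `$HOME` unquoted — write `if [ "$LOGNAME" != "$USER" ]; then` and `cd "$HOME"`. `export HOME=<tmpl_var name='home_dir'>$LOGNAME` relies on `home_dir` ending in a slash; whether `_get_home_dir("")` returns one is not visible in this patch, so please confirm or insert the `/` explicitly.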
diff --git a/server/conf/motd.master b/server/conf/motd.master
new file mode 100644
index 0000000..7467ff3
--- /dev/null
+++ b/server/conf/motd.master
@@ -0,0 +1,4 @@
+Welcome To Site <tmpl_var name='domain'>
+
+
+
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index d8b0c06..a5f5f42 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -385,10 +385,12 @@
 			$fastcgi_config = $app->getconf->get_server_config($conf["server_id"], 'fastcgi');
 			
 			$fastcgi_starter_path = str_replace("[system_user]",$data["new"]["system_user"],$fastcgi_config["fastcgi_starter_path"]);
+			$fastcgi_starter_path = str_replace("[client_id]",$client_id,$fastcgi_starter_path);
+			
 			if (!is_dir($fastcgi_starter_path))
 			{
-				exec("mkdir -p $fastcgi_starter_path");
-				exec("chown ".$data["new"]["system_user"].":".$data["new"]["system_group"]." $fastcgi_starter_path");
+				exec("mkdir -p ".escapeshellcmd($fastcgi_starter_path));
+				exec("chown ".$data["new"]["system_user"].":".$data["new"]["system_group"]." ".escapeshellcmd($fastcgi_starter_path));
 				
 				
 				$app->log("Creating fastcgi starter script directory: $fastcgi_starter_path",LOGLEVEL_DEBUG);
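Review bot: `escapeshellcmd()` is the wrong escaping function for a single argument: it neutralises shell metacharacters but leaves spaces unescaped, so a path containing one still splits into several words for `mkdir -p` and `chown`; `escapeshellarg()` quotes the whole value and is what these two exec() calls need, e.g. `exec("mkdir -p ".escapeshellarg($fastcgi_starter_path));`. The `chown` line also interpolates `system_user` and `system_group` without any escaping. The same pattern is repeated in the shelluser_jailkit_plugin hunks of this patch: the mkdir/chown lines around `$jailkit_chroot_userhome` and `$jailkit_chroot_puserhome`, and the `rm` calls for `$bashrc` and `$motd`. The enclosing method starts and ends outside this hunk.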
@@ -403,7 +405,7 @@
 			$fcgi_tpl->setVar('php_fcgi_max_requests',$fastcgi_config["fastcgi_max_requests"]);
 			$fcgi_tpl->setVar('php_fcgi_bin',$fastcgi_config["fastcgi_bin"]);
 				
-			$fcgi_starter_script = escapeshellcmd($fastcgi_starter_path."/".$fastcgi_config["fastcgi_starter_script"]);
+			$fcgi_starter_script = escapeshellcmd($fastcgi_starter_path.$fastcgi_config["fastcgi_starter_script"]);
 			file_put_contents($fcgi_starter_script,$fcgi_tpl->grab());
 			unset($fcgi_tpl);
 			
diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php
index a74f171..6a35f95 100755
--- a/server/plugins-available/shelluser_jailkit_plugin.inc.php
+++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php
@@ -100,6 +100,9 @@
 	}
 	
 	//* This function is called, when a shell user is deleted in the database
+	/**
+	 * TODO: Remove chroot user home and from the chroot passwd file
+	 */ 
 	function delete($event_name,$data) {
 		global $app, $conf;
 		
@@ -110,7 +113,8 @@
 			
 			$jailkit_chroot_userhome = $this->_get_home_dir($data['old']['username']);
 			
-			exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);
+			//commented out proved to be dangerous on config errors
+			//exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);
 			
 			
 			$app->log("Jalikit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG);
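Review bot: With the `rm -rf` now commented out, the debug line that follows still reports `delete chroot home:` although nothing is removed, which will mislead anyone reading the server log during an incident; reword it to match what happens, e.g. `$app->log("Jailkit Plugin -> chroot home left in place, manual cleanup needed: ".$data['old']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG);`. A log level higher than debug would make the leftover directory easier to spot, if the logger offers one — only LOGLEVEL_DEBUG is visible here. The delete() method continues outside this hunk.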
@@ -135,6 +139,36 @@
 				
 				$this->_add_jailkit_programs();
 				
+				//add bash.bashrc script
+				//we need to collect the domain name to be used as the HOSTNAME in the bashrc script
+				$web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".intval($this->data['new']["parent_domain_id"]));
+				
+				$this->app->load('tpl');
+		
+				$tpl = new tpl();
+				$tpl->newTemplate("bash.bashrc.master");
+				
+				$tpl->setVar('jailkit_chroot',true);
+				$tpl->setVar('domain',$web['domain']);
+				$tpl->setVar('home_dir',$this->_get_home_dir(""));
+				
+				$bashrc = escapeshellcmd($this->data['new']['dir']).'/etc/bash.bashrc';
+				exec('rm '.$bashrc);
+				
+				file_put_contents($bashrc,$tpl->grab());
+				unset($tpl);
+				
+				$this->app->log("Added bashrc scrpt : ".$bashrc,LOGLEVEL_DEBUG);
+				
+				$tpl = new tpl();
+				$tpl->newTemplate("motd.master");
+				
+				$tpl->setVar('domain',$web['domain']);
+				
+				$motd = escapeshellcmd($this->data['new']['dir']).'/var/run/motd';
+				exec('rm '.$motd);
+				
+				file_put_contents($motd,$tpl->grab());
 				
 			}
 	}
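Review bot: `$bashrc` and `$motd` are built with `escapeshellcmd()` and then used both as exec() arguments and as `file_put_contents()` targets; the shell-escaped form (backslashes inserted before metacharacters) is not a valid filesystem path, so a jail dir containing any such character writes to the wrong file or fails silently. Build the plain path for file_put_contents() and drop the preceding `exec('rm '.$bashrc)` / `exec('rm '.$motd)` altogether — file_put_contents() truncates and overwrites, and `unlink()` would be the PHP way if a removal were needed. Neither file_put_contents() result is checked, so a jail lacking `/etc` or `/var/run` leaves the user without bashrc/motd while the log still says "Added bashrc scrpt" (also a typo for "script"). The enclosing method starts and ends outside this hunk.
```php
// … unchanged: domain lookup, tpl load and bash.bashrc setVar() calls …
// plain filesystem path — escapeshellcmd() output is not a valid path for file_put_contents()
$bashrc = $this->data['new']['dir'].'/etc/bash.bashrc';
if (file_put_contents($bashrc,$tpl->grab()) === false) {
    $this->app->log("Failed to write bashrc: ".$bashrc,LOGLEVEL_DEBUG);
}
unset($tpl);
// … unchanged: "Added bashrc" log, motd template and setVar('domain') …
$motd = $this->data['new']['dir'].'/var/run/motd';
if (file_put_contents($motd,$tpl->grab()) === false) {
    $this->app->log("Failed to write motd: ".$motd,LOGLEVEL_DEBUG);
}
```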
@@ -174,15 +208,16 @@
 				
 				$this->app->log("Added jailkit user to chroot with command: ".$command,LOGLEVEL_DEBUG);
 				
-				exec("mkdir -p ".$this->data['new']['dir'].$jailkit_chroot_userhome);
-				exec("chown ".$this->data['new']['username'].":".$this->data['new']['pgroup']." ".$this->data['new']['dir'].$jailkit_chroot_userhome);
+				exec("mkdir -p ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome));
+				exec("chown ".$this->data['new']['username'].":".$this->data['new']['pgroup']." ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome));
 				
 				$this->app->log("Added created jailkit user home in : ".$this->data['new']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG);
 				
-				exec("mkdir -p ".$this->data['new']['dir'].$jailkit_chroot_puserhome);
-				exec("chown ".$this->data['new']['puser'].":".$this->data['new']['pgroup']." ".$this->data['new']['dir'].$jailkit_chroot_puserhome);
+				exec("mkdir -p ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome));
+				exec("chown ".$this->data['new']['puser'].":".$this->data['new']['pgroup']." ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome));
 				
 				$this->app->log("Added created jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome,LOGLEVEL_DEBUG);
+				
 			}	
 	}
 	

--
Gitblit v1.9.1