From 61d290c124aa65c9ad2edd183617b92660f92289 Mon Sep 17 00:00:00 2001 From: daniel Date: Sun, 8 Jun 2008 17:14:01 +0000 Subject: [PATCH] Modified install / update to copy over jailkit configs Included jailkit config templates Added bash.bashrc and motd templates to copy over for for chroot system Updated ispconfig vhost to include php fastcgi configs if fastcgi is enabled. What if the module is loaded too ? TODO: jailkit chroot is still not loading the modified motd in /etc/motd and /var/run/motd ?? --- install/dist/conf/debian40.conf.php | 5 + install/dist/conf/gentoo.conf.php | 5 + install/install.php | 4 + install/lib/installer_base.lib.php | 19 ++- install/tpl/jk_chrootsh.ini.master | 13 ++ install/tpl/jk_init.ini.master | 151 ++++++++++++++++++ install/update.php | 6 +- interface/bin/php-fcgi | 10 ++ server/conf/bash.bashrc.master | 63 ++++++++ server/conf/motd.master | 4 + .../plugins-available/apache2_plugin.inc.php | 8 +- .../shelluser_jailkit_plugin.inc.php | 45 +++++- 12 files changed, 323 insertions(+), 10 deletions(-) create mode 100644 install/tpl/jk_chrootsh.ini.master create mode 100644 install/tpl/jk_init.ini.master create mode 100644 interface/bin/php-fcgi create mode 100644 server/conf/bash.bashrc.master create mode 100644 server/conf/motd.master diff --git a/install/dist/conf/debian40.conf.php b/install/dist/conf/debian40.conf.php index fc1527558..2223e1985 100644 --- a/install/dist/conf/debian40.conf.php +++ b/install/dist/conf/debian40.conf.php @@ -76,4 +76,9 @@ $conf['pureftpd']['init_script'] = 'pure-ftpd-mysql'; $conf['mydns']['config_dir'] = '/etc'; $conf['mydns']['init_script'] = 'mydns'; +//* Jailkit +$conf['jailkit']['config_dir'] = '/etc/jailkit'; +$conf['jailkit']['jk_init'] = 'jk_init.ini'; +$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini'; + ?> \ No newline at end of file diff --git a/install/dist/conf/gentoo.conf.php b/install/dist/conf/gentoo.conf.php index 6edd4baf9..50930c76d 100644 --- a/install/dist/conf/gentoo.conf.php 
+++ b/install/dist/conf/gentoo.conf.php @@ -62,4 +62,9 @@ $dist['pureftpd']['init_script'] = 'pure-ftpd'; $dist['mydns']['config_dir'] = '/etc'; $dist['mydns']['init_script'] = 'mydns'; +//* Jailkit +$conf['jailkit']['config_dir'] = '/etc/jailkit'; +$conf['jailkit']['jk_init'] = 'jk_init.ini'; +$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini'; + ?> \ No newline at end of file diff --git a/install/install.php b/install/install.php index c64b25d13..3138ee515 100644 --- a/install/install.php +++ b/install/install.php @@ -134,6 +134,10 @@ if($install_mode == 'Standard') { //* Configure postfix $inst->configure_postfix(); + + //* Configure postfix + swriteln('Configuring Jailkit'); + $inst->configure_jailkit(); //* Configure saslauthd swriteln('Configuring SASL'); diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 42325db5e..942d03f4f 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -183,7 +183,24 @@ class installer_base { wf($full_file_name, $content); } - + public function configure_jailkit() + { + $cf = $this->conf['jailkit']; + $config_dir = $cf['config_dir']; + $jk_init = $cf['jk_init']; + $jk_chrootsh = $cf['jk_chrootsh']; + + if (!is_dir($config_dir)) + { + copy($config_dir.'/'.$jk_init, $config_dir.'/'.$jk_init.'~'); + copy($config_dir.'/'.$jk_chrootsh.".master", $config_dir.'/'.$jk_chrootsh.'~'); + + copy('tpl/'.$jk_init.".master", $config_dir.'/'.$jk_init); + copy('tpl/'.$jk_chrootsh.".master", $config_dir.'/'.$jk_chrootsh); + } + + } + public function configure_postfix($options = '') { $cf = $this->conf['postfix']; diff --git a/install/tpl/jk_chrootsh.ini.master b/install/tpl/jk_chrootsh.ini.master new file mode 100644 index 000000000..cfd9e8d19 --- /dev/null +++ b/install/tpl/jk_chrootsh.ini.master 
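Review bot: The three Jailkit entries added to gentoo.conf.php are assigned to `$conf['jailkit'][...]` while every context line around them uses `$dist[...]` (`$dist['mydns']['init_script'] = 'mydns';`), so unless `$dist` is merged into `$conf` somewhere outside this hunk, `configure_jailkit()` reads `$this->conf['jailkit']` and finds nothing on Gentoo. Writing them as `$dist['jailkit']['config_dir'] = '/etc/jailkit';` (and likewise for `jk_init` and `jk_chrootsh`) keeps the file consistent with its own convention; whether the installer later copies `$dist` into `$conf` cannot be seen from this hunk.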
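Review bot: The comment placed above the new call in install.php reads `//* Configure postfix` while the code under it calls `$inst->configure_jailkit()`; it should read `//* Configure jailkit`. The same copied comment appears in the update.php hunk (`@@ -134,7 +134,11 @@`) and wants the same fix.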
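Review bot: `configure_jailkit()` has its guard inverted: `if (!is_dir($config_dir))` runs the copies only when `/etc/jailkit` is missing, which is precisely when both the backup `copy()` calls and the template installs cannot succeed, and the jk_chrootsh backup reads `$config_dir.'/'.$jk_chrootsh.".master"`, a file that never exists in the config dir. `if (is_dir($config_dir))` together with `copy($config_dir.'/'.$jk_chrootsh, $config_dir.'/'.$jk_chrootsh.'~');` fixes both. Every `copy()` return value is discarded, so a failed template install passes silently; since this runs as root on every "Reconfigure Services" pass, at least the two template copies should be checked and reported through the installer's usual output. Note also that the `~` backup is overwritten on each run, so an operator's edits to jk_init.ini survive exactly one reconfigure.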
@@ -0,0 +1,13 @@ +## example for a user +#[test] +#env= DISPLAY, XAUTHORITY +# +##example for a group, there should be only 1 space inbetween the words! +#[group users] +#env = DISPLAY, XAUTHORITY +# +[DEFAULT] +#relax_home_group=1 +skip_injail_passwd_check=1 +injail_shell=/bin/bash +env = TERM, PATH diff --git a/install/tpl/jk_init.ini.master b/install/tpl/jk_init.ini.master new file mode 100644 index 000000000..dcfc0f35a --- /dev/null +++ b/install/tpl/jk_init.ini.master 
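Review bot: `skip_injail_passwd_check=1` in `[DEFAULT]` disables jk_chrootsh's check that the logging-in user also exists in the jail's own passwd file, and the template gives no reason for turning it off. The `TODO: Remove chroot user home and from the chroot passwd file` docblock in the shelluser_jailkit_plugin hunk suggests the jail's passwd file is not kept in sync on deletion, which is presumably why; either way the rationale belongs next to the setting, e.g. `# ISPConfig creates jail users via jk_jailuser but does not maintain the jail passwd file on delete; see shelluser_jailkit_plugin`. Documenting it makes it visible to whoever later tightens user removal.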
@@ -0,0 +1,151 @@ +[uidbasics] +# this section probably needs adjustment on 64bit systems +# or non-Linux systems +comment = common files for all jails that need user/group information +libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2 +regularfiles = /etc/nsswitch.conf /etc/ld.so.conf + +[netbasics] +comment = common files for all jails that need any internet connectivity +libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2 +regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols + +[logbasics] +comment = timezone information +regularfiles = /etc/localtime +need_logsocket = 1 + +[jk_lsh] +comment = Jailkit limited shell +executables = /usr/sbin/jk_lsh +regularfiles = /etc/jailkit/jk_lsh.ini +users = root +groups = root +need_logsocket = 1 +includesections = uidbasics + +[limitedshell] +comment = alias for jk_lsh +includesections = jk_lsh + +[cvs] +comment = Concurrent Versions System +executables = /usr/bin/cvs +devices = /dev/null + +[git] +comment = Fast Version Control System +executables = /usr/bin/git* +directories = /usr/share/git-core +includesections = editors + +[scp] +comment = ssh secure copy +executables = /usr/bin/scp +includesections = netbasics, uidbasics +devices = /dev/urandom + +[sftp] +comment = ssh secure ftp +executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server +includesections = netbasics, uidbasics +devices = /dev/urandom, /dev/null + +[ssh] +comment = ssh secure shell +executables = /usr/bin/ssh +includesections = netbasics, uidbasics +devices = /dev/urandom, /dev/tty + +[rsync] +executables = /usr/bin/rsync +includesections = netbasics, uidbasics + +[procmail] +comment = procmail mail delivery +executables = /usr/bin/procmail, /bin/sh +devices = /dev/null + +[basicshell] +comment = bash based shell with several basic utilities +executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, 
/bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat +regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile +directories = /usr/lib/locale/en_US.utf8 +users = root +groups = root +includesections = uidbasics + +[midnightcommander] +comment = Midnight Commander +executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview +directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc +includesections = basicshell + +[extendedshell] +comment = bash shell including things like awk, bzip, tail, less +executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usb/bin/whoami +includesections = basicshell, midnightcommander, editors + +[editors] +comment = vim, joe and nano +executables = /usb/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico +regularfiles = /etc/vimrc +directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo + +[netutils] +comment = several internet utilities like wget, ftp, rsync, scp, ssh +executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient +includesections = netbasics, ssh, sftp, scp + +[apacheutils] +comment = htpasswd utility +executables = /usr/bin/htpasswd + +[extshellplusnet] +comment = alias for extendedshell + netutils + apacheutils +includesections = extendedshell, netutils, apacheutils + +[openvpn] +comment = jail for the openvpn daemon +executables = /usr/sbin/openvpn +users = root,nobody +groups = 
root,nogroup +includesections = netbasics +devices = /dev/urandom, /dev/random, /dev/net/tun +includesections = netbasics, uidbasics +need_logsocket = 1 + +[apache] +comment = the apache webserver, very basic setup, probably too limited for you +executables = /usr/sbin/apache +users = root, www-data +groups = root, www-data +includesections = netbasics, uidbasics + +[perl] +comment = the perl interpreter and libraries +executables = /usr/bin/perl +directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5 + +[xauth] +comment = getting X authentication to work +executables = /usr/bin/X11/xauth +regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf + +[xclients] +comment = minimal files for X clients +regularfiles = /usr/X11R6/lib/X11/rgb.txt +includesections = xauth + +[vncserver] +comment = the VNC server program +executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc +directories = /usr/X11R6/lib/X11/fonts/ +includesections = xclients + + +#[xterm] +#comment = xterm +#executables = /usr/bin/X11/xterm +#directories = /usr/share/terminfo, /etc/terminfo +#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4 diff --git a/install/update.php b/install/update.php index 06961a07a..3095b04c1 100644 --- a/install/update.php +++ b/install/update.php @@ -134,7 +134,11 @@ $reconfigure_services_answer = $inst->simple_query('Reconfigure Services?', arra if($reconfigure_services_answer == 'yes') { //** Configure postfix $inst->configure_postfix('dont-create-certs'); - + + //* Configure postfix + swriteln('Configuring Jailkit'); + $inst->configure_jailkit(); + //** Configure saslauthd swriteln('Configuring SASL'); $inst->configure_saslauthd(); diff --git a/interface/bin/php-fcgi b/interface/bin/php-fcgi new file mode 100644 index 000000000..e09339df0 --- /dev/null +++ b/interface/bin/php-fcgi 
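Review bot: Two executable paths in the new jk_init template are misspelled: `/usb/bin/whoami` in `[extendedshell]` and `/usb/bin/joe` in `[editors]` should be `/usr/bin/whoami` and `/usr/bin/joe`, otherwise jk_init cannot copy them into the jail. `[openvpn]` declares `includesections` twice (`netbasics`, then `netbasics, uidbasics`), so which one wins depends on the INI parser; keep only the second. `[uidbasics]` lists `regularfiles = /etc/nsswitch.conf /etc/ld.so.conf` without the comma every other list in the file uses, presumably meant as `/etc/nsswitch.conf, /etc/ld.so.conf`.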
@@ -0,0 +1,10 @@ +#!/bin/sh +PHPRC="/etc/php5/cgi/" +export PHPRC +PHP_DOCUMENT_ROOT="/usr/local/ispconfig/interface/web/" +export PHP_DOCUMENT_ROOT +PHP_FCGI_CHILDREN=8 +export PHP_FCGI_CHILDREN +PHP_FCGI_MAX_REQUESTS=5000 +export PHP_FCGI_MAX_REQUESTS +exec /usr/bin/php-cgi $1 diff --git a/server/conf/bash.bashrc.master b/server/conf/bash.bashrc.master new file mode 100644 index 000000000..7347074bf --- /dev/null +++ b/server/conf/bash.bashrc.master @@ -0,0 +1,63 @@ + + +## Hack for Jailkit User to change back to the logged in user ## +if [ "$LOGNAME" != $USER ]; then + export HOME=$LOGNAME + export USER=$LOGNAME + export USERNAME=$LOGNAME + cd $HOME +fi + +## Change machine hostname to site domain ## +export HOSTNAME= + + + + +# If not running interactively, don't do anything +[ -z "$PS1" ] && return + + +# check the window size after each command and, if necessary, +# update the values of LINES and COLUMNS. +shopt -s checkwinsize + +# make less more friendly for non-text input files, see lesspipe(1) +[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)" + + +# set a fancy prompt (non-color, unless we know we "want" color) +case "$TERM" in +xterm-color) + PS1='\[\033[01;32m\]$USER@$HOSTNAME\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' + ;; +*) + PS1='\$USER@$HOSTNAME:\w\$ ' + ;; +esac + + +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"' + ;; +*) + ;; +esac + + +# enable color support of ls and also add handy aliases +if [ "$TERM" != "dumb" ]; then + eval "`dircolors -b`" + alias ls='ls --color=auto' + #alias dir='ls --color=auto --format=vertical' + #alias vdir='ls --color=auto --format=long' +fi + +# some more ls aliases +#alias ll='ls -l' +#alias la='ls -A' +#alias l='ls -CF' + + diff --git a/server/conf/motd.master b/server/conf/motd.master new file mode 100644 index 000000000..7467ff3ad --- /dev/null +++ b/server/conf/motd.master 
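Review bot: `exec /usr/bin/php-cgi $1` passes the script path unquoted, so a path containing whitespace is split into several arguments; use `exec /usr/bin/php-cgi "$1"` (or `"$@"` if more than one argument is ever forwarded). The file is committed with mode 100644 although it starts with `#!/bin/sh`, so it is not executable as added; if the installer is expected to `chmod +x` it, that step is not in this patch. `PHPRC="/etc/php5/cgi/"` and `PHP_DOCUMENT_ROOT` are hard-coded for one distribution layout, which the per-distribution conf files touched by this same commit could supply instead.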
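Review bot: `export HOSTNAME=` leaves the hostname empty, and the template contains no placeholder for the `domain` or `home_dir` variables that shelluser_jailkit_plugin sets on it, so the "Change machine hostname to site domain" comment is not actually implemented (motd.master has the same gap: the plugin passes `domain`, the template is the fixed text `Welcome To Site`). In the non-colour prompt `PS1='\$USER@$HOSTNAME:\w\$ '` the leading `\$USER` is escaped and prints literally; it should read `PS1='$USER@$HOSTNAME:\w\$ '`. `export HOME=$LOGNAME` assigns a user name rather than a directory to HOME, after which `cd $HOME` resolves relative to the current directory, which looks like it was meant to use the `home_dir` value the plugin supplies; worth confirming against the jail layout. `[ "$LOGNAME" != $USER ]` should quote `$USER` as well.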
@@ -0,0 +1,4 @@ +Welcome To Site + + + diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index d8b0c0640..a5f5f428d 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php @@ -385,10 +385,12 @@ class apache2_plugin { $fastcgi_config = $app->getconf->get_server_config($conf["server_id"], 'fastcgi'); $fastcgi_starter_path = str_replace("[system_user]",$data["new"]["system_user"],$fastcgi_config["fastcgi_starter_path"]); + $fastcgi_starter_path = str_replace("[client_id]",$client_id,$fastcgi_starter_path); + if (!is_dir($fastcgi_starter_path)) { - exec("mkdir -p $fastcgi_starter_path"); - exec("chown ".$data["new"]["system_user"].":".$data["new"]["system_group"]." $fastcgi_starter_path"); + exec("mkdir -p ".escapeshellcmd($fastcgi_starter_path)); + exec("chown ".$data["new"]["system_user"].":".$data["new"]["system_group"]." ".escapeshellcmd($fastcgi_starter_path)); $app->log("Creating fastcgi starter script directory: $fastcgi_starter_path",LOGLEVEL_DEBUG); @@ -403,7 +405,7 @@ class apache2_plugin { $fcgi_tpl->setVar('php_fcgi_max_requests',$fastcgi_config["fastcgi_max_requests"]); $fcgi_tpl->setVar('php_fcgi_bin',$fastcgi_config["fastcgi_bin"]); - $fcgi_starter_script = escapeshellcmd($fastcgi_starter_path."/".$fastcgi_config["fastcgi_starter_script"]); + $fcgi_starter_script = escapeshellcmd($fastcgi_starter_path.$fastcgi_config["fastcgi_starter_script"]); file_put_contents($fcgi_starter_script,$fcgi_tpl->grab()); unset($fcgi_tpl); diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php index a74f1712f..6a35f9593 100755 --- a/server/plugins-available/shelluser_jailkit_plugin.inc.php +++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php 
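Review bot: `escapeshellcmd()` is the wrong escaper for a single command argument: it neutralises metacharacters but does not quote whitespace, so a `fastcgi_starter_path` containing a space still splits into two arguments; `escapeshellarg($fastcgi_starter_path)` is the right call, and `$data["new"]["system_user"]` / `system_group` in the `chown` line remain unescaped altogether. The same pattern is in the `@@ -174,15 +208,16 @@` hunk of shelluser_jailkit_plugin.inc.php. `$client_id` feeds the new `[client_id]` replacement but is not assigned anywhere in the hunk; if it is not set earlier in the method (which starts outside the hunk) the placeholder is silently replaced by an empty string.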
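Review bot: Dropping the `/` between `$fastcgi_starter_path` and the script name makes the result depend on the configured `fastcgi_starter_path` ending in a slash; with a value that does not, the script name is glued onto the last path segment. `rtrim($fastcgi_starter_path, '/').'/'.$fastcgi_config["fastcgi_starter_script"]` works either way. Wrapping that path in `escapeshellcmd()` before handing it to `file_put_contents()` on the next line is also wrong: it inserts backslashes into the filename, so for a path with any escapable character the file written is not the one the vhost will later exec; drop the escaping here and apply `escapeshellarg()` only at the point where the path goes into a shell command.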
@@ -100,6 +100,9 @@ class shelluser_jailkit_plugin { } //* This function is called, when a shell user is deleted in the database + /** + * TODO: Remove chroot user home and from the chroot passwd file + */ function delete($event_name,$data) { global $app, $conf; @@ -110,7 +113,8 @@ class shelluser_jailkit_plugin { $jailkit_chroot_userhome = $this->_get_home_dir($data['old']['username']); - exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome); + //commented out proved to be dangerous on config errors + //exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome); $app->log("Jalikit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG); @@ -135,6 +139,36 @@ class shelluser_jailkit_plugin { $this->_add_jailkit_programs(); + //add bash.bashrc script + //we need to collect the domain name to be used as the HOSTNAME in the bashrc script + $web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".intval($this->data['new']["parent_domain_id"])); + + $this->app->load('tpl'); + + $tpl = new tpl(); + $tpl->newTemplate("bash.bashrc.master"); + + $tpl->setVar('jailkit_chroot',true); + $tpl->setVar('domain',$web['domain']); + $tpl->setVar('home_dir',$this->_get_home_dir("")); + + $bashrc = escapeshellcmd($this->data['new']['dir']).'/etc/bash.bashrc'; + exec('rm '.$bashrc); + + file_put_contents($bashrc,$tpl->grab()); + unset($tpl); + + $this->app->log("Added bashrc scrpt : ".$bashrc,LOGLEVEL_DEBUG); + + $tpl = new tpl(); + $tpl->newTemplate("motd.master"); + + $tpl->setVar('domain',$web['domain']); + + $motd = escapeshellcmd($this->data['new']['dir']).'/var/run/motd'; + exec('rm '.$motd); + + file_put_contents($motd,$tpl->grab()); } } 
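Review bot: With the `rm -rf` commented out, the log line directly below still reports `delete chroot home:` for a directory that is no longer removed, which will mislead anyone reading the debug log. Either change the message to say the removal is skipped, or reinstate the removal behind a check that `$data['old']['dir']` is non-empty and absolute and that the joined path stays inside the jail, passed through `escapeshellarg()` (or implemented as a PHP-side recursive delete so no shell is involved); the comment `proved to be dangerous on config errors` is exactly the case such a check guards. The new `/** TODO */` docblock documents the gap, but the `delete()` body continues outside the hunk.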
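Review bot: `$bashrc = escapeshellcmd($this->data['new']['dir']).'/etc/bash.bashrc'` applies shell escaping to a path that is then used by `file_put_contents()`, so a jail dir containing any escapable character writes a file whose name carries literal backslashes, and the preceding `exec('rm '.$bashrc)` is redundant because `file_put_contents()` truncates; the `$motd` pair has the same problem. Use `$bashrc = $this->data['new']['dir'].'/etc/bash.bashrc';` (likewise for `$motd`) and drop the two `exec('rm …')` lines, or use `unlink()` if an explicit removal is wanted. `$web` is never checked: if the `web_domain` lookup returns no row, `$web['domain']` is read from a non-array and both templates receive an empty domain; log and return early in that case. The commit's own TODO about the motd not appearing is presumably because sshd prints the motd before jk_chrootsh enters the jail, in which case writing it inside the jail cannot take effect—worth verifying before adding more template work here. The enclosing method begins outside the hunk.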
@@ -174,15 +208,16 @@ class shelluser_jailkit_plugin { $this->app->log("Added jailkit user to chroot with command: ".$command,LOGLEVEL_DEBUG); - exec("mkdir -p ".$this->data['new']['dir'].$jailkit_chroot_userhome); - exec("chown ".$this->data['new']['username'].":".$this->data['new']['pgroup']." ".$this->data['new']['dir'].$jailkit_chroot_userhome); + exec("mkdir -p ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome)); + exec("chown ".$this->data['new']['username'].":".$this->data['new']['pgroup']." ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome)); $this->app->log("Added created jailkit user home in : ".$this->data['new']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG); - exec("mkdir -p ".$this->data['new']['dir'].$jailkit_chroot_puserhome); - exec("chown ".$this->data['new']['puser'].":".$this->data['new']['pgroup']." ".$this->data['new']['dir'].$jailkit_chroot_puserhome); + exec("mkdir -p ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome)); + exec("chown ".$this->data['new']['puser'].":".$this->data['new']['pgroup']." ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome)); $this->app->log("Added created jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome,LOGLEVEL_DEBUG); + } } -- GitLab
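Review bot: Creating and chowning the two home directories still goes through `exec("mkdir -p …")` and `exec("chown …")`, with `username`, `puser` and `pgroup` interpolated unescaped and `escapeshellcmd()` rather than `escapeshellarg()` on the path. PHP's own `mkdir($path, $mode, true)`, `chown()` and `chgrp()` do the same work without a shell, which removes the quoting question entirely and lets each return value be checked and logged instead of being ignored as it is now. The owning method starts before the hunk; only its final `}` is visible here.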