# jk_init.ini:  jailkit initialization config

# Includes paths to handle Debian 10/9,
# if other paths are needed please create an issue with the details:
# https://git.ispconfig.org/ispconfig/ispconfig3/-/issues

[uidbasics]
comment = common files for all jails that need user/group information
paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, /lib/arm-linux-gnueabihf/libnsl*.so.1, /etc/nsswitch.conf, /etc/ld.so.conf

[netbasics]
comment = common files for all jails that need any internet connectivity
paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/libnss_mdns*.so.2, /lib/i386-linux-gnu/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services, /etc/ssl/certs/, /usr/lib/ssl/certs

[logbasics]
comment = timezone information and log sockets
paths = /etc/localtime
need_logsocket = 1

[jk_lsh]
comment = Jailkit limited shell
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
includesections = uidbasics, logbasics

[limitedshell]
comment = alias for jk_lsh
# Alias only: everything comes from [jk_lsh], i.e. the jk_lsh binary, its
# /etc/jailkit/jk_lsh.ini and the sections [jk_lsh] includes.
includesections = jk_lsh

[cvs]
comment = Concurrent Versions System
paths = cvs
devices = /dev/null

[git]
comment = Fast Version Control System
paths = /usr/bin/git*, /usr/lib/git-core, /usr/share/git-core, /usr/bin/pager
includesections = editors, perl, netbasics, basicshell, coreutils

[scp]
comment = ssh secure copy
paths = scp
includesections = netbasics, uidbasics
devices = /dev/urandom

[sftp]
comment = ssh secure ftp
paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
# on solaris 
#paths = /usr/lib/ssh/sftp-server

[ssh]
comment = ssh secure shell
paths = ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty, /dev/null

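[rsync]
comment = rsync file transfer
# Only the rsync program plus the resolver and account-lookup files from the
# included sections; no shell is provided by this section.
paths = rsync
includesections = netbasics, uidbasics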

[procmail]
comment = procmail mail delivery
paths = procmail, /bin/sh
devices = /dev/null

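[basicshell]
comment = bash based shell with several basic utilities
# Bare names are program names; absolute paths are copied as given.
# Keep each entry unique: a repeated name adds nothing to the jail.
paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, ln, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8, uname, expr, xargs
# users/groups: account entries to place in the jail's passwd and group files.
users = root
groups = root
includesections = uidbasics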

[midnightcommander]
comment = Midnight Commander
paths = mc, mcedit, mcview, /usr/share/mc
includesections = basicshell, terminfo

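[extendedshell]
comment = bash shell including things like awk, bzip, tail, less
# Adds text and file utilities on top of [basicshell]; each program is listed
# once. Through its includes this section also brings in Midnight Commander
# and the editors.
paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, md5sum, nice, sort, tac, tail, tr, wc, watch, whoami
includesections = basicshell, midnightcommander, editors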

[terminfo]
comment = terminfo databases, required for example for ncurses or vim 
# Data directories only, no programs. Pulled in by [editors] and
# [midnightcommander].
paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo

[editors]
comment = vim, joe and nano
includesections = terminfo
paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim

[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
paths = wget, lynx, ftp, host, rsync, smbclient
includesections = netbasics, ssh, sftp, scp

[apacheutils]
comment = htpasswd utility
paths = htpasswd

[extshellplusnet]
comment = alias for extendedshell + netutils + apacheutils
# A wide section: through its includes it adds the shells, editors, Midnight
# Commander, ssh/scp/sftp, wget, lynx, ftp, rsync, smbclient and htpasswd.
# Prefer a narrower section when a jail does not need all of these.
includesections = extendedshell, netutils, apacheutils

[openvpn]
comment = jail for the openvpn daemon
paths = /usr/sbin/openvpn
users = root,nobody
groups = root,nogroup
devices = /dev/urandom, /dev/random, /dev/net/tun
includesections = netbasics, uidbasics
need_logsocket = 1

[apache]
comment = the apache webserver, very basic setup, probably too limited for you
paths = /usr/sbin/apache
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics

[perl]
comment = the perl interpreter and libraries
paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5

[xauth]
comment = getting X authentication to work
paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf

[xclients]
comment = minimal files for X clients
paths = /usr/X11R6/lib/X11/rgb.txt
includesections = xauth

[vncserver]
comment = the VNC server program
paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
includesections = xclients

[ping]
comment = Ping program
# paths_w_setuid copies the file with its setuid/setgid bits kept, whereas
# plain `paths` entries are copied without them. This places a privileged
# binary inside the jail, so include this section only in jails that need ping.
paths_w_setuid = /bin/ping

#[xterm]
#comment = xterm
#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4

# coreutils from:
# (echo -ne '\n[coreutils]\ncomment = non-sbin progs from coreutils\npaths = '; dpkg --listfiles coreutils | grep -E '^/bin/|/usr/bin/' | xargs -n1 -i@ echo -n "@, " | sed -e 's/, *$/\n/g' -e 's|/usr/bin/||g' -e 's|/bin/||g') >> /etc/jailkit/jk_init.ini

[coreutils]
comment = non-sbin progs from coreutils
# Generated list: the coreutils programs under /bin and /usr/bin with the
# directory prefix stripped (see the "coreutils from:" note preceding this
# section). The entry `[` is the test(1) program, not a section header.
# NOTE(review): the list is not curated. It includes chown, chgrp, mknod,
# chcon and runcon, which jailed users rarely need; trim entries if the jail
# should follow least privilege.
paths = cat, chgrp, chmod, chown, cp, date, dd, df, dir, echo, false, ln, ls, mkdir, mknod, mktemp, mv, pwd, readlink, rm, rmdir, sleep, stty, sync, touch, true, uname, vdir, [, arch, b2sum, base32, base64, basename, chcon, cksum, comm, csplit, cut, dircolors, dirname, du, env, expand, expr, factor, fmt, fold, groups, head, hostid, id, install, join, link, logname, md5sum, mkfifo, nice, nl, nohup, nproc, numfmt, od, paste, pathchk, pinky, pr, printenv, printf, ptx, realpath, runcon, seq, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, shred, shuf, sort, split, stat, stdbuf, sum, tac, tail, tee, test, timeout, tr, truncate, tsort, tty, unexpand, uniq, unlink, users, wc, who, whoami, yes, md5sum.textutils

[wp]
comment = WordPress Command Line
# wp needs the php CLI and a database client, hence the php and mysql-client
# includes. /usr/local/bin/php is listed in addition to the /usr/bin/php that
# [php] provides -- presumably for a locally installed interpreter; TODO
# confirm it is still needed.
paths = wp, /usr/local/bin/php
includesections = php, mysql-client

[mysql-client]
comment = mysql client
# Client programs plus the MySQL/MariaDB client libraries for i386 and x86_64.
# No client configuration or credential files are listed here, so none are
# copied into the jail by this section.
paths = mysql, mysqldump, mysqlshow, /usr/lib/libmysqlclient.so, /usr/lib/i386-linux-gnu/libmariadb.so.3, /usr/lib/i386-linux-gnu/mariadb19, /usr/lib/x86_64-linux-gnu/libmariadb.so.3, /usr/lib/x86_64-linux-gnu/mariadb19
# netbasics supplies the resolver, hosts and TLS certificate files.
includesections = netbasics

[composer]
comment = composer
# composer needs the php CLI (php), account lookups (uidbasics) and network
# files (netbasics).
# NOTE(review): composer can execute scripts shipped by the packages it
# installs; that code runs as the jailed user with access to everything
# inside the jail.
paths = composer, /usr/local/bin/composer, /usr/share/doc/composer
includesections = php, uidbasics, netbasics

[node]
comment = NodeJS
paths = npm, node, nodejs, /usr/lib/nodejs, /usr/share/npm, /usr/share/node-mime, /usr/lib/node_modules, /usr/local/lib/nodejs, /usr/local/lib/node_modules, elmi-to-json, /usr/local/bin/elmi-to-json

[env]
comment = /usr/bin/env for environment variables
# Included by [php_common], so every jail that gets php also gets env.
paths = env

# Debian 10 default php version is 7.3 (Debian 9 is 7.0)
# Todo: set default version in ISPConfig installer,
# but install the php cli version matching the website
[php]
comment = default php version and libraries
# The default CLI version is whichever php7_x section is named in
# includesections (php7_3 here). The other version sections in this file are
# not included by [php]; a jail gets them only when they are named explicitly.
paths = /usr/bin/php
includesections = php_common, php7_3

[php_common]
comment = common php directories and libraries
# SECURITY NOTICE: potential information leak.
#  Do not add all of /etc/php/ or any of the fpm directories here;
#  otherwise the php config (which includes custom php snippets) from *all*
#  sites which use fpm will be copied into *every* jail.
#  The per-version sections in this file add only /etc/php/<version>/cli/
#  and /etc/php/<version>/mods-available/.
paths = /usr/bin/php, /usr/lib/php/, /usr/share/php/, /usr/share/zoneinfo/
includesections = env

# Per-version PHP sections. Each one copies a single version's CLI binary,
# its library directories (/usr/lib/php/<version>/ and a dated directory,
# presumably the compiled extensions) and only the cli/ and mods-available/
# parts of /etc/php/<version>/. The fpm/ configuration is deliberately not
# listed; see the information-leak notice in [php_common].
# NOTE(review): PHP 5.6 through 7.4 are all past upstream end of life; jails
# using them depend on whoever packages these versions for security fixes.
[php5_6]
comment = php version 5.6
paths = /usr/bin/php5.6, /usr/lib/php/5.6/, /usr/lib/php/20131226/, /usr/share/php/5.6/, /etc/php/5.6/cli/, /etc/php/5.6/mods-available/
includesections = php_common

[php7_0]
comment = php version 7.0
paths = /usr/bin/php7.0, /usr/lib/php/7.0/, /usr/lib/php/20151012/, /usr/share/php/7.0/, /etc/php/7.0/cli/, /etc/php/7.0/mods-available/
includesections = php_common

[php7_1]
comment = php version 7.1
paths = /usr/bin/php7.1, /usr/lib/php/7.1/, /usr/lib/php/20160303/, /usr/share/php/7.1/, /etc/php/7.1/cli/, /etc/php/7.1/mods-available/
includesections = php_common

[php7_2]
comment = php version 7.2
paths = /usr/bin/php7.2, /usr/lib/php/7.2/, /usr/lib/php/20170718/, /usr/share/php/7.2/, /etc/php/7.2/cli/, /etc/php/7.2/mods-available/
includesections = php_common

[php7_3]
comment = php version 7.3
paths = /usr/bin/php7.3, /usr/lib/php/7.3/, /usr/lib/php/20180731/, /usr/share/php/7.3/, /etc/php/7.3/cli/, /etc/php/7.3/mods-available/
includesections = php_common

[php7_4]
comment = php version 7.4
paths = /usr/bin/php7.4, /usr/lib/php/7.4/, /usr/lib/php/20190902/, /usr/share/php/7.4/, /etc/php/7.4/cli/, /etc/php/7.4/mods-available/
includesections = php_common