Commit 88c60a54 authored by Marius Burkard's avatar Marius Burkard

Merge branch '6024-jailkit_errors' into 'develop'

jailkit bugfixes

Closes #6041, #6036, #6040, and #6042

See merge request !1401
parents eb1416d3 1070f878
Pipeline #7591 passed with stage
in 13 seconds
......@@ -114,7 +114,8 @@ class cronjob_jailkit_maintenance extends cronjob {
if (is_file( $rec['document_root']."/bin/bash" )) {
# test that /bin/bash functions in the jail
print "chroot --userspec ".$rec['system_user'].":".$rec['system_group']." ".$rec['document_root']." /bin/bash -c true 2>/dev/null\n";
if (! $app->system->exec_safe("chroot --userspec ?:? ? /bin/bash -c true 2>/dev/null", $rec['system_user'], $rec['system_group'], $rec['document_root'])) {
$app->system->exec_safe("chroot --userspec ?:? ? /bin/bash -c true 2>/dev/null", $rec['system_user'], $rec['system_group'], $rec['document_root']);
if ($app->system->last_exec_retcode()) { # return 0 means success
print "/bin/bash test failed, forcing update\n";
$options[] = 'force';
# bogus hash will not match, triggering an update
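Review bot: The new `last_exec_retcode()` check treats every non-zero status as a broken jail, and because the command ends in `2>/dev/null` the reason for the failure is lost. GNU chroot exits 125 when chroot itself fails (for example an unknown `--userspec` user) and 126 or 127 when the command cannot be run, so forcing a jail update is only likely to help in the latter cases. Consider reading the code once and reporting it, e.g. `$rc = $app->system->last_exec_retcode();` followed by `print "/bin/bash test failed (exit $rc), forcing update\n";`. The enclosing block continues outside the hunk.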
......
......@@ -2412,6 +2412,7 @@ class system{
public function create_jailkit_chroot($home_dir, $app_sections = array(), $options = array()) {
global $app;
$app->log("create_jailkit_chroot: called for home_dir $home_dir with options: " . print_r($options, true), LOGLEVEL_DEBUG);
// Disallow operating on root directory
if(realpath($home_dir) == '/') {
......@@ -2428,6 +2429,9 @@ class system{
} elseif(is_string($app_sections)) {
$app_sections = preg_split('/[\s,]+/', $app_sections);
}
if(! is_array($options)) {
$options = (is_string($options) ? preg_split('/[\s,]+/', $options) : array());
}
// Change ownership of the chroot directory to root
$this->chown($home_dir, 'root');
......@@ -2485,6 +2489,7 @@ class system{
public function create_jailkit_programs($home_dir, $programs = array(), $options = array()) {
global $app;
$app->log("create_jailkit_programs: called for home_dir $home_dir with options: " . print_r($options, true), LOGLEVEL_DEBUG);
// Disallow operating on root directory
if(realpath($home_dir) == '/') {
......@@ -2501,6 +2506,9 @@ class system{
} elseif(is_string($programs)) {
$programs = preg_split('/[\s,]+/', $programs);
}
if(! is_array($options)) {
$options = (is_string($options) ? preg_split('/[\s,]+/', $options) : array());
}
# prohibit ill-advised copying paths known to be sensitive/problematic
# (easy to bypass if needed, eg. use /./etc)
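Review bot: The added normalisation `preg_split('/[\s,]+/', $options)` in create_jailkit_chroot, and the identical lines in create_jailkit_programs, produces empty-string elements for an empty string or for leading or trailing separators, so `''` becomes `array('')` instead of an empty list. Passing the no-empty flag avoids that: `preg_split('/[\s,]+/', $options, -1, PREG_SPLIT_NO_EMPTY)`. Both function bodies continue outside the hunks, so how `$options` is consumed afterwards is not visible here.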
......
......@@ -788,17 +788,18 @@ class apache2_plugin {
$last_updated = array_unique($last_updated, SORT_REGULAR);
sort($last_updated, SORT_STRING);
$update_hash = hash('md5', implode(' ', $last_updated));
$check_for_jailkit_updates=false;
// Create jailkit chroot when enabling php_fpm_chroot
if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y') {
if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y' && $data['new']['php'] != 'no') {
$website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = ?', $data['new']['domain_id']);
$this->website = array_merge($website, $data['new'], array('new_jailkit_hash' => $update_hash));
$this->jailkit_config = $jailkit_config;
$this->_setup_jailkit_chroot();
$this->_add_jailkit_user();
$check_for_jailkit_updates=false;
// else delete if unused
} elseif ($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') {
} elseif (($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') ||
($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php'] == 'no')) {
$check_for_jailkit_updates=false;
$this->_delete_jailkit_if_unused($data['new']['domain_id']);
if(is_dir($data['new']['document_root'].'/etc/jailkit')) {
......@@ -3820,7 +3821,7 @@ class apache2_plugin {
}
// chroot is used by php-fpm
if (isset($parent_domain['php_fpm_chroot']) && $parent_domain['php_fpm_chroot'] == 'y') {
if (isset($parent_domain['php_fpm_chroot']) && $parent_domain['php_fpm_chroot'] == 'y' && $parent_domain['php'] != 'no') {
return;
}
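Review bot: The create branch in the first hunk still requires `$data['old']['php_fpm_chroot'] != 'y'`, so a site saved with the chroot flag on and PHP set to `no`, then later switched to a PHP mode, appears to skip `_setup_jailkit_chroot()` here. Unless a branch outside this hunk covers that case, php-fpm could end up pointed at a jail that was never built, or that the new `php == 'no'` cleanup removed. Treating the PHP switch as a transition as well would close the gap: `&& ($data['old']['php_fpm_chroot'] != 'y' || $data['old']['php'] == 'no')`. The same condition is added in the nginx_plugin hunk at -626. The two `delete_unused_jailkit` tests in the `elseif` could also be written once as `delete_unused_jailkit == 'y' && (php_fpm_chroot != 'y' || php == 'no')`.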
......
......@@ -626,17 +626,18 @@ class nginx_plugin {
$last_updated = array_unique($last_updated, SORT_REGULAR);
sort($last_updated, SORT_STRING);
$update_hash = hash('md5', implode(' ', $last_updated));
$check_for_jailkit_updates=false;
// Create jailkit chroot when enabling php_fpm_chroot
if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y') {
if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y' && $data['new']['php'] != 'no') {
$website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = ?', $data['new']['domain_id']);
$this->website = array_merge($website, $data['new'], array('new_jailkit_hash' => $update_hash));
$this->jailkit_config = $jailkit_config;
$this->_setup_jailkit_chroot();
$this->_add_jailkit_user();
$check_for_jailkit_updates=false;
// else delete if unused
} elseif ($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') {
} elseif (($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') ||
($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php'] == 'no')) {
$check_for_jailkit_updates=false;
$this->_delete_jailkit_if_unused($data['new']['domain_id']);
if(is_dir($data['new']['document_root'].'/etc/jailkit')) {
......@@ -3599,7 +3600,7 @@ class nginx_plugin {
}
// chroot is used by php-fpm
if (isset($parent_domain['php_fpm_chroot']) && $parent_domain['php_fpm_chroot'] == 'y') {
if (isset($parent_domain['php_fpm_chroot']) && $parent_domain['php_fpm_chroot'] == 'y' && $parent_domain['php'] != 'no') {
return;
}
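Review bot: In the second hunk the new test reads `$parent_domain['php']` without the `isset()` guard that the same line applies to `php_fpm_chroot`. This early `return` looks like the path that keeps a jail from being treated as unused, so a missing key should keep the jail and should not emit an undefined-index notice; `&& (!isset($parent_domain['php']) || $parent_domain['php'] != 'no')` does both. The apache2_plugin hunk at -3820 adds the same line. The enclosing function starts and ends outside the hunk.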
......