From 072be2252c5cad71dc3f8aa44693ad7be8f1cf76 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Tue, 2 Feb 2021 15:11:05 -0700 Subject: [PATCH 1/4] jailkit: fix bash test (closes #6042) --- server/lib/classes/cron.d/600-jailkit_maintenance.inc.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/lib/classes/cron.d/600-jailkit_maintenance.inc.php b/server/lib/classes/cron.d/600-jailkit_maintenance.inc.php index 547b7caa1a..4ef5835e67 100644 --- a/server/lib/classes/cron.d/600-jailkit_maintenance.inc.php +++ b/server/lib/classes/cron.d/600-jailkit_maintenance.inc.php @@ -114,7 +114,8 @@ class cronjob_jailkit_maintenance extends cronjob { if (is_file( $rec['document_root']."/bin/bash" )) { # test that /bin/bash functions in the jail print "chroot --userspec ".$rec['system_user'].":".$rec['system_group']." ".$rec['document_root']." /bin/bash -c true 2>/dev/null\n"; - if (! $app->system->exec_safe("chroot --userspec ?:? ? /bin/bash -c true 2>/dev/null", $rec['system_user'], $rec['system_group'], $rec['document_root'])) { + $app->system->exec_safe("chroot --userspec ?:? ? /bin/bash -c true 2>/dev/null", $rec['system_user'], $rec['system_group'], $rec['document_root']); + if ($app->system->last_exec_retcode()) { # return 0 means success print "/bin/bash test failed, forcing update\n"; $options[] = 'force'; # bogus hash will not match, triggering an update -- GitLab From 783d34c17dbe5a14aaa23199cddf9159438dc451 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Tue, 2 Feb 2021 16:13:29 -0700 Subject: [PATCH 2/4] jailkit: enabling due to php_fpm_chroot requires php in use (closes #6040) --- server/plugins-available/apache2_plugin.inc.php | 4 ++-- server/plugins-available/nginx_plugin.inc.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index 45594da5f1..cf69b38818 100644 --- a/server/plugins-available/apache2_plugin.inc.php 
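Review bot: The new `if ($app->system->last_exec_retcode())` in the /bin/bash test treats every falsy value as success, so if exec_safe() can bail out without running the command and leave the return code unset or null, a broken jail would be read as working and the forced update skipped. Neither exec_safe() nor last_exec_retcode() is visible in this hunk, so this needs confirming. If the return code is always an integer, an explicit comparison is safer: `if ($app->system->last_exec_retcode() !== 0) { # return 0 means success`. The enclosing method starts and ends outside the hunk.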
+++ b/server/plugins-available/apache2_plugin.inc.php @@ -788,15 +788,15 @@ class apache2_plugin { $last_updated = array_unique($last_updated, SORT_REGULAR); sort($last_updated, SORT_STRING); $update_hash = hash('md5', implode(' ', $last_updated)); + $check_for_jailkit_updates=false; // Create jailkit chroot when enabling php_fpm_chroot - if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y') { + if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y' && $data['new']['php'] != 'no') { $website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = ?', $data['new']['domain_id']); $this->website = array_merge($website, $data['new'], array('new_jailkit_hash' => $update_hash)); $this->jailkit_config = $jailkit_config; $this->_setup_jailkit_chroot(); $this->_add_jailkit_user(); - $check_for_jailkit_updates=false; // else delete if unused } elseif ($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') { $check_for_jailkit_updates=false; diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index 62a618ce7f..6ba24ead07 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php 
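Review bot: The create branch in apache2_plugin.inc.php now requires `$data['new']['php'] != 'no'` but still fires only when `php_fpm_chroot` changes to 'y', so a site that had the chroot flag set while PHP was off and later gets PHP enabled does not reach `_setup_jailkit_chroot()` through this condition. Whether a later branch (the `$check_for_jailkit_updates` path, outside the hunk) builds the jail in that case is not visible here; if none does, PHP-FPM could be pointed at a chroot that was never populated. Consider treating the PHP off-to-on transition as enabling too, by replacing the old-value test with `($data['old']['php_fpm_chroot'] != 'y' || $data['old']['php'] == 'no')`. The nginx_plugin.inc.php hunk at -626,15 adds the same condition and would need the same change.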
@@ -626,15 +626,15 @@ class nginx_plugin { $last_updated = array_unique($last_updated, SORT_REGULAR); sort($last_updated, SORT_STRING); $update_hash = hash('md5', implode(' ', $last_updated)); + $check_for_jailkit_updates=false; // Create jailkit chroot when enabling php_fpm_chroot - if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y') { + if($data['new']['php_fpm_chroot'] == 'y' && $data['old']['php_fpm_chroot'] != 'y' && $data['new']['php'] != 'no') { $website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = ?', $data['new']['domain_id']); $this->website = array_merge($website, $data['new'], array('new_jailkit_hash' => $update_hash)); $this->jailkit_config = $jailkit_config; $this->_setup_jailkit_chroot(); $this->_add_jailkit_user(); - $check_for_jailkit_updates=false; // else delete if unused } elseif ($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') { $check_for_jailkit_updates=false; -- GitLab From 17c4a07e54f2e81635844ea125a3c0f2b153e8c0 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Tue, 2 Feb 2021 17:19:29 -0700 Subject: [PATCH 3/4] jailkit: fix php warnings (closes #6036) --- server/lib/classes/system.inc.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php index a26707b0ae..5a99bbda20 100644 --- a/server/lib/classes/system.inc.php +++ b/server/lib/classes/system.inc.php @@ -2412,6 +2412,7 @@ class system{ public function create_jailkit_chroot($home_dir, $app_sections = array(), $options = array()) { global $app; +$app->log("create_jailkit_chroot: called for home_dir $home_dir with options: " . print_r($options, true), LOGLEVEL_DEBUG); // Disallow operating on root directory if(realpath($home_dir) == '/') { 
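Review bot: The added `$app->log("create_jailkit_chroot: called for home_dir ...", LOGLEVEL_DEBUG);` line in system.inc.php (hunk at -2412,6) sits at column 0 and runs before the root-directory check and before `$options` is normalised, which reads like a leftover debugging statement rather than part of the warning fix. If it is meant to stay, indent it with the method body and move it below the argument normalisation so it logs the values actually used, with a comment such as `// debug trace of the effective jailkit options`. The same unindented line is added to create_jailkit_programs() in the hunk at -2485,6. Both method bodies continue outside their hunks.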
@@ -2428,6 +2429,9 @@ class system{ } elseif(is_string($app_sections)) { $app_sections = preg_split('/[\s,]+/', $app_sections); } + if(! is_array($options)) { + $options = (is_string($options) ? preg_split('/[\s,]+/', $options) : array()); + } // Change ownership of the chroot directory to root $this->chown($home_dir, 'root'); @@ -2485,6 +2489,7 @@ class system{ public function create_jailkit_programs($home_dir, $programs = array(), $options = array()) { global $app; +$app->log("create_jailkit_programs: called for home_dir $home_dir with options: " . print_r($options, true), LOGLEVEL_DEBUG); // Disallow operating on root directory if(realpath($home_dir) == '/') { @@ -2501,6 +2506,9 @@ class system{ } elseif(is_string($programs)) { $programs = preg_split('/[\s,]+/', $programs); } + if(! is_array($options)) { + $options = (is_string($options) ? preg_split('/[\s,]+/', $options) : array()); + } # prohibit ill-advised copying paths known to be sensitive/problematic # (easy to bypass if needed, eg. use /./etc) -- GitLab From 1070f878c2d6375762bb9217904dadc3837e6b80 Mon Sep 17 00:00:00 2001 From: Jesse Norell Date: Wed, 3 Feb 2021 09:50:34 -0700 Subject: [PATCH 4/4] jailkit: disable php should clean up jailkit (closes #6041) --- server/plugins-available/apache2_plugin.inc.php | 5 +++-- server/plugins-available/nginx_plugin.inc.php | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index cf69b38818..170f8b1b72 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php 
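Review bot: The new normalisation `preg_split('/[\s,]+/', $options)` in create_jailkit_chroot() yields an empty-string element when `$options` is an empty string or has leading or trailing separators, and any value that is neither array nor string silently becomes `array()`. Passing the no-empty flag avoids the stray element: `preg_split('/[\s,]+/', $options, -1, PREG_SPLIT_NO_EMPTY)`. How `$options` is consumed afterwards is outside the hunk, so the effect of an empty entry (or of a dropped `force`-style option) cannot be judged from here. The identical block is added to create_jailkit_programs() in the hunk at -2501,6.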
@@ -798,7 +798,8 @@ class apache2_plugin { $this->_setup_jailkit_chroot(); $this->_add_jailkit_user(); // else delete if unused - } elseif ($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') { + } elseif (($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') || + ($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php'] == 'no')) { $check_for_jailkit_updates=false; $this->_delete_jailkit_if_unused($data['new']['domain_id']); if(is_dir($data['new']['document_root'].'/etc/jailkit')) { @@ -3820,7 +3821,7 @@ class apache2_plugin { } // chroot is used by php-fpm - if (isset($parent_domain['php_fpm_chroot']) && $parent_domain['php_fpm_chroot'] == 'y') { + if (isset($parent_domain['php_fpm_chroot']) && $parent_domain['php_fpm_chroot'] == 'y' && $parent_domain['php'] != 'no') { return; } diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index 6ba24ead07..bec59fddc4 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php @@ -636,7 +636,8 @@ class nginx_plugin { $this->_setup_jailkit_chroot(); $this->_add_jailkit_user(); // else delete if unused - } elseif ($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') { + } elseif (($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php_fpm_chroot'] != 'y') || + ($data['new']['delete_unused_jailkit'] == 'y' && $data['new']['php'] == 'no')) { $check_for_jailkit_updates=false; $this->_delete_jailkit_if_unused($data['new']['domain_id']); if(is_dir($data['new']['document_root'].'/etc/jailkit')) { @@ -3599,7 +3600,7 @@ class nginx_plugin { } // chroot is used by php-fpm - if (isset($parent_domain['php_fpm_chroot']) && $parent_domain['php_fpm_chroot'] == 'y') { + if (isset($parent_domain['php_fpm_chroot']) && $parent_domain['php_fpm_chroot'] == 'y' && $parent_domain['php'] != 'no') { return; } -- GitLab
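Review bot: The rewritten `elseif` in apache2_plugin.inc.php (hunk at -798,7) tests `$data['new']['delete_unused_jailkit'] == 'y'` twice, which makes the condition that leads to jail deletion harder to audit than it needs to be. Factoring it out keeps the same logic: `} elseif ($data['new']['delete_unused_jailkit'] == 'y' && ($data['new']['php_fpm_chroot'] != 'y' || $data['new']['php'] == 'no')) {`. The nginx_plugin.inc.php hunk at -636,7 has the same duplicated test. The `// else delete if unused` comment could also mention the PHP-disabled case it now covers.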
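Review bot: In the apache2_plugin.inc.php hunk at -3820,7 the added `$parent_domain['php'] != 'no'` is read without the `isset()` guard that protects `php_fpm_chroot` in the same condition, so a parent record lacking a `php` key would raise an undefined-index notice and `null != 'no'` would evaluate true, keeping the jail. If the key can be absent, make the intended default explicit, for example `($parent_domain['php'] ?? 'no') != 'no'`, or add a comment stating that the record always carries it. The nginx_plugin.inc.php hunk at -3599,7 has the same unguarded read. The enclosing function starts outside the hunk, so how `$parent_domain` is loaded is not visible here.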