jk_init.ini.master

# jk_init.ini:  jailkit initialization config

# Includes paths to handle Debian 10/9,
# if other paths are needed please create an issue with the details:
# https://git.ispconfig.org/ispconfig/ispconfig3/-/issues

[uidbasics]
comment = common files for all jails that need user/group information
paths = /lib*/libnsl.so.*, /lib*/libnss*.so.*, /lib/*/libnsl.so.*, /lib/*/libnss*.so.*, /etc/nsswitch.conf, /etc/ld.so.conf

[netbasics]
comment = common files for all jails that need any internet connectivity
paths = /lib*/libnss_dns.so.*, /lib*/libnss_mdns*.so.*, /lib/*/libnss_dns.so.*, /lib/*/libnss_mdns*.so.*, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services, /etc/ssl/certs/, /usr/lib/ssl/certs

[logbasics]
comment = timezone information and log sockets
paths = /etc/localtime
need_logsocket = 1

[jk_lsh]
comment = Jailkit limited shell
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
includesections = uidbasics, logbasics

[limitedshell]
comment = alias for jk_lsh
includesections = jk_lsh

[openssl]
comment = Generic openssl files
paths =  /bin/openssl, /etc/ssl, /usr/lib/ssl, /usr/share/ca-certificates

[cvs]
comment = Concurrent Versions System
paths = cvs
devices = /dev/null

[git]
comment = Fast Version Control System
paths = /usr/bin/git*, /usr/lib/git-core, /usr/share/git-core, pager
includesections = editors, perl, netbasics, basicshell, coreutils

[scp]
comment = ssh secure copy
paths = scp
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null

[sftp]
comment = ssh secure ftp
paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null

[ssh]
comment = ssh secure shell
paths = ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty, /dev/null

[rsync]
paths = rsync
includesections = netbasics, uidbasics

[procmail]
comment = procmail mail delivery
paths = procmail, /bin/sh
devices = /dev/null

[basicshell]
comment = bash based shell with several basic utilities
paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8, uname, expr, xargs
users = root
groups = root
includesections = uidbasics

[interactiveshell]
comment = for ssh access to a full shell
includesections = uidbasics, basicshell, terminfo, editors, extendedshell

[midnightcommander]
comment = Midnight Commander
paths = mc, mcedit, mcview, /usr/share/mc
includesections = basicshell, terminfo

[extendedshell]
comment = bash shell including things like awk, bzip, tail, less
paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, less, md5sum, nice, sort, tac, tail, tr, sort, wc, watch, whoami
includesections = basicshell, midnightcommander, editors

[terminfo]
comment = terminfo databases, required for example for ncurses or vim
paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo

[editors]
comment = vim, joe and nano
includesections = terminfo
paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim

[netutils]
comment = several internet utilities like curl, wget, ftp, rsync, scp, ssh
paths = curl, wget, lynx, ftp, host, rsync, smbclient
includesections = netbasics, ssh, sftp, scp

[apacheutils]
comment = htpasswd utility
paths = htpasswd

[extshellplusnet]
comment = alias for extendedshell + netutils + apacheutils
includesections = extendedshell, netutils, apacheutils

[openvpn]
comment = jail for the openvpn daemon
paths = /usr/sbin/openvpn
users = root,nobody
groups = root,nogroup
devices = /dev/urandom, /dev/random, /dev/net/tun
includesections = netbasics, uidbasics
need_logsocket = 1

[apache]
comment = the apache webserver, very basic setup, probably too limited for you
paths = /usr/sbin/apache
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics

[perl]
comment = the perl interpreter and libraries
paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5

[xauth]
comment = getting X authentication to work
paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf

[xclients]
comment = minimal files for X clients
paths = /usr/X11R6/lib/X11/rgb.txt
includesections = xauth

[vncserver]
comment = the VNC server program
paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
includesections = xclients

[ping]
comment = Ping program
paths_w_setuid = /bin/ping

#[xterm]
#comment = xterm
#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4

# coreutils from:
# (echo -ne '\n[coreutils]\ncomment = non-sbin progs from coreutils\npaths = '; dpkg --listfiles coreutils | grep -E '^/bin/|/usr/bin/' | xargs -n1 -i@ echo -n "@, " | sed -e 's/, *$/\n/g' -e 's|/usr/bin/||g' -e 's|/bin/||g') >> /etc/jailkit/jk_init.ini

[coreutils]
comment = non-sbin progs from coreutils
paths = cat, chgrp, chmod, chown, cp, date, dd, df, dir, echo, false, ln, ls, mkdir, mknod, mktemp, mv, pwd, readlink, rm, rmdir, sleep, stty, sync, touch, true, uname, vdir, [, arch, b2sum, base32, base64, basename, chcon, cksum, comm, csplit, cut, dircolors, dirname, du, env, expand, expr, factor, fmt, fold, groups, head, hostid, id, install, join, link, logname, md5sum, mkfifo, nice, nl, nohup, nproc, numfmt, od, paste, pathchk, pinky, pr, printenv, printf, ptx, realpath, runcon, seq, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, shred, shuf, sort, split, stat, stdbuf, sum, tac, tail, tee, test, timeout, tr, truncate, tsort, tty, unexpand, uniq, unlink, users, wc, who, whoami, yes, md5sum.textutils

[wp]
comment = WordPress Command Line
paths = wp, which, mysqlcheck, tput, unrar, /usr/local/bin/php
includesections = php, mysql-client

[mysql-client]
comment = mysql client
paths = mysql, mysqldump, mysqlshow, /usr/lib/libmysqlclient.so, /usr/lib/i386-linux-gnu/libmariadb.so.3, /usr/lib/i386-linux-gnu/mariadb19, /usr/lib/x86_64-linux-gnu/libmariadb.so.3, /usr/lib/x86_64-linux-gnu/mariadb19, /usr/lib/arm-linux-gnueabihf/libmariadb.so.3, /usr/lib/arm-linux-gnueabihf/mariadb19, /usr/lib/aarch64-linux-gnu/libmariadb.so.3, /usr/lib/aarch64-linux-gnu/mariadb19
includesections = netbasics

[composer]
comment = composer
paths = composer, /usr/local/bin/composer, /usr/share/doc/composer
includesections = php, uidbasics, netbasics

[node]
comment = NodeJS
paths = npm, npx, node, nodejs, semver, /usr/lib/nodejs, /usr/share/nodejs, /usr/share/npm, /usr/share/node-mime, /usr/lib/node_modules, /usr/local/lib/nodejs, /usr/local/lib/node_modules, /etc/npmrc, /etc/npmignore, elmi-to-json, /usr/local/bin/elmi-to-json

[env]
comment = /usr/bin/env for environment variables
paths = env

# Debian 10 default php version is 7.3 (Debian 9 is 7.0)
# Todo: set default version in ISPConfig installer,
# but install the php cli version matching the website
[php]
comment = default php version and libraries
paths = /usr/bin/php
includesections = php_common, php7_3

[php_common]
comment = common php directories and libraries
# notice:  potential information leak
#  do not add all of /etc/php/ or any of the fpm directories
#  or the php config (which includes custom php snippets) from *all*
#  sites which use fpm will be copied to *every* jailkit
paths = /usr/bin/php, /usr/lib/php/, /usr/share/php/, /usr/share/zoneinfo/
includesections = env, logbasics, netbasics

[php5_6]
comment = php version 5.6
paths = /usr/bin/php5.6, /usr/lib/php/5.6/, /usr/lib/php/20131226/, /usr/share/php/5.6/, /etc/php/5.6/cli/, /etc/php/5.6/mods-available/
includesections = php_common

[php7_0]
comment = php version 7.0
paths = /usr/bin/php7.0, /usr/lib/php/7.0/, /usr/lib/php/20151012/, /usr/share/php/7.0/, /etc/php/7.0/cli/, /etc/php/7.0/mods-available/
includesections = php_common

[php7_1]
comment = php version 7.1
paths = /usr/bin/php7.1, /usr/lib/php/7.1/, /usr/lib/php/20160303/, /usr/share/php/7.1/, /etc/php/7.1/cli/, /etc/php/7.1/mods-available/
includesections = php_common

[php7_2]
comment = php version 7.2
paths = /usr/bin/php7.2, /usr/lib/php/7.2/, /usr/lib/php/20170718/, /usr/share/php/7.2/, /etc/php/7.2/cli/, /etc/php/7.2/mods-available/
includesections = php_common

[php7_3]
comment = php version 7.3
paths = /usr/bin/php7.3, /usr/lib/php/7.3/, /usr/lib/php/20180731/, /usr/share/php/7.3/, /etc/php/7.3/cli/, /etc/php/7.3/mods-available/
includesections = php_common

[php7_4]
comment = php version 7.4
paths = /usr/bin/php7.4, /usr/lib/php/7.4/, /usr/lib/php/20190902/, /usr/share/php/7.4/, /etc/php/7.4/cli/, /etc/php/7.4/mods-available/
includesections = php_common

[php8_0]
comment = php version 8.0
paths = /usr/bin/php8.0, /usr/lib/php/8.0/, /usr/lib/php/20200930/, /usr/share/php/8.0/, /etc/php/8.0/cli/, /etc/php/8.0/mods-available/
includesections = php_common

[php8_1]
comment = php version 8.1
paths = /usr/bin/php8.1, /usr/lib/php/8.1/, /usr/lib/php/20210902/, /usr/share/php/8.1/, /etc/php/8.1/cli/, /etc/php/8.1/mods-available/
includesections = php_common

[php8_2]
comment = php version 8.2
paths = /usr/bin/php8.2, /usr/lib/php/8.2/, /usr/lib/php/20220829/, /usr/share/php/8.2/, /etc/php/8.2/cli/, /etc/php/8.2/mods-available/
includesections = php_common

[php8_3]
comment = php version 8.3
paths = /usr/bin/php8.3, /usr/lib/php/8.3/, /usr/lib/php/20230831/, /usr/share/php/8.3/, /etc/php/8.3/cli/, /etc/php/8.3/mods-available/
includesections = php_common

[php8_4]
comment = php version 8.4
paths = /usr/bin/php8.4, /usr/lib/php/8.4/, /usr/lib/php/20240841/, /usr/share/php/8.4/, /etc/php/8.4/cli/, /etc/php/8.4/mods-available/
includesections = php_common

[imagemagick]
comment = ImageMagick needed for php-imagemagick extension
paths = /usr/share/ImageMagick-*, /etc/ImageMagick-*, /usr/lib/*/ImageMagick-*