Commit 61d290c1 authored by daniel's avatar daniel
Browse files

Modified install / update to copy over jailkit configs

Included jailkit config templates
Added bash.bashrc and motd templates to copy over for for chroot system
Updated ispconfig vhost to include php fastcgi configs if fastcgi is enabled. What if the module is loaded too ?
TODO: jailkit chroot is still not loading the modified motd in /etc/motd and /var/run/motd ??
parent a014c2c4
......@@ -76,4 +76,9 @@ $conf['pureftpd']['init_script'] = 'pure-ftpd-mysql';
$conf['mydns']['config_dir'] = '/etc';
$conf['mydns']['init_script'] = 'mydns';
//* Jailkit
$conf['jailkit']['config_dir'] = '/etc/jailkit';
$conf['jailkit']['jk_init'] = 'jk_init.ini';
$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
?>
\ No newline at end of file
......@@ -62,4 +62,9 @@ $dist['pureftpd']['init_script'] = 'pure-ftpd';
$dist['mydns']['config_dir'] = '/etc';
$dist['mydns']['init_script'] = 'mydns';
//* Jailkit
$conf['jailkit']['config_dir'] = '/etc/jailkit';
$conf['jailkit']['jk_init'] = 'jk_init.ini';
$conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
?>
\ No newline at end of file
......@@ -134,6 +134,10 @@ if($install_mode == 'Standard') {
//* Configure postfix
$inst->configure_postfix();
//* Configure postfix
swriteln('Configuring Jailkit');
$inst->configure_jailkit();
//* Configure saslauthd
swriteln('Configuring SASL');
......
......@@ -183,7 +183,24 @@ class installer_base {
wf($full_file_name, $content);
}
public function configure_jailkit()
{
$cf = $this->conf['jailkit'];
$config_dir = $cf['config_dir'];
$jk_init = $cf['jk_init'];
$jk_chrootsh = $cf['jk_chrootsh'];
if (!is_dir($config_dir))
{
copy($config_dir.'/'.$jk_init, $config_dir.'/'.$jk_init.'~');
copy($config_dir.'/'.$jk_chrootsh.".master", $config_dir.'/'.$jk_chrootsh.'~');
copy('tpl/'.$jk_init.".master", $config_dir.'/'.$jk_init);
copy('tpl/'.$jk_chrootsh.".master", $config_dir.'/'.$jk_chrootsh);
}
}
public function configure_postfix($options = '')
{
$cf = $this->conf['postfix'];
......
## example for a user
#[test]
#env= DISPLAY, XAUTHORITY
#
##example for a group, there should be only 1 space inbetween the words!
#[group users]
#env = DISPLAY, XAUTHORITY
#
[DEFAULT]
#relax_home_group=1
skip_injail_passwd_check=1
injail_shell=/bin/bash
env = TERM, PATH
[uidbasics]
# this section probably needs adjustment on 64bit systems
# or non-Linux systems
comment = common files for all jails that need user/group information
libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2
regularfiles = /etc/nsswitch.conf /etc/ld.so.conf
[netbasics]
comment = common files for all jails that need any internet connectivity
libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2
regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
[logbasics]
comment = timezone information
regularfiles = /etc/localtime
need_logsocket = 1
[jk_lsh]
comment = Jailkit limited shell
executables = /usr/sbin/jk_lsh
regularfiles = /etc/jailkit/jk_lsh.ini
users = root
groups = root
need_logsocket = 1
includesections = uidbasics
[limitedshell]
comment = alias for jk_lsh
includesections = jk_lsh
[cvs]
comment = Concurrent Versions System
executables = /usr/bin/cvs
devices = /dev/null
[git]
comment = Fast Version Control System
executables = /usr/bin/git*
directories = /usr/share/git-core
includesections = editors
[scp]
comment = ssh secure copy
executables = /usr/bin/scp
includesections = netbasics, uidbasics
devices = /dev/urandom
[sftp]
comment = ssh secure ftp
executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
[ssh]
comment = ssh secure shell
executables = /usr/bin/ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty
[rsync]
executables = /usr/bin/rsync
includesections = netbasics, uidbasics
[procmail]
comment = procmail mail delivery
executables = /usr/bin/procmail, /bin/sh
devices = /dev/null
[basicshell]
comment = bash based shell with several basic utilities
executables = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat
regularfiles = /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile
directories = /usr/lib/locale/en_US.utf8
users = root
groups = root
includesections = uidbasics
[midnightcommander]
comment = Midnight Commander
executables = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview
directories = /etc/terminfo, /usr/share/terminfo, /usr/share/mc
includesections = basicshell
[extendedshell]
comment = bash shell including things like awk, bzip, tail, less
executables = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usb/bin/whoami
includesections = basicshell, midnightcommander, editors
[editors]
comment = vim, joe and nano
executables = /usb/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /usr/bin/pico
regularfiles = /etc/vimrc
directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /lib/terminfo
[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
includesections = netbasics, ssh, sftp, scp
[apacheutils]
comment = htpasswd utility
executables = /usr/bin/htpasswd
[extshellplusnet]
comment = alias for extendedshell + netutils + apacheutils
includesections = extendedshell, netutils, apacheutils
[openvpn]
comment = jail for the openvpn daemon
executables = /usr/sbin/openvpn
users = root,nobody
groups = root,nogroup
includesections = netbasics
devices = /dev/urandom, /dev/random, /dev/net/tun
includesections = netbasics, uidbasics
need_logsocket = 1
[apache]
comment = the apache webserver, very basic setup, probably too limited for you
executables = /usr/sbin/apache
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics
[perl]
comment = the perl interpreter and libraries
executables = /usr/bin/perl
directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
[xauth]
comment = getting X authentication to work
executables = /usr/bin/X11/xauth
regularfiles = /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
[xclients]
comment = minimal files for X clients
regularfiles = /usr/X11R6/lib/X11/rgb.txt
includesections = xauth
[vncserver]
comment = the VNC server program
executables = /usr/bin/Xvnc, /usr/bin/Xrealvnc
directories = /usr/X11R6/lib/X11/fonts/
includesections = xclients
#[xterm]
#comment = xterm
#executables = /usr/bin/X11/xterm
#directories = /usr/share/terminfo, /etc/terminfo
#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
......@@ -134,7 +134,11 @@ $reconfigure_services_answer = $inst->simple_query('Reconfigure Services?', arra
if($reconfigure_services_answer == 'yes') {
//** Configure postfix
$inst->configure_postfix('dont-create-certs');
//* Configure postfix
swriteln('Configuring Jailkit');
$inst->configure_jailkit();
//** Configure saslauthd
swriteln('Configuring SASL');
$inst->configure_saslauthd();
......
#!/bin/sh
PHPRC="/etc/php5/cgi/"
export PHPRC
PHP_DOCUMENT_ROOT="/usr/local/ispconfig/interface/web/"
export PHP_DOCUMENT_ROOT
PHP_FCGI_CHILDREN=8
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_MAX_REQUESTS
exec /usr/bin/php-cgi $1
<tmpl_if name='jailkit_chroot'>
## Hack for Jailkit User to change back to the logged in user ##
if [ "$LOGNAME" != $USER ]; then
export HOME=<tmpl_var name='home_dir'>$LOGNAME
export USER=$LOGNAME
export USERNAME=$LOGNAME
cd $HOME
fi
## Change machine hostname to site domain ##
export HOSTNAME=<tmpl_var name='domain'>
</tmpl_if>
# If not running interactively, don't do anything
[ -z "$PS1" ] && return
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color)
PS1='\[\033[01;32m\]$USER@$HOSTNAME\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
;;
*)
PS1='\$USER@$HOSTNAME:\w\$ '
;;
esac
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"'
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ "$TERM" != "dumb" ]; then
eval "`dircolors -b`"
alias ls='ls --color=auto'
#alias dir='ls --color=auto --format=vertical'
#alias vdir='ls --color=auto --format=long'
fi
# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
Welcome To Site <tmpl_var name='domain'>
......@@ -385,10 +385,12 @@ class apache2_plugin {
$fastcgi_config = $app->getconf->get_server_config($conf["server_id"], 'fastcgi');
$fastcgi_starter_path = str_replace("[system_user]",$data["new"]["system_user"],$fastcgi_config["fastcgi_starter_path"]);
$fastcgi_starter_path = str_replace("[client_id]",$client_id,$fastcgi_starter_path);
if (!is_dir($fastcgi_starter_path))
{
exec("mkdir -p $fastcgi_starter_path");
exec("chown ".$data["new"]["system_user"].":".$data["new"]["system_group"]." $fastcgi_starter_path");
exec("mkdir -p ".escapeshellcmd($fastcgi_starter_path));
exec("chown ".$data["new"]["system_user"].":".$data["new"]["system_group"]." ".escapeshellcmd($fastcgi_starter_path));
$app->log("Creating fastcgi starter script directory: $fastcgi_starter_path",LOGLEVEL_DEBUG);
......@@ -403,7 +405,7 @@ class apache2_plugin {
$fcgi_tpl->setVar('php_fcgi_max_requests',$fastcgi_config["fastcgi_max_requests"]);
$fcgi_tpl->setVar('php_fcgi_bin',$fastcgi_config["fastcgi_bin"]);
$fcgi_starter_script = escapeshellcmd($fastcgi_starter_path."/".$fastcgi_config["fastcgi_starter_script"]);
$fcgi_starter_script = escapeshellcmd($fastcgi_starter_path.$fastcgi_config["fastcgi_starter_script"]);
file_put_contents($fcgi_starter_script,$fcgi_tpl->grab());
unset($fcgi_tpl);
......
......@@ -100,6 +100,9 @@ class shelluser_jailkit_plugin {
}
//* This function is called, when a shell user is deleted in the database
/**
* TODO: Remove chroot user home and from the chroot passwd file
*/
function delete($event_name,$data) {
global $app, $conf;
......@@ -110,7 +113,8 @@ class shelluser_jailkit_plugin {
$jailkit_chroot_userhome = $this->_get_home_dir($data['old']['username']);
exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);
//commented out proved to be dangerous on config errors
//exec('rm -rf '.$data['old']['dir'].$jailkit_chroot_userhome);
$app->log("Jalikit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG);
......@@ -135,6 +139,36 @@ class shelluser_jailkit_plugin {
$this->_add_jailkit_programs();
//add bash.bashrc script
//we need to collect the domain name to be used as the HOSTNAME in the bashrc script
$web = $this->app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".intval($this->data['new']["parent_domain_id"]));
$this->app->load('tpl');
$tpl = new tpl();
$tpl->newTemplate("bash.bashrc.master");
$tpl->setVar('jailkit_chroot',true);
$tpl->setVar('domain',$web['domain']);
$tpl->setVar('home_dir',$this->_get_home_dir(""));
$bashrc = escapeshellcmd($this->data['new']['dir']).'/etc/bash.bashrc';
exec('rm '.$bashrc);
file_put_contents($bashrc,$tpl->grab());
unset($tpl);
$this->app->log("Added bashrc scrpt : ".$bashrc,LOGLEVEL_DEBUG);
$tpl = new tpl();
$tpl->newTemplate("motd.master");
$tpl->setVar('domain',$web['domain']);
$motd = escapeshellcmd($this->data['new']['dir']).'/var/run/motd';
exec('rm '.$motd);
file_put_contents($motd,$tpl->grab());
}
}
......@@ -174,15 +208,16 @@ class shelluser_jailkit_plugin {
$this->app->log("Added jailkit user to chroot with command: ".$command,LOGLEVEL_DEBUG);
exec("mkdir -p ".$this->data['new']['dir'].$jailkit_chroot_userhome);
exec("chown ".$this->data['new']['username'].":".$this->data['new']['pgroup']." ".$this->data['new']['dir'].$jailkit_chroot_userhome);
exec("mkdir -p ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome));
exec("chown ".$this->data['new']['username'].":".$this->data['new']['pgroup']." ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome));
$this->app->log("Added created jailkit user home in : ".$this->data['new']['dir'].$jailkit_chroot_userhome,LOGLEVEL_DEBUG);
exec("mkdir -p ".$this->data['new']['dir'].$jailkit_chroot_puserhome);
exec("chown ".$this->data['new']['puser'].":".$this->data['new']['pgroup']." ".$this->data['new']['dir'].$jailkit_chroot_puserhome);
exec("mkdir -p ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome));
exec("chown ".$this->data['new']['puser'].":".$this->data['new']['pgroup']." ".escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome));
$this->app->log("Added created jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome,LOGLEVEL_DEBUG);
}
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment