Hallo,

Update for Jailkit to 2.21:

https://olivier.sessink.nl/jailkit/

OK? Comments?

Cheers.-

-- 

                - gonzalo
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/jailkit/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- Makefile    12 Jul 2019 20:49:03 -0000      1.15
+++ Makefile    15 Jan 2020 16:33:38 -0000
@@ -2,7 +2,7 @@
 
 COMMENT=               utilities for jailing a user or process
 
-DISTNAME=              jailkit-2.19
+DISTNAME=              jailkit-2.21
 CATEGORIES=            security sysutils
 
 HOMEPAGE=              http://olivier.sessink.nl/jailkit/
@@ -13,6 +13,8 @@ MASTER_SITES=         http://olivier.sessink.nl
 PERMIT_PACKAGE=        Yes
 
 MODULES=               lang/python
+MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3}
+
 WANTLIB += c pthread
 
 NO_TEST=               Yes
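Review bot: The added `MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3}` line breaks the `NAME=` plus aligned-value layout that every other assignment in this Makefile uses; `MODPY_VERSION=         ${MODPY_DEFAULT_VERSION_3}` would match its neighbours. Separately, HOMEPAGE (context line above) and MASTER_SITES (visible in the hunk header) still use http://, although the announcement links the same site over https. The SHA256 in distinfo pins the tarball contents, but if the host serves the distfile over https, switching both URLs would also protect the fetch itself.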
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/jailkit/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- distinfo    20 Dec 2015 15:43:46 -0000      1.8
+++ distinfo    15 Jan 2020 16:33:38 -0000
@@ -1,2 +1,2 @@
-SHA256 (jailkit-2.19.tar.gz) = /ZYS3Vf0o5q/zeZHxCBhbFyjf1mCuMB6j7XLNSSU/Ig=
-SIZE (jailkit-2.19.tar.gz) = 142280
+SHA256 (jailkit-2.21.tar.gz) = egIOB635OGDFOPDZgZauoz1GG6vbqLs+3fcIHleinBQ=
+SIZE (jailkit-2.21.tar.gz) = 141341
Index: patches/patch-Makefile_in
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-Makefile_in,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-Makefile_in
--- patches/patch-Makefile_in   20 Sep 2010 07:15:30 -0000      1.1.1.1
+++ patches/patch-Makefile_in   15 Jan 2020 16:33:38 -0000
@@ -2,24 +2,25 @@ $OpenBSD: patch-Makefile_in,v 1.1.1.1 20
 
 We do not want the packge to manipulate our /etc/shells, use @shell in PLIST
 
---- Makefile.in.orig   Sat Sep 11 15:45:26 2010
-+++ Makefile.in        Mon Sep 13 08:01:37 2010
+Index: Makefile.in
+--- Makefile.in.orig
++++ Makefile.in
 @@ -69,12 +69,12 @@ install:
        @cd man/ && $(MAKE) install
        # test if the jk_chrootsh is already in /etc/shells
        # this previously had @echo but that fails on FreeBSD
--      if test -w /etc/shells; then \
--              if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
--                      echo "appending ${prefix}/sbin/jk_chroots to 
/etc/shells";\
--                      echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
--              fi \
--      fi
-+      #if test -w /etc/shells; then \
-+      #       if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
-+      #               echo "appending ${prefix}/sbin/jk_chroots to 
/etc/shells";\
-+      #               echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
-+      #       fi \
-+      #fi
+-      #if test -w /etc/shells; then \
+-      #       if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
+-      #               echo "appending ${prefix}/sbin/jk_chroots to 
/etc/shells";\
+-      #               echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
+-      #       fi \
+-      #fi
++      if test -w /etc/shells; then \
++              if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
++                      echo "appending ${prefix}/sbin/jk_chroots to 
/etc/shells";\
++                      echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
++              fi \
++      fi
  
  
  uninstall:
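Review bot: The regenerated inner patch is inverted: the commented-out block is now on its `-` side and the live `echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\` block is on its `+` side, so the `install` recipe (which starts outside this hunk) would edit /etc/shells again. That contradicts the patch's own header, which says the package must not manipulate /etc/shells and that @shell in PLIST is used instead. Against a pristine 2.21 Makefile.in this patch would presumably fail to apply, which suggests it was regenerated with the `.orig` files holding the already-patched tree. Regenerate from a clean extract so that the `+` side again starts with `#if test -w /etc/shells; then \`. The same inversion shows in patch-man_Makefile_in (`+MANS = $(SRCS:.8=.8.gz)`) and in every patch-man_*_8 hunk below, where the `${SYSCONFDIR}`, `${PREFIX}` and `${LOCALBASE}` substitutions have moved to the `-` side.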
Index: patches/patch-ini_jk_init_ini
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-ini_jk_init_ini,v
retrieving revision 1.3
diff -u -p -r1.3 patch-ini_jk_init_ini
--- patches/patch-ini_jk_init_ini       26 Mar 2014 17:38:27 -0000      1.3
+++ patches/patch-ini_jk_init_ini       15 Jan 2020 16:33:38 -0000
@@ -2,13 +2,14 @@ $OpenBSD: patch-ini_jk_init_ini,v 1.3 20
 
 fix some default paths in the jail creation configuration file
 
---- ini/jk_init.ini.orig       Mon Dec 23 06:02:42 2013
-+++ ini/jk_init.ini    Wed Dec 25 16:04:26 2013
+Index: ini/jk_init.ini
+--- ini/jk_init.ini.orig
++++ ini/jk_init.ini
 @@ -2,18 +2,18 @@
  # this section probably needs adjustment on 64bit systems
  # or non-Linux systems
  comment = common files for all jails that need user/group information
--paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, 
/lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, 
/lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, 
/lib/x86_64-linux-gnu/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf
+-paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, 
/lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, 
/lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, 
/lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, 
/lib/arm-linux-gnueabihf/libnsl*.so.1, /etc/nsswitch.conf, /etc/ld.so.conf
 +paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, 
/lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, 
/lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, 
/lib/x86_64-linux-gnu/libnss*.so.2, ${SYSCONFDIR}/nsswitch.conf, 
${SYSCONFDIR}/ld.so.conf
  # Solaris needs 
 -# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, 
/etc/nsswitch.conf
@@ -16,7 +17,7 @@ fix some default paths in the jail creat
  
  [netbasics]
  comment = common files for all jails that need any internet connectivity
--paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf, 
/etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
+-paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/libnss_mdns*.so.2, 
/etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
 +paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, 
${SYSCONFDIR}/resolv.conf, ${SYSCONFDIR}/host.conf, ${SYSCONFDIR}/hosts, 
${SYSCONFDIR}/protocols, ${SYSCONFDIR}/services
  # on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure
  
@@ -27,89 +28,3 @@ fix some default paths in the jail creat
  need_logsocket = 1
  # Solaris does not need logsocket
  # but needs 
-@@ -21,7 +21,7 @@ need_logsocket = 1
- 
- [jk_lsh]
- comment = Jailkit limited shell
--paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
-+paths = ${TRUEPREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini
- users = root
- groups = root
- includesections = uidbasics, logbasics
-@@ -71,14 +71,14 @@ devices = /dev/null
- 
- [basicshell]
- comment = bash based shell with several basic utilities
--paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, 
egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, 
rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, 
/etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, 
/usr/lib/locale/en_US.utf8
-+paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, 
egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, 
rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, 
${SYSCONFDIR}/motd, ${SYSCONFDIR}/issue, ${SYSCONFDIR}/bash.bashrc, 
${SYSCONFDIR}/bashrc, ${SYSCONFDIR}/profile, /usr/lib/locale/en_US.utf8
- users = root
- groups = root
- includesections = uidbasics
- 
- [midnightcommander]
- comment = Midnight Commander
--paths = mc, mcedit, mcview, /usr/share/mc
-+paths = mc, mcedit, mcview, ${LOCALBASE}/share/mc
- includesections = basicshell, terminfo
- 
- [extendedshell]
-@@ -88,12 +88,12 @@ includesections = basicshell, midnightcommander, edito
- 
- [terminfo]
- comment = terminfo databases, required for example for ncurses or vim 
--paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo
-+paths = ${SYSCONFDIR}/terminfo, /usr/share/terminfo, /lib/terminfo
- 
- [editors]
- comment = vim, joe and nano
- includesections = terminfo
--paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim
-+paths = joe, nano, vi, vim, ${SYSCONFDIR}/vimrc, ${SYSCONFDIR}/joe, 
/usr/share/vim
- 
- [netutils]
- comment = several internet utilities like wget, ftp, rsync, scp, ssh
-@@ -110,7 +110,7 @@ includesections = extendedshell, netutils, apacheutils
- 
- [openvpn]
- comment = jail for the openvpn daemon
--paths = /usr/sbin/openvpn
-+paths = ${LOCALBASE}/sbin/openvpn
- users = root,nobody
- groups = root,nogroup
- includesections = netbasics
-@@ -120,7 +120,7 @@ need_logsocket = 1
- 
- [apache]
- comment = the apache webserver, very basic setup, probably too limited for you
--paths = /usr/sbin/apache
-+paths = ${TRUEPREFIX}/apache
- users = root, www-data
- groups = root, www-data
- includesections = netbasics, uidbasics
-@@ -131,16 +131,16 @@ paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/shar
- 
- [xauth]
- comment = getting X authentication to work
--paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
-+paths = ${X11BASE}/bin/xauth, ${X11BASE}/lib/X11/rgb.txt
- 
- [xclients]
- comment = minimal files for X clients
--paths = /usr/X11R6/lib/X11/rgb.txt
-+paths = ${X11BASE}/lib/X11/rgb.txt
- includesections = xauth
- 
- [vncserver]
- comment = the VNC server program
--paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
-+paths = Xvnc, Xrealvnc, ${X11BASE}/lib/X11/fonts/
- includesections = xclients
- 
- [ping]
-@@ -149,5 +149,5 @@ paths_w_setuid = /bin/ping
- 
- #[xterm]
- #comment = xterm
--#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
-+#paths = ${X11BASE}/bin/xterm, /usr/share/terminfo, ${SYSCONFDIR}/terminfo
- #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, 
/dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
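Review bot: The path substitutions for `[jk_lsh]`, `[basicshell]`, `[midnightcommander]`, `[terminfo]`, `[editors]`, `[openvpn]`, `[apache]`, `[xauth]`, `[xclients]`, `[vncserver]` and `#[xterm]` are lost here, because the regenerated patch now ends after `[netbasics]`. jk_init.ini would therefore keep upstream defaults such as `paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini` instead of `paths = ${TRUEPREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini`. Nothing in the diff says these are no longer needed, so this looks like inner hunks that failed to apply against 2.21 and were dropped during regeneration rather than a deliberate change. A jail built from a section pointing at a path that is absent on the host would presumably lack that binary or config file, so these hunks should be re-created against the 2.21 jk_init.ini.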
Index: patches/patch-man_Makefile_in
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_Makefile_in,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_Makefile_in
--- patches/patch-man_Makefile_in       20 Sep 2010 07:15:30 -0000      1.1.1.1
+++ patches/patch-man_Makefile_in       15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_Makefile_in,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $
---- man/Makefile.in.orig       Mon Oct 20 00:03:54 2008
-+++ man/Makefile.in    Mon Oct 20 00:05:31 2008
-@@ -21,7 +21,7 @@ SRCS = \
+Index: man/Makefile.in
+--- man/Makefile.in.orig
++++ man/Makefile.in
+@@ -20,7 +20,7 @@ SRCS = \
  
  @HAVEPROCMAIL_TRUE@SRCS += jk_procmailwrapper.8
  
--MANS = $(SRCS:.8=.8.gz)
-+MANS = $(SRCS)
+-MANS = $(SRCS)
++MANS = $(SRCS:.8=.8.gz)
  
  #%.8.gz : %.8
  #     gzip -9 > $@ < $<
Index: patches/patch-man_jailkit_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jailkit_8,v
retrieving revision 1.2
diff -u -p -r1.2 patch-man_jailkit_8
--- patches/patch-man_jailkit_8 26 Mar 2014 17:38:27 -0000      1.2
+++ patches/patch-man_jailkit_8 15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jailkit_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $
---- man/jailkit.8.orig Sat Dec 21 18:05:22 2013
-+++ man/jailkit.8      Wed Dec 25 16:01:05 2013
+Index: man/jailkit.8
+--- man/jailkit.8.orig
++++ man/jailkit.8
 @@ -36,7 +36,7 @@ This section gives summary sketches of the various pro
  
  .BR jk_init
  can be used to quickly create a jail with several files or directories needed 
for a specific task or profile. Creating the same jail over and over again is 
easily automated with jk_init. There are many tasks in
--.I /etc/jailkit/jk_init.ini
-+.I ${SYSCONFDIR}/jailkit/jk_init.ini
+-.I ${SYSCONFDIR}/jailkit/jk_init.ini
++.I /etc/jailkit/jk_init.ini
  predefined that work on Debian or Ubuntu systems. For other platforms you 
might need to update the predefined configuration. For example, you can use 
jk_init to quickly set up a limited shell, a jail to run apache, or a jail for 
just sftp and scp. It will copy the binaries, the required libraries (and 
related symlinks) as well as other files such as /etc/passwd. These are all 
copied into the jail directory so that a jailed process can run them.
  
  .BR jk_cp
@@ -14,18 +15,18 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014
  
  .BR jk_lsh
  is a limited shell that allows only those commands to be executed as 
specified in its configuration file.
--.I /etc/jailkit/jk_lsh.ini.
-+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini.
+-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini.
++.I /etc/jailkit/jk_lsh.ini.
  It is typically started in one of two ways, by specifying it as the user's 
shell or by using the jk_chrootsh program. The first way is implemented by 
specifying jk_lsh as the shell in the user's entry in the 'real'
  .I /etc/passwd
  file. In this case, it executes in the normal file system and reads its 
configuration from
--.I /etc/jailkit/jk_lsh.ini.
-+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini.
+-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini.
++.I /etc/jailkit/jk_lsh.ini.
  In the second way, jk_lsh is started from within jk_chrootsh by specifying it 
as the shell in the passwd file located inside the JAIL directory:
  .I JAIL/etc/passwd,
  in which case it reads its configuration from within the JAIL:
--.I JAIL/etc/jailkit/jk_lsh.ini.
-+.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini.
+-.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini.
++.I JAIL/etc/jailkit/jk_lsh.ini.
  The latter is the recommended approach for highest security.
  Use this program if you want to deny regular shell access (e.g. logins) but 
you want to allow execution of only one or a few commands such sftp, scp, 
rsync, or cvs.
  
@@ -33,14 +34,14 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014
  is a utility to give regular users access to the
  .BR chroot(2)
  (change root) system call in a safe way. Which users are allowed in which 
jails is controlled from
--.I /etc/jailkit/jk_uchroot.ini
-+.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini
+-.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini
++.I /etc/jailkit/jk_uchroot.ini
  Use this utility for users that can run processes both inside a jail and 
outside a jail.
  
  .BR jk_socketd
  is a daemon that allows logging safely to syslog from within a jail. It 
limits the logging rate based on parameters set in its configuration file:
--.I /etc/jailkit/jk_socketd.ini
-+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
+-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
++.I /etc/jailkit/jk_socketd.ini
  
  .BR jk_chrootlaunch
  is a utility to start a daemon that cannot do a
@@ -48,20 +49,20 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014
  
  .BR jk_check
  is a jail integrity checker. It checks a jail for some of the potential 
security problems. (Obviously it does not check all possible weaknesses.) It 
reports any setuid and setgid programs, checks for any modified programs, 
checks for world writable directories, and more. It is configured by
--.I /etc/jailkit/jk_check.ini
-+.I ${SYSCONFDIR}/jailkit/jk_check.ini
+-.I ${SYSCONFDIR}/jailkit/jk_check.ini
++.I /etc/jailkit/jk_check.ini
  .
  
  .BR jk_list
-@@ -127,9 +127,9 @@ tail /var/log/daemon.log /var/log/auth.log
+@@ -129,9 +129,9 @@ journalctl --since=-1h
  .SH FILES
  
  The jailkit configuration files are located in
--.I /etc/jailkit/
-+.I ${SYSCONFDIR}/jailkit/
+-.I ${SYSCONFDIR}/jailkit/
++.I /etc/jailkit/
  Note that in some cases the configuration files must be replicated into the 
JAIL/etc/jailkit directory and edited appropriately. A jk program that is run 
within the jail directory is able to read its configuration from only the jailed
--.I etc/jailkit
-+.I ${SYSCONFDIR}/jailkit
+-.I ${SYSCONFDIR}/jailkit
++.I etc/jailkit
  directory.
  
  .SH "SEE ALSO"
Index: patches/patch-man_jk_check_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_check_8,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_jk_check_8
--- patches/patch-man_jk_check_8        20 Sep 2010 07:15:30 -0000      1.1.1.1
+++ patches/patch-man_jk_check_8        15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jk_check_8,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $
---- man/jk_check.8.orig        Tue Oct 28 12:13:02 2008
-+++ man/jk_check.8     Tue Oct 28 12:13:32 2008
+Index: man/jk_check.8
+--- man/jk_check.8.orig
++++ man/jk_check.8
 @@ -22,7 +22,7 @@ jk_check will run several tests on all files and direc
  -test for matching user information in the jail and on the real system
  
  It will test directories based on the config file
--.I /etc/jailkit/jk_check.ini
-+.I ${SYSCONFDIR}/jailkit/jk_check.ini
+-.I ${SYSCONFDIR}/jailkit/jk_check.ini
++.I /etc/jailkit/jk_check.ini
  but also based on jail patterns (dir/./dir) found in the home directories in 
  .I /etc/passwd
  
@@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_check_8,v 1.1.1.1
  The help screen
  
  .SH FILES
--.I /etc/jailkit/jk_check.ini
-+.I ${SYSCONFDIR}/jailkit/jk_check.ini
+-.I ${SYSCONFDIR}/jailkit/jk_check.ini
++.I /etc/jailkit/jk_check.ini
  
  .SH "SEE ALSO"
  .BR jailkit(8)
Index: patches/patch-man_jk_chrootlaunch_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_chrootlaunch_8,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_jk_chrootlaunch_8
--- patches/patch-man_jk_chrootlaunch_8 20 Sep 2010 07:15:30 -0000      1.1.1.1
+++ patches/patch-man_jk_chrootlaunch_8 15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jk_chrootlaunch_8,v 1.1.1.1 2010/09/20 07:15:30 sebastia 
Exp $
---- man/jk_chrootlaunch.8.orig Tue Oct 28 12:13:39 2008
-+++ man/jk_chrootlaunch.8      Tue Oct 28 12:35:22 2008
+Index: man/jk_chrootlaunch.8
+--- man/jk_chrootlaunch.8.orig
++++ man/jk_chrootlaunch.8
 @@ -59,7 +59,7 @@ Suppose you want to start Apache inside a jail. Apache
  
  First we create the jail using 
  .BR jk_init(8).
--The apachectl program is a shell script, it also needs /bin/sh and 
/usr/bin/kill. We also have to copy these into the jail using 
-+The apachectl program is a shell script, it also needs /bin/sh and /bin/kill. 
We also have to copy these into the jail using 
+-The apachectl program is a shell script, it also needs /bin/sh and /bin/kill. 
We also have to copy these into the jail using 
++The apachectl program is a shell script, it also needs /bin/sh and 
/usr/bin/kill. We also have to copy these into the jail using 
  .BR jk_cp(8).
  Apache also needs its modules from /usr/lib/apache, copy those as well. Then 
we can start Apache:
  
Index: patches/patch-man_jk_chrootsh_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_chrootsh_8,v
retrieving revision 1.2
diff -u -p -r1.2 patch-man_jk_chrootsh_8
--- patches/patch-man_jk_chrootsh_8     16 Nov 2015 13:43:40 -0000      1.2
+++ patches/patch-man_jk_chrootsh_8     15 Jan 2020 16:33:38 -0000
@@ -1,19 +1,20 @@
 $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 2015/11/16 13:43:40 ajacoutot Exp $
---- man/jk_chrootsh.8.orig     Wed Nov  4 22:14:40 2015
-+++ man/jk_chrootsh.8  Mon Nov 16 14:41:41 2015
+Index: man/jk_chrootsh.8
+--- man/jk_chrootsh.8.orig
++++ man/jk_chrootsh.8
 @@ -11,13 +11,13 @@ jk_chrootsh \- a shell that will put the user inside a
  
  jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or your 
ldap store). That user will be put into a changed root. The directory where to 
put the user in is read from the users home directory, the last occurring /./ 
sequence is used to mark the location of the changed root. An example line in 
/etc/passwd would look like
  
--test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh
-+test:x:10000:10000::/home/testchroot/./home/test:${PREFIX}/sbin/jk_chrootsh
+-test:x:10000:10000::/home/testchroot/./home/test:${PREFIX}/sbin/jk_chrootsh
++test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh
  
  In this example the user will be chroot-ed into /home/testchroot
  
  Inside the chroot-ed directory, it will look for /etc/passwd and it will 
execute the shell for the user from that file. For the above example the 
/etc/passwd file inside the jail should have an entry like
  
--test:x:10000:10000::/home/test:/usr/sbin/jk_lsh
-+test:x:10000:10000::/home/test:${PREFIX}/sbin/jk_lsh
+-test:x:10000:10000::/home/test:${PREFIX}/sbin/jk_lsh
++test:x:10000:10000::/home/test:/usr/sbin/jk_lsh
  
  Notice that the home directory and the shell are local inside the chroot
  
@@ -21,8 +22,8 @@ $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 
  system call. Therefore it is setuid root. It will drop its root priveleges 
immediately after making the chroot() system call. Since Jailkit 2.8 
jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems that support 
capabilities, and then the setuid bit can be removed.
  
  By default jk_chrootsh does not copy any environment variables. For some 
functionality, however, environment variables need to be copied (e.g. the TERM 
variable for a functional terminal emulation, or the DISPLAY variable for X 
forwarding). In 
--.I /etc/jailkit/jk_chrootsh.ini
-+.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
+-.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
++.I /etc/jailkit/jk_chrootsh.ini
  the required environment variables can be listed. An example config file is 
shown below. In the example, user bill will get the DISPLAY variable, and all 
users in group jail will get the TERM and PATH variables.
  
  By default jk_chrootsh requires a home directory owned by the user with the 
same group as the primary group from the user, and requires the home directory 
to be non-writable for group and others. You can relax these requirements in 
the configfile as shown below. 
@@ -30,8 +31,8 @@ $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 
  .SH FILES
  
  .I /etc/passwd
--.I /etc/jailkit/jk_chrootsh.ini
-+.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
+-.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
++.I /etc/jailkit/jk_chrootsh.ini
  
  .SH DIAGNOSTICS
  
Index: patches/patch-man_jk_cp_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_cp_8,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_jk_cp_8
--- patches/patch-man_jk_cp_8   20 Sep 2010 07:15:31 -0000      1.1.1.1
+++ patches/patch-man_jk_cp_8   15 Jan 2020 16:33:38 -0000
@@ -1,15 +1,16 @@
 $OpenBSD: patch-man_jk_cp_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
---- man/jk_cp.8.orig   Tue Oct 28 12:14:36 2008
-+++ man/jk_cp.8        Tue Oct 28 12:38:41 2008
+Index: man/jk_cp.8
+--- man/jk_cp.8.orig
++++ man/jk_cp.8
 @@ -19,9 +19,9 @@ jk_cp -j /home/testchroot /usr/bin/cvs
  
  will copy /usr/bin/cvs to /home/testchroot/usr/bin/cvs, and it will copy the 
libraries used by cvs also to the jail.
  
--jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox
-+jk_cp -k -j /svr/testjail ${LOCALBASE}/bin/firefox 
${LOCALBASE}/mozilla-firefox
+-jk_cp -k -j /svr/testjail ${LOCALBASE}/bin/firefox 
${LOCALBASE}/mozilla-firefox
++jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox
  
--will hardlink /usr/bin/firefox and all files in /usr/share/firefox into jail 
/svr/testjail 
-+will hardlink ${LOCALBASE}/bin/firefox and all files in 
${LOCALBASE}/mozilla-firefox into jail /svr/testjail 
+-will hardlink ${LOCALBASE}/bin/firefox and all files in 
${LOCALBASE}/mozilla-firefox into jail /svr/testjail 
++will hardlink /usr/bin/firefox and all files in /usr/share/firefox into jail 
/svr/testjail 
  
  .SH OPTIONS
  
Index: patches/patch-man_jk_init_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_init_8,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_jk_init_8
--- patches/patch-man_jk_init_8 20 Sep 2010 07:15:31 -0000      1.1.1.1
+++ patches/patch-man_jk_init_8 15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
---- man/jk_init.8.orig Sun Feb  7 17:13:06 2010
-+++ man/jk_init.8      Tue Sep 14 19:12:38 2010
+Index: man/jk_init.8
+--- man/jk_init.8.orig
++++ man/jk_init.8
 @@ -14,7 +14,7 @@ jk_init \- a utility to quicky create functional jail 
  It is not an easy task to setup a jail (a changed root) in a functional way. 
If you want the user to be able to run cvs for example, it will not work to 
simply copy the cvs binary into the users jail. You will find that cvs needs 
libraries as well. cvs also needs the /dev/null device. Finally you need 
something to start cvs: you need a shell too. And the shell might need files 
like /etc/passwd and /etc/nsswitch.conf.
  
  With jk_init you can automate these tasks. You can create a section in the 
configfile 
--.I /etc/jailkit/jk_init.ini
-+.I ${SYSCONFDIR}/jailkit/jk_init.ini
+-.I ${SYSCONFDIR}/jailkit/jk_init.ini
++.I /etc/jailkit/jk_init.ini
  that has all the files, directories and devices, and you can use jk_init to 
setup such a jail with a single command. The default configfile has examples 
for cvs, sftp, scp, rsync and more for Debian and Ubuntu Linux. For other 
operating systems the defaults might need some (minor) updates. 
  
  .SH EXAMPLE
@@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 
  .sp
  [jk_lsh]
  comment = Jailkit limited shell
--paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
-+paths = ${PREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini
+-paths = ${PREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini
++paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
  users = root
  groups = root
  need_logsocket = 1
@@ -23,8 +24,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 
  
  [sftp]
  comment = ssh secure ftp with Jailkit limited shell
--paths = /usr/lib/sftp-server
-+paths = /usr/libexec/sftp-server
+-paths = /usr/libexec/sftp-server
++paths = /usr/lib/sftp-server
  includesections = netbasics, uidbasics
  devices = /dev/urandom, /dev/null
  emptydirs = /svr
@@ -32,8 +33,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 
  The help screen
  
  .SH FILES
--.I /etc/jailkit/jk_init.ini
-+.I ${SYSCONFDIR}/jailkit/jk_init.ini
+-.I ${SYSCONFDIR}/jailkit/jk_init.ini
++.I /etc/jailkit/jk_init.ini
  
  .SH "SEE ALSO"
  .BR jailkit(8)
Index: patches/patch-man_jk_jailuser_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_jailuser_8,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_jk_jailuser_8
--- patches/patch-man_jk_jailuser_8     20 Sep 2010 07:15:31 -0000      1.1.1.1
+++ patches/patch-man_jk_jailuser_8     15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jk_jailuser_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
---- man/jk_jailuser.8.orig     Tue Oct 28 12:16:15 2008
-+++ man/jk_jailuser.8  Tue Oct 28 12:40:07 2008
+Index: man/jk_jailuser.8
+--- man/jk_jailuser.8.orig
++++ man/jk_jailuser.8
 @@ -36,7 +36,7 @@ Move the contents of the home directory inside the jai
  No user interaction.
  .TP
  .BR \-s\ \-\-shell= shell
--The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh
-+The shell to use inside the jail. Defaults to ${PREFIX}/sbin/jk_lsh
+-The shell to use inside the jail. Defaults to ${PREFIX}/sbin/jk_lsh
++The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh
  
  .SH "SEE ALSO"
  .BR jailkit(8)
Index: patches/patch-man_jk_lsh_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_lsh_8,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_jk_lsh_8
--- patches/patch-man_jk_lsh_8  20 Sep 2010 07:15:31 -0000      1.1.1.1
+++ patches/patch-man_jk_lsh_8  15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
---- man/jk_lsh.8.orig  Sun Feb  7 17:13:06 2010
-+++ man/jk_lsh.8       Tue Sep 14 19:08:21 2010
+Index: man/jk_lsh.8
+--- man/jk_lsh.8.orig
++++ man/jk_lsh.8
 @@ -12,7 +12,7 @@ jk_lsh \- a shell that limits the binaries it will exe
  The jailkit limited shell jk_lsh is not an interactive shell. jk_lsh will 
only execute commands that are passed during startup (e.g. /bin/sh -c command) 
and will deny to start all but explicitly allowed commands. All other commands, 
or regular shell access are denied. This can be used to restrict an account to 
a specific use. For example, jk_lsh can be used to make rsync-, cvs-, sftp- or 
scp-only accounts, or even an account that can start firefox or opera but 
nothing else.
  
  The allowed actions are read from 
--.I /etc/jailkit/jk_lsh.ini
-+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini
+-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini
++.I /etc/jailkit/jk_lsh.ini
  If you run jk_lsh inside a changed root jail, make sure jk_lsh.ini is present 
inside that chroot jail.
  
  .SH LIMITATIONS
@@ -14,25 +15,25 @@ $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2
  .nf
  .sp
  [DEFAULT]
--executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync
--paths = /usr/bin/, /usr/lib
-+executables = /usr/bin/scp, /usr/libexec/sftp-server, ${LOCALBASE}/bin/rsync
-+paths = /usr/bin/, /usr/libexec, ${LOCALBASE}/bin
+-executables = /usr/bin/scp, /usr/libexec/sftp-server, ${LOCALBASE}/bin/rsync
+-paths = /usr/bin/, /usr/libexec, ${LOCALBASE}/bin
++executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync
++paths = /usr/bin/, /usr/lib
  allow_word_expansion = 1
  
  [test]
--executables = /usr/bin/scp, /usr/lib/sftp-server
--paths = /usr/bin/, /usr/lib
-+executables = /usr/bin/scp, /usr/libexec/sftp-server
-+paths = /usr/bin/, /usr/libexec
+-executables = /usr/bin/scp, /usr/libexec/sftp-server
+-paths = /usr/bin/, /usr/libexec
++executables = /usr/bin/scp, /usr/lib/sftp-server
++paths = /usr/bin/, /usr/lib
  allow_word_expansion = 0
  umask = 002
  
  [group test]
--executables = /usr/bin/rsync
--paths = /usr/bin/
-+executables = ${LOCALBASE}/bin/rsync
-+paths = ${LOCALBASE}/bin/
+-executables = ${LOCALBASE}/bin/rsync
+-paths = ${LOCALBASE}/bin/
++executables = /usr/bin/rsync
++paths = /usr/bin/
  allow_word_expansion = 1
  environment=TERM=linux,FOO=bar
  .fi
@@ -40,11 +41,11 @@ $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2
  .BR jk_chrootsh(8)
  
  .SH FILES
--.I /etc/jailkit/jk_lsh.ini
-+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini
+-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini
++.I /etc/jailkit/jk_lsh.ini
  .I /etc/passwd
--.I JAIL/etc/jailkit/jk_lsh.ini
-+.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini
+-.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini
++.I JAIL/etc/jailkit/jk_lsh.ini
  .I JAIL/etc/passwd
  
  .SH DIAGNOSTICS
Index: patches/patch-man_jk_socketd_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_socketd_8,v
retrieving revision 1.2
diff -u -p -r1.2 patch-man_jk_socketd_8
--- patches/patch-man_jk_socketd_8      26 Mar 2014 17:38:27 -0000      1.2
+++ patches/patch-man_jk_socketd_8      15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jk_socketd_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $
---- man/jk_socketd.8.orig      Fri Jan  3 18:51:20 2014
-+++ man/jk_socketd.8   Wed Dec 25 15:54:12 2013
+Index: man/jk_socketd.8
+--- man/jk_socketd.8.orig
++++ man/jk_socketd.8
 @@ -18,7 +18,7 @@ jk_socketd \- a daemon to create a rate-limited /dev/l
  .SH DESCRIPTION
  
  The jailkit socket daemon creates a rate-limited /dev/log socket inside a 
jail according to 
--.I /etc/jailkit/jk_socketd.ini
-+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
+-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
++.I /etc/jailkit/jk_socketd.ini
  and writes all data eventually to syslog using the real
  .I /dev/log
  Programs like jk_lsh and also many daemons need a /dev/log socket to do 
logging to syslog.
@@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_socketd_8,v 1.2 2
  
  .SH FILES
  
--.I /etc/jailkit/jk_socketd.ini
-+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
+-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
++.I /etc/jailkit/jk_socketd.ini
  
  .SH DIAGNOSTICS
  
Index: patches/patch-man_jk_uchroot_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_uchroot_8,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_jk_uchroot_8
--- patches/patch-man_jk_uchroot_8      20 Sep 2010 07:15:31 -0000      1.1.1.1
+++ patches/patch-man_jk_uchroot_8      15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jk_uchroot_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
---- man/jk_uchroot.8.orig      Tue Oct 28 12:24:53 2008
-+++ man/jk_uchroot.8   Tue Oct 28 12:25:07 2008
+Index: man/jk_uchroot.8
+--- man/jk_uchroot.8.orig
++++ man/jk_uchroot.8
 @@ -31,7 +31,7 @@ In the above example jk_uchroot is configured not to c
  
  .SH FILES
  
--.I /etc/jailkit/jk_uchroot.ini
-+.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini
+-.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini
++.I /etc/jailkit/jk_uchroot.ini
  
  .SH DIAGNOSTICS
  
Index: patches/patch-man_jk_update_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_update_8,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_jk_update_8
--- patches/patch-man_jk_update_8       20 Sep 2010 07:15:31 -0000      1.1.1.1
+++ patches/patch-man_jk_update_8       15 Jan 2020 16:33:38 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-man_jk_update_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
---- man/jk_update.8.orig       Sun Feb  7 17:13:06 2010
-+++ man/jk_update.8    Tue Sep 14 19:08:21 2010
+Index: man/jk_update.8
+--- man/jk_update.8.orig
++++ man/jk_update.8
 @@ -44,7 +44,7 @@ hardlinks = 1
  directories = /usr, /bin, /lib
  
  [/home/otherjail]
--skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox
-+skips = ${LOCALBASE}/mozilla-firefox, ${LOCALBASE}/bin/firefox
+-skips = ${LOCALBASE}/mozilla-firefox, ${LOCALBASE}/bin/firefox
++skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox
  .fi
  
  where the options have the following meaning:
Index: patches/patch-py_jk_lib_py
===================================================================
RCS file: patches/patch-py_jk_lib_py
diff -N patches/patch-py_jk_lib_py
--- patches/patch-py_jk_lib_py  24 Apr 2013 12:47:39 -0000      1.3
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,18 +0,0 @@
-$OpenBSD: patch-py_jk_lib_py,v 1.3 2013/04/24 12:47:39 gonzalo Exp $
-
-Fix running jk_init trying to create a jail the first time
-
---- py/jk_lib.py.orig  Thu Aug  2 14:55:28 2012
-+++ py/jk_lib.py       Tue Apr 23 06:35:23 2013
-@@ -461,7 +461,10 @@ def create_parent_path(chroot,path,be_verbose=0, copy_
-               if (stat.S_ISDIR(sb.st_mode)):
-                       if (be_verbose):
-                               print 'Create directory '+jailpath
--                      os.mkdir(jailpath, 0755)
-+                      try:
-+                              os.mkdir(jailpath, 0755)
-+                      except OSError, (errno,strerror):
-+                              sys.stderr.write('NOTE: Jail directory already 
existed:\n')
-                       if (copy_permissions):
-                               try:
-                                       copy_time_and_permissions(origpath, 
jailpath, be_verbose, allow_suid, copy_ownership)
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/jailkit/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST   20 Sep 2010 07:15:30 -0000      1.1.1.1
+++ pkg/PLIST   15 Jan 2020 16:33:38 -0000
@@ -3,7 +3,6 @@
 @bin bin/jk_uchroot
 @mode
 @man man/man8/jailkit.8
-@man man/man8/jk_addjailuser.8
 @man man/man8/jk_check.8
 @man man/man8/jk_chrootlaunch.8
 @man man/man8/jk_chrootsh.8
@@ -16,7 +15,6 @@
 @man man/man8/jk_socketd.8
 @man man/man8/jk_uchroot.8
 @man man/man8/jk_update.8
-sbin/jk_addjailuser
 sbin/jk_check
 @bin sbin/jk_chrootlaunch
 @mode 4755
@@ -32,22 +30,23 @@ sbin/jk_list
 @mode
 @bin sbin/jk_socketd
 sbin/jk_update
-@sample /etc/jailkit/
+@sample ${SYSCONFDIR}/jailkit/
 share/examples/jailkit/
 share/examples/jailkit/jk_check.ini
-@sample /etc/jailkit/jk_check.ini
+@sample ${SYSCONFDIR}/jailkit/jk_check.ini
 share/examples/jailkit/jk_chrootsh.ini
-@sample /etc/jailkit/jk_chrootsh.ini
+@sample ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
 share/examples/jailkit/jk_init.ini
-@sample /etc/jailkit/jk_init.ini
+@sample ${SYSCONFDIR}/jailkit/jk_init.ini
 share/examples/jailkit/jk_lsh.ini
-@sample /etc/jailkit/jk_lsh.ini
+@sample ${SYSCONFDIR}/jailkit/jk_lsh.ini
 share/examples/jailkit/jk_socketd.ini
-@sample /etc/jailkit/jk_socketd.ini
+@sample ${SYSCONFDIR}/jailkit/jk_socketd.ini
 share/examples/jailkit/jk_uchroot.ini
-@sample /etc/jailkit/jk_uchroot.ini
+@sample ${SYSCONFDIR}/jailkit/jk_uchroot.ini
 share/examples/jailkit/jk_update.ini
-@sample /etc/jailkit/jk_update.ini
+@sample ${SYSCONFDIR}/jailkit/jk_update.ini
 share/jailkit/
+${MODPY_COMMENT}share/jailkit/${MODPY_PYCACHE}/
+share/jailkit/${MODPY_PYCACHE}jk_lib.${MODPY_PYC_MAGIC_TAG}pyc
 share/jailkit/jk_lib.py
-share/jailkit/jk_lib.pyc
