- added debug log to exec_safe including returncode

- moved jailkit functions from bash files to system library

Author: Marius Burkard

server/lib/classes/system.inc.php

@@ -2070,6 +2070,8 @@ public function last_exec_retcode() {
 	}
 
 	public function exec_safe($cmd) {
+		global $app;
+		
 		$arg_count = func_num_args();
 		if($arg_count != substr_count($cmd, '?') + 1) {
 			trigger_error('Placeholder count not matching argument list.', E_USER_WARNING);
@@ -2096,12 +2098,93 @@ public function exec_safe($cmd) {
 
 		$this->_last_exec_out = null;
 		$this->_last_exec_retcode = null;
-		return exec($cmd, $this->_last_exec_out, $this->_last_exec_retcode);
+		$ret = exec($cmd, $this->_last_exec_out, $this->_last_exec_retcode);
+		
+		$this->app->log("safe_exec cmd: " . $cmd . " - return code: " . $this->_last_exec_retcode, LOGLEVEL_DEBUG);
+		
+		return $ret;
 	}
 
 	public function system_safe($cmd) {
 		call_user_func_array(array($this, 'exec_safe'), func_get_args());
 		return implode("\n", $this->_last_exec_out);
 	}
 
+	public function create_jailkit_user($username, $home_dir, $user_home_dir, $shell = '/bin/bash', $p_user = null, $p_user_home_dir = null) {
+		// Check if USERHOMEDIR already exists
+		if(!is_dir($home_dir . '/.' . $user_home_dir)) {
+			$this->mkdirpath($home_dir . '/.' . $user_home_dir, 0755, $username);
+		}
+
+		// Reconfigure the chroot home directory for the user
+		$cmd = 'usermod --home=? ? 2>/dev/null';
+		$this->exec_safe($cmd, $home_dir . '/.' . $user_home_dir, $username);
+
+		// Add the chroot user
+		$cmd = 'jk_jailuser -n -s ? -j ? ?';
+		$this->exec_safe($cmd, $shell, $home_dir, $username);
+
+		//  We have to reconfigure the chroot home directory for the parent user
+		if($p_user !== null) {
+			$cmd = 'usermod --home=? ? 2>/dev/null';
+			$this->exec_safe($cmd, $home_dir . '/.' . $p_user_home_dir, $p_user);
+		}
+		
+		return true;
+	}
+	
+	public function create_jailkit_programs($home_dir, $programs = array()) {
+		if(empty($programs)) {
+			return true;
+		}
+		$program_args = '';
+		foreach($programs as $prog) {
+			$program_args .= ' ' . escapeshellarg($prog);
+		}
+		
+		$cmd = 'jk_cp -k ?' . $program_args;
+		$this->exec_safe($cmd, $home_dir);
+		
+		return true;
+	}
+	
+	public function create_jailkit_chroot($home_dir, $app_sections = array()) {
+		if(empty($app_sections)) {
+			return true;
+		}
+		
+		// Change ownership of the chroot directory to root
+		$app->system->chown($home_dir, 'root');
+		$app->system->chgrp($home_dir, 'root');
+
+		$app_args = '';
+		foreach($app_sections as $app_section) {
+			$app_args .= ' ' . escapeshellarg($app_section);
+		}
+		
+		// Initialize the chroot into the specified directory with the specified applications
+		$cmd = 'jk_init -f -k -c /etc/jailkit/jk_init.ini -j ?' . $app_args;
+		$this->exec_safe($cmd, $home_dir);
+
+		// Create the temp directory
+		if(!is_dir($home_dir . '/tmp')) {
+			$this->mkdirpath($home_dir . '/tmp', 0777);
+		} else {
+			$this->chmod($home_dir . '/tmp', 0777);
+		}
+
+		// Fix permissions of the root firectory
+		$this->chmod($home_dir . '/bin', 0755);  // was chmod g-w $CHROOT_HOMEDIR/bin
+
+		// mysql needs the socket in the chrooted environment
+		$this->mkdirpath($home_dir . '/var/run/mysqld');
+		
+		// ln /var/run/mysqld/mysqld.sock $CHROOT_HOMEDIR/var/run/mysqld/mysqld.sock
+		if(!file_exists("/var/run/mysqld/mysqld.sock")) {
+			$this->exec_safe('ln ? ?', '/var/run/mysqld/mysqld.sock', $home_dir . '/var/run/mysqld/mysqld.sock');
+		}
+		
+		return true;
+	}
+	
 }

server/plugins-available/cron_jailkit_plugin.inc.php

@@ -216,12 +216,9 @@ function _setup_jailkit_chroot()
 		//check if the chroot environment is created yet if not create it with a list of program sections from the config
 		if (!is_dir($this->parent_domain['document_root'].'/etc/jailkit'))
 		{
-			$command = '/usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh';
-			$command .= ' ?';
-			$command .= ' ?';
-			$app->system->exec_safe($command.' 2>/dev/null', $this->parent_domain['document_root'], $this->jailkit_config['jailkit_chroot_app_sections']);
+			$app->system->create_jailkit_chroot($this->parent_domain['document_root'], preg_split('/[\s,]+/', $this->jailkit_config['jailkit_chroot_app_sections']));
 
-			$this->app->log("Added jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);
+			$this->app->log("Added jailkit chroot", LOGLEVEL_DEBUG);
 
 			$this->app->load('tpl');
 
@@ -259,19 +256,11 @@ function _add_jailkit_programs()
 		global $app;
 
 		//copy over further programs and its libraries
-		$command = '/usr/local/ispconfig/server/scripts/create_jailkit_programs.sh';
-		$command .= ' ?';
-		$command .= ' ?';
-		$app->system->exec_safe($command.' 2>/dev/null', $this->parent_domain['document_root'], $this->jailkit_config['jailkit_chroot_app_programs']);
-
-		$this->app->log("Added programs to jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);
-
-		$command = '/usr/local/ispconfig/server/scripts/create_jailkit_programs.sh';
-		$command .= ' ?';
-		$command .= ' ?';
-		$app->system->exec_safe($command.' 2>/dev/null', $this->parent_domain['document_root'], $this->jailkit_config['jailkit_chroot_cron_programs']);
-
-		$this->app->log("Added cron programs to jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);
+		$app->system->create_jailkit_programs($this->parent_domain['document_root'], preg_split('/[\s,]+/', $this->jailkit_config['jailkit_chroot_app_programs']));
+		$this->app->log("Added app programs to jailkit chroot", LOGLEVEL_DEBUG);
+		
+		$app->system->create_jailkit_programs($this->parent_domain['document_root'], preg_split('/[\s,]+/', $this->jailkit_config['jailkit_chroot_cron_programs']));
+		$this->app->log("Added cron programs to jailkit chroot", LOGLEVEL_DEBUG);
 	}
 
 	function _add_jailkit_user()
@@ -288,14 +277,7 @@ function _add_jailkit_user()
 		// ALWAYS create the user. Even if the user was created before
 		// if we check if the user exists, then a update (no shell -> jailkit) will not work
 		// and the user has FULL ACCESS to the root of the server!
-		$command = '/usr/local/ispconfig/server/scripts/create_jailkit_user.sh';
-		$command .= ' ?';
-		$command .= ' ?';
-		$command .= ' ?';
-		$command .= ' /bin/bash';
-		$app->system->exec_safe($command.' 2>/dev/null', $this->parent_domain['system_user'], $this->parent_domain['document_root'], $jailkit_chroot_userhome);
-
-		$this->app->log("Added jailkit user to chroot with command: ".$command, LOGLEVEL_DEBUG);
+		$app->system->create_jailkit_user($this->parent_domain['system_user'], $this->parent_domain['document_root'], $jailkit_chroot_userhome);
 
 		$app->system->mkdir($this->parent_domain['document_root'].$jailkit_chroot_userhome, 0755, true);
 		$app->system->chown($this->parent_domain['document_root'].$jailkit_chroot_userhome, $this->parent_domain['system_user']);

server/plugins-available/shelluser_jailkit_plugin.inc.php

@@ -273,10 +273,8 @@ function _setup_jailkit_chroot()
 		//check if the chroot environment is created yet if not create it with a list of program sections from the config
 		if (!is_dir($this->data['new']['dir'].'/etc/jailkit'))
 		{
-			$command = '/usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh ? ?';
-			$app->system->exec_safe($command.' 2>/dev/null', $this->data['new']['dir'], $this->jailkit_config['jailkit_chroot_app_sections']);
-
-			$this->app->log("Added jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);
+			$app->system->create_jailkit_chroot($this->data['new']['dir'], preg_split('/[\s,]+/', $this->jailkit_config['jailkit_chroot_app_sections']));
+			$this->app->log("Added jailkit chroot", LOGLEVEL_DEBUG);
 
 			$this->_add_jailkit_programs();
 
@@ -323,10 +321,8 @@ function _add_jailkit_programs()
 				$jailkit_chroot_app_program = trim($jailkit_chroot_app_program);
 				if(is_file($jailkit_chroot_app_program) || is_dir($jailkit_chroot_app_program)){			
 					//copy over further programs and its libraries
-					$command = '/usr/local/ispconfig/server/scripts/create_jailkit_programs.sh ? ?';
-					$app->system->exec_safe($command.' 2>/dev/null', $this->data['new']['dir'], $jailkit_chroot_app_program);
-
-					$this->app->log("Added programs to jailkit chroot with command: ".$command, LOGLEVEL_DEBUG);
+					$app->system->create_jailkit_programs($this->data['new']['dir'], $jailkit_chroot_app_program);
+					$this->app->log("Added programs to jailkit chroot", LOGLEVEL_DEBUG);
 				}
 			}
 		}
@@ -357,17 +353,14 @@ function _add_jailkit_user()
 		// ALWAYS create the user. Even if the user was created before
 		// if we check if the user exists, then a update (no shell -> jailkit) will not work
 		// and the user has FULL ACCESS to the root of the server!
-		$command = '/usr/local/ispconfig/server/scripts/create_jailkit_user.sh ? ? ? ? ? ?';
-		$app->system->exec_safe($command.' 2>/dev/null', $this->data['new']['username'], $this->data['new']['dir'], $jailkit_chroot_userhome, $this->data['new']['shell'], $this->data['new']['puser'], $jailkit_chroot_puserhome);
+		$app->system->create_jailkit_user($this->data['new']['username'], $this->data['new']['dir'], $jailkit_chroot_userhome, $this->data['new']['shell'], $this->data['new']['puser'], $jailkit_chroot_puserhome);
 
 		$shell = '/usr/sbin/jk_chrootsh';
 		if($this->data['new']['active'] != 'y') $shell = '/bin/false';
 
 		$app->system->usermod($this->data['new']['username'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_userhome, $shell);
 		$app->system->usermod($this->data['new']['puser'], 0, 0, $this->data['new']['dir'].'/.'.$jailkit_chroot_puserhome, '/usr/sbin/jk_chrootsh');
 
-		$this->app->log("Added jailkit user to chroot with command: ".$command, LOGLEVEL_DEBUG);
-
 		if(!is_dir($this->data['new']['dir'].$jailkit_chroot_userhome)) {
 			if(is_dir($this->data['old']['dir'].$jailkit_chroot_userhome_old)) {
 				$app->system->rename($this->data['old']['dir'].$jailkit_chroot_userhome_old,$this->data['new']['dir'].$jailkit_chroot_userhome);