WIP: jail cleanup and updates

Author: jnorell

server/lib/classes/system.inc.php

@@ -941,6 +941,22 @@ function move($file1, $file2) {
                 return $return_var == 0 ? true : false;
         }
 
+	function rmdir($dir, $recursive=false) {
+		$dir = rtrim($dir, '/');
+		if (is_dir($dir)) {
+			$objects = scandir($dir);
+			foreach ($objects as $object) {
+				if ($object != "." && $object != ".." && $recursive) {
+					if (filetype($dir.'/'.$object) == 'dir') 
+						$this->rmdir($dir.'/'.$object, $recursive); 
+					else unlink ($dir.'/'.$object);
+				}
+			}
+			reset($objects);
+			rmdir($dir);
+		}
+	}
+
 	function touch($file, $allow_symlink = false){
 		global $app;
 		if($allow_symlink == false && @file_exists($file) && $this->checkpath($file) == false) {
@@ -2223,61 +2239,192 @@ public function create_jailkit_user($username, $home_dir, $user_home_dir, $shell
 		return true;
 	}
 
-	public function create_jailkit_programs($home_dir, $programs = array()) {
+	public function create_jailkit_chroot($home_dir, $app_sections = array(), $options = array()) {
+		if(!is_dir($home_dir)) {
+			$app->log("Jail directory does not exist: $homedir", LOGLEVEL_WARN);
+			return false;
+		}
+		if(empty($app_sections)) {
+			return true;
+		} elseif(is_string($app_sections)) {
+			$app_sections = preg_split('/[\s,]+/', $app_sections);
+		}
+
+		// Change ownership of the chroot directory to root
+		$this->chown($home_dir, 'root');
+		$this->chgrp($home_dir, 'root');
+
+		$program_args = '';
+		foreach ($options as $opt) {
+			switch ($opt) {
+			case '-k|hardlink':
+				$program_args .= ' -k';
+				break;
+			case '-f|force':
+				$program_args .= ' -f';
+				break;
+			}
+		}
+		# /etc/jailkit/jk_init.ini is the default path, probably not needed?
+		$program_args .= ' -c /etc/jailkit/jk_init.ini -j ?';
+		foreach($app_sections as $app_section) {
+			# should check that section exists with jk_init --list ?
+			$program_args .= ' ' . escapeshellarg($app_section);
+		}
+
+		// Initialize the chroot into the specified directory with the specified applications
+		$cmd = 'jk_init' . $program_args;
+		$this->exec_safe($cmd, $home_dir);
+
+		// Create the temp directory
+		if(!is_dir($home_dir . '/tmp')) {
+			$this->mkdirpath($home_dir . '/tmp', 0770);
+		} else {
+			$this->chmod($home_dir . '/tmp', 0770, true);
+		}
+
+		// Fix permissions of the root firectory
+		$this->chmod($home_dir . '/bin', 0755, true);  // was chmod g-w $CHROOT_HOMEDIR/bin
+
+		return true;
+	}
+
+	public function create_jailkit_programs($home_dir, $programs = array(), $options = array()) {
+		if(!is_dir($home_dir)) {
+			$app->log("Jail directory does not exist: $homedir", LOGLEVEL_WARN);
+			return false;
+		}
 		if(empty($programs)) {
 			return true;
 		} elseif(is_string($programs)) {
 			$programs = preg_split('/[\s,]+/', $programs);
 		}
+
+		# prohibit ill-advised copying paths known to be sensitive/problematic
+		# (easy to bypass if needed, eg. use /./etc)
+		$blacklisted_paths_regex = array(
+			'|^/$|',
+			'|^/proc(/.*)?$|',
+			'|^/sys(/.*)?$|',
+			'|^/etc/?$|',
+			'|^/dev/?$|',
+			'|^/tmp/?$|',
+			'|^/run/?$|',
+			'|^/boot/?$|',
+		);
+
 		$program_args = '';
+		foreach ($options as $opt) {
+			switch ($opt) {
+			case '-k|hardlink':
+				$program_args .= ' -k';
+				break;
+			case '-f|force':
+				$program_args .= ' -f';
+				break;
+			}
+		}
+		$program_args .= ' -j ?';
+
+		$bad_paths = array();
 		foreach($programs as $prog) {
-			$program_args .= ' ' . escapeshellarg($prog);
+			foreach ($blacklisted_paths_regex as $re) {
+				if (preg_match($re, $prog, $matches)) {
+					$bad_paths[] = $matches[0];
+				}
+			}
+			if (count($bad_paths) > 0) {
+				$app->log("Prohibited path not added to jail $homedir: " . implode(", ", $bad_paths), LOGLEVEL_WARN);
+			} else {
+				$program_args .= ' ' . escapeshellarg($prog);
+			}
 		}
 
-		$cmd = 'jk_cp -j ?' . $program_args;
-		$this->exec_safe($cmd, $home_dir);
+		if (count($programs) > count($bad_paths)) {
+			$cmd = 'jk_cp' . $program_args;
+			$this->exec_safe($cmd, $home_dir);
+		}
 
 		return true;
 	}
 
-	public function create_jailkit_chroot($home_dir, $app_sections = array()) {
-		if(empty($app_sections)) {
-			return true;
-		} elseif(is_string($app_sections)) {
-			$app_sections = preg_split('/[\s,]+/', $app_sections);
+	public function update_jailkit_chroot($home_dir, $sections = array(), $programs = array(), $options = array()) {
+		if(!is_dir($home_dir)) {
+			$app->log("Jail directory does not exist: $homedir", LOGLEVEL_WARN);
+			return false;
+		}
+
+		$opts = array('force');
+		foreach ($options as $opt) {
+			switch ($opt) {
+			case '-k|hardlink':
+				$opts[] = 'hardlink';
+				break;
+			}
 		}
 
 		// Change ownership of the chroot directory to root
 		$this->chown($home_dir, 'root');
 		$this->chgrp($home_dir, 'root');
 
-		$app_args = '';
-		foreach($app_sections as $app_section) {
-			$app_args .= ' ' . escapeshellarg($app_section);
+		$jailkit_directories = array(
+			'bin',
+			'dev',
+			'etc',
+			'lib',
+			'lib32',
+			'lib64',
+			'opt',
+			'sys',
+			'usr',
+			'var',
+		);
+
+		foreach ($jailkit_directories as $dir) {
+			$root_dir = '/'.$dir;
+			$jail_dir = rtrim($home_dir, '/') . '/'.$dir;
+
+			if (!is_dir($jail_dir)) {
+				continue;
+			}
+
+			// if directory exists in jail but not in root, remove it
+			if (is_dir($jail_dir) && !is_dir($root_dir)) {
+				$this->rmdir($jail_dir, true);
+				continue;
+			}
+
+			// remove dangling symlinks
+			$app->log("TODO: search for and remove dangling symlinks", LOGLEVEL_DEBUG);
+
+			// search for and remove hardlinked
+			if (!in_array($opts, 'hardlink') && !in_array($options, 'allow_hardlink')) {
+				$app->log("TODO: search for and remove hardlinked files", LOGLEVEL_DEBUG);
+				// search for and save list of files
+			}
 		}
 
-		// Initialize the chroot into the specified directory with the specified applications
-		$cmd = 'jk_init -f -c /etc/jailkit/jk_init.ini -j ?' . $app_args;
-		$this->exec_safe($cmd, $home_dir);
+		// reinstall jailkit sections and programs
+		if(!(empty($sections) && empty($programs))) {
+			$this->create_jailkit_chroot($home_dir, $sections, $opts);
+			$this->create_jailkit_programs($home_dir, $programs, $opts);
+		}
 
 		// Create the temp directory
 		if(!is_dir($home_dir . '/tmp')) {
-			$this->mkdirpath($home_dir . '/tmp', 0777);
+			$this->mkdirpath($home_dir . '/tmp', 0770);
 		} else {
-			$this->chmod($home_dir . '/tmp', 0777, true);
+			$this->chmod($home_dir . '/tmp', 0770, true);
+		}
+
+		// search for and remove hardlinked
+		if (!in_array($opts, 'hardlink') && !in_array($options, 'allow_hardlink')) {
+			$app->log("TODO: search for hardlinked files now missing and add back", LOGLEVEL_DEBUG);
 		}
 
 		// Fix permissions of the root firectory
 		$this->chmod($home_dir . '/bin', 0755, true);  // was chmod g-w $CHROOT_HOMEDIR/bin
 
-		// mysql needs the socket in the chrooted environment
-		$this->mkdirpath($home_dir . '/var/run/mysqld');
-
-		// ln /var/run/mysqld/mysqld.sock $CHROOT_HOMEDIR/var/run/mysqld/mysqld.sock
-		if(!file_exists("/var/run/mysqld/mysqld.sock")) {
-			$this->exec_safe('ln ? ?', '/var/run/mysqld/mysqld.sock', $home_dir . '/var/run/mysqld/mysqld.sock');
-		}
-
 		return true;
 	}
 

server/plugins-available/apache2_plugin.inc.php

@@ -779,7 +779,7 @@ function update($event_name, $data) {
 		if($data['new']['stats_type'] != '' && !is_dir($data['new']['document_root'].'/' . $web_folder . '/stats')) $app->system->mkdirpath($data['new']['document_root'].'/' . $web_folder . '/stats');
 		if(!is_dir($data['new']['document_root'].'/ssl')) $app->system->mkdirpath($data['new']['document_root'].'/ssl');
 		if(!is_dir($data['new']['document_root'].'/cgi-bin')) $app->system->mkdirpath($data['new']['document_root'].'/cgi-bin');
-		if(!is_dir($data['new']['document_root'].'/tmp')) $app->system->mkdirpath($data['new']['document_root'].'/tmp');
+		if(!is_dir($data['new']['document_root'].'/tmp')) $app->system->mkdirpath($data['new']['document_root'].'/tmp', 0770);
 		if(!is_dir($data['new']['document_root'].'/webdav')) $app->system->mkdirpath($data['new']['document_root'].'/webdav');
 
 		if(!is_dir($data['new']['document_root'].'/.ssh')) {

server/plugins-available/shelluser_base_plugin.inc.php

@@ -233,7 +233,6 @@ function update($event_name, $data) {
 					$app->system->web_folder_protection($web['document_root'], false);
 
 					if($homedir != $homedir_old){
-						$app->system->web_folder_protection($web['document_root'], false);
 						// Rename dir, in case the new directory exists already.
 						if(is_dir($homedir)) {
 							$app->log("New Homedir exists, renaming it to ".$homedir.'_bak', LOGLEVEL_DEBUG);
@@ -245,10 +244,8 @@ function update($event_name, $data) {
 						$app->file->mkdirs($homedir, '0750');
 						$app->system->chown($homedir,$data['new']['puser']);
 						$app->system->chgrp($homedir,$data['new']['pgroup']);
-						$app->system->web_folder_protection($web['document_root'], true);
 					} else {
 						if(!is_dir($homedir)){
-							$app->system->web_folder_protection($web['document_root'], false);
 							if(!is_dir($data['new']['dir'].'/home')){
 								$app->file->mkdirs($data['new']['dir'].'/home', '0755');
 								$app->system->chown($data['new']['dir'].'/home','root');
@@ -257,7 +254,6 @@ function update($event_name, $data) {
 							$app->file->mkdirs($homedir, '0750');
 							$app->system->chown($homedir,$data['new']['puser']);
 							$app->system->chgrp($homedir,$data['new']['pgroup']);
-							$app->system->web_folder_protection($web['document_root'], true);
 						}
 					}
 					$app->system->usermod($data['old']['username'], 0, $app->system->getgid($data['new']['pgroup']), $homedir, $data['new']['shell'], $data['new']['password'], $data['new']['username']);
@@ -361,7 +357,7 @@ function delete($event_name, $data) {
 
 				// We delete only non jailkit users, jailkit users will be deleted by the jailkit plugin.
 				if ($data['old']['chroot'] != "jailkit") {
-					// if this web uses PHP-FPM, that PPH-FPM service must be stopped before we can delete this user
+					// if this web uses PHP-FPM, that PHP-FPM service must be stopped before we can delete this user
 					if($web['php'] == 'php-fpm'){
 						if($web['server_php_id'] != 0){
 							$default_php_fpm = false;

server/plugins-available/shelluser_jailkit_plugin.inc.php

@@ -109,6 +109,11 @@ function insert($event_name, $data) {
 						$this->data = $data;
 						$this->app = $app;
 						$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
+						foreach (array('jailkit_chroot_app_sections', 'jailkit_chroot_app_programs', 'jailkit_do_not_remove_paths') as $section) {
+							if (isset($web[$section]) && $web[$section] != '' ) {
+								$this->jailkit_config[$section] = $web[$section];
+							}
+						}
 
 						$this->_update_website_security_level();
 
@@ -158,8 +163,6 @@ function update($event_name, $data) {
 			return false;
 		}
 
-		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']);
-
 		if(!$app->system->is_allowed_user($data['new']['username'], false, false)
 			|| !$app->system->is_allowed_user($data['new']['puser'], true, true)
 			|| !$app->system->is_allowed_group($data['new']['pgroup'], true, true)) {
@@ -168,6 +171,8 @@ function update($event_name, $data) {
 		}
 
 		if($app->system->is_user($data['new']['puser'])) {
+			$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['new']['parent_domain_id']);
+
 			// Get the UID of the parent user
 			$uid = intval($app->system->getuid($data['new']['puser']));
 			if($uid > $this->min_uid) {
@@ -186,6 +191,11 @@ function update($event_name, $data) {
 						$this->data = $data;
 						$this->app = $app;
 						$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
+						foreach (array('jailkit_chroot_app_sections', 'jailkit_chroot_app_programs', 'jailkit_do_not_remove_paths') as $section) {
+							if (isset($web[$section]) && $web[$section] != '' ) {
+								$this->jailkit_config[$section] = $web[$section];
+							}
+						}
 
 						$this->_update_website_security_level();
 
@@ -231,12 +241,17 @@ function delete($event_name, $data) {
 			return false;
 		}
 
-		$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['old']['parent_domain_id']);
-
 		if ($data['old']['chroot'] == "jailkit")
 		{
+			$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ?", $data['old']['parent_domain_id']);
+
 			$app->uses("getconf");
 			$this->jailkit_config = $app->getconf->get_server_config($conf["server_id"], 'jailkit');
+			foreach (array('jailkit_chroot_app_sections', 'jailkit_chroot_app_programs', 'jailkit_do_not_remove_paths') as $section) {
+				if (isset($web[$section]) && $web[$section] != '' ) {
+					$this->jailkit_config[$section] = $web[$section];
+				}
+			}
 
 			$jailkit_chroot_userhome = $this->_get_home_dir($data['old']['username']);
 
@@ -248,15 +263,19 @@ function delete($event_name, $data) {
 			$app->system->exec_safe($command, $data['old']['username'], $data['old']['username']);
 
 			// Remove the jailed user from passwd and shadow file inside the jail
-			$app->system->removeLine($data['old']['dir'].'/etc/passwd', $data['old']['username']);
-			$app->system->removeLine($data['old']['dir'].'/etc/shadow', $data['old']['username']);
+			$app->system->removeLine($data['old']['dir'].'/etc/passwd', $data['old']['username'].':');
+			$app->system->removeLine($data['old']['dir'].'/etc/shadow', $data['old']['username'].':');
 
 			if(@is_dir($data['old']['dir'].$jailkit_chroot_userhome)) {
 				$this->_delete_homedir($data['old']['dir'].$jailkit_chroot_userhome,$userid,$data['old']['parent_domain_id']);
 
 				$app->log("Jailkit Plugin -> delete chroot home:".$data['old']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG);
 			}
 
+			if (isset($web['delete_unused_jailkit']) && $web['delete_unused_jailkit']) {
+				$app->system->delete_jailkit_if_unused($web['domain_id']);
+			}
+
 			$app->system->web_folder_protection($web['document_root'], true);
 
 		}