Merge branch 'jailkit_update_exclude_web_folders' into 'develop'

Jailkit update exclude web folders

See merge request ispconfig/ispconfig3!1271

Author: Marius Burkard

server/lib/classes/cron.d/600-jailkit_maintenance.inc.php

@@ -58,12 +58,12 @@ public function onRunJob() {
 		$jailkit_config = $app->getconf->get_server_config($conf['server_id'], 'jailkit');
 		if (isset($this->jailkit_config) && isset($this->jailkit_config['jailkit_hardlinks'])) {
 			if ($this->jailkit_config['jailkit_hardlinks'] == 'yes') {
-				$update_options = array('hardlink');
+				$options = array('hardlink');
 			} elseif ($this->jailkit_config['jailkit_hardlinks'] == 'no') {
-				$update_options = array();
+				$options = array();
 			}
 		} else {
-			$update_options = array('allow_hardlink');
+			$options = array('allow_hardlink');
 		}
 
 		// limit the number of jails we update at one time according to time of day
@@ -86,6 +86,14 @@ public function onRunJob() {
 			// check for any cron job using this jail
 			$cron_inuse = $app->db->queryOneRecord('SELECT id FROM `cron` WHERE `parent_domain_id` = ? AND `type` = ? AND `server_id` = ?', $rec['domain_id'], 'chrooted', $conf['server_id']);
 
+			$records2 = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $rec['domain_id'], $rec['document_root'], $conf['server_id']);
+			foreach ($records2 as $record2) {
+				if ($record2['web_folder'] == NULL || $record2['web_folder'] == '') {
+					continue;
+				}
+				$options[] = 'skip='.$record2['web_folder'];
+			}
+
 			if ($shell_user_inuse || $cron_inuse || $rec['php_fpm_chroot'] == 'y' || $rec['delete_unused_jailkit'] != 'y') {
 				$sections = $jailkit_config['jailkit_chroot_app_sections'];
 				if (isset($rec['jailkit_chroot_app_sections']) && $rec['jailkit_chroot_app_sections'] != '') {
@@ -104,7 +112,7 @@ public function onRunJob() {
 
 				if ($update_hash != $rec['last_jailkit_hash']) {
 					$app->system->web_folder_protection($rec['document_root'], false);
-					$app->system->update_jailkit_chroot($rec['document_root'], $sections, $programs, $update_options);
+					$app->system->update_jailkit_chroot($rec['document_root'], $sections, $programs, $options);
 					$app->system->web_folder_protection($rec['document_root'], true);
 					$app->db->query("UPDATE `web_domain` SET `last_jailkit_update` = NOW(), `last_jailkit_hash` = ? WHERE `document_root` = ?", $update_hash, $rec['document_root']);
 				} else {
@@ -114,7 +122,7 @@ public function onRunJob() {
 				//$app->log('Removing unused jail: '.$rec['document_root'], LOGLEVEL_DEBUG);
 				print 'Removing unused jail: '.$rec['document_root']."\n";
 				$app->system->web_folder_protection($rec['document_root'], false);
-				$app->system->delete_jailkit_chroot($rec['document_root']);
+				$app->system->delete_jailkit_chroot($rec['document_root'], $options);
 				$app->system->web_folder_protection($rec['document_root'], true);
 
 				$app->db->query("UPDATE `web_domain` SET `last_jailkit_update` = NOW(), `last_jailkit_hash` = NULL WHERE `document_root` = ?", $rec['document_root']);

server/lib/classes/system.inc.php

@@ -2415,6 +2415,9 @@ public function create_jailkit_chroot($home_dir, $app_sections = array(), $optio
 		# /etc/jailkit/jk_init.ini is the default path, probably not needed?
 		$program_args .= ' -c /etc/jailkit/jk_init.ini -j ?';
 		foreach($app_sections as $app_section) {
+			if ($app_section == '') {
+				continue;
+			}
 			# should check that section exists with jk_init --list ?
 			$program_args .= ' ' . escapeshellarg($app_section);
 		}
@@ -2494,6 +2497,9 @@ public function create_jailkit_programs($home_dir, $programs = array(), $options
 
 		$bad_paths = array();
 		foreach($programs as $prog) {
+			if ($prog == '') {
+				continue;
+			}
 			foreach ($blacklisted_paths_regex as $re) {
 				if (preg_match($re, $prog, $matches)) {
 					$bad_paths[] = $matches[0];
@@ -2531,9 +2537,23 @@ public function update_jailkit_chroot($home_dir, $sections = array(), $programs
 			return false;
 		}
 
+		$jailkit_directories = array(
+			'bin',
+			'dev',
+			'etc',
+			'lib',
+			'lib32',
+			'lib64',
+			'opt',
+			'sys',
+			'usr',
+			'var',
+		);
+
 		$opts = array();
 		$jk_update_args = '';
 		$jk_cp_args = '';
+		$skips = '';
 		foreach ($options as $opt) {
 			switch ($opt) {
 			case '-k':
@@ -2547,27 +2567,23 @@ public function update_jailkit_chroot($home_dir, $sections = array(), $programs
 				$opts[] = 'force';
 				$jk_cp_args .= ' -f';
 				break;
+			default:
+				if (preg_match('@^skip[ =]/?(.+)$@', $opt, $matches) ) {
+					if (in_array($matches[1], $jailkit_directories)) {
+						$app->log("update_jailkit_chroot: skipping update of jailkit directory $home_dir/".$matches[1]
+							. "; if this is in use as a web folder, it is insecure and should be fixed.", LOGLEVEL_WARN);
+					}
+					$jailkit_directories = $app->functions->array_unset_by_value($jailkit_directories, $matches[1]);
+					$skips .= ' --skip=/'.escapeshellarg($matches[1]);
+				}
+				break;
 			}
 		}
 
 		// Change ownership of the chroot directory to root
 		$this->chown($home_dir, 'root');
 		$this->chgrp($home_dir, 'root');
 
-		$jailkit_directories = array(
-			'bin',
-			'dev',
-			'etc',
-			'lib',
-			'lib32',
-			'lib64',
-			'opt',
-			'sys',
-			'usr',
-			'var',
-		);
-
-		$skips = '';
 		$multiple_links = array();
 		foreach ($jailkit_directories as $dir) {
 			$root_dir = '/'.$dir;
@@ -2739,9 +2755,10 @@ public function update_jailkit_chroot($home_dir, $sections = array(), $programs
 		return true;
 	}
 
-	public function delete_jailkit_chroot($home_dir) {
+	public function delete_jailkit_chroot($home_dir, $options = array()) {
 		global $app;
 
+$app->log("delete_jailkit_chroot called for $home_dir with options ".print_r($options, true), LOGLEVEL_DEBUG);
 		$app->uses('ini_parser');
 
 		// Disallow operating on root directory
@@ -2769,6 +2786,21 @@ public function delete_jailkit_chroot($home_dir) {
 			'run',		# not used by jailkit, but added for cleanup
 		);
 
+		foreach ($options as $opt) {
+			switch ($opt) {
+			default:
+				if (preg_match('@^skip[ =]/?(.+)$@', $opt, $matches) ) {
+					$matches[1] = ltrim($matches[1], '/');
+					if (in_array($matches[1], $jailkit_directories)) {
+						$app->log("delete_jailkit_chroot: skipping removal of jailkit directory .$home_dir/".$matches[1]
+							. "; if this is in use as a web folder, it is insecure and should be fixed.", LOGLEVEL_WARN);
+					}
+					$jailkit_directories = $app->functions->array_unset_by_value($jailkit_directories, $matches[1]);
+				}
+				break;
+			}
+		}
+
 		$removed = '';
 		foreach ($jailkit_directories as $dir) {
 			$jail_dir = rtrim($home_dir, '/') . '/'.$dir;

server/plugins-available/apache2_plugin.inc.php

@@ -831,6 +831,11 @@ function update($event_name, $data) {
 			$programs = $jailkit_config['jailkit_chroot_app_programs'] . ' '
 				  . $jailkit_config['jailkit_chroot_cron_programs'];
 
+			$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $data['new']['domain_id'], $data['new']['document_root'], $conf['server_id']);
+			foreach ($records as $record) {
+				$options[] = 'skip='.$record['web_folder'];
+			}
+
 			// don't update if last_jailkit_hash is the same
 			$tmp = $app->db->queryOneRecord('SELECT `last_jailkit_hash` FROM web_domain WHERE domain_id = ?', $data['new']['parent_domain_id']);
 			if ($update_hash != $tmp['last_jailkit_hash']) {
@@ -3683,7 +3688,7 @@ private function get_seo_redirects($web, $prefix = ''){
 
 	function _setup_jailkit_chroot()
 	{
-		global $app;
+		global $app, $conf;
 
 		$app->uses('system');
 
@@ -3746,6 +3751,11 @@ function _setup_jailkit_chroot()
 				return;
 			}
 
+			$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $this->website['domain_id'], $this->website['document_root'], $conf['server_id']);
+			foreach ($records as $record) {
+				$options[] = 'skip='.$record['web_folder'];
+			}
+
 			$app->system->update_jailkit_chroot($this->website['document_root'], $sections, $programs, $options);
 		}
 
@@ -3824,7 +3834,13 @@ private function _delete_jailkit_if_unused($parent_domain_id) {
 			return;
 		}
 
-		$app->system->delete_jailkit_chroot($parent_domain['document_root']);
+		$options = array();
+		$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $parent_domain_id, $parent_domain['document_root'], $conf['server_id']);
+		foreach ($records as $record) {
+			$options[] = 'skip='.$record['web_folder'];
+		}
+
+		$app->system->delete_jailkit_chroot($parent_domain['document_root'], $options);
 
 		// this gets last_jailkit_update out of sync with master db, but that is ok,
 		// as it is only used as a timestamp to moderate the frequency of updating on the slaves

server/plugins-available/cron_jailkit_plugin.inc.php

@@ -296,6 +296,11 @@ function _setup_jailkit_chroot()
 				return;
 			}
 
+			$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $this->parent_domain['domain_id'], $this->parent_domain['document_root'], $conf['server_id']);
+			foreach ($records as $record) {
+				$options[] = 'skip='.$record['web_folder'];
+			}
+
 			$app->system->update_jailkit_chroot($this->parent_domain['document_root'], $sections, $programs, $options);
 		}
 
@@ -392,7 +397,13 @@ private function _delete_jailkit_if_unused($parent_domain_id) {
 			return;
 		}
 
-		$app->system->delete_jailkit_chroot($parent_domain['document_root']);
+		$options = array();
+		$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $parent_domain_id, $parent_domain['document_root'], $conf['server_id']);
+		foreach ($records as $record) {
+			$options[] = 'skip='.$record['web_folder'];
+		}
+
+		$app->system->delete_jailkit_chroot($parent_domain['document_root'], $options);
 
 		// this gets last_jailkit_update out of sync with master db, but that is ok,
 		// as it is only used as a timestamp to moderate the frequency of updating on the slaves

server/plugins-available/nginx_plugin.inc.php

@@ -669,6 +669,11 @@ function update($event_name, $data) {
 			$programs = $jailkit_config['jailkit_chroot_app_programs'] . ' '
 				  . $jailkit_config['jailkit_chroot_cron_programs'];
 
+			$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $data['new']['domain_id'], $data['new']['document_root'], $conf['server_id']);
+			foreach ($records as $record) {
+				$options[] = 'skip='.$record['web_folder'];
+			}
+
 			// don't update if last_jailkit_hash is the same
 			$tmp = $app->db->queryOneRecord('SELECT `last_jailkit_hash` FROM web_domain WHERE domain_id = ?', $data['new']['parent_domain_id']);
 			if ($update_hash != $tmp['last_jailkit_hash']) {
@@ -3462,7 +3467,7 @@ private function get_seo_redirects($web, $prefix = '', $force_subdomain = false)
 
 	function _setup_jailkit_chroot()
 	{
-		global $app;
+		global $app, $conf;
 
 		$app->uses('system');
 
@@ -3525,6 +3530,11 @@ function _setup_jailkit_chroot()
 				return;
 			}
 
+			$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $this->website['domain_id'], $this->website['document_root'], $conf['server_id']);
+			foreach ($records as $record) {
+				$options[] = 'skip='.$record['web_folder'];
+			}
+
 			$app->system->update_jailkit_chroot($this->website['document_root'], $sections, $programs, $options);
 		}
 
@@ -3602,7 +3612,13 @@ private function _delete_jailkit_if_unused($parent_domain_id) {
 			return;
 		}
 
-		$app->system->delete_jailkit_chroot($parent_domain['document_root']);
+		$options = array();
+		$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $parent_domain_id, $parent_domain['document_root'], $conf['server_id']);
+		foreach ($records as $record) {
+			$options[] = 'skip='.$record['web_folder'];
+		}
+
+		$app->system->delete_jailkit_chroot($parent_domain['document_root'], $options);
 
 		// this gets last_jailkit_update out of sync with master db, but that is ok,
 		// as it is only used as a timestamp to moderate the frequency of updating on the slaves

server/plugins-available/shelluser_jailkit_plugin.inc.php

@@ -286,7 +286,7 @@ function delete($event_name, $data) {
 
 	function _setup_jailkit_chroot()
 	{
-		global $app;
+		global $app, $conf;
 
 		if (isset($this->jailkit_config) && isset($this->jailkit_config['jailkit_hardlinks'])) {
 			if ($this->jailkit_config['jailkit_hardlinks'] == 'yes') {
@@ -356,6 +356,11 @@ function _setup_jailkit_chroot()
 				return;
 			}
 
+			$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $this->data['new']['parent_domain_id'], $this->data['new']['dir'], $conf['server_id']);
+			foreach ($records as $record) {
+				$options[] = 'skip='.$record['web_folder'];
+			}
+
 			$app->system->update_jailkit_chroot($this->data['new']['dir'], $sections, $programs, $options);
 		}
 
@@ -621,7 +626,13 @@ private function _delete_jailkit_if_unused($parent_domain_id) {
 			return;
 		}
 
-		$app->system->delete_jailkit_chroot($parent_domain['document_root']);
+		$options = array();
+		$records = $app->db->queryAllRecords('SELECT web_folder FROM `web_domain` WHERE `parent_domain_id` = ? AND `document_root` = ? AND web_folder != \'\' AND web_folder IS NOT NULL AND `server_id` = ?', $parent_domain_id, $parent_domain['document_root'], $conf['server_id']);
+		foreach ($records as $record) {
+			$options[] = 'skip='.$record['web_folder'];
+		}
+
+		$app->system->delete_jailkit_chroot($parent_domain['document_root'], $options);
 
 		// this gets last_jailkit_update out of sync with master db, but that is ok,
 		// as it is only used as a timestamp to moderate the frequency of updating on the slaves