You said at beginning of your comments "now i don't use firefox (or any 'modern browser)" may I ask which browser you like to use? And for what reasons?
thanks in advance On Thu, Mar 19, 2015 at 7:56 PM, dan mclaughlin <thev...@openmailbox.org> wrote: > here are the scripts i wrote to make this easier. these really were made > for my own use, but i hope others may find them useful. i would be > interested to know if anyone else actually does find them useful. would > also be glad to know of any errors/problems/things that can go wrong i > didn't think of. > > > the first one (jail_new) creates a new jail (and possibly the user). > the second one (jail_pkgadd) adds a package and its dependencies to an > existing jail. they are expected to be in the same directory (jail_new > cannot add packages (-p) otherwise). > > to relate to my earlier examples: > > $ jail_new -tu _inmate:_chaingang /home/jail > > will create the jail in /home/jail and also the user _inmate and group > _chaingang. this case it will be just be a regular shell account (just > chrooted). > > $ jail_new -t _inmate:_chaingang /home/jail > > will create the jail, but will not create the user:group. > > > a real case: > > $ jail_new -tux -k /home/null/.ssh/id_rsa.pub -p w3m,feh:/usr/release/pkg > browse /home/browse w3m -B > > this command sets up the terminal (-t) and X (-x) in a directory (here > /home/browse), creates a user (-u) (in this case 'browse'), uses the given > key file (-k) for the authorized keys, installs the packages (-p) w3m and > feh (and all of their dependencies) from directory /usr/release/pkg, and > sets 'w3m -B' to run automatically via ForceCommand in sshd_config. > > this is the equivalent of: > > $ jail_new -tux -k /home/null/.ssh/id_rsa.pub browse /home/browse w3m -B > $ jail_pkgadd -p /usr/release/pkg w3m /home/browse > $ jail_pkgadd -p /usr/release/pkg feh /home/browse > > if you want bzip2 in there as well, you can always add it later: > > $ jail_pkgadd -p /usr/release/pkg bzip2 /home/browse > > or, if PKG_PATH is set (and not remote) you can omit -p > > $ jail_pkgadd bzip2 /home/browse > > if PKG_PATH is set, and is remote, you need: > > $ jail_pkgadd -r bzip2 /home/browse > > (note: will only allow a single directory for PKG_PATH) > > this can be used by running: > > $ Xephyr :1 & env DISPLAY=:1 ssh -X browse@localhost > > (side note: w3m runs 'display' to display an image, so i create a symlink > to feh to view images) > > > another case: > > $ jail_new -tuxr -k /home/null/.ssh/id_rsa.pub -p > xpdf:scp://null@node02/usr/release/pkg > pdf /home/pdf > > you need to specify -r (remote) directly to use remote pkg src. > > which is the equivalent of: > > $ jail_new -tux -k /home/null/.ssh/id_rsa.pub pdf /home/pdf > $ jail_pkgadd -r -p scp://null@node02/usr/release/pkg xpdf /home/pdf > > which can be used: > > $ cp test.pdf /home/pdf/tmp > $ Xephyr :1 & env DISPLAY=:1 ssh -X browse@localhost xpdf -fullscreen > /tmp/test.pdf > > (in this case it may be best not to use ForceCommand, since you may want to > open multiple documents.) > > > WARNING use at your own peril. if you can't read the scripts, you probably > shouldn't use them, and then i am certain there are other glaring security > flaws you need to know about. i include these because it is a dull pain in > the ass to do this manually, and hopefully someone may get some use out of > them. > > other than that, do with it what you wish. > > they are as fool-proof as i could make them, so that i don't shoot myself > in > the foot accidently (and i have been around long enough to have done that a > few times, even while being careful). but you never know. > > jail_new: > -------------------------------------------------- > #!/bin/ksh > USAGE="${0##*/} [-jrtux] [-k authkeys] [-p pkg[,pkg2...][:pkgpath]] > user[:group] path [cmd [args ...]]" > [[ "$1" = -h ]] && { echo "USAGE $USAGE"; return 0; } > > #-t sets PermitTTY and copies files for term > #-x sets X11Forwarding and copies files for X (fonts,xauth) > #-u creates user; fails if user exists > #-j joins group; needed to join existing group > #-p pkg[,pkg2...][:pkgpath] > #-r allows remote pkg access > #uses existing PKG_PATH > #pkgpath arg overrides PKG_PATH > > #only accepts a lone pkgpath > > PATH=/sbin:/bin:/usr/sbin:/usr/bin > > echov() { eval echo \"\$$1\"; } > isemptyv() { eval [ \${#$1} -eq 0 ]; } > notemptyv() { eval [ \${#$1} -gt 0 ]; } > alias xt='set -o xtrace' > alias xt-='set +o xtrace' > > if [ $(id -u) -eq 0 ];then > echo "ERR cannot run as root" > return 1 > fi > > _sshd_config=/etc/ssh/sshd_config > _sshd_config_tmp=/tmp/sshd_config > > trap "rm -f $_sshd_config_tmp" 0 2 > > #for convenience > _fontdir=/usr/X11R6/lib/X11/fonts > _terminfo=/usr/share/misc/terminfo.db > _termcap=/usr/share/misc/termcap > > _do_x=no > _do_tty=no > _do_useradd= > _do_joingrp= > _do_remote= > _authkeys= > _pkg= > _pkgpath= > _userhome=/home/cell > while getopts :jrtuxk:p: _opt;do > case "$_opt" in > j) _do_joingrp=yes ;; > r) _do_remote=-r ;; > t) _do_tty=yes ;; > u) _do_useradd=yes ;; > x) _do_x=yes ;; > k) _authkeys=$OPTARG > if [ ! -f "$_authkeys" ];then > echo "ERR no such file '$_authkeys'" > return 1 > fi > ;; > p) _pkg=$OPTARG > if [[ "$_pkg" = *:* ]];then > _pkgpath=${_pkg#*:} > _pkg=${_pkg%%:*} > export PKG_PATH=$_pkgpath > else > if isemptyv PKG_PATH;then > echo "ERR PKG_PATH not set and none given" > return 1 > fi > _pkgpath=$PKG_PATH > fi > if [[ "$_pkgpath" = *://* ]];then > if isemptyv _do_remote;then > echo "ERR pkgpath is remote; use -r" > return 1 > fi > if [[ "$_pkgpath" = *:*:* ]];then > echo "ERR invalid pkgpath '$_pkgpath'; only one dir permitted" > return 1 > fi > else > if [[ "$_pkgpath" = *:* ]];then > echo "ERR invalid pkgpath '$_pkgpath'; only one dir permitted" > return 1 > fi > fi > if isemptyv _do_remote && [ ! -d "$_pkgpath" ];then > echo "ERR no such dir '$_pkgpath'" > return 1 > fi > _cmd_jailpkgadd=$(dirname $0)/jail_pkgadd > if [ ! -f $_cmd_jailpkgadd ];then > echo "ERR cannot locate jail_pkgadd script" > return 1 > fi > ;; > :) echo "ERR no arg for '-$OPTARG'"; return 1 ;; > *) echo "ERR invalid arg '-$OPTARG'"; return 1 ;; > esac > done > shift $((OPTIND-1)) > > _user=$1 > _jailroot=$2 > _cmd=$3 > > if isemptyv _user;then > echo "ERR user not given" > return 1 > fi > if isemptyv _jailroot;then > echo "ERR jailroot path not given" > return 1 > fi > shift 2 > if [ -e $_jailroot ];then > echo "ERR $_jailroot already exists" > return 1 > fi > > _authkeysfile=$_jailroot.authkeys > _dbdir=$_jailroot/var/db/pkg > > #check/setup user/group > getfreeuid() { > local _uid=1000 > local _uid_list="$(awk -F : '{printf $3"\n"}' /etc/passwd)" > local _gid_list="$(awk -F : '{printf $3"\n"}' /etc/group)" > while [ $_uid -gt 900 ];do > _uid=$((_uid-1)) > echov _uid_list | grep -q "^$_uid$" && continue > echov _gid_list | grep -q "^$_uid$" && continue > break > done > [ $_uid -lt 900 ] && return 1 > echo $_uid > } > > _group=${_user#*:} > _user=${_user%:*} > if grep -q ^$_user: /etc/passwd;then > if notemptyv _do_useradd;then > echo "ERR user '$_user' already exists" > return 1 > fi > _userhome=$(grep ^$_user: /etc/passwd | awk -F : '{printf $4":"$6}') > _group=${_userhome%:*} > _userhome=${_userhome#*:} > _jailhome=$_jailroot$_userhome > else > if isemptyv _do_useradd;then > echo "ERR user '$_user' does not exist; use -u to create" > return 1 > fi > _uid=$(getfreeuid) || { echo "ERR no uid free"; return 1; } > if [[ "$_user" = "$_group" ]];then > _group="=uid" > else > if grep -q ^$_group: /etc/group;then > if isemptyv _do_joingrp;then > echo "ERR group '$_group' exists; use -j to join" > return 1 > fi > else > if notemptyv _do_joingrp;then > echo "ERR group '$_group' doesn't exist; cannot use -j to join" > return 1 > fi > if ! sudo groupadd -g $_uid $_group;then > echo "ERR failed to add group '$_group' gid '$_uid'" > return 1 > fi > fi fi > if ! sudo useradd -u $_uid -g $_group -c "public jail" \ > -s /bin/sh -d $_userhome $_user 2>&1 > then > echo "ERR useradd failed" > return 1 > fi | grep -v "Warning: home" > _group=$_uid > fi > > _jailhome=$_jailroot$_userhome > > sudo mkdir -p $_jailhome || return 1 > > > cat >$_sshd_config_tmp <<CONF > Match User $_user > ChrootDirectory $_jailroot > AuthorizedKeysFile $_authkeysfile > X11Forwarding $_do_x > PermitTTY $_do_tty > CONF > set -f > notemptyv _cmd && echo " ForceCommand $*" >>$_sshd_config_tmp > set +f > > > #setup filesystem > > isemptyv _authkeys && _authkeys=/dev/null > sudo sh -c "cat $_authkeys >$_authkeysfile" || return 1 > sudo chown $_user:$_group $_jailhome $_authkeysfile || return 1 > > sudo mkdir -p $_jailroot/dev || return 1 > if [[ "$_do_tty" = yes ]];then > sudo mknod -m 644 $_jailroot/dev/arandom c 45 3 || return 1 > sudo mknod -m 666 $_jailroot/dev/null c 2 2 || return 1 > sudo mknod -m 666 $_jailroot/dev/stderr c 22 2 || return 1 > sudo mknod -m 666 $_jailroot/dev/stdin c 22 0 || return 1 > sudo mknod -m 666 $_jailroot/dev/stdout c 22 1 || return 1 > sudo mknod -m 666 $_jailroot/dev/tty c 1 0 || return 1 > sudo mknod -m 666 $_jailroot/dev/zero c 2 12 || return 1 > #sudo mknod -m 666 $_jailroot/dev/ttyp0 c 5 0 || return 1 > #might want to add ttypN to make sshd happy > fi > > sudo mkdir -p $_jailroot/{bin,sbin,etc,tmp,var/run} $_dbdir > sudo mkdir -p $_jailroot/usr/{libexec,{,X11R6,local}/{bin,lib}} > sudo cp -p /sbin/ldconfig $_jailroot/sbin > sudo cp -p /usr/libexec/ld.so $_jailroot/usr/libexec > sudo chroot $_jailroot ldconfig /usr/{,X11R6,local}/lib > sudo chmod 1777 $_jailroot/tmp > > sudo cp -p /bin/sh $_jailroot/bin > > sudo cp -pR /etc/{hosts,resolv.conf,localtime} $_jailroot/etc > > > if [[ "$_do_x" = yes ]];then > _xauth=/usr/X11R6/bin/xauth > sudo cp -p /bin/sh $_jailroot/bin > sudo cp -p $_xauth $_jailroot$_xauth > for _lib in $(ldd $_xauth | grep ' rlib ' | awk '{printf $7" "}');do > [ -f $_jailroot/$_lib ] && continue > sudo cp -p $_lib $_jailroot/$_lib || return 1 > done > sudo cp -rp /etc/fonts $_jailroot/etc || return 1 > sudo mkdir -p $_jailroot/${_fontdir%/*} || return 1 > sudo cp -rp $_fontdir $_jailroot/$_fontdir || return 1 > fi > > if [[ "$_do_tty" = yes ]];then > #for terminal eg w3m > sudo mkdir -p $_jailroot${_terminfo%/*} || return 1 > sudo cp -p $_terminfo $_termcap $_jailroot${_terminfo%/*} || return 1 > #may still need /etc/termcap > #sudo cp -R /etc/termcap $_jailroot/etc || return 1 > fi > > echo "WARNING will update /etc/ssh/sshd_config with the following:\n" > cat $_sshd_config_tmp > echo > read _update_ssh?"update sshd_config and restart sshd? (type 'yes') " > if notemptyv _update_ssh && [[ "$_update_ssh" = yes ]];then > sudo sh -c "cat $_sshd_config_tmp >>$_sshd_config" > [ -f /var/run/sshd.pid ] && sudo kill -1 $(</var/run/sshd.pid) > fi > > if notemptyv _pkg;then > IFS=, > for _thispkg in $_pkg;do > $_cmd_jailpkgadd $_do_remote -p $_pkgpath $_thispkg $_jailroot > done > fi > > -------------------------------------------------- > > > jail_pkgadd: > -------------------------------------------------- > #!/bin/ksh > USAGE="${0##*/} [-r] [-p pkg_path] pkg [jailroot]" > [[ "$1" = -h ]] && { echo "USAGE $USAGE"; return 0; } > > PATH=/sbin:/bin:/usr/sbin:/usr/bin > > #a few functions of my own > #these are easier to type, and save me debugging time due to common things > #like quotes, $, etc > #takes a variable name as an arg, hence 'v' suffix > echov() { eval echo \"\$$1\"; } > isemptyv() { eval [ \${#$1} -eq 0 ]; } > notemptyv() { eval [ \${#$1} -gt 0 ]; } > alias usage='echo "USAGE $USAGE"' > alias xt='set -o xtrace' > alias xt-='set +o xtrace' > > if [ $(id -u) -eq 0 ];then > echo "ERR should not run as root" > return 1 > fi > if [[ "$(id -nG)" != *wsrc* ]];then > echo "ERR user not in wsrc; needed for pkg_add" > return 1 > fi > > #_pkg_dir read from PKG_PATH > #-p overrides PKG_PATH > #if neither set, uses default > > _do_remote= > _pkg_dir=$PKG_PATH > while getopts :rp: _opt;do > case "$_opt" in > r) _do_remote=true ;; > p) _pkg_dir=$OPTARG > ;; > :) echo "ERR no arg for '-$OPTARG'"; return 1 ;; > *) echo "ERR invalid arg '-$OPTARG'"; return 1 ;; > esac > done > shift $((OPTIND-1)) > _pkg_dir=${_pkg_dir:-/usr/ports/packages/`arch -s`/all} > _pkg_dbdir=/var/db/pkg > export PKG_PATH="$_pkg_dir" > > if [[ "$_pkg_dir" = *://* ]];then > if isemptyv _do_remote;then > echo "ERR invalid pkg dir; need -r for remote" > return 1 > fi > if [[ "$_pkg_dir" = *:*:* ]];then > echo "ERR invalid pkg dir; only one dir allowed" > return 1 > fi > else > _do_remote= > if [[ "$_pkg_dir" = *:* ]];then > echo "ERR invalid pkg dir; only one dir allowed" > return 1 > fi > if [ ! -d "$_pkg_dir" ];then > echo "ERR pkg dir '$_pkg_dir' does not exist" > return 1 > fi > fi > > _pkg=$1 > _jailroot=$2 > if isemptyv _pkg;then > echo "ERR no package given" > usage > return 1 > fi > _jailroot=${_jailroot:-/home/jail} > if [ ! -d "$_jailroot" ];then > echo "ERR no such dir '$_jailroot'" > return 1 > fi > _jail_dbdir=$_jailroot$_pkg_dbdir > > #set to /tmp to ignore installed package and use PKG_PATH > _pkg_file=$(PKG_DBDIR=/tmp pkg_info -c $_pkg | sed -n 's!^Information > for.*/!!p') > if isemptyv _pkg_file;then > echo "ERR could not find pkg '$_pkg'" > return 1 > fi > > ##get list of required packages > ##only works if /usr/ports is in sync with packages in PKG_PATH > #_pkgpath=$(pkg_info -P $_pkg | grep ^[a-z]) > #if isemptyv _pkgpath;then > # echo "ERR cannot find port '$_pkg'" > # return 1 > #fi > #_pkgpath=/usr/ports/$_pkgpath > #cd $_pkgpath > #_pkg_list=$(make print-run-depends) || return $? > #_pkg_list=$(echov _pkg_list | sed -e 's/.*"\([^"]*\)".*/\1 /' -e 's/ > /.tgz /g') > #_pkg_list="${_pkg_list}$_pkg_file" > > _depend_list= > function get_depends { > local _pkg=$1 _depend > for _depend in $(pkg_info -f $_pkg | sed -n 's/^@depend.*://p');do > echo $_pkg $_depend > [[ "$_depend_list" = *\ $_depend\ * ]] && continue > get_depends $_depend > _depend_list="$_depend_list $_depend " > done > } > _pkg_list="$(get_depends ${_pkg_file%.tgz} | tsort -r)" > isemptyv _pkg_list && _pkg_list=${_pkg_file%.tgz} > > > #if local go thru list to make sure pkgs are all there > if isemptyv _do_remote;then > for _pkg in $_pkg_list;do > [ -f $_pkg_dir/$_pkg.tgz ] && continue > echo "ERR pkg '$_pkg' not found" > return 1 > done > fi > > #keep list of libraries to avoid repeating find > _lib_tree=$(find /usr/{,X11R6}/lib -type f) > > for _pkg in $_pkg_list;do > #check if package already installed > [ -d $_jail_dbdir/$_pkg ] && continue > > #get list of @wantlib's that need copying > _lib_list=$(pkg_info -f $_pkg | sed -n 's/^@wantlib //p') > > #get list of binaries in the pkg to check for more dependencies > _bin_list=$(pkg_info -f $_pkg | sed -n 's/^@bin //p') > > #hopefully this handles all the quicks for @lib > for _lib in $_lib_list;do > _lib_relpath= > if [[ "$_lib" = */* ]];then > _lib_relpath=${_lib%/*} > _lib=${_lib##*/} > fi > _lib_ver_min=${_lib##*.} > _lib_name=${_lib%.*} > _lib_ver_maj=${_lib_name##*.} > _lib_name=${_lib_name%.*} > _lib_fn=lib$_lib_name.so.$_lib_ver_maj.$_lib_ver_min > > if isemptyv _lib_relpath;then > #ASSUME want libraries only -maxdepth 1 > _lib_pathn=$(find $_jailroot/usr/{,X11R6,local}/lib -maxdepth 1 > -name $_lib_fn) > else > _lib_pathn=$_jailroot/usr/local/$_lib_relpath/$_lib_fn > fi > [ -f "$_lib_pathn" ] && continue > #lib not in jail > _lib_pathn=$(echov _lib_tree | grep $_lib_fn$) > if isemptyv _lib_pathn || notemptyv _lib_relpath;then > #never copy from /usr/local > echo "WARN could not find $_lib_fn" > else > sudo cp -p $_lib_pathn $_jailroot/$_lib_pathn > fi > done > > #ignore unsigned packages (-D unsigned) since i built them > #sudo env PKG_DBDIR=$_jail_dbdir pkg_add -m -B $_jailroot -D unsigned > $_pkg > sudo env PKG_DBDIR=$_jail_dbdir pkg_add -m -B $_jailroot $_pkg > > #rebuild ld.so.hints with new libraries > sudo chroot $_jailroot ldconfig /usr/{,X11R6,local}/lib > > #go thru binaries in package and get additional dependencies > (cd $_jailroot/usr/local > for _bin in $_bin_list;do > for _lib in $(ldd $_bin | grep ' rlib ' | grep -v /usr/local/lib | > awk '{printf $7" "}');do > [ -f $_jailroot/$_lib ] || sudo cp -p $_lib $_jailroot/$_lib > done > done) > done > > #env PKG_DBDIR=$_dbdir pkg_add -B /home/chroot $_pkg > #env PKG_DBDIR=$_dbdir pkg_delete -B /home/chroot $_pkg