Anyone? On Wed, 15 Jan 2020 at 17:35:47 +0100, Gonzalo L. Rodriguez wrote: > Hallo, > > Update for Jailkit to 2.21: > > https://olivier.sessink.nl/jailkit/ > > OK? Comments? > > Cheers.- > > -- > > - gonzalo
> Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/jailkit/Makefile,v > retrieving revision 1.15 > diff -u -p -r1.15 Makefile > --- Makefile 12 Jul 2019 20:49:03 -0000 1.15 > +++ Makefile 15 Jan 2020 16:33:38 -0000 > @@ -2,7 +2,7 @@ > > COMMENT= utilities for jailing a user or process > > -DISTNAME= jailkit-2.19 > +DISTNAME= jailkit-2.21 > CATEGORIES= security sysutils > > HOMEPAGE= http://olivier.sessink.nl/jailkit/ > @@ -13,6 +13,8 @@ MASTER_SITES= http://olivier.sessink.nl > PERMIT_PACKAGE= Yes > > MODULES= lang/python > +MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3} > + > WANTLIB += c pthread > > NO_TEST= Yes > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/jailkit/distinfo,v > retrieving revision 1.8 > diff -u -p -r1.8 distinfo > --- distinfo 20 Dec 2015 15:43:46 -0000 1.8 > +++ distinfo 15 Jan 2020 16:33:38 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (jailkit-2.19.tar.gz) = /ZYS3Vf0o5q/zeZHxCBhbFyjf1mCuMB6j7XLNSSU/Ig= > -SIZE (jailkit-2.19.tar.gz) = 142280 > +SHA256 (jailkit-2.21.tar.gz) = egIOB635OGDFOPDZgZauoz1GG6vbqLs+3fcIHleinBQ= > +SIZE (jailkit-2.21.tar.gz) = 141341 > Index: patches/patch-Makefile_in > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-Makefile_in,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-Makefile_in > --- patches/patch-Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1 > +++ patches/patch-Makefile_in 15 Jan 2020 16:33:38 -0000 > @@ -2,24 +2,25 @@ $OpenBSD: patch-Makefile_in,v 1.1.1.1 20 > > We do not want the packge to manipulate our /etc/shells, use @shell in PLIST > > ---- Makefile.in.orig Sat Sep 11 15:45:26 2010 > -+++ Makefile.in Mon Sep 13 08:01:37 2010 > +Index: Makefile.in > +--- Makefile.in.orig > ++++ Makefile.in > @@ -69,12 +69,12 @@ install: > @cd man/ && $(MAKE) install > # test if the jk_chrootsh is already in /etc/shells > # this previously had @echo but that fails on FreeBSD > -- if test -w /etc/shells; then \ > -- if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ > -- echo "appending ${prefix}/sbin/jk_chroots to > /etc/shells";\ > -- echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ > -- fi \ > -- fi > -+ #if test -w /etc/shells; then \ > -+ # if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ > -+ # echo "appending ${prefix}/sbin/jk_chroots to > /etc/shells";\ > -+ # echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ > -+ # fi \ > -+ #fi > +- #if test -w /etc/shells; then \ > +- # if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ > +- # echo "appending ${prefix}/sbin/jk_chroots to > /etc/shells";\ > +- # echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ > +- # fi \ > +- #fi > ++ if test -w /etc/shells; then \ > ++ if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ > ++ echo "appending ${prefix}/sbin/jk_chroots to > /etc/shells";\ > ++ echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ > ++ fi \ > ++ fi > > > uninstall: > Index: patches/patch-ini_jk_init_ini > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-ini_jk_init_ini,v > retrieving revision 1.3 > diff -u -p -r1.3 patch-ini_jk_init_ini > --- patches/patch-ini_jk_init_ini 26 Mar 2014 17:38:27 -0000 1.3 > +++ patches/patch-ini_jk_init_ini 15 Jan 2020 16:33:38 -0000 > @@ -2,13 +2,14 @@ $OpenBSD: patch-ini_jk_init_ini,v 1.3 20 > > fix some default paths in the jail creation configuration file > > ---- ini/jk_init.ini.orig Mon Dec 23 06:02:42 2013 > -+++ ini/jk_init.ini Wed Dec 25 16:04:26 2013 > +Index: ini/jk_init.ini > +--- ini/jk_init.ini.orig > ++++ ini/jk_init.ini > @@ -2,18 +2,18 @@ > # this section probably needs adjustment on 64bit systems > # or non-Linux systems > comment = common files for all jails that need user/group information > --paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, > /lib/x86_64-linux-gnu/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf > +-paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, > /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, > /lib/arm-linux-gnueabihf/libnsl*.so.1, /etc/nsswitch.conf, /etc/ld.so.conf > +paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, > /lib/x86_64-linux-gnu/libnss*.so.2, ${SYSCONFDIR}/nsswitch.conf, > ${SYSCONFDIR}/ld.so.conf > # Solaris needs > -# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, > /etc/nsswitch.conf > @@ -16,7 +17,7 @@ fix some default paths in the jail creat > > [netbasics] > comment = common files for all jails that need any internet connectivity > --paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf, > /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services > +-paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, > /lib/libnss_mdns*.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, > /etc/protocols, /etc/services > +paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, > ${SYSCONFDIR}/resolv.conf, ${SYSCONFDIR}/host.conf, ${SYSCONFDIR}/hosts, > ${SYSCONFDIR}/protocols, ${SYSCONFDIR}/services > # on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure > > @@ -27,89 +28,3 @@ fix some default paths in the jail creat > need_logsocket = 1 > # Solaris does not need logsocket > # but needs > -@@ -21,7 +21,7 @@ need_logsocket = 1 > - > - [jk_lsh] > - comment = Jailkit limited shell > --paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini > -+paths = ${TRUEPREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini > - users = root > - groups = root > - includesections = uidbasics, logbasics > -@@ -71,14 +71,14 @@ devices = /dev/null > - > - [basicshell] > - comment = bash based shell with several basic utilities > --paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, > egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, > pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, > /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, > /usr/lib/locale/en_US.utf8 > -+paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, > egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, > pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, > ${SYSCONFDIR}/motd, ${SYSCONFDIR}/issue, ${SYSCONFDIR}/bash.bashrc, > ${SYSCONFDIR}/bashrc, ${SYSCONFDIR}/profile, /usr/lib/locale/en_US.utf8 > - users = root > - groups = root > - includesections = uidbasics > - > - [midnightcommander] > - comment = Midnight Commander > --paths = mc, mcedit, mcview, /usr/share/mc > -+paths = mc, mcedit, mcview, ${LOCALBASE}/share/mc > - includesections = basicshell, terminfo > - > - [extendedshell] > -@@ -88,12 +88,12 @@ includesections = basicshell, midnightcommander, edito > - > - [terminfo] > - comment = terminfo databases, required for example for ncurses or vim > --paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo > -+paths = ${SYSCONFDIR}/terminfo, /usr/share/terminfo, /lib/terminfo > - > - [editors] > - comment = vim, joe and nano > - includesections = terminfo > --paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim > -+paths = joe, nano, vi, vim, ${SYSCONFDIR}/vimrc, ${SYSCONFDIR}/joe, > /usr/share/vim > - > - [netutils] > - comment = several internet utilities like wget, ftp, rsync, scp, ssh > -@@ -110,7 +110,7 @@ includesections = extendedshell, netutils, apacheutils > - > - [openvpn] > - comment = jail for the openvpn daemon > --paths = /usr/sbin/openvpn > -+paths = ${LOCALBASE}/sbin/openvpn > - users = root,nobody > - groups = root,nogroup > - includesections = netbasics > -@@ -120,7 +120,7 @@ need_logsocket = 1 > - > - [apache] > - comment = the apache webserver, very basic setup, probably too limited for > you > --paths = /usr/sbin/apache > -+paths = ${TRUEPREFIX}/apache > - users = root, www-data > - groups = root, www-data > - includesections = netbasics, uidbasics > -@@ -131,16 +131,16 @@ paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/shar > - > - [xauth] > - comment = getting X authentication to work > --paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf > -+paths = ${X11BASE}/bin/xauth, ${X11BASE}/lib/X11/rgb.txt > - > - [xclients] > - comment = minimal files for X clients > --paths = /usr/X11R6/lib/X11/rgb.txt > -+paths = ${X11BASE}/lib/X11/rgb.txt > - includesections = xauth > - > - [vncserver] > - comment = the VNC server program > --paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/ > -+paths = Xvnc, Xrealvnc, ${X11BASE}/lib/X11/fonts/ > - includesections = xclients > - > - [ping] > -@@ -149,5 +149,5 @@ paths_w_setuid = /bin/ping > - > - #[xterm] > - #comment = xterm > --#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo > -+#paths = ${X11BASE}/bin/xterm, /usr/share/terminfo, ${SYSCONFDIR}/terminfo > - #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, > /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4 > Index: patches/patch-man_Makefile_in > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_Makefile_in,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_Makefile_in > --- patches/patch-man_Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1 > +++ patches/patch-man_Makefile_in 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_Makefile_in,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $ > ---- man/Makefile.in.orig Mon Oct 20 00:03:54 2008 > -+++ man/Makefile.in Mon Oct 20 00:05:31 2008 > -@@ -21,7 +21,7 @@ SRCS = \ > +Index: man/Makefile.in > +--- man/Makefile.in.orig > ++++ man/Makefile.in > +@@ -20,7 +20,7 @@ SRCS = \ > > @HAVEPROCMAIL_TRUE@SRCS += jk_procmailwrapper.8 > > --MANS = $(SRCS:.8=.8.gz) > -+MANS = $(SRCS) > +-MANS = $(SRCS) > ++MANS = $(SRCS:.8=.8.gz) > > #%.8.gz : %.8 > # gzip -9 > $@ < $< > Index: patches/patch-man_jailkit_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jailkit_8,v > retrieving revision 1.2 > diff -u -p -r1.2 patch-man_jailkit_8 > --- patches/patch-man_jailkit_8 26 Mar 2014 17:38:27 -0000 1.2 > +++ patches/patch-man_jailkit_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jailkit_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $ > ---- man/jailkit.8.orig Sat Dec 21 18:05:22 2013 > -+++ man/jailkit.8 Wed Dec 25 16:01:05 2013 > +Index: man/jailkit.8 > +--- man/jailkit.8.orig > ++++ man/jailkit.8 > @@ -36,7 +36,7 @@ This section gives summary sketches of the various pro > > .BR jk_init > can be used to quickly create a jail with several files or directories > needed for a specific task or profile. Creating the same jail over and over > again is easily automated with jk_init. There are many tasks in > --.I /etc/jailkit/jk_init.ini > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini > ++.I /etc/jailkit/jk_init.ini > predefined that work on Debian or Ubuntu systems. For other platforms you > might need to update the predefined configuration. For example, you can use > jk_init to quickly set up a limited shell, a jail to run apache, or a jail > for just sftp and scp. It will copy the binaries, the required libraries (and > related symlinks) as well as other files such as /etc/passwd. These are all > copied into the jail directory so that a jailed process can run them. > > .BR jk_cp > @@ -14,18 +15,18 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014 > > .BR jk_lsh > is a limited shell that allows only those commands to be executed as > specified in its configuration file. > --.I /etc/jailkit/jk_lsh.ini. > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini. > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini. > ++.I /etc/jailkit/jk_lsh.ini. > It is typically started in one of two ways, by specifying it as the user's > shell or by using the jk_chrootsh program. The first way is implemented by > specifying jk_lsh as the shell in the user's entry in the 'real' > .I /etc/passwd > file. In this case, it executes in the normal file system and reads its > configuration from > --.I /etc/jailkit/jk_lsh.ini. > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini. > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini. > ++.I /etc/jailkit/jk_lsh.ini. > In the second way, jk_lsh is started from within jk_chrootsh by specifying > it as the shell in the passwd file located inside the JAIL directory: > .I JAIL/etc/passwd, > in which case it reads its configuration from within the JAIL: > --.I JAIL/etc/jailkit/jk_lsh.ini. > -+.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini. > +-.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini. > ++.I JAIL/etc/jailkit/jk_lsh.ini. > The latter is the recommended approach for highest security. > Use this program if you want to deny regular shell access (e.g. logins) but > you want to allow execution of only one or a few commands such sftp, scp, > rsync, or cvs. > > @@ -33,14 +34,14 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014 > is a utility to give regular users access to the > .BR chroot(2) > (change root) system call in a safe way. Which users are allowed in which > jails is controlled from > --.I /etc/jailkit/jk_uchroot.ini > -+.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini > +-.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini > ++.I /etc/jailkit/jk_uchroot.ini > Use this utility for users that can run processes both inside a jail and > outside a jail. > > .BR jk_socketd > is a daemon that allows logging safely to syslog from within a jail. It > limits the logging rate based on parameters set in its configuration file: > --.I /etc/jailkit/jk_socketd.ini > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > ++.I /etc/jailkit/jk_socketd.ini > > .BR jk_chrootlaunch > is a utility to start a daemon that cannot do a > @@ -48,20 +49,20 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014 > > .BR jk_check > is a jail integrity checker. It checks a jail for some of the potential > security problems. (Obviously it does not check all possible weaknesses.) It > reports any setuid and setgid programs, checks for any modified programs, > checks for world writable directories, and more. It is configured by > --.I /etc/jailkit/jk_check.ini > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini > ++.I /etc/jailkit/jk_check.ini > . > > .BR jk_list > -@@ -127,9 +127,9 @@ tail /var/log/daemon.log /var/log/auth.log > +@@ -129,9 +129,9 @@ journalctl --since=-1h > .SH FILES > > The jailkit configuration files are located in > --.I /etc/jailkit/ > -+.I ${SYSCONFDIR}/jailkit/ > +-.I ${SYSCONFDIR}/jailkit/ > ++.I /etc/jailkit/ > Note that in some cases the configuration files must be replicated into the > JAIL/etc/jailkit directory and edited appropriately. A jk program that is run > within the jail directory is able to read its configuration from only the > jailed > --.I etc/jailkit > -+.I ${SYSCONFDIR}/jailkit > +-.I ${SYSCONFDIR}/jailkit > ++.I etc/jailkit > directory. > > .SH "SEE ALSO" > Index: patches/patch-man_jk_check_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_check_8,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_jk_check_8 > --- patches/patch-man_jk_check_8 20 Sep 2010 07:15:30 -0000 1.1.1.1 > +++ patches/patch-man_jk_check_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jk_check_8,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $ > ---- man/jk_check.8.orig Tue Oct 28 12:13:02 2008 > -+++ man/jk_check.8 Tue Oct 28 12:13:32 2008 > +Index: man/jk_check.8 > +--- man/jk_check.8.orig > ++++ man/jk_check.8 > @@ -22,7 +22,7 @@ jk_check will run several tests on all files and direc > -test for matching user information in the jail and on the real system > > It will test directories based on the config file > --.I /etc/jailkit/jk_check.ini > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini > ++.I /etc/jailkit/jk_check.ini > but also based on jail patterns (dir/./dir) found in the home directories > in > .I /etc/passwd > > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_check_8,v 1.1.1.1 > The help screen > > .SH FILES > --.I /etc/jailkit/jk_check.ini > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini > ++.I /etc/jailkit/jk_check.ini > > .SH "SEE ALSO" > .BR jailkit(8) > Index: patches/patch-man_jk_chrootlaunch_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_chrootlaunch_8,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_jk_chrootlaunch_8 > --- patches/patch-man_jk_chrootlaunch_8 20 Sep 2010 07:15:30 -0000 > 1.1.1.1 > +++ patches/patch-man_jk_chrootlaunch_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jk_chrootlaunch_8,v 1.1.1.1 2010/09/20 07:15:30 sebastia > Exp $ > ---- man/jk_chrootlaunch.8.orig Tue Oct 28 12:13:39 2008 > -+++ man/jk_chrootlaunch.8 Tue Oct 28 12:35:22 2008 > +Index: man/jk_chrootlaunch.8 > +--- man/jk_chrootlaunch.8.orig > ++++ man/jk_chrootlaunch.8 > @@ -59,7 +59,7 @@ Suppose you want to start Apache inside a jail. Apache > > First we create the jail using > .BR jk_init(8). > --The apachectl program is a shell script, it also needs /bin/sh and > /usr/bin/kill. We also have to copy these into the jail using > -+The apachectl program is a shell script, it also needs /bin/sh and > /bin/kill. We also have to copy these into the jail using > +-The apachectl program is a shell script, it also needs /bin/sh and > /bin/kill. We also have to copy these into the jail using > ++The apachectl program is a shell script, it also needs /bin/sh and > /usr/bin/kill. We also have to copy these into the jail using > .BR jk_cp(8). > Apache also needs its modules from /usr/lib/apache, copy those as well. > Then we can start Apache: > > Index: patches/patch-man_jk_chrootsh_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_chrootsh_8,v > retrieving revision 1.2 > diff -u -p -r1.2 patch-man_jk_chrootsh_8 > --- patches/patch-man_jk_chrootsh_8 16 Nov 2015 13:43:40 -0000 1.2 > +++ patches/patch-man_jk_chrootsh_8 15 Jan 2020 16:33:38 -0000 > @@ -1,19 +1,20 @@ > $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 2015/11/16 13:43:40 ajacoutot Exp $ > ---- man/jk_chrootsh.8.orig Wed Nov 4 22:14:40 2015 > -+++ man/jk_chrootsh.8 Mon Nov 16 14:41:41 2015 > +Index: man/jk_chrootsh.8 > +--- man/jk_chrootsh.8.orig > ++++ man/jk_chrootsh.8 > @@ -11,13 +11,13 @@ jk_chrootsh \- a shell that will put the user inside a > > jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or your > ldap store). That user will be put into a changed root. The directory where > to put the user in is read from the users home directory, the last occurring > /./ sequence is used to mark the location of the changed root. An example > line in /etc/passwd would look like > > --test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh > -+test:x:10000:10000::/home/testchroot/./home/test:${PREFIX}/sbin/jk_chrootsh > +-test:x:10000:10000::/home/testchroot/./home/test:${PREFIX}/sbin/jk_chrootsh > ++test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh > > In this example the user will be chroot-ed into /home/testchroot > > Inside the chroot-ed directory, it will look for /etc/passwd and it will > execute the shell for the user from that file. For the above example the > /etc/passwd file inside the jail should have an entry like > > --test:x:10000:10000::/home/test:/usr/sbin/jk_lsh > -+test:x:10000:10000::/home/test:${PREFIX}/sbin/jk_lsh > +-test:x:10000:10000::/home/test:${PREFIX}/sbin/jk_lsh > ++test:x:10000:10000::/home/test:/usr/sbin/jk_lsh > > Notice that the home directory and the shell are local inside the chroot > > @@ -21,8 +22,8 @@ $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 > system call. Therefore it is setuid root. It will drop its root priveleges > immediately after making the chroot() system call. Since Jailkit 2.8 > jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems that > support capabilities, and then the setuid bit can be removed. > > By default jk_chrootsh does not copy any environment variables. For some > functionality, however, environment variables need to be copied (e.g. the > TERM variable for a functional terminal emulation, or the DISPLAY variable > for X forwarding). In > --.I /etc/jailkit/jk_chrootsh.ini > -+.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > +-.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > ++.I /etc/jailkit/jk_chrootsh.ini > the required environment variables can be listed. An example config file is > shown below. In the example, user bill will get the DISPLAY variable, and all > users in group jail will get the TERM and PATH variables. > > By default jk_chrootsh requires a home directory owned by the user with the > same group as the primary group from the user, and requires the home > directory to be non-writable for group and others. You can relax these > requirements in the configfile as shown below. > @@ -30,8 +31,8 @@ $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 > .SH FILES > > .I /etc/passwd > --.I /etc/jailkit/jk_chrootsh.ini > -+.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > +-.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > ++.I /etc/jailkit/jk_chrootsh.ini > > .SH DIAGNOSTICS > > Index: patches/patch-man_jk_cp_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_cp_8,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_jk_cp_8 > --- patches/patch-man_jk_cp_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > +++ patches/patch-man_jk_cp_8 15 Jan 2020 16:33:38 -0000 > @@ -1,15 +1,16 @@ > $OpenBSD: patch-man_jk_cp_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $ > ---- man/jk_cp.8.orig Tue Oct 28 12:14:36 2008 > -+++ man/jk_cp.8 Tue Oct 28 12:38:41 2008 > +Index: man/jk_cp.8 > +--- man/jk_cp.8.orig > ++++ man/jk_cp.8 > @@ -19,9 +19,9 @@ jk_cp -j /home/testchroot /usr/bin/cvs > > will copy /usr/bin/cvs to /home/testchroot/usr/bin/cvs, and it will copy > the libraries used by cvs also to the jail. > > --jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox > -+jk_cp -k -j /svr/testjail ${LOCALBASE}/bin/firefox > ${LOCALBASE}/mozilla-firefox > +-jk_cp -k -j /svr/testjail ${LOCALBASE}/bin/firefox > ${LOCALBASE}/mozilla-firefox > ++jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox > > --will hardlink /usr/bin/firefox and all files in /usr/share/firefox into > jail /svr/testjail > -+will hardlink ${LOCALBASE}/bin/firefox and all files in > ${LOCALBASE}/mozilla-firefox into jail /svr/testjail > +-will hardlink ${LOCALBASE}/bin/firefox and all files in > ${LOCALBASE}/mozilla-firefox into jail /svr/testjail > ++will hardlink /usr/bin/firefox and all files in /usr/share/firefox into > jail /svr/testjail > > .SH OPTIONS > > Index: patches/patch-man_jk_init_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_init_8,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_jk_init_8 > --- patches/patch-man_jk_init_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > +++ patches/patch-man_jk_init_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $ > ---- man/jk_init.8.orig Sun Feb 7 17:13:06 2010 > -+++ man/jk_init.8 Tue Sep 14 19:12:38 2010 > +Index: man/jk_init.8 > +--- man/jk_init.8.orig > ++++ man/jk_init.8 > @@ -14,7 +14,7 @@ jk_init \- a utility to quicky create functional jail > It is not an easy task to setup a jail (a changed root) in a functional > way. If you want the user to be able to run cvs for example, it will not work > to simply copy the cvs binary into the users jail. You will find that cvs > needs libraries as well. cvs also needs the /dev/null device. Finally you > need something to start cvs: you need a shell too. And the shell might need > files like /etc/passwd and /etc/nsswitch.conf. > > With jk_init you can automate these tasks. You can create a section in the > configfile > --.I /etc/jailkit/jk_init.ini > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini > ++.I /etc/jailkit/jk_init.ini > that has all the files, directories and devices, and you can use jk_init to > setup such a jail with a single command. The default configfile has examples > for cvs, sftp, scp, rsync and more for Debian and Ubuntu Linux. For other > operating systems the defaults might need some (minor) updates. > > .SH EXAMPLE > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 > .sp > [jk_lsh] > comment = Jailkit limited shell > --paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini > -+paths = ${PREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini > +-paths = ${PREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini > ++paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini > users = root > groups = root > need_logsocket = 1 > @@ -23,8 +24,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 > > [sftp] > comment = ssh secure ftp with Jailkit limited shell > --paths = /usr/lib/sftp-server > -+paths = /usr/libexec/sftp-server > +-paths = /usr/libexec/sftp-server > ++paths = /usr/lib/sftp-server > includesections = netbasics, uidbasics > devices = /dev/urandom, /dev/null > emptydirs = /svr > @@ -32,8 +33,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 > The help screen > > .SH FILES > --.I /etc/jailkit/jk_init.ini > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini > ++.I /etc/jailkit/jk_init.ini > > .SH "SEE ALSO" > .BR jailkit(8) > Index: patches/patch-man_jk_jailuser_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_jailuser_8,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_jk_jailuser_8 > --- patches/patch-man_jk_jailuser_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > +++ patches/patch-man_jk_jailuser_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jk_jailuser_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp > $ > ---- man/jk_jailuser.8.orig Tue Oct 28 12:16:15 2008 > -+++ man/jk_jailuser.8 Tue Oct 28 12:40:07 2008 > +Index: man/jk_jailuser.8 > +--- man/jk_jailuser.8.orig > ++++ man/jk_jailuser.8 > @@ -36,7 +36,7 @@ Move the contents of the home directory inside the jai > No user interaction. > .TP > .BR \-s\ \-\-shell= shell > --The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh > -+The shell to use inside the jail. Defaults to ${PREFIX}/sbin/jk_lsh > +-The shell to use inside the jail. Defaults to ${PREFIX}/sbin/jk_lsh > ++The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh > > .SH "SEE ALSO" > .BR jailkit(8) > Index: patches/patch-man_jk_lsh_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_lsh_8,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_jk_lsh_8 > --- patches/patch-man_jk_lsh_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > +++ patches/patch-man_jk_lsh_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $ > ---- man/jk_lsh.8.orig Sun Feb 7 17:13:06 2010 > -+++ man/jk_lsh.8 Tue Sep 14 19:08:21 2010 > +Index: man/jk_lsh.8 > +--- man/jk_lsh.8.orig > ++++ man/jk_lsh.8 > @@ -12,7 +12,7 @@ jk_lsh \- a shell that limits the binaries it will exe > The jailkit limited shell jk_lsh is not an interactive shell. jk_lsh will > only execute commands that are passed during startup (e.g. /bin/sh -c > command) and will deny to start all but explicitly allowed commands. All > other commands, or regular shell access are denied. This can be used to > restrict an account to a specific use. For example, jk_lsh can be used to > make rsync-, cvs-, sftp- or scp-only accounts, or even an account that can > start firefox or opera but nothing else. > > The allowed actions are read from > --.I /etc/jailkit/jk_lsh.ini > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini > ++.I /etc/jailkit/jk_lsh.ini > If you run jk_lsh inside a changed root jail, make sure jk_lsh.ini is > present inside that chroot jail. > > .SH LIMITATIONS > @@ -14,25 +15,25 @@ $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2 > .nf > .sp > [DEFAULT] > --executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync > --paths = /usr/bin/, /usr/lib > -+executables = /usr/bin/scp, /usr/libexec/sftp-server, ${LOCALBASE}/bin/rsync > -+paths = /usr/bin/, /usr/libexec, ${LOCALBASE}/bin > +-executables = /usr/bin/scp, /usr/libexec/sftp-server, ${LOCALBASE}/bin/rsync > +-paths = /usr/bin/, /usr/libexec, ${LOCALBASE}/bin > ++executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync > ++paths = /usr/bin/, /usr/lib > allow_word_expansion = 1 > > [test] > --executables = /usr/bin/scp, /usr/lib/sftp-server > --paths = /usr/bin/, /usr/lib > -+executables = /usr/bin/scp, /usr/libexec/sftp-server > -+paths = /usr/bin/, /usr/libexec > +-executables = /usr/bin/scp, /usr/libexec/sftp-server > +-paths = /usr/bin/, /usr/libexec > ++executables = /usr/bin/scp, /usr/lib/sftp-server > ++paths = /usr/bin/, /usr/lib > allow_word_expansion = 0 > umask = 002 > > [group test] > --executables = /usr/bin/rsync > --paths = /usr/bin/ > -+executables = ${LOCALBASE}/bin/rsync > -+paths = ${LOCALBASE}/bin/ > +-executables = ${LOCALBASE}/bin/rsync > +-paths = ${LOCALBASE}/bin/ > ++executables = /usr/bin/rsync > ++paths = /usr/bin/ > allow_word_expansion = 1 > environment=TERM=linux,FOO=bar > .fi > @@ -40,11 +41,11 @@ $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2 > .BR jk_chrootsh(8) > > .SH FILES > --.I /etc/jailkit/jk_lsh.ini > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini > ++.I /etc/jailkit/jk_lsh.ini > .I /etc/passwd > --.I JAIL/etc/jailkit/jk_lsh.ini > -+.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini > +-.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini > ++.I JAIL/etc/jailkit/jk_lsh.ini > .I JAIL/etc/passwd > > .SH DIAGNOSTICS > Index: patches/patch-man_jk_socketd_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_socketd_8,v > retrieving revision 1.2 > diff -u -p -r1.2 patch-man_jk_socketd_8 > --- patches/patch-man_jk_socketd_8 26 Mar 2014 17:38:27 -0000 1.2 > +++ patches/patch-man_jk_socketd_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jk_socketd_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $ > ---- man/jk_socketd.8.orig Fri Jan 3 18:51:20 2014 > -+++ man/jk_socketd.8 Wed Dec 25 15:54:12 2013 > +Index: man/jk_socketd.8 > +--- man/jk_socketd.8.orig > ++++ man/jk_socketd.8 > @@ -18,7 +18,7 @@ jk_socketd \- a daemon to create a rate-limited /dev/l > .SH DESCRIPTION > > The jailkit socket daemon creates a rate-limited /dev/log socket inside a > jail according to > --.I /etc/jailkit/jk_socketd.ini > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > ++.I /etc/jailkit/jk_socketd.ini > and writes all data eventually to syslog using the real > .I /dev/log > Programs like jk_lsh and also many daemons need a /dev/log socket to do > logging to syslog. > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_socketd_8,v 1.2 2 > > .SH FILES > > --.I /etc/jailkit/jk_socketd.ini > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > ++.I /etc/jailkit/jk_socketd.ini > > .SH DIAGNOSTICS > > Index: patches/patch-man_jk_uchroot_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_uchroot_8,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_jk_uchroot_8 > --- patches/patch-man_jk_uchroot_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > +++ patches/patch-man_jk_uchroot_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jk_uchroot_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $ > ---- man/jk_uchroot.8.orig Tue Oct 28 12:24:53 2008 > -+++ man/jk_uchroot.8 Tue Oct 28 12:25:07 2008 > +Index: man/jk_uchroot.8 > +--- man/jk_uchroot.8.orig > ++++ man/jk_uchroot.8 > @@ -31,7 +31,7 @@ In the above example jk_uchroot is configured not to c > > .SH FILES > > --.I /etc/jailkit/jk_uchroot.ini > -+.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini > +-.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini > ++.I /etc/jailkit/jk_uchroot.ini > > .SH DIAGNOSTICS > > Index: patches/patch-man_jk_update_8 > =================================================================== > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_update_8,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 patch-man_jk_update_8 > --- patches/patch-man_jk_update_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > +++ patches/patch-man_jk_update_8 15 Jan 2020 16:33:38 -0000 > @@ -1,12 +1,13 @@ > $OpenBSD: patch-man_jk_update_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $ > ---- man/jk_update.8.orig Sun Feb 7 17:13:06 2010 > -+++ man/jk_update.8 Tue Sep 14 19:08:21 2010 > +Index: man/jk_update.8 > +--- man/jk_update.8.orig > ++++ man/jk_update.8 > @@ -44,7 +44,7 @@ hardlinks = 1 > directories = /usr, /bin, /lib > > [/home/otherjail] > --skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox > -+skips = ${LOCALBASE}/mozilla-firefox, ${LOCALBASE}/bin/firefox > +-skips = ${LOCALBASE}/mozilla-firefox, ${LOCALBASE}/bin/firefox > ++skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox > .fi > > where the options have the following meaning: > Index: patches/patch-py_jk_lib_py > =================================================================== > RCS file: patches/patch-py_jk_lib_py > diff -N patches/patch-py_jk_lib_py > --- patches/patch-py_jk_lib_py 24 Apr 2013 12:47:39 -0000 1.3 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,18 +0,0 @@ > -$OpenBSD: patch-py_jk_lib_py,v 1.3 2013/04/24 12:47:39 gonzalo Exp $ > - > -Fix running jk_init trying to create a jail the first time > - > ---- py/jk_lib.py.orig Thu Aug 2 14:55:28 2012 > -+++ py/jk_lib.py Tue Apr 23 06:35:23 2013 > -@@ -461,7 +461,10 @@ def create_parent_path(chroot,path,be_verbose=0, copy_ > - if (stat.S_ISDIR(sb.st_mode)): > - if (be_verbose): > - print 'Create directory '+jailpath > -- os.mkdir(jailpath, 0755) > -+ try: > -+ os.mkdir(jailpath, 0755) > -+ except OSError, (errno,strerror): > -+ sys.stderr.write('NOTE: Jail directory already > existed:\n') > - if (copy_permissions): > - try: > - copy_time_and_permissions(origpath, > jailpath, be_verbose, allow_suid, copy_ownership) > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/security/jailkit/pkg/PLIST,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 PLIST > --- pkg/PLIST 20 Sep 2010 07:15:30 -0000 1.1.1.1 > +++ pkg/PLIST 15 Jan 2020 16:33:38 -0000 > @@ -3,7 +3,6 @@ > @bin bin/jk_uchroot > @mode > @man man/man8/jailkit.8 > -@man man/man8/jk_addjailuser.8 > @man man/man8/jk_check.8 > @man man/man8/jk_chrootlaunch.8 > @man man/man8/jk_chrootsh.8 > @@ -16,7 +15,6 @@ > @man man/man8/jk_socketd.8 > @man man/man8/jk_uchroot.8 > @man man/man8/jk_update.8 > -sbin/jk_addjailuser > sbin/jk_check > @bin sbin/jk_chrootlaunch > @mode 4755 > @@ -32,22 +30,23 @@ sbin/jk_list > @mode > @bin sbin/jk_socketd > sbin/jk_update > -@sample /etc/jailkit/ > +@sample ${SYSCONFDIR}/jailkit/ > share/examples/jailkit/ > share/examples/jailkit/jk_check.ini > -@sample /etc/jailkit/jk_check.ini > +@sample ${SYSCONFDIR}/jailkit/jk_check.ini > share/examples/jailkit/jk_chrootsh.ini > -@sample /etc/jailkit/jk_chrootsh.ini > +@sample ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > share/examples/jailkit/jk_init.ini > -@sample /etc/jailkit/jk_init.ini > +@sample ${SYSCONFDIR}/jailkit/jk_init.ini > share/examples/jailkit/jk_lsh.ini > -@sample /etc/jailkit/jk_lsh.ini > +@sample ${SYSCONFDIR}/jailkit/jk_lsh.ini > share/examples/jailkit/jk_socketd.ini > -@sample /etc/jailkit/jk_socketd.ini > +@sample ${SYSCONFDIR}/jailkit/jk_socketd.ini > share/examples/jailkit/jk_uchroot.ini > -@sample /etc/jailkit/jk_uchroot.ini > +@sample ${SYSCONFDIR}/jailkit/jk_uchroot.ini > share/examples/jailkit/jk_update.ini > -@sample /etc/jailkit/jk_update.ini > +@sample ${SYSCONFDIR}/jailkit/jk_update.ini > share/jailkit/ > +${MODPY_COMMENT}share/jailkit/${MODPY_PYCACHE}/ > +share/jailkit/${MODPY_PYCACHE}jk_lib.${MODPY_PYC_MAGIC_TAG}pyc > share/jailkit/jk_lib.py > -share/jailkit/jk_lib.pyc -- - gonzalo
