On Mon, 29 Jun 2020 at 09:38:07 +0200, Gonzalo L. Rodriguez wrote: > Anyone? > > On Wed, 15 Jan 2020 at 17:35:47 +0100, Gonzalo L. Rodriguez wrote: > > Hallo, > > > > Update for Jailkit to 2.21: > > > > https://olivier.sessink.nl/jailkit/ > > > > OK? Comments? > > > > Cheers.- > > > > -- > > > > - gonzalo > > > Index: Makefile > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/Makefile,v > > retrieving revision 1.15 > > diff -u -p -r1.15 Makefile > > --- Makefile 12 Jul 2019 20:49:03 -0000 1.15 > > +++ Makefile 15 Jan 2020 16:33:38 -0000 > > @@ -2,7 +2,7 @@ > > > > COMMENT= utilities for jailing a user or process > > > > -DISTNAME= jailkit-2.19 > > +DISTNAME= jailkit-2.21 > > CATEGORIES= security sysutils > > > > HOMEPAGE= http://olivier.sessink.nl/jailkit/ > > @@ -13,6 +13,8 @@ MASTER_SITES= http://olivier.sessink.nl > > PERMIT_PACKAGE= Yes > > > > MODULES= lang/python > > +MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3} > > + > > WANTLIB += c pthread > > > > NO_TEST= Yes > > Index: distinfo > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/distinfo,v > > retrieving revision 1.8 > > diff -u -p -r1.8 distinfo > > --- distinfo 20 Dec 2015 15:43:46 -0000 1.8 > > +++ distinfo 15 Jan 2020 16:33:38 -0000 > > @@ -1,2 +1,2 @@ > > -SHA256 (jailkit-2.19.tar.gz) = /ZYS3Vf0o5q/zeZHxCBhbFyjf1mCuMB6j7XLNSSU/Ig= > > -SIZE (jailkit-2.19.tar.gz) = 142280 > > +SHA256 (jailkit-2.21.tar.gz) = egIOB635OGDFOPDZgZauoz1GG6vbqLs+3fcIHleinBQ= > > +SIZE (jailkit-2.21.tar.gz) = 141341 > > Index: patches/patch-Makefile_in > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-Makefile_in,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-Makefile_in > > --- patches/patch-Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1 > > +++ patches/patch-Makefile_in 15 Jan 2020 16:33:38 -0000 
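Review bot: `MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3}` moves the port to Python 3, and further down the py2-only patches/patch-py_jk_lib_py (the os.mkdir/OSError guard in create_parent_path) is deleted without a replacement; nothing in the diff shows whether 2.21 carries that fix upstream, so please confirm jk_init still tolerates a pre-existing jail directory, otherwise the first-run failure that patch was added for comes back. Minor style point: the rest of this Makefile writes `VAR=<tab>value` (`MODULES=`, `PERMIT_PACKAGE=`), so the new line would read more consistently as `MODPY_VERSION=	${MODPY_DEFAULT_VERSION_3}`.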
> > @@ -2,24 +2,25 @@ $OpenBSD: patch-Makefile_in,v 1.1.1.1 20 > > > > We do not want the packge to manipulate our /etc/shells, use @shell in > > PLIST > > > > ---- Makefile.in.orig Sat Sep 11 15:45:26 2010 > > -+++ Makefile.in Mon Sep 13 08:01:37 2010 > > +Index: Makefile.in > > +--- Makefile.in.orig > > ++++ Makefile.in > > @@ -69,12 +69,12 @@ install: > > @cd man/ && $(MAKE) install > > # test if the jk_chrootsh is already in /etc/shells > > # this previously had @echo but that fails on FreeBSD > > -- if test -w /etc/shells; then \ > > -- if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ > > -- echo "appending ${prefix}/sbin/jk_chroots to > > /etc/shells";\ > > -- echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ > > -- fi \ > > -- fi > > -+ #if test -w /etc/shells; then \ > > -+ # if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ > > -+ # echo "appending ${prefix}/sbin/jk_chroots to > > /etc/shells";\ > > -+ # echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ > > -+ # fi \ > > -+ #fi > > +- #if test -w /etc/shells; then \ > > +- # if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ > > +- # echo "appending ${prefix}/sbin/jk_chroots to > > /etc/shells";\ > > +- # echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ > > +- # fi \ > > +- #fi > > ++ if test -w /etc/shells; then \ > > ++ if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ > > ++ echo "appending ${prefix}/sbin/jk_chroots to > > /etc/shells";\ > > ++ echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ > > ++ fi \ > > ++ fi > > > > > > uninstall: > > Index: patches/patch-ini_jk_init_ini > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-ini_jk_init_ini,v > > retrieving revision 1.3 > > diff -u -p -r1.3 patch-ini_jk_init_ini > > --- patches/patch-ini_jk_init_ini 26 Mar 2014 17:38:27 -0000 1.3 > > +++ patches/patch-ini_jk_init_ini 15 Jan 2020 16:33:38 -0000 
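Review bot: The new patches/patch-Makefile_in is reversed: its `-` lines are the commented-out block and its `+` lines restore `if test -w /etc/shells; then ... echo ${prefix}/sbin/jk_chrootsh >> /etc/shells`, so after this update `make install` appends to the build host's /etc/shells whenever that file is writable, which is exactly what the header kept a few lines above ("We do not want the packge to manipulate our /etc/shells, use @shell in PLIST") says the patch exists to prevent. The same inversion shows up in patches/patch-man_Makefile_in (which now re-adds `MANS = $(SRCS:.8=.8.gz)`) and in every patches/patch-man_*_8 hunk below, where the `+` side replaces `${SYSCONFDIR}`, `${PREFIX}` and `${LOCALBASE}` with the upstream /etc and /usr paths. It looks as if the patches were regenerated with the patched and .orig trees swapped; regenerating them so the `+` side carries the OpenBSD paths and the commented-out /etc/shells block fixes all of them at once.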
> > @@ -2,13 +2,14 @@ $OpenBSD: patch-ini_jk_init_ini,v 1.3 20 > > > > fix some default paths in the jail creation configuration file > > > > ---- ini/jk_init.ini.orig Mon Dec 23 06:02:42 2013 > > -+++ ini/jk_init.ini Wed Dec 25 16:04:26 2013 > > +Index: ini/jk_init.ini > > +--- ini/jk_init.ini.orig > > ++++ ini/jk_init.ini > > @@ -2,18 +2,18 @@ > > # this section probably needs adjustment on 64bit systems > > # or non-Linux systems > > comment = common files for all jails that need user/group information > > --paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, > > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, > > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, > > /lib/x86_64-linux-gnu/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf > > +-paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, > > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, > > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, > > /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, > > /lib/arm-linux-gnueabihf/libnsl*.so.1, /etc/nsswitch.conf, /etc/ld.so.conf > > +paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, > > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, > > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, > > /lib/x86_64-linux-gnu/libnss*.so.2, ${SYSCONFDIR}/nsswitch.conf, > > ${SYSCONFDIR}/ld.so.conf > > # Solaris needs > > -# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, > > /etc/nsswitch.conf 
> > @@ -16,7 +17,7 @@ fix some default paths in the jail creat > > > > [netbasics] > > comment = common files for all jails that need any internet connectivity > > --paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf, > > /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services > > +-paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, > > /lib/libnss_mdns*.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, > > /etc/protocols, /etc/services > > +paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, > > ${SYSCONFDIR}/resolv.conf, ${SYSCONFDIR}/host.conf, ${SYSCONFDIR}/hosts, > > ${SYSCONFDIR}/protocols, ${SYSCONFDIR}/services > > # on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure 
> > > > @@ -27,89 +28,3 @@ fix some default paths in the jail creat > > need_logsocket = 1 > > # Solaris does not need logsocket > > # but needs > > -@@ -21,7 +21,7 @@ need_logsocket = 1 > > - > > - [jk_lsh] > > - comment = Jailkit limited shell > > --paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini > > -+paths = ${TRUEPREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini > > - users = root > > - groups = root > > - includesections = uidbasics, logbasics > > -@@ -71,14 +71,14 @@ devices = /dev/null > > - > > - [basicshell] > > - comment = bash based shell with several basic utilities > > --paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, > > egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, > > pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, > > /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, > > /usr/lib/locale/en_US.utf8 > > -+paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, > > egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, > > pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, > > ${SYSCONFDIR}/motd, ${SYSCONFDIR}/issue, ${SYSCONFDIR}/bash.bashrc, > > ${SYSCONFDIR}/bashrc, ${SYSCONFDIR}/profile, /usr/lib/locale/en_US.utf8 > > - users = root > > - groups = root > > - includesections = uidbasics > > - > > - [midnightcommander] > > - comment = Midnight Commander > > --paths = mc, mcedit, mcview, /usr/share/mc > > -+paths = mc, mcedit, mcview, ${LOCALBASE}/share/mc > > - includesections = basicshell, terminfo > > - > > - [extendedshell] > > -@@ -88,12 +88,12 @@ includesections = basicshell, midnightcommander, edito > > - > > - [terminfo] > > - comment = terminfo databases, required for example for ncurses or vim > > --paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo > > -+paths = ${SYSCONFDIR}/terminfo, /usr/share/terminfo, /lib/terminfo > > - > > - [editors] > > - comment = vim, joe and nano 
> > - includesections = terminfo > > --paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim > > -+paths = joe, nano, vi, vim, ${SYSCONFDIR}/vimrc, ${SYSCONFDIR}/joe, > > /usr/share/vim > > - > > - [netutils] > > - comment = several internet utilities like wget, ftp, rsync, scp, ssh > > -@@ -110,7 +110,7 @@ includesections = extendedshell, netutils, apacheutils > > - > > - [openvpn] > > - comment = jail for the openvpn daemon > > --paths = /usr/sbin/openvpn > > -+paths = ${LOCALBASE}/sbin/openvpn > > - users = root,nobody > > - groups = root,nogroup > > - includesections = netbasics > > -@@ -120,7 +120,7 @@ need_logsocket = 1 > > - > > - [apache] > > - comment = the apache webserver, very basic setup, probably too limited > > for you > > --paths = /usr/sbin/apache > > -+paths = ${TRUEPREFIX}/apache > > - users = root, www-data > > - groups = root, www-data > > - includesections = netbasics, uidbasics > > -@@ -131,16 +131,16 @@ paths = perl, /usr/lib/perl, /usr/lib/perl5, > > /usr/shar > > - > > - [xauth] > > - comment = getting X authentication to work > > --paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf > > -+paths = ${X11BASE}/bin/xauth, ${X11BASE}/lib/X11/rgb.txt > > - > > - [xclients] > > - comment = minimal files for X clients > > --paths = /usr/X11R6/lib/X11/rgb.txt > > -+paths = ${X11BASE}/lib/X11/rgb.txt > > - includesections = xauth > > - > > - [vncserver] > > - comment = the VNC server program > > --paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/ > > -+paths = Xvnc, Xrealvnc, ${X11BASE}/lib/X11/fonts/ > > - includesections = xclients > > - > > - [ping] > > -@@ -149,5 +149,5 @@ paths_w_setuid = /bin/ping > > - > > - #[xterm] > > - #comment = xterm > > --#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo > > -+#paths = ${X11BASE}/bin/xterm, /usr/share/terminfo, ${SYSCONFDIR}/terminfo > > - #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, > > /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, 
/dev/tty4 > > Index: patches/patch-man_Makefile_in > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_Makefile_in,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_Makefile_in > > --- patches/patch-man_Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1 > > +++ patches/patch-man_Makefile_in 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_Makefile_in,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp > > $ > > ---- man/Makefile.in.orig Mon Oct 20 00:03:54 2008 > > -+++ man/Makefile.in Mon Oct 20 00:05:31 2008 > > -@@ -21,7 +21,7 @@ SRCS = \ > > +Index: man/Makefile.in > > +--- man/Makefile.in.orig > > ++++ man/Makefile.in > > +@@ -20,7 +20,7 @@ SRCS = \ > > > > @HAVEPROCMAIL_TRUE@SRCS += jk_procmailwrapper.8 > > > > --MANS = $(SRCS:.8=.8.gz) > > -+MANS = $(SRCS) > > +-MANS = $(SRCS) > > ++MANS = $(SRCS:.8=.8.gz) > > > > #%.8.gz : %.8 > > # gzip -9 > $@ < $< > > Index: patches/patch-man_jailkit_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jailkit_8,v > > retrieving revision 1.2 > > diff -u -p -r1.2 patch-man_jailkit_8 > > --- patches/patch-man_jailkit_8 26 Mar 2014 17:38:27 -0000 1.2 > > +++ patches/patch-man_jailkit_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jailkit_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $ > > ---- man/jailkit.8.orig Sat Dec 21 18:05:22 2013 > > -+++ man/jailkit.8 Wed Dec 25 16:01:05 2013 > > +Index: man/jailkit.8 > > +--- man/jailkit.8.orig > > ++++ man/jailkit.8 
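Review bot: The `@@ -27,89 +28,3 @@` hunk of patches/patch-ini_jk_init_ini drops the whole tail of the patch, so jk_init.ini no longer receives `${TRUEPREFIX}/sbin/jk_lsh`, `${SYSCONFDIR}/jailkit/jk_lsh.ini`, `${LOCALBASE}/sbin/openvpn`, `${X11BASE}/bin/xauth` or the other substitutions for the [jk_lsh], [basicshell], [midnightcommander], [terminfo], [editors], [openvpn], [apache], [xauth], [xclients], [vncserver] and xterm sections. Unless 2.21 removed those sections upstream (the diff does not show the new ini file), the shipped profiles point at Linux locations such as /usr/sbin/jk_lsh and /etc/jailkit/jk_lsh.ini that do not exist on OpenBSD, so jails created from them would be missing the limited shell and its configuration. Either keep the removed lines in the regenerated patch or say in the commit message why they are gone.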
> > @@ -36,7 +36,7 @@ This section gives summary sketches of the various pro > > > > .BR jk_init > > can be used to quickly create a jail with several files or directories > > needed for a specific task or profile. Creating the same jail over and over > > again is easily automated with jk_init. There are many tasks in > > --.I /etc/jailkit/jk_init.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini > > ++.I /etc/jailkit/jk_init.ini > > predefined that work on Debian or Ubuntu systems. For other platforms you > > might need to update the predefined configuration. For example, you can use > > jk_init to quickly set up a limited shell, a jail to run apache, or a jail > > for just sftp and scp. It will copy the binaries, the required libraries > > (and related symlinks) as well as other files such as /etc/passwd. These > > are all copied into the jail directory so that a jailed process can run > > them. > > > > .BR jk_cp 
> > @@ -14,18 +15,18 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014 > > > > .BR jk_lsh > > is a limited shell that allows only those commands to be executed as > > specified in its configuration file. > > --.I /etc/jailkit/jk_lsh.ini. > > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini. > > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini. > > ++.I /etc/jailkit/jk_lsh.ini. > > It is typically started in one of two ways, by specifying it as the > > user's shell or by using the jk_chrootsh program. The first way is > > implemented by specifying jk_lsh as the shell in the user's entry in the > > 'real' > > .I /etc/passwd > > file. In this case, it executes in the normal file system and reads its > > configuration from > > --.I /etc/jailkit/jk_lsh.ini. > > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini. > > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini. > > ++.I /etc/jailkit/jk_lsh.ini. > > In the second way, jk_lsh is started from within jk_chrootsh by > > specifying it as the shell in the passwd file located inside the JAIL > > directory: > > .I JAIL/etc/passwd, > > in which case it reads its configuration from within the JAIL: > > --.I JAIL/etc/jailkit/jk_lsh.ini. > > -+.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini. > > +-.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini. > > ++.I JAIL/etc/jailkit/jk_lsh.ini. > > The latter is the recommended approach for highest security. > > Use this program if you want to deny regular shell access (e.g. logins) > > but you want to allow execution of only one or a few commands such sftp, > > scp, rsync, or cvs. 
> > > > @@ -33,14 +34,14 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014 > > is a utility to give regular users access to the > > .BR chroot(2) > > (change root) system call in a safe way. Which users are allowed in which > > jails is controlled from > > --.I /etc/jailkit/jk_uchroot.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini > > ++.I /etc/jailkit/jk_uchroot.ini > > Use this utility for users that can run processes both inside a jail and > > outside a jail. > > > > .BR jk_socketd > > is a daemon that allows logging safely to syslog from within a jail. It > > limits the logging rate based on parameters set in its configuration file: > > --.I /etc/jailkit/jk_socketd.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > > ++.I /etc/jailkit/jk_socketd.ini > > > > .BR jk_chrootlaunch > > is a utility to start a daemon that cannot do a 
> > @@ -48,20 +49,20 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014 > > > > .BR jk_check > > is a jail integrity checker. It checks a jail for some of the potential > > security problems. (Obviously it does not check all possible weaknesses.) > > It reports any setuid and setgid programs, checks for any modified > > programs, checks for world writable directories, and more. It is configured > > by > > --.I /etc/jailkit/jk_check.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini > > ++.I /etc/jailkit/jk_check.ini > > . > > > > .BR jk_list > > -@@ -127,9 +127,9 @@ tail /var/log/daemon.log /var/log/auth.log > > +@@ -129,9 +129,9 @@ journalctl --since=-1h > > .SH FILES > > > > The jailkit configuration files are located in > > --.I /etc/jailkit/ > > -+.I ${SYSCONFDIR}/jailkit/ > > +-.I ${SYSCONFDIR}/jailkit/ > > ++.I /etc/jailkit/ > > Note that in some cases the configuration files must be replicated into > > the JAIL/etc/jailkit directory and edited appropriately. A jk program that > > is run within the jail directory is able to read its configuration from > > only the jailed > > --.I etc/jailkit > > -+.I ${SYSCONFDIR}/jailkit > > +-.I ${SYSCONFDIR}/jailkit > > ++.I etc/jailkit > > directory. > > > > .SH "SEE ALSO" > > Index: patches/patch-man_jk_check_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_check_8,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_jk_check_8 > > --- patches/patch-man_jk_check_8 20 Sep 2010 07:15:30 -0000 1.1.1.1 > > +++ patches/patch-man_jk_check_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jk_check_8,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $ > > ---- man/jk_check.8.orig Tue Oct 28 12:13:02 2008 > > -+++ man/jk_check.8 Tue Oct 28 12:13:32 2008 > > +Index: man/jk_check.8 > > +--- man/jk_check.8.orig > > ++++ man/jk_check.8 
> > @@ -22,7 +22,7 @@ jk_check will run several tests on all files and direc > > -test for matching user information in the jail and on the real system > > > > It will test directories based on the config file > > --.I /etc/jailkit/jk_check.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini > > ++.I /etc/jailkit/jk_check.ini > > but also based on jail patterns (dir/./dir) found in the home directories > > in > > .I /etc/passwd > > > > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_check_8,v 1.1.1.1 > > The help screen > > > > .SH FILES > > --.I /etc/jailkit/jk_check.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini > > ++.I /etc/jailkit/jk_check.ini > > > > .SH "SEE ALSO" > > .BR jailkit(8) > > Index: patches/patch-man_jk_chrootlaunch_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_chrootlaunch_8,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_jk_chrootlaunch_8 > > --- patches/patch-man_jk_chrootlaunch_8 20 Sep 2010 07:15:30 -0000 > > 1.1.1.1 > > +++ patches/patch-man_jk_chrootlaunch_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jk_chrootlaunch_8,v 1.1.1.1 2010/09/20 07:15:30 > > sebastia Exp $ > > ---- man/jk_chrootlaunch.8.orig Tue Oct 28 12:13:39 2008 > > -+++ man/jk_chrootlaunch.8 Tue Oct 28 12:35:22 2008 > > +Index: man/jk_chrootlaunch.8 > > +--- man/jk_chrootlaunch.8.orig > > ++++ man/jk_chrootlaunch.8 
> > @@ -59,7 +59,7 @@ Suppose you want to start Apache inside a jail. Apache > > > > First we create the jail using > > .BR jk_init(8). > > --The apachectl program is a shell script, it also needs /bin/sh and > > /usr/bin/kill. We also have to copy these into the jail using > > -+The apachectl program is a shell script, it also needs /bin/sh and > > /bin/kill. We also have to copy these into the jail using > > +-The apachectl program is a shell script, it also needs /bin/sh and > > /bin/kill. We also have to copy these into the jail using > > ++The apachectl program is a shell script, it also needs /bin/sh and > > /usr/bin/kill. We also have to copy these into the jail using > > .BR jk_cp(8). > > Apache also needs its modules from /usr/lib/apache, copy those as well. > > Then we can start Apache: > > > > Index: patches/patch-man_jk_chrootsh_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_chrootsh_8,v > > retrieving revision 1.2 > > diff -u -p -r1.2 patch-man_jk_chrootsh_8 > > --- patches/patch-man_jk_chrootsh_8 16 Nov 2015 13:43:40 -0000 1.2 > > +++ patches/patch-man_jk_chrootsh_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,19 +1,20 @@ > > $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 2015/11/16 13:43:40 ajacoutot Exp $ > > ---- man/jk_chrootsh.8.orig Wed Nov 4 22:14:40 2015 > > -+++ man/jk_chrootsh.8 Mon Nov 16 14:41:41 2015 > > +Index: man/jk_chrootsh.8 > > +--- man/jk_chrootsh.8.orig > > ++++ man/jk_chrootsh.8 
> > @@ -11,13 +11,13 @@ jk_chrootsh \- a shell that will put the user inside a > > > > jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or > > your ldap store). That user will be put into a changed root. The directory > > where to put the user in is read from the users home directory, the last > > occurring /./ sequence is used to mark the location of the changed root. An > > example line in /etc/passwd would look like > > > > --test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh > > -+test:x:10000:10000::/home/testchroot/./home/test:${PREFIX}/sbin/jk_chrootsh > > +-test:x:10000:10000::/home/testchroot/./home/test:${PREFIX}/sbin/jk_chrootsh > > ++test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh > > > > In this example the user will be chroot-ed into /home/testchroot > > > > Inside the chroot-ed directory, it will look for /etc/passwd and it will > > execute the shell for the user from that file. For the above example the > > /etc/passwd file inside the jail should have an entry like > > > > --test:x:10000:10000::/home/test:/usr/sbin/jk_lsh > > -+test:x:10000:10000::/home/test:${PREFIX}/sbin/jk_lsh > > +-test:x:10000:10000::/home/test:${PREFIX}/sbin/jk_lsh > > ++test:x:10000:10000::/home/test:/usr/sbin/jk_lsh > > > > Notice that the home directory and the shell are local inside the chroot 
> > > > @@ -21,8 +22,8 @@ $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 > > system call. Therefore it is setuid root. It will drop its root > > priveleges immediately after making the chroot() system call. Since Jailkit > > 2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems that > > support capabilities, and then the setuid bit can be removed. > > > > By default jk_chrootsh does not copy any environment variables. For some > > functionality, however, environment variables need to be copied (e.g. the > > TERM variable for a functional terminal emulation, or the DISPLAY variable > > for X forwarding). In > > --.I /etc/jailkit/jk_chrootsh.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > > ++.I /etc/jailkit/jk_chrootsh.ini > > the required environment variables can be listed. An example config file > > is shown below. In the example, user bill will get the DISPLAY variable, > > and all users in group jail will get the TERM and PATH variables. > > > > By default jk_chrootsh requires a home directory owned by the user with > > the same group as the primary group from the user, and requires the home > > directory to be non-writable for group and others. You can relax these > > requirements in the configfile as shown below. > > @@ -30,8 +31,8 @@ $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 > > .SH FILES > > > > .I /etc/passwd > > --.I /etc/jailkit/jk_chrootsh.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > > ++.I /etc/jailkit/jk_chrootsh.ini > > > > .SH DIAGNOSTICS > > > > Index: patches/patch-man_jk_cp_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_cp_8,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_jk_cp_8 > > --- patches/patch-man_jk_cp_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > > +++ patches/patch-man_jk_cp_8 15 Jan 2020 16:33:38 -0000 
> > @@ -1,15 +1,16 @@ > > $OpenBSD: patch-man_jk_cp_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $ > > ---- man/jk_cp.8.orig Tue Oct 28 12:14:36 2008 > > -+++ man/jk_cp.8 Tue Oct 28 12:38:41 2008 > > +Index: man/jk_cp.8 > > +--- man/jk_cp.8.orig > > ++++ man/jk_cp.8 > > @@ -19,9 +19,9 @@ jk_cp -j /home/testchroot /usr/bin/cvs > > > > will copy /usr/bin/cvs to /home/testchroot/usr/bin/cvs, and it will copy > > the libraries used by cvs also to the jail. > > > > --jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox > > -+jk_cp -k -j /svr/testjail ${LOCALBASE}/bin/firefox > > ${LOCALBASE}/mozilla-firefox > > +-jk_cp -k -j /svr/testjail ${LOCALBASE}/bin/firefox > > ${LOCALBASE}/mozilla-firefox > > ++jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox > > > > --will hardlink /usr/bin/firefox and all files in /usr/share/firefox into > > jail /svr/testjail > > -+will hardlink ${LOCALBASE}/bin/firefox and all files in > > ${LOCALBASE}/mozilla-firefox into jail /svr/testjail > > +-will hardlink ${LOCALBASE}/bin/firefox and all files in > > ${LOCALBASE}/mozilla-firefox into jail /svr/testjail > > ++will hardlink /usr/bin/firefox and all files in /usr/share/firefox into > > jail /svr/testjail > > > > .SH OPTIONS > > > > Index: patches/patch-man_jk_init_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_init_8,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_jk_init_8 > > --- patches/patch-man_jk_init_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > > +++ patches/patch-man_jk_init_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $ > > ---- man/jk_init.8.orig Sun Feb 7 17:13:06 2010 > > -+++ man/jk_init.8 Tue Sep 14 19:12:38 2010 > > +Index: man/jk_init.8 > > +--- man/jk_init.8.orig > > ++++ man/jk_init.8 
> > @@ -14,7 +14,7 @@ jk_init \- a utility to quicky create functional jail > > It is not an easy task to setup a jail (a changed root) in a functional > > way. If you want the user to be able to run cvs for example, it will not > > work to simply copy the cvs binary into the users jail. You will find that > > cvs needs libraries as well. cvs also needs the /dev/null device. Finally > > you need something to start cvs: you need a shell too. And the shell might > > need files like /etc/passwd and /etc/nsswitch.conf. > > > > With jk_init you can automate these tasks. You can create a section in > > the configfile > > --.I /etc/jailkit/jk_init.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini > > ++.I /etc/jailkit/jk_init.ini > > that has all the files, directories and devices, and you can use jk_init > > to setup such a jail with a single command. The default configfile has > > examples for cvs, sftp, scp, rsync and more for Debian and Ubuntu Linux. > > For other operating systems the defaults might need some (minor) updates. > > > > .SH EXAMPLE > > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 > > .sp > > [jk_lsh] > > comment = Jailkit limited shell > > --paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini > > -+paths = ${PREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini > > +-paths = ${PREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini > > ++paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini > > users = root > > groups = root > > need_logsocket = 1 > > @@ -23,8 +24,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 > > > > [sftp] > > comment = ssh secure ftp with Jailkit limited shell > > --paths = /usr/lib/sftp-server > > -+paths = /usr/libexec/sftp-server > > +-paths = /usr/libexec/sftp-server > > ++paths = /usr/lib/sftp-server > > includesections = netbasics, uidbasics > > devices = /dev/urandom, /dev/null > > emptydirs = /svr 
> > @@ -32,8 +33,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 > > The help screen > > > > .SH FILES > > --.I /etc/jailkit/jk_init.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini > > ++.I /etc/jailkit/jk_init.ini > > > > .SH "SEE ALSO" > > .BR jailkit(8) > > Index: patches/patch-man_jk_jailuser_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_jailuser_8,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_jk_jailuser_8 > > --- patches/patch-man_jk_jailuser_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > > +++ patches/patch-man_jk_jailuser_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jk_jailuser_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia > > Exp $ > > ---- man/jk_jailuser.8.orig Tue Oct 28 12:16:15 2008 > > -+++ man/jk_jailuser.8 Tue Oct 28 12:40:07 2008 > > +Index: man/jk_jailuser.8 > > +--- man/jk_jailuser.8.orig > > ++++ man/jk_jailuser.8 > > @@ -36,7 +36,7 @@ Move the contents of the home directory inside the jai > > No user interaction. > > .TP > > .BR \-s\ \-\-shell= shell > > --The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh > > -+The shell to use inside the jail. Defaults to ${PREFIX}/sbin/jk_lsh > > +-The shell to use inside the jail. Defaults to ${PREFIX}/sbin/jk_lsh > > ++The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh > > > > .SH "SEE ALSO" > > .BR jailkit(8) > > Index: patches/patch-man_jk_lsh_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_lsh_8,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_jk_lsh_8 > > --- patches/patch-man_jk_lsh_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > > +++ patches/patch-man_jk_lsh_8 15 Jan 2020 16:33:38 -0000 
> > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $ > > ---- man/jk_lsh.8.orig Sun Feb 7 17:13:06 2010 > > -+++ man/jk_lsh.8 Tue Sep 14 19:08:21 2010 > > +Index: man/jk_lsh.8 > > +--- man/jk_lsh.8.orig > > ++++ man/jk_lsh.8 > > @@ -12,7 +12,7 @@ jk_lsh \- a shell that limits the binaries it will exe > > The jailkit limited shell jk_lsh is not an interactive shell. jk_lsh will > > only execute commands that are passed during startup (e.g. /bin/sh -c > > command) and will deny to start all but explicitly allowed commands. All > > other commands, or regular shell access are denied. This can be used to > > restrict an account to a specific use. For example, jk_lsh can be used to > > make rsync-, cvs-, sftp- or scp-only accounts, or even an account that can > > start firefox or opera but nothing else. > > > > The allowed actions are read from > > --.I /etc/jailkit/jk_lsh.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini > > ++.I /etc/jailkit/jk_lsh.ini > > If you run jk_lsh inside a changed root jail, make sure jk_lsh.ini is > > present inside that chroot jail. > > > > .SH LIMITATIONS 
> > @@ -14,25 +15,25 @@ $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2 > > .nf > > .sp > > [DEFAULT] > > --executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync > > --paths = /usr/bin/, /usr/lib > > -+executables = /usr/bin/scp, /usr/libexec/sftp-server, > > ${LOCALBASE}/bin/rsync > > -+paths = /usr/bin/, /usr/libexec, ${LOCALBASE}/bin > > +-executables = /usr/bin/scp, /usr/libexec/sftp-server, > > ${LOCALBASE}/bin/rsync > > +-paths = /usr/bin/, /usr/libexec, ${LOCALBASE}/bin > > ++executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync > > ++paths = /usr/bin/, /usr/lib > > allow_word_expansion = 1 > > > > [test] > > --executables = /usr/bin/scp, /usr/lib/sftp-server > > --paths = /usr/bin/, /usr/lib > > -+executables = /usr/bin/scp, /usr/libexec/sftp-server > > -+paths = /usr/bin/, /usr/libexec > > +-executables = /usr/bin/scp, /usr/libexec/sftp-server > > +-paths = /usr/bin/, /usr/libexec > > ++executables = /usr/bin/scp, /usr/lib/sftp-server > > ++paths = /usr/bin/, /usr/lib > > allow_word_expansion = 0 > > umask = 002 > > > > [group test] > > --executables = /usr/bin/rsync > > --paths = /usr/bin/ > > -+executables = ${LOCALBASE}/bin/rsync > > -+paths = ${LOCALBASE}/bin/ > > +-executables = ${LOCALBASE}/bin/rsync > > +-paths = ${LOCALBASE}/bin/ > > ++executables = /usr/bin/rsync > > ++paths = /usr/bin/ > > allow_word_expansion = 1 > > environment=TERM=linux,FOO=bar > > .fi 
> > @@ -40,11 +41,11 @@ $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2 > > .BR jk_chrootsh(8) > > > > .SH FILES > > --.I /etc/jailkit/jk_lsh.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini > > ++.I /etc/jailkit/jk_lsh.ini > > .I /etc/passwd > > --.I JAIL/etc/jailkit/jk_lsh.ini > > -+.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini > > +-.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini > > ++.I JAIL/etc/jailkit/jk_lsh.ini > > .I JAIL/etc/passwd > > > > .SH DIAGNOSTICS > > Index: patches/patch-man_jk_socketd_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_socketd_8,v > > retrieving revision 1.2 > > diff -u -p -r1.2 patch-man_jk_socketd_8 > > --- patches/patch-man_jk_socketd_8 26 Mar 2014 17:38:27 -0000 1.2 > > +++ patches/patch-man_jk_socketd_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jk_socketd_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $ > > ---- man/jk_socketd.8.orig Fri Jan 3 18:51:20 2014 > > -+++ man/jk_socketd.8 Wed Dec 25 15:54:12 2013 > > +Index: man/jk_socketd.8 > > +--- man/jk_socketd.8.orig > > ++++ man/jk_socketd.8 > > @@ -18,7 +18,7 @@ jk_socketd \- a daemon to create a rate-limited /dev/l > > .SH DESCRIPTION > > > > The jailkit socket daemon creates a rate-limited /dev/log socket inside a > > jail according to > > --.I /etc/jailkit/jk_socketd.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > > ++.I /etc/jailkit/jk_socketd.ini > > and writes all data eventually to syslog using the real > > .I /dev/log > > Programs like jk_lsh and also many daemons need a /dev/log socket to do > > logging to syslog. 
> > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_socketd_8,v 1.2 2 > > > > .SH FILES > > > > --.I /etc/jailkit/jk_socketd.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini > > ++.I /etc/jailkit/jk_socketd.ini > > > > .SH DIAGNOSTICS > > > > Index: patches/patch-man_jk_uchroot_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_uchroot_8,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_jk_uchroot_8 > > --- patches/patch-man_jk_uchroot_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > > +++ patches/patch-man_jk_uchroot_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jk_uchroot_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia > > Exp $ > > ---- man/jk_uchroot.8.orig Tue Oct 28 12:24:53 2008 > > -+++ man/jk_uchroot.8 Tue Oct 28 12:25:07 2008 > > +Index: man/jk_uchroot.8 > > +--- man/jk_uchroot.8.orig > > ++++ man/jk_uchroot.8 > > @@ -31,7 +31,7 @@ In the above example jk_uchroot is configured not to c > > > > .SH FILES > > > > --.I /etc/jailkit/jk_uchroot.ini > > -+.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini > > +-.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini > > ++.I /etc/jailkit/jk_uchroot.ini > > > > .SH DIAGNOSTICS > > > > Index: patches/patch-man_jk_update_8 > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_update_8,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 patch-man_jk_update_8 > > --- patches/patch-man_jk_update_8 20 Sep 2010 07:15:31 -0000 1.1.1.1 > > +++ patches/patch-man_jk_update_8 15 Jan 2020 16:33:38 -0000 > > @@ -1,12 +1,13 @@ > > $OpenBSD: patch-man_jk_update_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp > > $ > > ---- man/jk_update.8.orig Sun Feb 7 17:13:06 2010 > > -+++ man/jk_update.8 Tue Sep 14 19:08:21 2010 > > +Index: man/jk_update.8 > > +--- man/jk_update.8.orig > > ++++ man/jk_update.8 
> > @@ -44,7 +44,7 @@ hardlinks = 1 > > directories = /usr, /bin, /lib > > > > [/home/otherjail] > > --skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox > > -+skips = ${LOCALBASE}/mozilla-firefox, ${LOCALBASE}/bin/firefox > > +-skips = ${LOCALBASE}/mozilla-firefox, ${LOCALBASE}/bin/firefox > > ++skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox > > .fi > > > > where the options have the following meaning: > > Index: patches/patch-py_jk_lib_py > > =================================================================== > > RCS file: patches/patch-py_jk_lib_py > > diff -N patches/patch-py_jk_lib_py > > --- patches/patch-py_jk_lib_py 24 Apr 2013 12:47:39 -0000 1.3 > > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > > @@ -1,18 +0,0 @@ > > -$OpenBSD: patch-py_jk_lib_py,v 1.3 2013/04/24 12:47:39 gonzalo Exp $ > > - > > -Fix running jk_init trying to create a jail the first time > > - > > ---- py/jk_lib.py.orig Thu Aug 2 14:55:28 2012 > > -+++ py/jk_lib.py Tue Apr 23 06:35:23 2013 > > -@@ -461,7 +461,10 @@ def create_parent_path(chroot,path,be_verbose=0, copy_ > > - if (stat.S_ISDIR(sb.st_mode)): > > - if (be_verbose): > > - print 'Create directory '+jailpath > > -- os.mkdir(jailpath, 0755) > > -+ try: > > -+ os.mkdir(jailpath, 0755) > > -+ except OSError, (errno,strerror): > > -+ sys.stderr.write('NOTE: Jail directory already > > existed:\n') > > - if (copy_permissions): > > - try: > > - copy_time_and_permissions(origpath, > > jailpath, be_verbose, allow_suid, copy_ownership) > > Index: pkg/PLIST > > =================================================================== > > RCS file: /cvs/ports/security/jailkit/pkg/PLIST,v > > retrieving revision 1.1.1.1 > > diff -u -p -r1.1.1.1 PLIST > > --- pkg/PLIST 20 Sep 2010 07:15:30 -0000 1.1.1.1 > > +++ pkg/PLIST 15 Jan 2020 16:33:38 -0000 
> > @@ -3,7 +3,6 @@ > > @bin bin/jk_uchroot > > @mode > > @man man/man8/jailkit.8 > > -@man man/man8/jk_addjailuser.8 > > @man man/man8/jk_check.8 > > @man man/man8/jk_chrootlaunch.8 > > @man man/man8/jk_chrootsh.8 > > @@ -16,7 +15,6 @@ > > @man man/man8/jk_socketd.8 > > @man man/man8/jk_uchroot.8 > > @man man/man8/jk_update.8 > > -sbin/jk_addjailuser > > sbin/jk_check > > @bin sbin/jk_chrootlaunch > > @mode 4755 > > @@ -32,22 +30,23 @@ sbin/jk_list > > @mode > > @bin sbin/jk_socketd > > sbin/jk_update > > -@sample /etc/jailkit/ > > +@sample ${SYSCONFDIR}/jailkit/ > > share/examples/jailkit/ > > share/examples/jailkit/jk_check.ini > > -@sample /etc/jailkit/jk_check.ini > > +@sample ${SYSCONFDIR}/jailkit/jk_check.ini > > share/examples/jailkit/jk_chrootsh.ini > > -@sample /etc/jailkit/jk_chrootsh.ini > > +@sample ${SYSCONFDIR}/jailkit/jk_chrootsh.ini > > share/examples/jailkit/jk_init.ini > > -@sample /etc/jailkit/jk_init.ini > > +@sample ${SYSCONFDIR}/jailkit/jk_init.ini > > share/examples/jailkit/jk_lsh.ini > > -@sample /etc/jailkit/jk_lsh.ini > > +@sample ${SYSCONFDIR}/jailkit/jk_lsh.ini > > share/examples/jailkit/jk_socketd.ini > > -@sample /etc/jailkit/jk_socketd.ini > > +@sample ${SYSCONFDIR}/jailkit/jk_socketd.ini > > share/examples/jailkit/jk_uchroot.ini > > -@sample /etc/jailkit/jk_uchroot.ini > > +@sample ${SYSCONFDIR}/jailkit/jk_uchroot.ini > > share/examples/jailkit/jk_update.ini > > -@sample /etc/jailkit/jk_update.ini > > +@sample ${SYSCONFDIR}/jailkit/jk_update.ini > > share/jailkit/ > > +${MODPY_COMMENT}share/jailkit/${MODPY_PYCACHE}/ > > +share/jailkit/${MODPY_PYCACHE}jk_lib.${MODPY_PYC_MAGIC_TAG}pyc > > share/jailkit/jk_lib.py > > -share/jailkit/jk_lib.pyc > > > -- > > - gonzalo >
So, updated diff merged with the one Aisha sent some time ago. Tests are welcome. Cheers.- -- - gonzalo
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/jailkit/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- Makefile 12 Jul 2019 20:49:03 -0000 1.15
+++ Makefile 29 Jun 2020 12:15:35 -0000
@@ -2,18 +2,21 @@
 
 COMMENT= utilities for jailing a user or process
 
-DISTNAME= jailkit-2.19
+DISTNAME= jailkit-2.21
 CATEGORIES= security sysutils
 
-HOMEPAGE= http://olivier.sessink.nl/jailkit/
+HOMEPAGE= https://olivier.sessink.nl/jailkit/
 
-MASTER_SITES= http://olivier.sessink.nl/jailkit/
+MASTER_SITES= https://olivier.sessink.nl/jailkit/
 
 # BSD - LGPLv2
-PERMIT_PACKAGE= Yes
+PERMIT_PACKAGE= Yes
 
 MODULES= lang/python
-WANTLIB += c pthread
+
+MODPY_VERSION= ${MODPY_DEFAULT_VERSION_3}
+
+WANTLIB+= c pthread
 
 NO_TEST= Yes
 
@@ -34,9 +37,8 @@ pre-configure:
 ${SUBST_CMD} ${WRKSRC}/man/$${i}; done
 
 post-install:
- # recreate the .pyc file, otherwise it would change
- # after installation
- rm ${PREFIX}/share/jailkit/jk_lib.pyc
+ # compile the jailkit python files so that they
+ # are removed correctly when uninstalling
 ${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py \
 ${PREFIX}/share/jailkit
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/jailkit/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- distinfo 20 Dec 2015 15:43:46 -0000 1.8
+++ distinfo 29 Jun 2020 12:15:35 -0000
@@ -1,2 +1,2 @@
-SHA256 (jailkit-2.19.tar.gz) = /ZYS3Vf0o5q/zeZHxCBhbFyjf1mCuMB6j7XLNSSU/Ig=
-SIZE (jailkit-2.19.tar.gz) = 142280
+SHA256 (jailkit-2.21.tar.gz) = egIOB635OGDFOPDZgZauoz1GG6vbqLs+3fcIHleinBQ=
+SIZE (jailkit-2.21.tar.gz) = 141341
Index: patches/patch-Makefile_in
===================================================================
RCS file: patches/patch-Makefile_in
diff -N patches/patch-Makefile_in
--- patches/patch-Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
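Review bot: Nothing in the Makefile replaces the deleted patches/patch-Makefile_in, so the upstream install target's append of `${prefix}/sbin/jk_chrootsh` to /etc/shells (the snippet that patch commented out, as its deleted text shows) runs again whenever /etc/shells is writable during the fake install; the patch header explains the port wants the `@shell` PLIST marker to handle that instead. Unless jailkit 2.21 dropped that snippet from Makefile.in, a root build with a writable /etc/shells would modify the build host. Either refresh the patch for 2.21 or strip the snippet in a post-patch target, and confirm PLIST still carries the `@shell` line; the rest of the Makefile and the PLIST are outside this hunk, so that part is inferred. The post-install change itself (compileall without the prior `rm` of jk_lib.pyc) is fine as long as the PLIST matches what compileall writes.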
@@ -1,25 +0,0 @@
-$OpenBSD: patch-Makefile_in,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $
-
-We do not want the packge to manipulate our /etc/shells, use @shell in PLIST
-
---- Makefile.in.orig Sat Sep 11 15:45:26 2010
-+++ Makefile.in Mon Sep 13 08:01:37 2010
-@@ -69,12 +69,12 @@ install:
- @cd man/ && $(MAKE) install
- # test if the jk_chrootsh is already in /etc/shells
- # this previously had @echo but that fails on FreeBSD
-- if test -w /etc/shells; then \
-- if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
-- echo "appending ${prefix}/sbin/jk_chroots to /etc/shells";\
-- echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
-- fi \
-- fi
-+ #if test -w /etc/shells; then \
-+ # if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
-+ # echo "appending ${prefix}/sbin/jk_chroots to /etc/shells";\
-+ # echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
-+ # fi \
-+ #fi
-
-
- uninstall:
Index: patches/patch-ini_jk_init_ini
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-ini_jk_init_ini,v
retrieving revision 1.3
diff -u -p -r1.3 patch-ini_jk_init_ini
--- patches/patch-ini_jk_init_ini 26 Mar 2014 17:38:27 -0000 1.3
+++ patches/patch-ini_jk_init_ini 29 Jun 2020 12:15:35 -0000
@@ -1,32 +1,10 @@
-$OpenBSD: patch-ini_jk_init_ini,v 1.3 2014/03/26 17:38:27 gonzalo Exp $
+$OpenBSD: patch-ini_jk_init_ini,v 1.4 2020/04/08 18:43:53 aisha Exp $
 
-fix some default paths in the jail creation configuration file
+fix installation directories and default paths in the jail creation configuration file
 
---- ini/jk_init.ini.orig Mon Dec 23 06:02:42 2013
-+++ ini/jk_init.ini Wed Dec 25 16:04:26 2013
-@@ -2,18 +2,18 @@
- # this section probably needs adjustment on 64bit systems
- # or non-Linux systems
- comment = common files for all jails that need user/group information
--paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/x86_64-linux-gnu/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf
-+paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/x86_64-linux-gnu/libnss*.so.2, ${SYSCONFDIR}/nsswitch.conf, ${SYSCONFDIR}/ld.so.conf
- # Solaris needs
--# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, /etc/nsswitch.conf
-+# paths = ${SYSCONFDIR}/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, ${SYSCONFDIR}/nsswitch.conf
- 
- [netbasics]
- comment = common files for all jails that need any internet connectivity
--paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
-+paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, ${SYSCONFDIR}/resolv.conf, ${SYSCONFDIR}/host.conf, ${SYSCONFDIR}/hosts, ${SYSCONFDIR}/protocols, ${SYSCONFDIR}/services
- # on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure
- 
- [logbasics]
- comment = timezone information and log sockets
--paths = /etc/localtime
-+paths = ${SYSCONFDIR}/localtime
- need_logsocket = 1
- # Solaris does not need logsocket
- # but needs
+Index: ini/jk_init.ini
+--- ini/jk_init.ini.orig
++++ ini/jk_init.ini
 @@ -21,7 +21,7 @@ need_logsocket = 1
  
  [jk_lsh]
@@ -68,7 +46,7 @@ fix some default paths in the jail creat
  
  [netutils]
  comment = several internet utilities like wget, ftp, rsync, scp, ssh
-@@ -110,7 +110,7 @@ includesections = extendedshell, netutils, apacheutils
+@@ -110,17 +110,16 @@ includesections = extendedshell, netutils, apacheutils
  
  [openvpn]
  comment = jail for the openvpn daemon
@@ -76,8 +54,10 @@ fix some default paths in the jail creat
 +paths = ${LOCALBASE}/sbin/openvpn
  users = root,nobody
  groups = root,nogroup
- includesections = netbasics
-@@ -120,7 +120,7 @@ need_logsocket = 1
+-includesections = netbasics
+ devices = /dev/urandom, /dev/random, /dev/net/tun
+ includesections = netbasics, uidbasics
+ need_logsocket = 1
  
  [apache]
  comment = the apache webserver, very basic setup, probably too limited for you
@@ -86,7 +66,7 @@ fix some default paths in the jail creat
  users = root, www-data
  groups = root, www-data
  includesections = netbasics, uidbasics
-@@ -131,16 +131,16 @@ paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/shar
+@@ -131,16 +130,16 @@ paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/shar
  
  [xauth]
  comment = getting X authentication to work
@@ -106,7 +86,7 @@ fix some default paths in the jail creat
  includesections = xclients
  
  [ping]
-@@ -149,5 +149,5 @@ paths_w_setuid = /bin/ping
+@@ -149,5 +148,5 @@ paths_w_setuid = /bin/ping
  
  #[xterm]
  #comment = xterm
Index: patches/patch-man_Makefile_in
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_Makefile_in,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_Makefile_in
--- patches/patch-man_Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1
+++ patches/patch-man_Makefile_in 29 Jun 2020 12:15:35 -0000
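Review bot: The openvpn section's `devices = /dev/urandom, /dev/random, /dev/net/tun` line enters the patch as unchanged context in the `@@ -76,8 +54,10 @@` hunk, and `/dev/net/tun` is a Linux node; OpenBSD exposes tunnel interfaces as `/dev/tunN`, so jk_init presumably cannot copy that entry when building the openvpn jail. Since the same inner hunk already rewrites the section's `paths =` to `${LOCALBASE}/sbin/openvpn`, it is the natural place to substitute the OpenBSD device node or drop the entry, adjusting the inner header `@@ -110,17 +110,16 @@` counts to match. The `@@ -68`, `@@ -86` and `@@ -106` hunks only renumber inner hunk headers and look fine.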
@@ -1,7 +1,11 @@ -$OpenBSD: patch-man_Makefile_in,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $ ---- man/Makefile.in.orig Mon Oct 20 00:03:54 2008 -+++ man/Makefile.in Mon Oct 20 00:05:31 2008 -@@ -21,7 +21,7 @@ SRCS = \ +$OpenBSD: patch-man_Makefile_in,v 1.1.1.2 2020/04/08 16:41:32 aisha Exp $ + +fix adding man pages without gzip + +Index: man/Makefile.in +--- man/Makefile.in.orig ++++ man/Makefile.in +@@ -20,7 +20,7 @@ SRCS = \ @HAVEPROCMAIL_TRUE@SRCS += jk_procmailwrapper.8 Index: patches/patch-man_jailkit_8 =================================================================== RCS file: /cvs/ports/security/jailkit/patches/patch-man_jailkit_8,v retrieving revision 1.2 diff -u -p -r1.2 patch-man_jailkit_8 --- patches/patch-man_jailkit_8 26 Mar 2014 17:38:27 -0000 1.2 +++ patches/patch-man_jailkit_8 29 Jun 2020 12:15:35 -0000 @@ -1,6 +1,10 @@ -$OpenBSD: patch-man_jailkit_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $ ---- man/jailkit.8.orig Sat Dec 21 18:05:22 2013 -+++ man/jailkit.8 Wed Dec 25 16:01:05 2013 +$OpenBSD: patch-man_jailkit_8,v 1.3 2020/04/08 16:38:22 aisha Exp $ + +give proper locations to ini files in the man pages + +Index: man/jailkit.8 +--- man/jailkit.8.orig ++++ man/jailkit.8 @@ -36,7 +36,7 @@ This section gives summary sketches of the various pro .BR jk_init @@ -53,7 +57,7 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014 . .BR jk_list -@@ -127,9 +127,9 @@ tail /var/log/daemon.log /var/log/auth.log +@@ -129,9 +129,9 @@ journalctl --since=-1h .SH FILES The jailkit configuration files are located in Index: patches/patch-py_jk_lib_py =================================================================== RCS file: /cvs/ports/security/jailkit/patches/patch-py_jk_lib_py,v retrieving revision 1.3 diff -u -p -r1.3 patch-py_jk_lib_py --- patches/patch-py_jk_lib_py 24 Apr 2013 12:47:39 -0000 1.3 +++ patches/patch-py_jk_lib_py 29 Jun 2020 12:15:35 -0000 
@@ -1,18 +1,73 @@
-$OpenBSD: patch-py_jk_lib_py,v 1.3 2013/04/24 12:47:39 gonzalo Exp $
+$OpenBSD: patch-py_jk_lib_py,v 1.4 2020/04/08 16:36:23 aisha Exp $
 
-Fix running jk_init trying to create a jail the first time
+checks for directory creation, handling edge cases, in initial jail creation
+streamlined major/minor handling for creating /dev/ nodes
 
---- py/jk_lib.py.orig Thu Aug 2 14:55:28 2012
-+++ py/jk_lib.py Tue Apr 23 06:35:23 2013
-@@ -461,7 +461,10 @@ def create_parent_path(chroot,path,be_verbose=0, copy_
+Index: py/jk_lib.py
+--- py/jk_lib.py.orig
++++ py/jk_lib.py
+@@ -404,7 +404,11 @@ def OLD_create_parent_path(chroot, path, be_verbose=0,
+ chrootname = resolve_realpath(chroot+directory[:indx],chroot)
+ if (be_verbose):
+ print('Creating directory '+chrootname)
+- os.mkdir(chrootname, dir_mode)
++ try:
++ os.mkdir(chrootname, dir_mode)
++ except OSError as e:
++ _, stderror = e.args
++ sys.stderr.write('ERROR: failed to make directory "'+chrootname+'": ' + stderror + '\n')
+ if (copy_permissions):
+ try:
+ copy_time_and_permissions(directory[:indx], chrootname, be_verbose, allow_suid, copy_ownership)
+@@ -482,7 +486,11 @@ def create_parent_path(chroot,path,be_verbose=0, copy_
  if (stat.S_ISDIR(sb.st_mode)):
  if (be_verbose):
- print 'Create directory '+jailpath
-- os.mkdir(jailpath, 0755)
+ print('Create directory '+jailpath)
+- os.mkdir(jailpath, dir_mode)
 + try:
-+ os.mkdir(jailpath, 0755)
-+ except OSError, (errno,strerror):
-+ sys.stderr.write('NOTE: Jail directory already existed:\n')
++ os.mkdir(jailpath, dir_mode)
++ except OSError as e:
++ _, stderror = e.args
++ sys.stderr.write('ERROR: failed to make directory "'+jailpath+'": ' + stderror + '\n')
  if (copy_permissions):
  try:
  copy_time_and_permissions(origpath, jailpath, be_verbose, allow_suid, copy_ownership)
+@@ -515,7 +523,11 @@ def copy_dir_with_permissions_and_owner(srcdir,dstdir,
+ try:
+ if (be_verbose):
+ print('Creating directory'+dstdir)
+- os.mkdir(dstdir)
++ try:
++ os.mkdir(dstdir, dir_mode)
++ except OSError as e:
++ _, stderror = e.args
++ sys.stderr.write('ERROR: failed to make directory "'+dstdir+'": ' + stderror + '\n')
+ copy_time_and_permissions(srcdir, dstdir, be_verbose, allow_suid=0, copy_ownership=1)
+ except (IOError, OSError) as e:
+ _, strerror = e.args
+@@ -575,22 +587,10 @@ def copy_device(chroot, path, be_verbose=1, retain_own
+ if (os.path.exists(chrootpath)):
+ print('Device '+chrootpath+' does exist already')
+ return
+- sb = os.stat(path)
++ sb = os.lstat(path)
+ try:
+- if (sys.platform[:5] == 'linux'):
+- major = sb.st_rdev / 256 #major = st_rdev divided by 256 (8bit reserved for the minor number)
+- minor = sb.st_rdev % 256 #minor = remainder of st_rdev divided by 256
+- elif (sys.platform == 'sunos5'):
+- if (sys.maxint == 2147483647):
+- major = sb.st_rdev / 262144 #major = st_rdev divided by 256 (18 bits reserved for the minor number)
+- minor = sb.st_rdev % 262144 #minor = remainder of st_rdev divided by 256
+- else:
+- #64 bit solaris has 32 bit minor/32bit major
+- major = sb.st_rdev / 2147483647
+- minor = sb.st_rdev % 2147483647
+- else:
+- major = sb.st_rdev / 256 #major = st_rdev divided by 256
+- minor = sb.st_rdev % 256 #minor = remainder of st_rdev divided by 256
++ major=os.major(sb.st_rdev)
++ minor=os.minor(sb.st_rdev)
+ if (stat.S_ISCHR(sb.st_mode)):
+ mode = 'c'
+ elif (stat.S_ISBLK(sb.st_mode)):
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/jailkit/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 20 Sep 2010 07:15:30 -0000 1.1.1.1
+++ pkg/PLIST 29 Jun 2020 12:15:35 -0000
@@ -3,7 +3,6 @@
 @bin bin/jk_uchroot
 @mode
 @man man/man8/jailkit.8
-@man man/man8/jk_addjailuser.8
 @man man/man8/jk_check.8
 @man man/man8/jk_chrootlaunch.8
 @man man/man8/jk_chrootsh.8
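Review bot: The three new `except OSError as e:` handlers (inner hunks at 404, 486 and 523) turn every mkdir failure into a stderr message and fall through, so a directory that could not be created because of permissions or a full disk is then treated as present and the following copy_time_and_permissions call runs against a path that does not exist; the old patch's `NOTE: Jail directory already existed` only meant to tolerate an existing directory. Checking the errno keeps that intent, e.g. `except OSError as e:` / `if e.errno != errno.EEXIST: raise` (importing errno if jk_lib.py does not already). The `_, stderror = e.args` unpacking also assumes a two-element args tuple, which holds for os.mkdir failures but not for every OSError, and in copy_dir_with_permissions_and_owner the new inner try/except pre-empts the enclosing `except (IOError, OSError)` that already reported the failure. That function's signature is cut in the inner hunk header, so I cannot see whether `dir_mode`, now passed to `os.mkdir(dstdir, dir_mode)`, is in scope there; please confirm it is not a NameError. The `os.lstat` plus `os.major`/`os.minor` change in copy_device is a good cleanup, but a symlink to a device node now satisfies neither S_ISCHR nor S_ISBLK and takes whatever branch follows the hunk.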
@@ -16,7 +15,6 @@
 @man man/man8/jk_socketd.8
 @man man/man8/jk_uchroot.8
 @man man/man8/jk_update.8
-sbin/jk_addjailuser
 sbin/jk_check
 @bin sbin/jk_chrootlaunch
 @mode 4755
@@ -32,22 +30,24 @@ sbin/jk_list
 @mode
 @bin sbin/jk_socketd
 sbin/jk_update
-@sample /etc/jailkit/
+@sample ${SYSCONFDIR}/jailkit/
 share/examples/jailkit/
 share/examples/jailkit/jk_check.ini
-@sample /etc/jailkit/jk_check.ini
+@sample ${SYSCONFDIR}/jailkit/jk_check.ini
 share/examples/jailkit/jk_chrootsh.ini
-@sample /etc/jailkit/jk_chrootsh.ini
+@sample ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
 share/examples/jailkit/jk_init.ini
-@sample /etc/jailkit/jk_init.ini
+@sample ${SYSCONFDIR}/jailkit/jk_init.ini
 share/examples/jailkit/jk_lsh.ini
-@sample /etc/jailkit/jk_lsh.ini
+@sample ${SYSCONFDIR}/jailkit/jk_lsh.ini
 share/examples/jailkit/jk_socketd.ini
-@sample /etc/jailkit/jk_socketd.ini
+@sample ${SYSCONFDIR}/jailkit/jk_socketd.ini
 share/examples/jailkit/jk_uchroot.ini
-@sample /etc/jailkit/jk_uchroot.ini
+@sample ${SYSCONFDIR}/jailkit/jk_uchroot.ini
 share/examples/jailkit/jk_update.ini
-@sample /etc/jailkit/jk_update.ini
+@sample ${SYSCONFDIR}/jailkit/jk_update.ini
 share/jailkit/
+${MODPY_COMMENT}share/jailkit/${MODPY_PYCACHE}/
+share/jailkit/${MODPY_PYCACHE}jk_lib.${MODPY_PYC_MAGIC_TAG}pyc
 share/jailkit/jk_lib.py
 share/jailkit/jk_lib.pyc
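Review bot: `share/jailkit/jk_lib.pyc` stays in PLIST as a context line in the `@@ -32,22 +30,24 @@` hunk (the 22/24 counts only add up if it is unchanged) while the `${MODPY_PYCACHE}` entries are added above it, yet with MODPY_VERSION now set to the python 3 default the `compileall.py` run in post-install writes only `__pycache__/jk_lib.${MODPY_PYC_MAGIC_TAG}pyc`. Unless upstream's own install step still drops a py2-style jk_lib.pyc, the package will fail at fake time on that missing file; the earlier version of this diff quoted above removed the line. If upstream does still write one, it is stale bytecode the old post-install `rm` existed to discard, so removing the PLIST line seems right either way. Running `make plist` against the 2.21 fake tree would settle it.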