On Mon, 29 Jun 2020 at 09:38:07 +0200, Gonzalo L. Rodriguez wrote:
> Anyone?
>
> On Wed, 15 Jan 2020 at 17:35:47 +0100, Gonzalo L. Rodriguez wrote:
> > Hello,
> >
> > Update for Jailkit to 2.21:
> >
> > https://olivier.sessink.nl/jailkit/
> >
> > OK? Comments?
> >
> > Cheers.-
> >
> > --
> >
> > - gonzalo
>
> > Index: Makefile
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/Makefile,v
> > retrieving revision 1.15
> > diff -u -p -r1.15 Makefile
> > --- Makefile 12 Jul 2019 20:49:03 -0000 1.15
> > +++ Makefile 15 Jan 2020 16:33:38 -0000
> > @@ -2,7 +2,7 @@
> >
> > COMMENT= utilities for jailing a user or process
> >
> > -DISTNAME= jailkit-2.19
> > +DISTNAME= jailkit-2.21
> > CATEGORIES= security sysutils
> >
> > HOMEPAGE= http://olivier.sessink.nl/jailkit/
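Review bot: HOMEPAGE here (and MASTER_SITES in the next hunk's context) still points at http://olivier.sessink.nl while the update mail itself links https://olivier.sessink.nl/jailkit/; since the file is being touched for the version bump anyway, switch both to https so the distfile is fetched over TLS and the SHA256 in distinfo is not the only thing standing between the build and a tampered tarball.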
> > @@ -13,6 +13,8 @@ MASTER_SITES= http://olivier.sessink.nl
> > PERMIT_PACKAGE= Yes
> >
> > MODULES= lang/python
> > +MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3}
> > +
> > WANTLIB += c pthread
> >
> > NO_TEST= Yes
> > Index: distinfo
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/distinfo,v
> > retrieving revision 1.8
> > diff -u -p -r1.8 distinfo
> > --- distinfo 20 Dec 2015 15:43:46 -0000 1.8
> > +++ distinfo 15 Jan 2020 16:33:38 -0000
> > @@ -1,2 +1,2 @@
> > -SHA256 (jailkit-2.19.tar.gz) = /ZYS3Vf0o5q/zeZHxCBhbFyjf1mCuMB6j7XLNSSU/Ig=
> > -SIZE (jailkit-2.19.tar.gz) = 142280
> > +SHA256 (jailkit-2.21.tar.gz) = egIOB635OGDFOPDZgZauoz1GG6vbqLs+3fcIHleinBQ=
> > +SIZE (jailkit-2.21.tar.gz) = 141341
> > Index: patches/patch-Makefile_in
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-Makefile_in,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-Makefile_in
> > --- patches/patch-Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1
> > +++ patches/patch-Makefile_in 15 Jan 2020 16:33:38 -0000
> > @@ -2,24 +2,25 @@ $OpenBSD: patch-Makefile_in,v 1.1.1.1 20
> >
> > We do not want the packge to manipulate our /etc/shells, use @shell in
> > PLIST
> >
> > ---- Makefile.in.orig Sat Sep 11 15:45:26 2010
> > -+++ Makefile.in Mon Sep 13 08:01:37 2010
> > +Index: Makefile.in
> > +--- Makefile.in.orig
> > ++++ Makefile.in
> > @@ -69,12 +69,12 @@ install:
> > @cd man/ && $(MAKE) install
> > # test if the jk_chrootsh is already in /etc/shells
> > # this previously had @echo but that fails on FreeBSD
> > -- if test -w /etc/shells; then \
> > -- if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
> > -- echo "appending ${prefix}/sbin/jk_chroots to
> > /etc/shells";\
> > -- echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
> > -- fi \
> > -- fi
> > -+ #if test -w /etc/shells; then \
> > -+ # if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
> > -+ # echo "appending ${prefix}/sbin/jk_chroots to
> > /etc/shells";\
> > -+ # echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
> > -+ # fi \
> > -+ #fi
> > +- #if test -w /etc/shells; then \
> > +- # if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
> > +- # echo "appending ${prefix}/sbin/jk_chroots to
> > /etc/shells";\
> > +- # echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
> > +- # fi \
> > +- #fi
> > ++ if test -w /etc/shells; then \
> > ++ if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
> > ++ echo "appending ${prefix}/sbin/jk_chroots to
> > /etc/shells";\
> > ++ echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
> > ++ fi \
> > ++ fi
> >
> >
> > uninstall:
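Review bot: the orientation of this regenerated patch is reversed, and the result makes the port do exactly what the patch comment forbids. The previous version (the `--`/`-+` lines) replaced the live `if test -w /etc/shells` block with a commented-out copy; the new version (`+- #if test -w /etc/shells` ... `++ if test -w /etc/shells`) deletes the commented-out copy and reinstates the live block, so `make install` would again append ${prefix}/sbin/jk_chrootsh to /etc/shells, which is what "We do not want the packge to manipulate our /etc/shells, use @shell in PLIST" is there to prevent. Unless upstream 2.21 itself now ships that block commented out, the patch would not even apply cleanly. The same reversal is visible in patch-man_Makefile_in and in every patch-man_* file below (each now removes the ${SYSCONFDIR}, ${PREFIX}, ${LOCALBASE} and ${X11BASE} lines and adds the /etc and /usr ones back); only patch-ini_jk_init_ini has the right direction. Please regenerate with make update-patches from a tree whose *.orig files are the unmodified 2.21 sources, and while here fix "packge" in the comment.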
> > Index: patches/patch-ini_jk_init_ini
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-ini_jk_init_ini,v
> > retrieving revision 1.3
> > diff -u -p -r1.3 patch-ini_jk_init_ini
> > --- patches/patch-ini_jk_init_ini 26 Mar 2014 17:38:27 -0000 1.3
> > +++ patches/patch-ini_jk_init_ini 15 Jan 2020 16:33:38 -0000
> > @@ -2,13 +2,14 @@ $OpenBSD: patch-ini_jk_init_ini,v 1.3 20
> >
> > fix some default paths in the jail creation configuration file
> >
> > ---- ini/jk_init.ini.orig Mon Dec 23 06:02:42 2013
> > -+++ ini/jk_init.ini Wed Dec 25 16:04:26 2013
> > +Index: ini/jk_init.ini
> > +--- ini/jk_init.ini.orig
> > ++++ ini/jk_init.ini
> > @@ -2,18 +2,18 @@
> > # this section probably needs adjustment on 64bit systems
> > # or non-Linux systems
> > comment = common files for all jails that need user/group information
> > --paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2,
> > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1,
> > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1,
> > /lib/x86_64-linux-gnu/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf
> > +-paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2,
> > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1,
> > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1,
> > /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2,
> > /lib/arm-linux-gnueabihf/libnsl*.so.1, /etc/nsswitch.conf, /etc/ld.so.conf
> > +paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2,
> > /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1,
> > /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1,
> > /lib/x86_64-linux-gnu/libnss*.so.2, ${SYSCONFDIR}/nsswitch.conf,
> > ${SYSCONFDIR}/ld.so.conf
> > # Solaris needs
> > -# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1,
> > /etc/nsswitch.conf
> > @@ -16,7 +17,7 @@ fix some default paths in the jail creat
> >
> > [netbasics]
> > comment = common files for all jails that need any internet connectivity
> > --paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf,
> > /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
> > +-paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2,
> > /lib/libnss_mdns*.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts,
> > /etc/protocols, /etc/services
> > +paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2,
> > ${SYSCONFDIR}/resolv.conf, ${SYSCONFDIR}/host.conf, ${SYSCONFDIR}/hosts,
> > ${SYSCONFDIR}/protocols, ${SYSCONFDIR}/services
> > # on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure
> >
> > @@ -27,89 +28,3 @@ fix some default paths in the jail creat
> > need_logsocket = 1
> > # Solaris does not need logsocket
> > # but needs
> > -@@ -21,7 +21,7 @@ need_logsocket = 1
> > -
> > - [jk_lsh]
> > - comment = Jailkit limited shell
> > --paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
> > -+paths = ${TRUEPREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini
> > - users = root
> > - groups = root
> > - includesections = uidbasics, logbasics
> > -@@ -71,14 +71,14 @@ devices = /dev/null
> > -
> > - [basicshell]
> > - comment = bash based shell with several basic utilities
> > --paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo,
> > egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv,
> > pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat,
> > /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile,
> > /usr/lib/locale/en_US.utf8
> > -+paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo,
> > egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv,
> > pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat,
> > ${SYSCONFDIR}/motd, ${SYSCONFDIR}/issue, ${SYSCONFDIR}/bash.bashrc,
> > ${SYSCONFDIR}/bashrc, ${SYSCONFDIR}/profile, /usr/lib/locale/en_US.utf8
> > - users = root
> > - groups = root
> > - includesections = uidbasics
> > -
> > - [midnightcommander]
> > - comment = Midnight Commander
> > --paths = mc, mcedit, mcview, /usr/share/mc
> > -+paths = mc, mcedit, mcview, ${LOCALBASE}/share/mc
> > - includesections = basicshell, terminfo
> > -
> > - [extendedshell]
> > -@@ -88,12 +88,12 @@ includesections = basicshell, midnightcommander, edito
> > -
> > - [terminfo]
> > - comment = terminfo databases, required for example for ncurses or vim
> > --paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo
> > -+paths = ${SYSCONFDIR}/terminfo, /usr/share/terminfo, /lib/terminfo
> > -
> > - [editors]
> > - comment = vim, joe and nano
> > - includesections = terminfo
> > --paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim
> > -+paths = joe, nano, vi, vim, ${SYSCONFDIR}/vimrc, ${SYSCONFDIR}/joe,
> > /usr/share/vim
> > -
> > - [netutils]
> > - comment = several internet utilities like wget, ftp, rsync, scp, ssh
> > -@@ -110,7 +110,7 @@ includesections = extendedshell, netutils, apacheutils
> > -
> > - [openvpn]
> > - comment = jail for the openvpn daemon
> > --paths = /usr/sbin/openvpn
> > -+paths = ${LOCALBASE}/sbin/openvpn
> > - users = root,nobody
> > - groups = root,nogroup
> > - includesections = netbasics
> > -@@ -120,7 +120,7 @@ need_logsocket = 1
> > -
> > - [apache]
> > - comment = the apache webserver, very basic setup, probably too limited
> > for you
> > --paths = /usr/sbin/apache
> > -+paths = ${TRUEPREFIX}/apache
> > - users = root, www-data
> > - groups = root, www-data
> > - includesections = netbasics, uidbasics
> > -@@ -131,16 +131,16 @@ paths = perl, /usr/lib/perl, /usr/lib/perl5,
> > /usr/shar
> > -
> > - [xauth]
> > - comment = getting X authentication to work
> > --paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
> > -+paths = ${X11BASE}/bin/xauth, ${X11BASE}/lib/X11/rgb.txt
> > -
> > - [xclients]
> > - comment = minimal files for X clients
> > --paths = /usr/X11R6/lib/X11/rgb.txt
> > -+paths = ${X11BASE}/lib/X11/rgb.txt
> > - includesections = xauth
> > -
> > - [vncserver]
> > - comment = the VNC server program
> > --paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
> > -+paths = Xvnc, Xrealvnc, ${X11BASE}/lib/X11/fonts/
> > - includesections = xclients
> > -
> > - [ping]
> > -@@ -149,5 +149,5 @@ paths_w_setuid = /bin/ping
> > -
> > - #[xterm]
> > - #comment = xterm
> > --#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
> > -+#paths = ${X11BASE}/bin/xterm, /usr/share/terminfo, ${SYSCONFDIR}/terminfo
> > - #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4,
> > /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
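Review bot: this hunk drops the rest of the jk_init.ini substitutions (jk_lsh, basicshell, midnightcommander, terminfo, editors, openvpn, apache, xauth, xclients, vncserver, xterm) and adds nothing in their place, so on OpenBSD the shipped profiles would again name /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini, /usr/share/mc, /usr/sbin/openvpn and /usr/bin/X11/xauth, none of which is where the port or its dependencies install those files, and jk_init would build jails from a config that lists files that do not exist. The first two hunks of this same file show the /etc to ${SYSCONFDIR} rewrite is still required, so if these sections moved or changed in 2.21 and the old hunks no longer apply, redo them against the new layout (or handle them with SUBST_CMD in post-patch) rather than remove them.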
> > Index: patches/patch-man_Makefile_in
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_Makefile_in,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_Makefile_in
> > --- patches/patch-man_Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1
> > +++ patches/patch-man_Makefile_in 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_Makefile_in,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp
> > $
> > ---- man/Makefile.in.orig Mon Oct 20 00:03:54 2008
> > -+++ man/Makefile.in Mon Oct 20 00:05:31 2008
> > -@@ -21,7 +21,7 @@ SRCS = \
> > +Index: man/Makefile.in
> > +--- man/Makefile.in.orig
> > ++++ man/Makefile.in
> > +@@ -20,7 +20,7 @@ SRCS = \
> >
> > @HAVEPROCMAIL_TRUE@SRCS += jk_procmailwrapper.8
> >
> > --MANS = $(SRCS:.8=.8.gz)
> > -+MANS = $(SRCS)
> > +-MANS = $(SRCS)
> > ++MANS = $(SRCS:.8=.8.gz)
> >
> > #%.8.gz : %.8
> > # gzip -9 > $@ < $<
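Review bot: reversed like the other regenerated patches. The previous hunk replaced `MANS = $(SRCS:.8=.8.gz)` with `MANS = $(SRCS)` so the port installs plain jk_*.8 pages; the new `++MANS = $(SRCS:.8=.8.gz)` line turns gzipping back on, the installed names become *.8.gz, and a PLIST that lists the uncompressed pages no longer matches the build. Given the unchanged context lines around it, only the hunk offset (@@ -21 to @@ -20) should have changed here.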
> > Index: patches/patch-man_jailkit_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jailkit_8,v
> > retrieving revision 1.2
> > diff -u -p -r1.2 patch-man_jailkit_8
> > --- patches/patch-man_jailkit_8 26 Mar 2014 17:38:27 -0000 1.2
> > +++ patches/patch-man_jailkit_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jailkit_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $
> > ---- man/jailkit.8.orig Sat Dec 21 18:05:22 2013
> > -+++ man/jailkit.8 Wed Dec 25 16:01:05 2013
> > +Index: man/jailkit.8
> > +--- man/jailkit.8.orig
> > ++++ man/jailkit.8
> > @@ -36,7 +36,7 @@ This section gives summary sketches of the various pro
> >
> > .BR jk_init
> > can be used to quickly create a jail with several files or directories
> > needed for a specific task or profile. Creating the same jail over and over
> > again is easily automated with jk_init. There are many tasks in
> > --.I /etc/jailkit/jk_init.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini
> > ++.I /etc/jailkit/jk_init.ini
> > predefined that work on Debian or Ubuntu systems. For other platforms you
> > might need to update the predefined configuration. For example, you can use
> > jk_init to quickly set up a limited shell, a jail to run apache, or a jail
> > for just sftp and scp. It will copy the binaries, the required libraries
> > (and related symlinks) as well as other files such as /etc/passwd. These
> > are all copied into the jail directory so that a jailed process can run
> > them.
> >
> > .BR jk_cp
> > @@ -14,18 +15,18 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014
> >
> > .BR jk_lsh
> > is a limited shell that allows only those commands to be executed as
> > specified in its configuration file.
> > --.I /etc/jailkit/jk_lsh.ini.
> > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini.
> > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini.
> > ++.I /etc/jailkit/jk_lsh.ini.
> > It is typically started in one of two ways, by specifying it as the
> > user's shell or by using the jk_chrootsh program. The first way is
> > implemented by specifying jk_lsh as the shell in the user's entry in the
> > 'real'
> > .I /etc/passwd
> > file. In this case, it executes in the normal file system and reads its
> > configuration from
> > --.I /etc/jailkit/jk_lsh.ini.
> > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini.
> > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini.
> > ++.I /etc/jailkit/jk_lsh.ini.
> > In the second way, jk_lsh is started from within jk_chrootsh by
> > specifying it as the shell in the passwd file located inside the JAIL
> > directory:
> > .I JAIL/etc/passwd,
> > in which case it reads its configuration from within the JAIL:
> > --.I JAIL/etc/jailkit/jk_lsh.ini.
> > -+.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini.
> > +-.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini.
> > ++.I JAIL/etc/jailkit/jk_lsh.ini.
> > The latter is the recommended approach for highest security.
> > Use this program if you want to deny regular shell access (e.g. logins)
> > but you want to allow execution of only one or a few commands such sftp,
> > scp, rsync, or cvs.
> >
> > @@ -33,14 +34,14 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014
> > is a utility to give regular users access to the
> > .BR chroot(2)
> > (change root) system call in a safe way. Which users are allowed in which
> > jails is controlled from
> > --.I /etc/jailkit/jk_uchroot.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini
> > ++.I /etc/jailkit/jk_uchroot.ini
> > Use this utility for users that can run processes both inside a jail and
> > outside a jail.
> >
> > .BR jk_socketd
> > is a daemon that allows logging safely to syslog from within a jail. It
> > limits the logging rate based on parameters set in its configuration file:
> > --.I /etc/jailkit/jk_socketd.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
> > ++.I /etc/jailkit/jk_socketd.ini
> >
> > .BR jk_chrootlaunch
> > is a utility to start a daemon that cannot do a
> > @@ -48,20 +49,20 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014
> >
> > .BR jk_check
> > is a jail integrity checker. It checks a jail for some of the potential
> > security problems. (Obviously it does not check all possible weaknesses.)
> > It reports any setuid and setgid programs, checks for any modified
> > programs, checks for world writable directories, and more. It is configured
> > by
> > --.I /etc/jailkit/jk_check.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini
> > ++.I /etc/jailkit/jk_check.ini
> > .
> >
> > .BR jk_list
> > -@@ -127,9 +127,9 @@ tail /var/log/daemon.log /var/log/auth.log
> > +@@ -129,9 +129,9 @@ journalctl --since=-1h
> > .SH FILES
> >
> > The jailkit configuration files are located in
> > --.I /etc/jailkit/
> > -+.I ${SYSCONFDIR}/jailkit/
> > +-.I ${SYSCONFDIR}/jailkit/
> > ++.I /etc/jailkit/
> > Note that in some cases the configuration files must be replicated into
> > the JAIL/etc/jailkit directory and edited appropriately. A jk program that
> > is run within the jail directory is able to read its configuration from
> > only the jailed
> > --.I etc/jailkit
> > -+.I ${SYSCONFDIR}/jailkit
> > +-.I ${SYSCONFDIR}/jailkit
> > ++.I etc/jailkit
> > directory.
> >
> > .SH "SEE ALSO"
> > Index: patches/patch-man_jk_check_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_check_8,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_jk_check_8
> > --- patches/patch-man_jk_check_8 20 Sep 2010 07:15:30 -0000 1.1.1.1
> > +++ patches/patch-man_jk_check_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jk_check_8,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $
> > ---- man/jk_check.8.orig Tue Oct 28 12:13:02 2008
> > -+++ man/jk_check.8 Tue Oct 28 12:13:32 2008
> > +Index: man/jk_check.8
> > +--- man/jk_check.8.orig
> > ++++ man/jk_check.8
> > @@ -22,7 +22,7 @@ jk_check will run several tests on all files and direc
> > -test for matching user information in the jail and on the real system
> >
> > It will test directories based on the config file
> > --.I /etc/jailkit/jk_check.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini
> > ++.I /etc/jailkit/jk_check.ini
> > but also based on jail patterns (dir/./dir) found in the home directories
> > in
> > .I /etc/passwd
> >
> > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_check_8,v 1.1.1.1
> > The help screen
> >
> > .SH FILES
> > --.I /etc/jailkit/jk_check.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_check.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_check.ini
> > ++.I /etc/jailkit/jk_check.ini
> >
> > .SH "SEE ALSO"
> > .BR jailkit(8)
> > Index: patches/patch-man_jk_chrootlaunch_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_chrootlaunch_8,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_jk_chrootlaunch_8
> > --- patches/patch-man_jk_chrootlaunch_8 20 Sep 2010 07:15:30 -0000
> > 1.1.1.1
> > +++ patches/patch-man_jk_chrootlaunch_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jk_chrootlaunch_8,v 1.1.1.1 2010/09/20 07:15:30
> > sebastia Exp $
> > ---- man/jk_chrootlaunch.8.orig Tue Oct 28 12:13:39 2008
> > -+++ man/jk_chrootlaunch.8 Tue Oct 28 12:35:22 2008
> > +Index: man/jk_chrootlaunch.8
> > +--- man/jk_chrootlaunch.8.orig
> > ++++ man/jk_chrootlaunch.8
> > @@ -59,7 +59,7 @@ Suppose you want to start Apache inside a jail. Apache
> >
> > First we create the jail using
> > .BR jk_init(8).
> > --The apachectl program is a shell script, it also needs /bin/sh and
> > /usr/bin/kill. We also have to copy these into the jail using
> > -+The apachectl program is a shell script, it also needs /bin/sh and
> > /bin/kill. We also have to copy these into the jail using
> > +-The apachectl program is a shell script, it also needs /bin/sh and
> > /bin/kill. We also have to copy these into the jail using
> > ++The apachectl program is a shell script, it also needs /bin/sh and
> > /usr/bin/kill. We also have to copy these into the jail using
> > .BR jk_cp(8).
> > Apache also needs its modules from /usr/lib/apache, copy those as well.
> > Then we can start Apache:
> >
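Review bot: `++The apachectl program ... /usr/bin/kill` is wrong for OpenBSD, where kill(1) lives in /bin/kill, which is exactly what the previous version of this patch (`-+... /bin/kill`) documented. This hunk has the same reversed orientation as the other regenerated man page patches; the text with /bin/kill is the one that should survive, otherwise anyone following the example copies a path that does not exist into the jail and apachectl fails inside the chroot.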
> > Index: patches/patch-man_jk_chrootsh_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_chrootsh_8,v
> > retrieving revision 1.2
> > diff -u -p -r1.2 patch-man_jk_chrootsh_8
> > --- patches/patch-man_jk_chrootsh_8 16 Nov 2015 13:43:40 -0000 1.2
> > +++ patches/patch-man_jk_chrootsh_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,19 +1,20 @@
> > $OpenBSD: patch-man_jk_chrootsh_8,v 1.2 2015/11/16 13:43:40 ajacoutot Exp $
> > ---- man/jk_chrootsh.8.orig Wed Nov 4 22:14:40 2015
> > -+++ man/jk_chrootsh.8 Mon Nov 16 14:41:41 2015
> > +Index: man/jk_chrootsh.8
> > +--- man/jk_chrootsh.8.orig
> > ++++ man/jk_chrootsh.8
> > @@ -11,13 +11,13 @@ jk_chrootsh \- a shell that will put the user inside a
> >
> > jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or
> > your ldap store). That user will be put into a changed root. The directory
> > where to put the user in is read from the users home directory, the last
> > occurring /./ sequence is used to mark the location of the changed root. An
> > example line in /etc/passwd would look like
> >
> > --test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh
> > -+test:x:10000:10000::/home/testchroot/./home/test:${PREFIX}/sbin/jk_chrootsh
> > +-test:x:10000:10000::/home/testchroot/./home/test:${PREFIX}/sbin/jk_chrootsh
> > ++test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh
> >
> > In this example the user will be chroot-ed into /home/testchroot
> >
> > Inside the chroot-ed directory, it will look for /etc/passwd and it will
> > execute the shell for the user from that file. For the above example the
> > /etc/passwd file inside the jail should have an entry like
> >
> > --test:x:10000:10000::/home/test:/usr/sbin/jk_lsh
> > -+test:x:10000:10000::/home/test:${PREFIX}/sbin/jk_lsh
> > +-test:x:10000:10000::/home/test:${PREFIX}/sbin/jk_lsh
> > ++test:x:10000:10000::/home/test:/usr/sbin/jk_lsh
> >
> > Notice that the home directory and the shell are local inside the chroot
> >
> > @@ -21,8 +22,8 @@ $OpenBSD: patch-man_jk_chrootsh_8,v 1.2
> > system call. Therefore it is setuid root. It will drop its root
> > priveleges immediately after making the chroot() system call. Since Jailkit
> > 2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems that
> > support capabilities, and then the setuid bit can be removed.
> >
> > By default jk_chrootsh does not copy any environment variables. For some
> > functionality, however, environment variables need to be copied (e.g. the
> > TERM variable for a functional terminal emulation, or the DISPLAY variable
> > for X forwarding). In
> > --.I /etc/jailkit/jk_chrootsh.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
> > ++.I /etc/jailkit/jk_chrootsh.ini
> > the required environment variables can be listed. An example config file
> > is shown below. In the example, user bill will get the DISPLAY variable,
> > and all users in group jail will get the TERM and PATH variables.
> >
> > By default jk_chrootsh requires a home directory owned by the user with
> > the same group as the primary group from the user, and requires the home
> > directory to be non-writable for group and others. You can relax these
> > requirements in the configfile as shown below.
> > @@ -30,8 +31,8 @@ $OpenBSD: patch-man_jk_chrootsh_8,v 1.2
> > .SH FILES
> >
> > .I /etc/passwd
> > --.I /etc/jailkit/jk_chrootsh.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
> > ++.I /etc/jailkit/jk_chrootsh.ini
> >
> > .SH DIAGNOSTICS
> >
> > Index: patches/patch-man_jk_cp_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_cp_8,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_jk_cp_8
> > --- patches/patch-man_jk_cp_8 20 Sep 2010 07:15:31 -0000 1.1.1.1
> > +++ patches/patch-man_jk_cp_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,15 +1,16 @@
> > $OpenBSD: patch-man_jk_cp_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
> > ---- man/jk_cp.8.orig Tue Oct 28 12:14:36 2008
> > -+++ man/jk_cp.8 Tue Oct 28 12:38:41 2008
> > +Index: man/jk_cp.8
> > +--- man/jk_cp.8.orig
> > ++++ man/jk_cp.8
> > @@ -19,9 +19,9 @@ jk_cp -j /home/testchroot /usr/bin/cvs
> >
> > will copy /usr/bin/cvs to /home/testchroot/usr/bin/cvs, and it will copy
> > the libraries used by cvs also to the jail.
> >
> > --jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox
> > -+jk_cp -k -j /svr/testjail ${LOCALBASE}/bin/firefox
> > ${LOCALBASE}/mozilla-firefox
> > +-jk_cp -k -j /svr/testjail ${LOCALBASE}/bin/firefox
> > ${LOCALBASE}/mozilla-firefox
> > ++jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox
> >
> > --will hardlink /usr/bin/firefox and all files in /usr/share/firefox into
> > jail /svr/testjail
> > -+will hardlink ${LOCALBASE}/bin/firefox and all files in
> > ${LOCALBASE}/mozilla-firefox into jail /svr/testjail
> > +-will hardlink ${LOCALBASE}/bin/firefox and all files in
> > ${LOCALBASE}/mozilla-firefox into jail /svr/testjail
> > ++will hardlink /usr/bin/firefox and all files in /usr/share/firefox into
> > jail /svr/testjail
> >
> > .SH OPTIONS
> >
> > Index: patches/patch-man_jk_init_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_init_8,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_jk_init_8
> > --- patches/patch-man_jk_init_8 20 Sep 2010 07:15:31 -0000 1.1.1.1
> > +++ patches/patch-man_jk_init_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jk_init_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
> > ---- man/jk_init.8.orig Sun Feb 7 17:13:06 2010
> > -+++ man/jk_init.8 Tue Sep 14 19:12:38 2010
> > +Index: man/jk_init.8
> > +--- man/jk_init.8.orig
> > ++++ man/jk_init.8
> > @@ -14,7 +14,7 @@ jk_init \- a utility to quicky create functional jail
> > It is not an easy task to setup a jail (a changed root) in a functional
> > way. If you want the user to be able to run cvs for example, it will not
> > work to simply copy the cvs binary into the users jail. You will find that
> > cvs needs libraries as well. cvs also needs the /dev/null device. Finally
> > you need something to start cvs: you need a shell too. And the shell might
> > need files like /etc/passwd and /etc/nsswitch.conf.
> >
> > With jk_init you can automate these tasks. You can create a section in
> > the configfile
> > --.I /etc/jailkit/jk_init.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini
> > ++.I /etc/jailkit/jk_init.ini
> > that has all the files, directories and devices, and you can use jk_init
> > to setup such a jail with a single command. The default configfile has
> > examples for cvs, sftp, scp, rsync and more for Debian and Ubuntu Linux.
> > For other operating systems the defaults might need some (minor) updates.
> >
> > .SH EXAMPLE
> > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1
> > .sp
> > [jk_lsh]
> > comment = Jailkit limited shell
> > --paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
> > -+paths = ${PREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini
> > +-paths = ${PREFIX}/sbin/jk_lsh, ${SYSCONFDIR}/jailkit/jk_lsh.ini
> > ++paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
> > users = root
> > groups = root
> > need_logsocket = 1
> > @@ -23,8 +24,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1
> >
> > [sftp]
> > comment = ssh secure ftp with Jailkit limited shell
> > --paths = /usr/lib/sftp-server
> > -+paths = /usr/libexec/sftp-server
> > +-paths = /usr/libexec/sftp-server
> > ++paths = /usr/lib/sftp-server
> > includesections = netbasics, uidbasics
> > devices = /dev/urandom, /dev/null
> > emptydirs = /svr
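Review bot: `++paths = /usr/lib/sftp-server` undoes the one OpenBSD-specific fix in this example; sftp-server is /usr/libexec/sftp-server on OpenBSD, which the previous `-+paths = /usr/libexec/sftp-server` line had right. As in the other regenerated man page patches the `-`/`+` roles are swapped here, and the patch should still end up adding the /usr/libexec line. Since this example is what a user copies into jk_init.ini to build an sftp jail, a wrong path here means jk_init builds a jail without a working sftp server.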
> > @@ -32,8 +33,8 @@ $OpenBSD: patch-man_jk_init_8,v 1.1.1.1
> > The help screen
> >
> > .SH FILES
> > --.I /etc/jailkit/jk_init.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_init.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_init.ini
> > ++.I /etc/jailkit/jk_init.ini
> >
> > .SH "SEE ALSO"
> > .BR jailkit(8)
> > Index: patches/patch-man_jk_jailuser_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_jailuser_8,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_jk_jailuser_8
> > --- patches/patch-man_jk_jailuser_8 20 Sep 2010 07:15:31 -0000 1.1.1.1
> > +++ patches/patch-man_jk_jailuser_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jk_jailuser_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia
> > Exp $
> > ---- man/jk_jailuser.8.orig Tue Oct 28 12:16:15 2008
> > -+++ man/jk_jailuser.8 Tue Oct 28 12:40:07 2008
> > +Index: man/jk_jailuser.8
> > +--- man/jk_jailuser.8.orig
> > ++++ man/jk_jailuser.8
> > @@ -36,7 +36,7 @@ Move the contents of the home directory inside the jai
> > No user interaction.
> > .TP
> > .BR \-s\ \-\-shell= shell
> > --The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh
> > -+The shell to use inside the jail. Defaults to ${PREFIX}/sbin/jk_lsh
> > +-The shell to use inside the jail. Defaults to ${PREFIX}/sbin/jk_lsh
> > ++The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh
> >
> > .SH "SEE ALSO"
> > .BR jailkit(8)
> > Index: patches/patch-man_jk_lsh_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_lsh_8,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_jk_lsh_8
> > --- patches/patch-man_jk_lsh_8 20 Sep 2010 07:15:31 -0000 1.1.1.1
> > +++ patches/patch-man_jk_lsh_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp $
> > ---- man/jk_lsh.8.orig Sun Feb 7 17:13:06 2010
> > -+++ man/jk_lsh.8 Tue Sep 14 19:08:21 2010
> > +Index: man/jk_lsh.8
> > +--- man/jk_lsh.8.orig
> > ++++ man/jk_lsh.8
> > @@ -12,7 +12,7 @@ jk_lsh \- a shell that limits the binaries it will exe
> > The jailkit limited shell jk_lsh is not an interactive shell. jk_lsh will
> > only execute commands that are passed during startup (e.g. /bin/sh -c
> > command) and will deny to start all but explicitly allowed commands. All
> > other commands, or regular shell access are denied. This can be used to
> > restrict an account to a specific use. For example, jk_lsh can be used to
> > make rsync-, cvs-, sftp- or scp-only accounts, or even an account that can
> > start firefox or opera but nothing else.
> >
> > The allowed actions are read from
> > --.I /etc/jailkit/jk_lsh.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini
> > ++.I /etc/jailkit/jk_lsh.ini
> > If you run jk_lsh inside a changed root jail, make sure jk_lsh.ini is
> > present inside that chroot jail.
> >
> > .SH LIMITATIONS
> > @@ -14,25 +15,25 @@ $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2
> > .nf
> > .sp
> > [DEFAULT]
> > --executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync
> > --paths = /usr/bin/, /usr/lib
> > -+executables = /usr/bin/scp, /usr/libexec/sftp-server,
> > ${LOCALBASE}/bin/rsync
> > -+paths = /usr/bin/, /usr/libexec, ${LOCALBASE}/bin
> > +-executables = /usr/bin/scp, /usr/libexec/sftp-server,
> > ${LOCALBASE}/bin/rsync
> > +-paths = /usr/bin/, /usr/libexec, ${LOCALBASE}/bin
> > ++executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync
> > ++paths = /usr/bin/, /usr/lib
> > allow_word_expansion = 1
> >
> > [test]
> > --executables = /usr/bin/scp, /usr/lib/sftp-server
> > --paths = /usr/bin/, /usr/lib
> > -+executables = /usr/bin/scp, /usr/libexec/sftp-server
> > -+paths = /usr/bin/, /usr/libexec
> > +-executables = /usr/bin/scp, /usr/libexec/sftp-server
> > +-paths = /usr/bin/, /usr/libexec
> > ++executables = /usr/bin/scp, /usr/lib/sftp-server
> > ++paths = /usr/bin/, /usr/lib
> > allow_word_expansion = 0
> > umask = 002
> >
> > [group test]
> > --executables = /usr/bin/rsync
> > --paths = /usr/bin/
> > -+executables = ${LOCALBASE}/bin/rsync
> > -+paths = ${LOCALBASE}/bin/
> > +-executables = ${LOCALBASE}/bin/rsync
> > +-paths = ${LOCALBASE}/bin/
> > ++executables = /usr/bin/rsync
> > ++paths = /usr/bin/
> > allow_word_expansion = 1
> > environment=TERM=linux,FOO=bar
> > .fi
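Review bot: the `++executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync` and `++paths = /usr/bin/, /usr/lib` lines reintroduce Debian paths that do not exist on OpenBSD, where sftp-server is /usr/libexec/sftp-server and rsync comes from packages as ${LOCALBASE}/bin/rsync, as the previous `-+` lines in this same hunk had it (same reversed orientation as the other man page patches). This example matters more than most because it is a jk_lsh allow-list: `executables` and `paths` are the only things a jailed user may run, so a documented example that names the wrong locations teaches people to write an allow-list that either does not work or gets "fixed" by widening `paths` until it does.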
> > @@ -40,11 +41,11 @@ $OpenBSD: patch-man_jk_lsh_8,v 1.1.1.1 2
> > .BR jk_chrootsh(8)
> >
> > .SH FILES
> > --.I /etc/jailkit/jk_lsh.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_lsh.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_lsh.ini
> > ++.I /etc/jailkit/jk_lsh.ini
> > .I /etc/passwd
> > --.I JAIL/etc/jailkit/jk_lsh.ini
> > -+.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini
> > +-.I JAIL${SYSCONFDIR}/jailkit/jk_lsh.ini
> > ++.I JAIL/etc/jailkit/jk_lsh.ini
> > .I JAIL/etc/passwd
> >
> > .SH DIAGNOSTICS
> > Index: patches/patch-man_jk_socketd_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_socketd_8,v
> > retrieving revision 1.2
> > diff -u -p -r1.2 patch-man_jk_socketd_8
> > --- patches/patch-man_jk_socketd_8 26 Mar 2014 17:38:27 -0000 1.2
> > +++ patches/patch-man_jk_socketd_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jk_socketd_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $
> > ---- man/jk_socketd.8.orig Fri Jan 3 18:51:20 2014
> > -+++ man/jk_socketd.8 Wed Dec 25 15:54:12 2013
> > +Index: man/jk_socketd.8
> > +--- man/jk_socketd.8.orig
> > ++++ man/jk_socketd.8
> > @@ -18,7 +18,7 @@ jk_socketd \- a daemon to create a rate-limited /dev/l
> > .SH DESCRIPTION
> >
> > The jailkit socket daemon creates a rate-limited /dev/log socket inside a
> > jail according to
> > --.I /etc/jailkit/jk_socketd.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
> > ++.I /etc/jailkit/jk_socketd.ini
> > and writes all data eventually to syslog using the real
> > .I /dev/log
> > Programs like jk_lsh and also many daemons need a /dev/log socket to do
> > logging to syslog.
> > @@ -14,8 +15,8 @@ $OpenBSD: patch-man_jk_socketd_8,v 1.2 2
> >
> > .SH FILES
> >
> > --.I /etc/jailkit/jk_socketd.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_socketd.ini
> > ++.I /etc/jailkit/jk_socketd.ini
> >
> > .SH DIAGNOSTICS
> >
> > Index: patches/patch-man_jk_uchroot_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_uchroot_8,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_jk_uchroot_8
> > --- patches/patch-man_jk_uchroot_8 20 Sep 2010 07:15:31 -0000 1.1.1.1
> > +++ patches/patch-man_jk_uchroot_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jk_uchroot_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia
> > Exp $
> > ---- man/jk_uchroot.8.orig Tue Oct 28 12:24:53 2008
> > -+++ man/jk_uchroot.8 Tue Oct 28 12:25:07 2008
> > +Index: man/jk_uchroot.8
> > +--- man/jk_uchroot.8.orig
> > ++++ man/jk_uchroot.8
> > @@ -31,7 +31,7 @@ In the above example jk_uchroot is configured not to c
> >
> > .SH FILES
> >
> > --.I /etc/jailkit/jk_uchroot.ini
> > -+.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini
> > +-.I ${SYSCONFDIR}/jailkit/jk_uchroot.ini
> > ++.I /etc/jailkit/jk_uchroot.ini
> >
> > .SH DIAGNOSTICS
> >
> > Index: patches/patch-man_jk_update_8
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/patches/patch-man_jk_update_8,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 patch-man_jk_update_8
> > --- patches/patch-man_jk_update_8 20 Sep 2010 07:15:31 -0000 1.1.1.1
> > +++ patches/patch-man_jk_update_8 15 Jan 2020 16:33:38 -0000
> > @@ -1,12 +1,13 @@
> > $OpenBSD: patch-man_jk_update_8,v 1.1.1.1 2010/09/20 07:15:31 sebastia Exp
> > $
> > ---- man/jk_update.8.orig Sun Feb 7 17:13:06 2010
> > -+++ man/jk_update.8 Tue Sep 14 19:08:21 2010
> > +Index: man/jk_update.8
> > +--- man/jk_update.8.orig
> > ++++ man/jk_update.8
> > @@ -44,7 +44,7 @@ hardlinks = 1
> > directories = /usr, /bin, /lib
> >
> > [/home/otherjail]
> > --skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox
> > -+skips = ${LOCALBASE}/mozilla-firefox, ${LOCALBASE}/bin/firefox
> > +-skips = ${LOCALBASE}/mozilla-firefox, ${LOCALBASE}/bin/firefox
> > ++skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox
> > .fi
> >
> > where the options have the following meaning:
> > Index: patches/patch-py_jk_lib_py
> > ===================================================================
> > RCS file: patches/patch-py_jk_lib_py
> > diff -N patches/patch-py_jk_lib_py
> > --- patches/patch-py_jk_lib_py 24 Apr 2013 12:47:39 -0000 1.3
> > +++ /dev/null 1 Jan 1970 00:00:00 -0000
> > @@ -1,18 +0,0 @@
> > -$OpenBSD: patch-py_jk_lib_py,v 1.3 2013/04/24 12:47:39 gonzalo Exp $
> > -
> > -Fix running jk_init trying to create a jail the first time
> > -
> > ---- py/jk_lib.py.orig Thu Aug 2 14:55:28 2012
> > -+++ py/jk_lib.py Tue Apr 23 06:35:23 2013
> > -@@ -461,7 +461,10 @@ def create_parent_path(chroot,path,be_verbose=0, copy_
> > - if (stat.S_ISDIR(sb.st_mode)):
> > - if (be_verbose):
> > - print 'Create directory '+jailpath
> > -- os.mkdir(jailpath, 0755)
> > -+ try:
> > -+ os.mkdir(jailpath, 0755)
> > -+ except OSError, (errno,strerror):
> > -+ sys.stderr.write('NOTE: Jail directory already
> > existed:\n')
> > - if (copy_permissions):
> > - try:
> > - copy_time_and_permissions(origpath,
> > jailpath, be_verbose, allow_suid, copy_ownership)
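Review bot: dropping patch-py_jk_lib_py removes the only handling of os.mkdir(jailpath, 0755) failing in create_parent_path, which the old patch added so that jk_init could be run against a jail directory that already exists. The removed code is Python 2 only ("print 'Create directory '", "except OSError, (errno,strerror)") and cannot stay as is under MODPY_DEFAULT_VERSION_3, but the diff does not say whether upstream 2.21 now tolerates an existing directory itself; if it does not, the first-time-creation fix from 2013 goes away with this removal. Either say so in the commit log or port the try/except to Python 3 syntax instead of deleting it.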
> > Index: pkg/PLIST
> > ===================================================================
> > RCS file: /cvs/ports/security/jailkit/pkg/PLIST,v
> > retrieving revision 1.1.1.1
> > diff -u -p -r1.1.1.1 PLIST
> > --- pkg/PLIST 20 Sep 2010 07:15:30 -0000 1.1.1.1
> > +++ pkg/PLIST 15 Jan 2020 16:33:38 -0000
> > @@ -3,7 +3,6 @@
> > @bin bin/jk_uchroot
> > @mode
> > @man man/man8/jailkit.8
> > -@man man/man8/jk_addjailuser.8
> > @man man/man8/jk_check.8
> > @man man/man8/jk_chrootlaunch.8
> > @man man/man8/jk_chrootsh.8
> > @@ -16,7 +15,6 @@
> > @man man/man8/jk_socketd.8
> > @man man/man8/jk_uchroot.8
> > @man man/man8/jk_update.8
> > -sbin/jk_addjailuser
> > sbin/jk_check
> > @bin sbin/jk_chrootlaunch
> > @mode 4755
> > @@ -32,22 +30,23 @@ sbin/jk_list
> > @mode
> > @bin sbin/jk_socketd
> > sbin/jk_update
> > -@sample /etc/jailkit/
> > +@sample ${SYSCONFDIR}/jailkit/
> > share/examples/jailkit/
> > share/examples/jailkit/jk_check.ini
> > -@sample /etc/jailkit/jk_check.ini
> > +@sample ${SYSCONFDIR}/jailkit/jk_check.ini
> > share/examples/jailkit/jk_chrootsh.ini
> > -@sample /etc/jailkit/jk_chrootsh.ini
> > +@sample ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
> > share/examples/jailkit/jk_init.ini
> > -@sample /etc/jailkit/jk_init.ini
> > +@sample ${SYSCONFDIR}/jailkit/jk_init.ini
> > share/examples/jailkit/jk_lsh.ini
> > -@sample /etc/jailkit/jk_lsh.ini
> > +@sample ${SYSCONFDIR}/jailkit/jk_lsh.ini
> > share/examples/jailkit/jk_socketd.ini
> > -@sample /etc/jailkit/jk_socketd.ini
> > +@sample ${SYSCONFDIR}/jailkit/jk_socketd.ini
> > share/examples/jailkit/jk_uchroot.ini
> > -@sample /etc/jailkit/jk_uchroot.ini
> > +@sample ${SYSCONFDIR}/jailkit/jk_uchroot.ini
> > share/examples/jailkit/jk_update.ini
> > -@sample /etc/jailkit/jk_update.ini
> > +@sample ${SYSCONFDIR}/jailkit/jk_update.ini
> > share/jailkit/
> > +${MODPY_COMMENT}share/jailkit/${MODPY_PYCACHE}/
> > +share/jailkit/${MODPY_PYCACHE}jk_lib.${MODPY_PYC_MAGIC_TAG}pyc
> > share/jailkit/jk_lib.py
> > -share/jailkit/jk_lib.pyc
>
>
> --
>
> - gonzalo
>
So, updated diff merged with the one Aisha sent some time ago.
Tests are welcome.
Cheers.-
--
- gonzalo
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/jailkit/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- Makefile 12 Jul 2019 20:49:03 -0000 1.15
+++ Makefile 29 Jun 2020 12:15:35 -0000
@@ -2,18 +2,21 @@
COMMENT= utilities for jailing a user or process
-DISTNAME= jailkit-2.19
+DISTNAME= jailkit-2.21
CATEGORIES= security sysutils
-HOMEPAGE= http://olivier.sessink.nl/jailkit/
+HOMEPAGE= https://olivier.sessink.nl/jailkit/
-MASTER_SITES= http://olivier.sessink.nl/jailkit/
+MASTER_SITES= https://olivier.sessink.nl/jailkit/
# BSD - LGPLv2
-PERMIT_PACKAGE= Yes
+PERMIT_PACKAGE= Yes
MODULES= lang/python
-WANTLIB += c pthread
+
+MODPY_VERSION= ${MODPY_DEFAULT_VERSION_3}
+
+WANTLIB+= c pthread
NO_TEST= Yes
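Review bot: with MODPY_VERSION= ${MODPY_DEFAULT_VERSION_3} the jk_* Python scripts have to end up with a python3 interpreter line, and nothing in this hunk shows what sets it: there is no MODPY_ADJ_FILES and configure's interpreter detection is not touched anywhere in the diff. Please confirm that the installed sbin/jk_check, sbin/jk_update and the other Python tools from the PLIST point at ${MODPY_BIN} rather than at a bare "python". Two smaller things: the PERMIT_PACKAGE line is removed and re-added identical, a whitespace-only change that could be left out to keep the diff to real changes; and moving HOMEPAGE and MASTER_SITES to https is good, the distfile is then fetched over TLS on top of the SHA256 check in distinfo.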
@@ -34,9 +37,8 @@ pre-configure:
${SUBST_CMD} ${WRKSRC}/man/$${i}; done
post-install:
- # recreate the .pyc file, otherwise it would change
- # after installation
- rm ${PREFIX}/share/jailkit/jk_lib.pyc
+ # compile the jailkit python files so that they
+ # are removed correctly when uninstalling
${MODPY_BIN} ${MODPY_LIBDIR}/compileall.py \
${PREFIX}/share/jailkit
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/jailkit/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- distinfo 20 Dec 2015 15:43:46 -0000 1.8
+++ distinfo 29 Jun 2020 12:15:35 -0000
@@ -1,2 +1,2 @@
-SHA256 (jailkit-2.19.tar.gz) = /ZYS3Vf0o5q/zeZHxCBhbFyjf1mCuMB6j7XLNSSU/Ig=
-SIZE (jailkit-2.19.tar.gz) = 142280
+SHA256 (jailkit-2.21.tar.gz) = egIOB635OGDFOPDZgZauoz1GG6vbqLs+3fcIHleinBQ=
+SIZE (jailkit-2.21.tar.gz) = 141341
Index: patches/patch-Makefile_in
===================================================================
RCS file: patches/patch-Makefile_in
diff -N patches/patch-Makefile_in
--- patches/patch-Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,25 +0,0 @@
-$OpenBSD: patch-Makefile_in,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $
-
-We do not want the packge to manipulate our /etc/shells, use @shell in PLIST
-
---- Makefile.in.orig Sat Sep 11 15:45:26 2010
-+++ Makefile.in Mon Sep 13 08:01:37 2010
-@@ -69,12 +69,12 @@ install:
- @cd man/ && $(MAKE) install
- # test if the jk_chrootsh is already in /etc/shells
- # this previously had @echo but that fails on FreeBSD
-- if test -w /etc/shells; then \
-- if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
-- echo "appending ${prefix}/sbin/jk_chroots to
/etc/shells";\
-- echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
-- fi \
-- fi
-+ #if test -w /etc/shells; then \
-+ # if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \
-+ # echo "appending ${prefix}/sbin/jk_chroots to
/etc/shells";\
-+ # echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\
-+ # fi \
-+ #fi
-
-
- uninstall:
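Review bot: removing patch-Makefile_in re-enables whatever upstream's install target does with /etc/shells; the dropped hunk existed precisely to stop "echo ${prefix}/sbin/jk_chrootsh >> /etc/shells" from running at install time, with @shell in the PLIST doing that job at pkg_add instead. Nothing in the diff shows that upstream 2.21 removed that block. If it is still there, the "test -w /etc/shells" guard is true for a build running as root and the fake install would append a path to the build host's /etc/shells rather than to anything under ${WRKINST}. Please confirm the block is gone upstream, or keep the patch and just refresh its header.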
Index: patches/patch-ini_jk_init_ini
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-ini_jk_init_ini,v
retrieving revision 1.3
diff -u -p -r1.3 patch-ini_jk_init_ini
--- patches/patch-ini_jk_init_ini 26 Mar 2014 17:38:27 -0000 1.3
+++ patches/patch-ini_jk_init_ini 29 Jun 2020 12:15:35 -0000
@@ -1,32 +1,10 @@
-$OpenBSD: patch-ini_jk_init_ini,v 1.3 2014/03/26 17:38:27 gonzalo Exp $
+$OpenBSD: patch-ini_jk_init_ini,v 1.4 2020/04/08 18:43:53 aisha Exp $
-fix some default paths in the jail creation configuration file
+fix installation directories and default paths in the jail creation
configuration file
---- ini/jk_init.ini.orig Mon Dec 23 06:02:42 2013
-+++ ini/jk_init.ini Wed Dec 25 16:04:26 2013
-@@ -2,18 +2,18 @@
- # this section probably needs adjustment on 64bit systems
- # or non-Linux systems
- comment = common files for all jails that need user/group information
--paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2,
/lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1,
/lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1,
/lib/x86_64-linux-gnu/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf
-+paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2,
/lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1,
/lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1,
/lib/x86_64-linux-gnu/libnss*.so.2, ${SYSCONFDIR}/nsswitch.conf,
${SYSCONFDIR}/ld.so.conf
- # Solaris needs
--# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1,
/etc/nsswitch.conf
-+# paths = ${SYSCONFDIR}/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1,
${SYSCONFDIR}/nsswitch.conf
-
- [netbasics]
- comment = common files for all jails that need any internet connectivity
--paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf,
/etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
-+paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2,
${SYSCONFDIR}/resolv.conf, ${SYSCONFDIR}/host.conf, ${SYSCONFDIR}/hosts,
${SYSCONFDIR}/protocols, ${SYSCONFDIR}/services
- # on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure
-
- [logbasics]
- comment = timezone information and log sockets
--paths = /etc/localtime
-+paths = ${SYSCONFDIR}/localtime
- need_logsocket = 1
- # Solaris does not need logsocket
- # but needs
+Index: ini/jk_init.ini
+--- ini/jk_init.ini.orig
++++ ini/jk_init.ini
@@ -21,7 +21,7 @@ need_logsocket = 1
[jk_lsh]
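Review bot: the first hunk of the old patch, the ${SYSCONFDIR} rewrite of [uidbasics], [netbasics] and [logbasics] (nsswitch.conf, resolv.conf, host.conf, hosts, protocols, services, localtime), is dropped here while the patch description grows to "fix installation directories and default paths". With SYSCONFDIR at its /etc default the effective paths are unchanged, so this is probably fine, but please say in the patch comment that those sections are now left as upstream ships them so the next updater does not re-add the hunk. Also, "$OpenBSD: patch-ini_jk_init_ini,v 1.4 2020/04/08 18:43:53 aisha Exp $" (and the v 1.1.1.2, v 1.3 and v 1.4 tags on the patch headers further down) are keyword expansions carried over from another tree; cvs rewrites them on commit, so leave the existing keyword lines alone and keep the diff to the real changes.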
@@ -68,7 +46,7 @@ fix some default paths in the jail creat
[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
-@@ -110,7 +110,7 @@ includesections = extendedshell, netutils, apacheutils
+@@ -110,17 +110,16 @@ includesections = extendedshell, netutils, apacheutils
[openvpn]
comment = jail for the openvpn daemon
@@ -76,8 +54,10 @@ fix some default paths in the jail creat
+paths = ${LOCALBASE}/sbin/openvpn
users = root,nobody
groups = root,nogroup
- includesections = netbasics
-@@ -120,7 +120,7 @@ need_logsocket = 1
+-includesections = netbasics
+ devices = /dev/urandom, /dev/random, /dev/net/tun
+ includesections = netbasics, uidbasics
+ need_logsocket = 1
[apache]
comment = the apache webserver, very basic setup, probably too limited for you
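Review bot: the line the inner hunk now deletes ("-includesections = netbasics", shown here as "+-includesections = netbasics") removes a duplicate includesections key from [openvpn] and leaves the "includesections = netbasics, uidbasics" that follows in context. That is the right thing to do for an ini section where the second key would otherwise override the first, but it is neither an installation directory nor a default path fix and is not mentioned in the patch comment, so add a sentence for it. While in this section: the context line "devices = /dev/urandom, /dev/random, /dev/net/tun" names the Linux tun node; on OpenBSD the tun interfaces are /dev/tun0 and up, so a jail built from this section gets no tun device and openvpn inside it cannot bring up its interface. Worth patching next to "paths = ${LOCALBASE}/sbin/openvpn".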
@@ -86,7 +66,7 @@ fix some default paths in the jail creat
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics
-@@ -131,16 +131,16 @@ paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/shar
+@@ -131,16 +130,16 @@ paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/shar
[xauth]
comment = getting X authentication to work
@@ -106,7 +86,7 @@ fix some default paths in the jail creat
includesections = xclients
[ping]
-@@ -149,5 +149,5 @@ paths_w_setuid = /bin/ping
+@@ -149,5 +148,5 @@ paths_w_setuid = /bin/ping
#[xterm]
#comment = xterm
Index: patches/patch-man_Makefile_in
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_Makefile_in,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-man_Makefile_in
--- patches/patch-man_Makefile_in 20 Sep 2010 07:15:30 -0000 1.1.1.1
+++ patches/patch-man_Makefile_in 29 Jun 2020 12:15:35 -0000
@@ -1,7 +1,11 @@
-$OpenBSD: patch-man_Makefile_in,v 1.1.1.1 2010/09/20 07:15:30 sebastia Exp $
---- man/Makefile.in.orig Mon Oct 20 00:03:54 2008
-+++ man/Makefile.in Mon Oct 20 00:05:31 2008
-@@ -21,7 +21,7 @@ SRCS = \
+$OpenBSD: patch-man_Makefile_in,v 1.1.1.2 2020/04/08 16:41:32 aisha Exp $
+
+fix adding man pages without gzip
+
+Index: man/Makefile.in
+--- man/Makefile.in.orig
++++ man/Makefile.in
+@@ -20,7 +20,7 @@ SRCS = \
@HAVEPROCMAIL_TRUE@SRCS += jk_procmailwrapper.8
Index: patches/patch-man_jailkit_8
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-man_jailkit_8,v
retrieving revision 1.2
diff -u -p -r1.2 patch-man_jailkit_8
--- patches/patch-man_jailkit_8 26 Mar 2014 17:38:27 -0000 1.2
+++ patches/patch-man_jailkit_8 29 Jun 2020 12:15:35 -0000
@@ -1,6 +1,10 @@
-$OpenBSD: patch-man_jailkit_8,v 1.2 2014/03/26 17:38:27 gonzalo Exp $
---- man/jailkit.8.orig Sat Dec 21 18:05:22 2013
-+++ man/jailkit.8 Wed Dec 25 16:01:05 2013
+$OpenBSD: patch-man_jailkit_8,v 1.3 2020/04/08 16:38:22 aisha Exp $
+
+give proper locations to ini files in the man pages
+
+Index: man/jailkit.8
+--- man/jailkit.8.orig
++++ man/jailkit.8
@@ -36,7 +36,7 @@ This section gives summary sketches of the various pro
.BR jk_init
@@ -53,7 +57,7 @@ $OpenBSD: patch-man_jailkit_8,v 1.2 2014
.
.BR jk_list
-@@ -127,9 +127,9 @@ tail /var/log/daemon.log /var/log/auth.log
+@@ -129,9 +129,9 @@ journalctl --since=-1h
.SH FILES
The jailkit configuration files are located in
Index: patches/patch-py_jk_lib_py
===================================================================
RCS file: /cvs/ports/security/jailkit/patches/patch-py_jk_lib_py,v
retrieving revision 1.3
diff -u -p -r1.3 patch-py_jk_lib_py
--- patches/patch-py_jk_lib_py 24 Apr 2013 12:47:39 -0000 1.3
+++ patches/patch-py_jk_lib_py 29 Jun 2020 12:15:35 -0000
@@ -1,18 +1,73 @@
-$OpenBSD: patch-py_jk_lib_py,v 1.3 2013/04/24 12:47:39 gonzalo Exp $
+$OpenBSD: patch-py_jk_lib_py,v 1.4 2020/04/08 16:36:23 aisha Exp $
-Fix running jk_init trying to create a jail the first time
+checks for directory creation, handling edge cases, in initial jail creation
+streamlined major/minor handling for creating /dev/ nodes
---- py/jk_lib.py.orig Thu Aug 2 14:55:28 2012
-+++ py/jk_lib.py Tue Apr 23 06:35:23 2013
-@@ -461,7 +461,10 @@ def create_parent_path(chroot,path,be_verbose=0, copy_
+Index: py/jk_lib.py
+--- py/jk_lib.py.orig
++++ py/jk_lib.py
+@@ -404,7 +404,11 @@ def OLD_create_parent_path(chroot, path, be_verbose=0,
+ chrootname =
resolve_realpath(chroot+directory[:indx],chroot)
+ if (be_verbose):
+ print('Creating directory '+chrootname)
+- os.mkdir(chrootname, dir_mode)
++ try:
++ os.mkdir(chrootname, dir_mode)
++ except OSError as e:
++ _, stderror = e.args
++ sys.stderr.write('ERROR: failed to make
directory "'+chrootname+'": ' + stderror + '\n')
+ if (copy_permissions):
+ try:
+
copy_time_and_permissions(directory[:indx], chrootname, be_verbose, allow_suid,
copy_ownership)
+@@ -482,7 +486,11 @@ def create_parent_path(chroot,path,be_verbose=0, copy_
if (stat.S_ISDIR(sb.st_mode)):
if (be_verbose):
- print 'Create directory '+jailpath
-- os.mkdir(jailpath, 0755)
+ print('Create directory '+jailpath)
+- os.mkdir(jailpath, dir_mode)
+ try:
-+ os.mkdir(jailpath, 0755)
-+ except OSError, (errno,strerror):
-+ sys.stderr.write('NOTE: Jail directory already
existed:\n')
++ os.mkdir(jailpath, dir_mode)
++ except OSError as e:
++ _, stderror = e.args
++ sys.stderr.write('ERROR: failed to make
directory "'+jailpath+'": ' + stderror + '\n')
if (copy_permissions):
try:
copy_time_and_permissions(origpath,
jailpath, be_verbose, allow_suid, copy_ownership)
+@@ -515,7 +523,11 @@ def copy_dir_with_permissions_and_owner(srcdir,dstdir,
+ try:
+ if (be_verbose):
+ print('Creating directory'+dstdir)
+- os.mkdir(dstdir)
++ try:
++ os.mkdir(dstdir, dir_mode)
++ except OSError as e:
++ _, stderror = e.args
++ sys.stderr.write('ERROR: failed to make directory
"'+dstdir+'": ' + stderror + '\n')
+ copy_time_and_permissions(srcdir, dstdir, be_verbose,
allow_suid=0, copy_ownership=1)
+ except (IOError, OSError) as e:
+ _, strerror = e.args
+@@ -575,22 +587,10 @@ def copy_device(chroot, path, be_verbose=1, retain_own
+ if (os.path.exists(chrootpath)):
+ print('Device '+chrootpath+' does exist already')
+ return
+- sb = os.stat(path)
++ sb = os.lstat(path)
+ try:
+- if (sys.platform[:5] == 'linux'):
+- major = sb.st_rdev / 256 #major = st_rdev divided by
256 (8bit reserved for the minor number)
+- minor = sb.st_rdev % 256 #minor = remainder of st_rdev
divided by 256
+- elif (sys.platform == 'sunos5'):
+- if (sys.maxint == 2147483647):
+- major = sb.st_rdev / 262144 #major = st_rdev
divided by 256 (18 bits reserved for the minor number)
+- minor = sb.st_rdev % 262144 #minor = remainder
of st_rdev divided by 256
+- else:
+- #64 bit solaris has 32 bit minor/32bit major
+- major = sb.st_rdev / 2147483647
+- minor = sb.st_rdev % 2147483647
+- else:
+- major = sb.st_rdev / 256 #major = st_rdev divided by 256
+- minor = sb.st_rdev % 256 #minor = remainder of st_rdev
divided by 256
++ major=os.major(sb.st_rdev)
++ minor=os.minor(sb.st_rdev)
+ if (stat.S_ISCHR(sb.st_mode)):
+ mode = 'c'
+ elif (stat.S_ISBLK(sb.st_mode)):
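Review bot: the three new "try: os.mkdir(...) / except OSError as e:" blocks (in OLD_create_parent_path, create_parent_path and copy_dir_with_permissions_and_owner) catch every OSError, write "ERROR: failed to make directory" and then carry on as if the directory existed. The old patch only meant to tolerate EEXIST ("Jail directory already existed"); with this version an EACCES, ENOSPC or EROFS failure is logged and jail creation continues, with copy_time_and_permissions(origpath, jailpath, ...) then run on a path that was never created. Suggest "except FileExistsError: pass" and letting any other OSError propagate; in copy_dir_with_permissions_and_owner the enclosing "except (IOError, OSError) as e:" already handles it and the nested try now hides mkdir failures from it. Minor: "_, stderror = e.args" relies on e.args being a 2-tuple, e.strerror is what the enclosing handler uses and is safer, and the spelling differs from the strerror variable right below. Two unrelated changes ride along and deserve a line in the patch comment: os.stat(path) becoming os.lstat(path) in copy_device, which means a device reachable only through a symlink is no longer seen as S_ISCHR/S_ISBLK and gets no node in the jail, and the os.major()/os.minor() rewrite, which is also a Python 3 fix since "sb.st_rdev / 256" yields a float there.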
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/jailkit/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 20 Sep 2010 07:15:30 -0000 1.1.1.1
+++ pkg/PLIST 29 Jun 2020 12:15:35 -0000
@@ -3,7 +3,6 @@
@bin bin/jk_uchroot
@mode
@man man/man8/jailkit.8
-@man man/man8/jk_addjailuser.8
@man man/man8/jk_check.8
@man man/man8/jk_chrootlaunch.8
@man man/man8/jk_chrootsh.8
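Review bot: @man man/man8/jk_addjailuser.8 (and sbin/jk_addjailuser in the next hunk) go away without a word in the diff about why. If upstream 2.21 no longer ships jk_addjailuser, a line in the commit log saying so helps anyone who still has it in documentation or scripts; if it is still installed, the file would be left behind unpackaged and make package will complain.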
@@ -16,7 +15,6 @@
@man man/man8/jk_socketd.8
@man man/man8/jk_uchroot.8
@man man/man8/jk_update.8
-sbin/jk_addjailuser
sbin/jk_check
@bin sbin/jk_chrootlaunch
@mode 4755
@@ -32,22 +30,24 @@ sbin/jk_list
@mode
@bin sbin/jk_socketd
sbin/jk_update
-@sample /etc/jailkit/
+@sample ${SYSCONFDIR}/jailkit/
share/examples/jailkit/
share/examples/jailkit/jk_check.ini
-@sample /etc/jailkit/jk_check.ini
+@sample ${SYSCONFDIR}/jailkit/jk_check.ini
share/examples/jailkit/jk_chrootsh.ini
-@sample /etc/jailkit/jk_chrootsh.ini
+@sample ${SYSCONFDIR}/jailkit/jk_chrootsh.ini
share/examples/jailkit/jk_init.ini
-@sample /etc/jailkit/jk_init.ini
+@sample ${SYSCONFDIR}/jailkit/jk_init.ini
share/examples/jailkit/jk_lsh.ini
-@sample /etc/jailkit/jk_lsh.ini
+@sample ${SYSCONFDIR}/jailkit/jk_lsh.ini
share/examples/jailkit/jk_socketd.ini
-@sample /etc/jailkit/jk_socketd.ini
+@sample ${SYSCONFDIR}/jailkit/jk_socketd.ini
share/examples/jailkit/jk_uchroot.ini
-@sample /etc/jailkit/jk_uchroot.ini
+@sample ${SYSCONFDIR}/jailkit/jk_uchroot.ini
share/examples/jailkit/jk_update.ini
-@sample /etc/jailkit/jk_update.ini
+@sample ${SYSCONFDIR}/jailkit/jk_update.ini
share/jailkit/
+${MODPY_COMMENT}share/jailkit/${MODPY_PYCACHE}/
+share/jailkit/${MODPY_PYCACHE}jk_lib.${MODPY_PYC_MAGIC_TAG}pyc
share/jailkit/jk_lib.py
share/jailkit/jk_lib.pyc
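Review bot: this hunk keeps share/jailkit/jk_lib.pyc as the last PLIST entry while adding the ${MODPY_PYCACHE} entries, whereas the January diff removed it. Under Python 3 the compileall.py run in post-install writes only into __pycache__, so unless upstream's install still drops a top-level jk_lib.pyc this entry does not exist and make package fails on a missing file; and if upstream does still write it, it is a Python 2 era file that the old post-install removed on purpose, so put the "rm ${PREFIX}/share/jailkit/jk_lib.pyc" back and drop the line from the PLIST. Either way the PLIST and the post-install target have to agree.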