From 77d0681d14e1264b6199362a39985319aa15387a Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 2 Apr 2020 00:30:48 +0200
Subject: [PATCH] refactor init and update subcommands

---
 lib/bkctld-init | 37 ++++++++++------------
 lib/bkctld-update | 16 ++++++----
 lib/config | 81 ++++++++++++++++++++++++++++++++++++++++++++++-
 lib/mkjail | 44 -------------------------
 4 files changed, 106 insertions(+), 72 deletions(-)
 delete mode 100755 lib/mkjail

diff --git a/lib/bkctld-init b/lib/bkctld-init
index 8364c2f..bf54d21 100755
--- a/lib/bkctld-init
+++ b/lib/bkctld-init
@@ -7,30 +7,25 @@
 # shellcheck source=./config
 LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
 
-jail="${1:-}"
-if [ ! -n "${jail}" ]; then
+jail_name="${1:-}"
+if [ -z "${jail_name}" ]; then
 "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] && error "${jail} : trying to create existant jail"
+jail_path=$(jail_path "${jail_name}")
 
-mkdir -p "${CONFDIR}" "${JAILDIR}"
-sshd_config="${TPLDIR}/sshd_config"
-inctpl="${TPLDIR}/inc.tpl"
-[ -f "${LOCALTPLDIR}/sshd_config" ] && sshd_config="${LOCALTPLDIR}/sshd_config"
-[ -f "${LOCALTPLDIR}/inc.tpl" ] && inctpl="${LOCALTPLDIR}/inc.tpl"
+test -d "${jail_path}" && error "${jail_name} : jail already exists."
 
-rootdir=$(dirname "${JAILDIR}")
-rootdir_inode=$(stat --format=%i "${rootdir}")
-jaildir_inode=$(stat --format=%i "${JAILDIR}")
-if [ "${rootdir_inode}" -eq 256 ] || [ "${jaildir_inode}" -eq 256 ]; then
- /bin/btrfs subvolume create "${JAILDIR}/${jail}"
+# Create config and jails directory
+mkdir --parents "${CONFDIR}" "${JAILDIR}"
+
+
+if is_btrfs "$(dirname "${JAILDIR}")" || is_btrfs "${JAILDIR}"; then
+ /bin/btrfs subvolume create "${jail_path}"
 else
- mkdir -p "${JAILDIR}/${jail}"
+ mkdir --parents "${jail_path}"
 fi
-. "${LIBDIR}/mkjail"
-info "4 - Copie default sshd_config"
-install -m 0640 "${sshd_config}" "${JAILDIR}/${jail}/${SSHD_CONFIG}"
-info "5 - Copie default inc configuration"
-install -m 0640 "${inctpl}" "${CONFDIR}/${jail}"
-"${LIBDIR}/bkctld-port" "${jail}" auto
-notice "${jail} : created jail"
+
+setup_jail_chroot "${jail_name}"
+setup_jail_config "${jail_name}"
+
+notice "${jail_name} : jail has been created"
diff --git a/lib/bkctld-update b/lib/bkctld-update
index 9d80102..c803bb7 100755
--- a/lib/bkctld-update
+++ b/lib/bkctld-update
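Review bot: `jail_name` is taken from `$1` and passed straight into `jail_path`, `btrfs subvolume create` and `mkdir --parents` without any check on its content, so a name containing `/` or equal to `.`/`..` would resolve to a directory outside `${JAILDIR}`, and `setup_jail_chroot` later runs `rm -rf` there after `cd`-ing into it. Unless the `jail_path` helper (not visible in this patch) already rejects such names, a guard right after the emptiness check would close this: `case "${jail_name}" in */*|.|..) error "${jail_name} : invalid jail name." ;; esac`. Separately, the new variable `jail_path` carries the same name as the helper function it calls; POSIX sh keeps the two namespaces apart so this works, but a distinct name such as `jail_dir` would read more clearly, and the same applies to the identical line in bkctld-update.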
@@ -7,12 +7,16 @@
 # shellcheck source=./config
 LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
 
-jail="${1:-}"
-if [ ! -n "${jail}" ]; then
+jail_name="${1:-}"
+if [ ! -n "${jail_name}" ]; then
 "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to update inexistant jail"
-"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
+jail_path=$(jail_path "${jail_name}")
 
-. "${LIBDIR}/mkjail"
-notice "${jail} : updated jail"
+[ -d "${jail_path}" ] || error "${jail_name} : trying to update inexistant jail"
+
+"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}"
+
+setup_jail_chroot "${jail_name}"
+
+notice "${jail_name} : jail has been updated."
diff --git a/lib/config b/lib/config
index 00d9ff8..ffacac0 100755
--- a/lib/config
+++ b/lib/config
@@ -10,10 +10,10 @@ BACKUP_DISK="${BACKUP_DISK:-}"
 JAILDIR="${JAILDIR:-/backup/jails}"
 INCDIR="${INCDIR:-/backup/incs}"
 TPLDIR="${TPLDIR:-/usr/share/bkctld}"
+LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
 LOCKDIR="${LOCKDIR:-/run/lock/bkctld}"
 INDEX_DIR="${INDEX_DIR:-/backup/index}"
 IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}"
-LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
 SSHD_PID="${SSHD_PID:-/run/sshd.pid}"
 SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
 AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}"
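Review bot: The outcome of `"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}"` is never checked, so if bkctld-stop fails the script still proceeds to `setup_jail_chroot`, which removes and rewrites `bin`, `lib`, `usr` and the host keys of a jail that is presumably still running. Making the stop fatal avoids tearing down a live chroot: `if "${LIBDIR}/bkctld-is-on" "${jail_name}"; then "${LIBDIR}/bkctld-stop" "${jail_name}" || error "${jail_name} : failed to stop jail."; fi`. The emptiness test was rewritten as `[ -z "${jail_name}" ]` in bkctld-init but stays `[ ! -n "${jail_name}" ]` here; the two subcommands should use the same form.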
@@ -139,3 +139,82 @@ jail_check_policy_file() {
 echo ""
 fi
 }
+
+setup_jail_chroot() {
+ jail_name=$1
+
+ jail_path=$(jail_path "${jail_name}")
+
+ passwd="${TPLDIR}/passwd"
+ shadow="${TPLDIR}/shadow"
+ group="${TPLDIR}/group"
+ sshrc="${TPLDIR}/sshrc"
+ [ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
+ [ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
+ [ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
+ [ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
+
+ cd "${jail_path}" || error "Failed to change directory to ${jail_path}."
+ umask 077
+
+ info "1 - Creating the chroot"
+ rm -rf bin lib lib64 run usr var/run etc/ssh/*key
+ mkdir -p ./dev
+ mkdir -p ./proc
+ mkdir -p ./usr/bin
+ mkdir -p ./usr/sbin
+ mkdir -p ./usr/lib ./usr/lib/x86_64-linux-gnu ./usr/lib/openssh ./usr/lib64
+ mkdir -p ./etc/ssh
+ mkdir -p ./var/log
+ mkdir -p ./run/sshd
+ # shellcheck disable=SC2174
+ mkdir -p ./root/.ssh --mode 0700
+ # shellcheck disable=SC2174
+ mkdir -p ./var/backup --mode 0700
+ ln -s ./usr/bin ./bin
+ ln -s ./usr/lib ./lib
+ ln -s ./usr/lib64 ./lib64
+ ln -s --target-directory=./var ../run
+ touch ./var/log/lastlog ./var/log/wtmp ./run/utmp
+
+ info "2 - Copying essential files"
+ [ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key ./etc/ssh
+ [ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key ./etc/ssh
+ [ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key ./etc/ssh
+ touch "./${AUTHORIZED_KEYS}"
+ chmod 600 "./${AUTHORIZED_KEYS}"
+ cp "${passwd}" ./etc
+ cp "${shadow}" ./etc
+ cp "${group}" ./etc
+ cp "${sshrc}" ./etc/ssh
+
+ info "3 - Copying binaries"
+ cp -f /lib/ld-linux.so.2 ./lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 ./lib64
+ cp /lib/x86_64-linux-gnu/libnss* ./lib/x86_64-linux-gnu
+
+ for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
+ cp -f "${dbin}" "./${dbin}";
+ for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
+ cp -p "${lib}" "./${lib}"
+ done
+ done
+}
+
+setup_jail_config() {
+ jail_name=$1
+
+ jail_path=$(jail_path "${jail_name}")
+
+ sshd_config="${TPLDIR}/sshd_config"
+ test -f "${LOCALTPLDIR}/sshd_config" && sshd_config="${LOCALTPLDIR}/sshd_config"
+
+ info "4 - Copie default sshd_config"
+ install -m 0640 "${sshd_config}" "${jail_path}/${SSHD_CONFIG}"
+
+ inctpl="${TPLDIR}/inc.tpl"
+ test -f "${LOCALTPLDIR}/inc.tpl" && inctpl="${LOCALTPLDIR}/inc.tpl"
+
+ info "5 - Copie default inc configuration"
+ install -m 0640 "${inctpl}" "${jail_path}"
+ "${LIBDIR}/bkctld-port" "${jail_name}" auto
+}
diff --git a/lib/mkjail b/lib/mkjail
deleted file mode 100755
index e21374d..0000000
--- a/lib/mkjail
+++ /dev/null
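Review bot: `setup_jail_config` installs the inc template into the jail directory itself, `install -m 0640 "${inctpl}" "${jail_path}"`, whereas the bkctld-init code it replaces wrote it to `"${CONFDIR}/${jail}"`; unless the per-jail config is deliberately being relocated, the line should read `install -m 0640 "${inctpl}" "${CONFDIR}/${jail_name}"`. In `setup_jail_chroot` the local override for sshrc is stored in the wrong variable, `[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"`, so a local sshrc is never copied to `./etc/ssh` and, when one exists, `cp "${group}" ./etc` copies it to `./etc/sshrc` while no `./etc/group` is created at all; the fix is `sshrc="${LOCALTPLDIR}/sshrc"` (the deleted lib/mkjail carried the same typo). Both functions also assign `jail_name`, `jail_path`, `passwd`, `lib` and the other working variables as globals of the sourcing script, which clobbers the caller's own `jail_name`/`jail_path`; declaring them `local` (available in dash and bash) or giving them a distinct prefix would keep the helpers self-contained.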
@@ -1,44 +0,0 @@
-#!/bin/sh
-
-passwd="${TPLDIR}/passwd"
-shadow="${TPLDIR}/shadow"
-group="${TPLDIR}/group"
-sshrc="${TPLDIR}/sshrc"
-[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
-[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
-[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
-[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
-umask 077
-
-info "1 - Creating the chroot"
-cd "${JAILDIR}/${jail}"
-rm -rf bin lib lib64 run usr var/run etc/ssh/*key
-mkdir -p dev proc
-mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64
-mkdir -p etc/ssh var/log run/sshd
-mkdir -p root/.ssh var/backup -m 0700
-ln -s usr/bin bin
-ln -s usr/lib lib
-ln -s usr/lib64 lib64
-ln -st var ../run
-touch var/log/lastlog var/log/wtmp run/utmp
-
-info "2 - Copying essential files"
-[ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key etc/ssh
-[ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key etc/ssh
-[ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key etc/ssh
-cp "${passwd}" etc
-cp "${shadow}" etc
-cp "${group}" etc
-cp "${sshrc}" etc/ssh
-
-info "3 - Copying binaries"
-cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64
-cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu
-
-for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
- cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}";
- for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
- cp -p "${lib}" "${JAILDIR}/${jail}/${lib}"
- done
-done