From b141daca291c65a90309b4ec0abc4ca437fabd46 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 2 Apr 2020 23:33:54 +0200
Subject: [PATCH] code clarification

---
 lib/bkctld-ip | 17 +++++++++--------
 lib/bkctld-start | 45 +++++++++++++++++++++++++--------------------
 lib/bkctld-status | 27 +++++++++++++++------------
 3 files changed, 49 insertions(+), 40 deletions(-)

diff --git a/lib/bkctld-ip b/lib/bkctld-ip
index e102755..ba029f5 100755
--- a/lib/bkctld-ip
+++ b/lib/bkctld-ip
@@ -18,22 +18,23 @@ jail_path=$(jail_path "${jail_name}")
 test -d "${jail_path}" || error "${jail_name}: jail is missing."
 
 if [ -z "${ip}" ]; then
+    # parse IP addresses from AllowUsers directives in sshd config
     grep -E "^AllowUsers" "${jail_path}/${SSHD_CONFIG}" | grep -Eo "root@[^ ]+" | while read allow; do
         echo "${allow}" | cut -d'@' -f2
     done
 else
     if [ "${ip}" = "all" ] || [ "${ip}" = "0.0.0.0/0" ]; then
-        ips="0.0.0.0/0"
+        new_ips="0.0.0.0/0"
     else
-        ips=$("${LIBDIR}/bkctld-ip" "${jail_name}")
-        ips=$(echo "${ips}" "${ip}" | xargs -n1 | grep -v "0.0.0.0/0" | sort | uniq)
+        existing_ips=$("${LIBDIR}/bkctld-ip" "${jail_name}")
+        new_ips=$(echo "${existing_ips}" "${ip}" | xargs -n1 | grep -v "0.0.0.0/0" | sort | uniq)
     fi
-    allow="AllowUsers"
-    for ip in $ips; do
-        allow="${allow} root@${ip}"
+    allow_users="AllowUsers"
+    for ip in ${new_ips}; do
+        allow_users="${allow_users} root@${ip}"
     done
-    sed -i "s~^AllowUsers .*~${allow}~" "${jail_path}/${SSHD_CONFIG}"
-    notice "${jail_name}: update ip => ${ip}"
+    sed -i "s~^AllowUsers .*~${allow_users}~" "${jail_path}/${SSHD_CONFIG}"
+    notice "${jail_name}: IP whitelist updated to ${ip}"
     "${LIBDIR}/bkctld-reload" "${jail_name}"
     "${LIBDIR}/bkctld-firewall" "${jail_name}"
 fi
diff --git a/lib/bkctld-start b/lib/bkctld-start
index 03481f9..6ffcec5 100755
--- a/lib/bkctld-start
+++ b/lib/bkctld-start
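Review bot: The loop `for ip in ${new_ips}; do` still reuses the script's `ip` argument as its loop variable, so the renamed message `notice "${jail_name}: IP whitelist updated to ${ip}"` reports whichever address sorted last in `new_ips`, not the address the caller asked to add. Renaming the loop variable, `for allowed_ip in ${new_ips}; do allow_users="${allow_users} root@${allowed_ip}"; done`, keeps `${ip}` intact for the notice, or the notice can print `${new_ips}` to show the resulting whitelist. Separately, `${ip}` is written into `AllowUsers` through `sed -i "s~^AllowUsers .*~${allow_users}~"` without being checked as an address or CIDR, so a stray `~`, `&` or `\` in the argument corrupts the sed expression or the sshd config; a guard matching the formats the firewall script accepts, e.g. `echo "${ip}" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' || error "${jail_name}: invalid IP ${ip}"` for IPv4/CIDR, placed before the `else` branch, is cheap. The `ip` variable is assigned from `$2` above the hunk, and `error`/`notice` come from the sourced includes.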
@@ -17,31 +17,36 @@ test -d "${jail_path}" || error "${jail_name}: jail is missing."
 
 "${LIBDIR}/bkctld-is-on" "${jail_name}" && exit 0
 
-cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}."
+# Prepare the chroot
+(
+    cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}."
 
-grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc
-grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev
-[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
-[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
-[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
-[ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
-[ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
-[ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
-[ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
-chown root:tty dev/console dev/ptmx dev/tty
-ln -fs proc/self/fd dev/fd
-ln -fs proc/self/fd/0 dev/stdin
-ln -fs proc/self/fd/1 dev/stdout
-ln -fs proc/self/fd/2 dev/stderr
-ln -fs proc/kcore dev/core
-mkdir -p dev/pts
-mkdir -p dev/shm
-grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
-grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
+    grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc
+    grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev
+    [ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
+    [ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
+    [ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
+    [ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
+    [ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
+    [ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
+    [ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
+    chown root:tty dev/console dev/ptmx dev/tty
+    ln -fs proc/self/fd dev/fd
+    ln -fs proc/self/fd/0 dev/stdin
+    ln -fs proc/self/fd/1 dev/stdout
+    ln -fs proc/self/fd/2 dev/stderr
+    ln -fs proc/kcore dev/core
+    mkdir -p dev/pts
+    mkdir -p dev/shm
+    grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
+    grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
+)
 
+# Start SSH in the chroot
 chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start sshd"
 
 pidfile="${jail_path}/${SSHD_PID}"
+# Wait for SSH to be up
 for try in $(seq 1 10); do
     test -f "${pidfile}" || sleep 0.3
 done
diff --git a/lib/bkctld-status b/lib/bkctld-status
index 52d297a..c8777e1 100755
--- a/lib/bkctld-status
+++ b/lib/bkctld-status
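Review bot: Moving the preparation into `( … )` means the `cd "${jail_path}" || error …` on the subshell's first line no longer aborts the script: if `error` exits, as its use on the `test -d` and `chroot` lines suggests, only the subshell terminates, and the parent falls through to `chroot "${jail_path}" /usr/sbin/sshd` with a jail whose `proc`, `dev` and device nodes were never set up, because the subshell's exit status is never examined. The same is true of any `mount`, `mknod`, `chown` or `ln` line inside the group, whose failures were already unchecked before this change. Checking the group's status on its closing line, `) || error "${jail_name}: failed to prepare the chroot in ${jail_path}."`, restores the abort for the `cd` case and for the last `mount`; prefixing the group with `set -e` would make every step inside it fatal as well. `error` is defined in the sourced includes, outside this hunk.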
@@ -7,20 +7,23 @@
 # shellcheck source=./includes
 LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
 
-jail="${1:?}"
-if [ ! -n "${jail}" ]; then
+jail_name="${1:?}"
+if [ ! -n "${jail_name}" ]; then
     "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all"
+[ -d "${JAILDIR}/${jail_name}" ] || error "${jail_name} : jail is missing.\nUse '$0 status [all]' to get the status of all jails."
 
-inc="0"
-if [ -f "${CONFDIR}/${jail}" ]; then
-    day=$(grep -c "day" "${CONFDIR}/${jail}")
-    month=$(grep -c "month" "${CONFDIR}/${jail}")
-    inc="${day}/${month}"
+incs_policy="0"
+if [ -f "${CONFDIR}/${jail_name}" ]; then
+    days=$(grep -c "day" "${CONFDIR}/${jail_name}")
+    months=$(grep -c "month" "${CONFDIR}/${jail_name}")
+    incs_policy="${days}/${months}"
 fi
+
 status="OFF"
-"${LIBDIR}/bkctld-is-on" "${jail}" && status="ON "
-port=$("${LIBDIR}/bkctld-port" "${jail}")
-ip=$("${LIBDIR}/bkctld-ip" "${jail}"|xargs|tr -s ' ' ',')
-echo "${jail} ${status} ${port} ${inc} ${ip}" | awk '{ printf("%- 30s %- 10s %- 10s %- 10s %- 40s\n", $1, $2, $3, $4, $5); }'
+"${LIBDIR}/bkctld-is-on" "${jail_name}" && status="ON "
+
+port=$("${LIBDIR}/bkctld-port" "${jail_name}")
+ip=$("${LIBDIR}/bkctld-ip" "${jail_name}" | xargs | tr -s ' ' ',')
+
+echo "${jail_name} ${status} ${port} ${incs_policy} ${ip}" | awk '{ printf("%- 30s %- 10s %- 10s %- 10s %- 40s\n", $1, $2, $3, $4, $5); }'
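Review bot: The new message `error "${jail_name} : jail is missing.\nUse '$0 status [all]' to get the status of all jails."` relies on `error` turning the two characters `\n` into a line break, which only happens if it prints through `echo` under dash or `echo -e`/`printf '%b'`; with bash's plain `echo` or `printf '%s'` the `\n` is emitted verbatim. `error` is defined in the sourced includes, outside this hunk, so either confirm it interprets escapes or avoid the dependency, e.g. `error "${jail_name} : jail is missing. Use '$0 status [all]' to get the status of all jails."` on one line. The renamed `if [ ! -n "${jail_name}" ]` branch is still unreachable after `jail_name="${1:?}"`, since `:?` already aborts on an empty or missing argument; that predates the commit but could be dropped while the lines are being touched.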