code clarification
This commit is contained in:
parent
092b204be2
commit
b141daca29
|
@ -18,22 +18,23 @@ jail_path=$(jail_path "${jail_name}")
|
|||
test -d "${jail_path}" || error "${jail_name}: jail is missing."
|
||||
|
||||
if [ -z "${ip}" ]; then
|
||||
# parse IP addresses from AllowUsers directives in sshd config
|
||||
grep -E "^AllowUsers" "${jail_path}/${SSHD_CONFIG}" | grep -Eo "root@[^ ]+" | while read allow; do
|
||||
echo "${allow}" | cut -d'@' -f2
|
||||
done
|
||||
else
|
||||
if [ "${ip}" = "all" ] || [ "${ip}" = "0.0.0.0/0" ]; then
|
||||
ips="0.0.0.0/0"
|
||||
new_ips="0.0.0.0/0"
|
||||
else
|
||||
ips=$("${LIBDIR}/bkctld-ip" "${jail_name}")
|
||||
ips=$(echo "${ips}" "${ip}" | xargs -n1 | grep -v "0.0.0.0/0" | sort | uniq)
|
||||
existing_ips=$("${LIBDIR}/bkctld-ip" "${jail_name}")
|
||||
new_ips=$(echo "${existing_ips}" "${ip}" | xargs -n1 | grep -v "0.0.0.0/0" | sort | uniq)
|
||||
fi
|
||||
allow="AllowUsers"
|
||||
for ip in $ips; do
|
||||
allow="${allow} root@${ip}"
|
||||
allow_users="AllowUsers"
|
||||
for ip in ${new_ips}; do
|
||||
allow_users="${allow_users} root@${ip}"
|
||||
done
|
||||
sed -i "s~^AllowUsers .*~${allow}~" "${jail_path}/${SSHD_CONFIG}"
|
||||
notice "${jail_name}: update ip => ${ip}"
|
||||
sed -i "s~^AllowUsers .*~${allow_users}~" "${jail_path}/${SSHD_CONFIG}"
|
||||
notice "${jail_name}: IP whitelist updated to ${ip}"
|
||||
"${LIBDIR}/bkctld-reload" "${jail_name}"
|
||||
"${LIBDIR}/bkctld-firewall" "${jail_name}"
|
||||
fi
|
||||
|
|
|
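Review bot: The new `notice "${jail_name}: IP whitelist updated to ${ip}"` reports the wrong value, because by that point `ip` has been clobbered by the `for ip in ${new_ips}` loop and holds whichever address sorted last in `new_ips`, not the address the caller passed (the old code had the same clobbering; the rename kept it). Since this message is the only record of a change to the jail's root-login allow list, either use a distinct loop variable, `for allowed_ip in ${new_ips}; do allow_users="${allow_users} root@${allowed_ip}"; done`, or log the whole resulting list, `notice "${jail_name}: IP whitelist updated to ${new_ips}"`. Separately, `${allow_users}` is spliced unescaped into the `sed` replacement, so a `~`, `&` or `\` in the supplied `ip` would corrupt the AllowUsers line; I cannot see whether the argument is validated earlier in the script, so a format check before this block is worth confirming.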
@ -17,31 +17,36 @@ test -d "${jail_path}" || error "${jail_name}: jail is missing."
|
|||
|
||||
"${LIBDIR}/bkctld-is-on" "${jail_name}" && exit 0
|
||||
|
||||
cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}."
|
||||
# Prepare the chroot
|
||||
(
|
||||
cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}."
|
||||
|
||||
grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc
|
||||
grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev
|
||||
[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
|
||||
[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
|
||||
[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
|
||||
[ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
|
||||
[ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
|
||||
[ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
|
||||
[ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
|
||||
chown root:tty dev/console dev/ptmx dev/tty
|
||||
ln -fs proc/self/fd dev/fd
|
||||
ln -fs proc/self/fd/0 dev/stdin
|
||||
ln -fs proc/self/fd/1 dev/stdout
|
||||
ln -fs proc/self/fd/2 dev/stderr
|
||||
ln -fs proc/kcore dev/core
|
||||
mkdir -p dev/pts
|
||||
mkdir -p dev/shm
|
||||
grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
|
||||
grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
|
||||
grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc
|
||||
grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev
|
||||
[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
|
||||
[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
|
||||
[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
|
||||
[ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
|
||||
[ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
|
||||
[ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
|
||||
[ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
|
||||
chown root:tty dev/console dev/ptmx dev/tty
|
||||
ln -fs proc/self/fd dev/fd
|
||||
ln -fs proc/self/fd/0 dev/stdin
|
||||
ln -fs proc/self/fd/1 dev/stdout
|
||||
ln -fs proc/self/fd/2 dev/stderr
|
||||
ln -fs proc/kcore dev/core
|
||||
mkdir -p dev/pts
|
||||
mkdir -p dev/shm
|
||||
grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
|
||||
grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
|
||||
)
|
||||
|
||||
# Start SSH in the chroot
|
||||
chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start sshd"
|
||||
pidfile="${jail_path}/${SSHD_PID}"
|
||||
|
||||
# Wait for SSH to be up
|
||||
for try in $(seq 1 10); do
|
||||
test -f "${pidfile}" || sleep 0.3
|
||||
done
|
||||
|
|
|
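Review bot: Moving `cd "${jail_path}" || error …` into the `( … )` group changes what a failure does: if `error` exits (it is sourced from `includes`, not visible here), it now only terminates the subshell, and the script carries on to `chroot "${jail_path}" /usr/sbin/sshd` regardless; the same applies to every `mount` and `mknod` in the group, whose status is never checked. sshd could then be started in a jail with a missing or partial /dev and /proc, or, if the `cd` failed, the `mknod` calls would create device nodes in the caller's current directory. The group should stop at the first failure and propagate it, e.g. open it as `( set -e` with `cd "${jail_path}" || exit 1`, and close it as `) || error "${jail_name}: failed to prepare the chroot."`.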
@ -7,20 +7,23 @@
|
|||
# shellcheck source=./includes
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
|
||||
|
||||
jail="${1:?}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
jail_name="${1:?}"
|
||||
if [ ! -n "${jail_name}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all"
|
||||
[ -d "${JAILDIR}/${jail_name}" ] || error "${jail_name} : jail is missing.\nUse '$0 status [all]' to get the status of all jails."
|
||||
|
||||
inc="0"
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
day=$(grep -c "day" "${CONFDIR}/${jail}")
|
||||
month=$(grep -c "month" "${CONFDIR}/${jail}")
|
||||
inc="${day}/${month}"
|
||||
incs_policy="0"
|
||||
if [ -f "${CONFDIR}/${jail_name}" ]; then
|
||||
days=$(grep -c "day" "${CONFDIR}/${jail_name}")
|
||||
months=$(grep -c "month" "${CONFDIR}/${jail_name}")
|
||||
incs_policy="${days}/${months}"
|
||||
fi
|
||||
|
||||
status="OFF"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && status="ON "
|
||||
port=$("${LIBDIR}/bkctld-port" "${jail}")
|
||||
ip=$("${LIBDIR}/bkctld-ip" "${jail}"|xargs|tr -s ' ' ',')
|
||||
echo "${jail} ${status} ${port} ${inc} ${ip}" | awk '{ printf("%- 30s %- 10s %- 10s %- 10s %- 40s\n", $1, $2, $3, $4, $5); }'
|
||||
"${LIBDIR}/bkctld-is-on" "${jail_name}" && status="ON "
|
||||
|
||||
port=$("${LIBDIR}/bkctld-port" "${jail_name}")
|
||||
ip=$("${LIBDIR}/bkctld-ip" "${jail_name}" | xargs | tr -s ' ' ',')
|
||||
|
||||
echo "${jail_name} ${status} ${port} ${incs_policy} ${ip}" | awk '{ printf("%- 30s %- 10s %- 10s %- 10s %- 40s\n", $1, $2, $3, $4, $5); }'
|
||||
|
|
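Review bot: The new message `error "${jail_name} : jail is missing.\nUse '$0 status [all]' …"` embeds `\n` inside double quotes, which the shell leaves as a literal backslash-n; it only renders as a line break if `error` (defined in `includes`, not visible here) passes its argument through `printf` or `echo -e`, so that should be confirmed or the message kept on one line. The `[ ! -n "${jail_name}" ]` check right after `jail_name="${1:?}"` is unreachable, since `${1:?}` already aborts on an empty first argument. `days=$(grep -c "day" …)` and `months=$(grep -c "month" …)` count any line containing those substrings; if the config file may hold comments or other keys, anchoring the patterns would keep the policy column honest.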