From 3bd4294cfb322b962d7d6775bab99489c389ec85 Mon Sep 17 00:00:00 2001 From: Victor Laborie Date: Thu, 17 Aug 2017 14:53:40 -0400 Subject: [PATCH 1/7] Fix jail cleaning when not running --- bkctld | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/bkctld b/bkctld index aed29ad..f9cadd5 100755 --- a/bkctld +++ b/bkctld @@ -41,21 +41,17 @@ check_jail() { check_jail_on() { jail=$1 - if [ -f ${JAILDIR}/${jail}/${SSHD_PID} ]; then - pid=$(cat ${JAILDIR}/${jail}/${SSHD_PID}) - ps -p $pid > /dev/null - if [ $? -eq 0 ]; then - exit 0 - else - rm ${JAILDIR}/${jail}/${SSHD_PID} - umount --lazy --recursive ${JAILDIR}/${jail}/dev - umount --lazy ${JAILDIR}/${jail}/proc/ - exit 1 - fi - else - exit 1 + return=1 + if [ -f ${JAILDIR}/${jail}/${SSHD_PID} ]; then + pid=$(cat ${JAILDIR}/${jail}/${SSHD_PID}) + ps -p $pid > /dev/null && return=0 fi - echo $status + if [ "$return" -eq 1 ]; then + rm -f ${JAILDIR}/${jail}/${SSHD_PID} + grep -q "${JAILDIR}/${jail}/proc" /proc/mounts && umount --lazy ${JAILDIR}/${jail}/proc/ + grep -q "${JAILDIR}/${jail}/dev" /proc/mounts && umount --lazy --recursive ${JAILDIR}/${jail}/dev + fi + exit "$return" } ## get functions : get info on jail From ea5362ca2a20816e0591ee66ea33d3bdb9cd2434 Mon Sep 17 00:00:00 2001 From: Victor Laborie Date: Thu, 17 Aug 2017 14:55:09 -0400 Subject: [PATCH 2/7] Add mount check when starting jail --- bkctld | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/bkctld b/bkctld index f9cadd5..65d8f6a 100755 --- a/bkctld +++ b/bkctld 
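Review bot: The liveness test `ps -p $pid > /dev/null && return=0` only proves that some process with that PID exists, so a stale pidfile whose number has since been reused by an unrelated process reports the jail as running and skips the cleanup this commit is meant to perform; the pidfile also lives inside the chroot, so its content is written by the jailed sshd and should not be assumed to be a number. Tying the PID to this jail's root directory closes both gaps: `case "$pid" in ''|*[!0-9]*) ;; *) [ "$(readlink "/proc/$pid/root" 2>/dev/null)" = "${JAILDIR}/${jail}" ] && return=0 ;; esac` (assuming JAILDIR is absolute with no trailing slash). The `grep -q "${JAILDIR}/${jail}/proc" /proc/mounts` guards treat the path as an unanchored regex rather than an exact mount point; `mountpoint -q "${JAILDIR}/${jail}/proc"` is the precise test. Every `${JAILDIR}/${jail}/…` expansion here is unquoted, so a JAILDIR containing whitespace breaks the `[ -f … ]` test and the `rm -f`.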
@@ -289,25 +289,25 @@ sub_start() { echo "Start jail $jail" cd "${JAILDIR}/${jail}" - mount -t proc "proc-${jail}" proc - mount -nt tmpfs "dev-${jail}" dev - mknod -m 622 dev/console c 5 1 - mknod -m 666 dev/null c 1 3 - mknod -m 666 dev/zero c 1 5 - mknod -m 666 dev/ptmx c 5 2 - mknod -m 666 dev/tty c 5 0 - mknod -m 444 dev/random c 1 8 - mknod -m 444 dev/urandom c 1 9 + grep -q "${JAILDIR}/${jail}/proc" /proc/mounts || mount -t proc "proc-${jail}" proc + grep -q "${JAILDIR}/${jail}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail}" dev + [ -e "dev/console" ] || mknod -m 622 dev/console c 5 1 + [ -e "dev/null" ] || mknod -m 666 dev/null c 1 3 + [ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5 + [ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2 + [ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0 + [ -e "dev/random" ] || mknod -m 444 dev/random c 1 8 + [ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9 chown root:tty dev/console dev/ptmx dev/tty - ln -s proc/self/fd dev/fd - ln -s proc/self/fd/0 dev/stdin - ln -s proc/self/fd/1 dev/stdout - ln -s proc/self/fd/2 dev/stderr - ln -s proc/kcore dev/core - mkdir dev/pts - mkdir dev/shm - mount -t devpts -o gid=4,mode=620 none dev/pts - mount -t tmpfs none dev/shm + ln -fs proc/self/fd dev/fd + ln -fs proc/self/fd/0 dev/stdin + ln -fs proc/self/fd/1 dev/stdout + ln -fs proc/self/fd/2 dev/stderr + ln -fs proc/kcore dev/core + mkdir -p dev/pts + mkdir -p dev/shm + grep -q "${JAILDIR}/${jail}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts + grep -q "${JAILDIR}/${jail}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm chroot "${JAILDIR}/${jail}" /usr/sbin/sshd -E /var/log/authlog } From 2f8b655fa6ec35a05da522ac35650186b89fad16 Mon Sep 17 00:00:00 2001 
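Review bot: The `grep -q "${JAILDIR}/${jail}/dev" /proc/mounts || mount -nt tmpfs …` guard matches any /proc/mounts line containing that string as an unanchored regex (e.g. a `…/dev/pts` entry, or a different entry when the jail name contains regex characters), not the mount point itself, so it can skip the tmpfs mount and the following `mknod` calls then create real device nodes on the jail's backing filesystem. `mountpoint -q dev || mount -nt tmpfs "dev-${jail}" dev` (and the same for `proc`, `dev/pts` and `dev/shm`, relative to the `cd` above) is the exact check. None of the four mounts is checked, so a failed `mount -t proc` still falls through to `chroot "${JAILDIR}/${jail}" /usr/sbin/sshd` at the end of the hunk; a `|| return 1` on each would stop the start instead. The devpts mount still carries no `newinstance` option; whether the jail then shares the host's pty instance depends on the kernel version, worth confirming on the target Debian release.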
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Fri, 18 Aug 2017 14:41:15 +0200 Subject: [PATCH 3/7] Use -e instead of -f when checking for Keyfile Why? Because we can use FD in place of regular files. Like this: root@backup:~# bkctld key test <(echo "ssh-rsa AA...") Update test : key = /dev/fd/63 --- bkctld | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bkctld b/bkctld index 65d8f6a..c05f310 100755 --- a/bkctld +++ b/bkctld @@ -106,7 +106,7 @@ set_port() { set_key() { jail=$1 keyfile=$2 - if [ -f $keyfile ]; then + if [ -e $keyfile ]; then cat $keyfile > ${JAILDIR}/${jail}/${AUTHORIZED_KEYS} chmod 600 ${JAILDIR}/${jail}/${AUTHORIZED_KEYS} else From 985c72194a48568d376a4cff2cecf865262873c5 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 22 Aug 2017 17:03:21 +0200 Subject: [PATCH 4/7] Fix /var/run to /run symlink --- bkctld | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bkctld b/bkctld index c05f310..ed486d0 100755 --- a/bkctld +++ b/bkctld @@ -171,7 +171,7 @@ mk_jail() { ln -s usr/bin bin ln -s usr/lib lib ln -s usr/lib64 lib64 - ln -s run var/run + ln -st var ../run touch var/log/lastlog var/log/wtmp run/utmp echo "2 - Copying essential files" From 9606b23d97ccf600e8b22fc5f77ef7eaed8e83f1 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 22 Aug 2017 18:15:14 +0200 Subject: [PATCH 5/7] Update lastlog even on non interactive ssh (eg. with rsync) --- bkctld | 5 ++++- tpl/sshrc | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 tpl/sshrc diff --git a/bkctld b/bkctld index ed486d0..362315e 100755 --- a/bkctld +++ b/bkctld 
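Review bot: Relaxing the test to `[ -e $keyfile ]` now lets a directory pass, and because the redirection in `cat $keyfile > ${JAILDIR}/${jail}/${AUTHORIZED_KEYS}` truncates the target before `cat` fails, a mistyped path now empties the jail's authorized_keys while the function carries on to `chmod` as if a key had been installed; the old `-f` rejected that case. Reject directories and check the copy: `if [ -e "$keyfile" ] && [ ! -d "$keyfile" ]; then` followed by `cat -- "$keyfile" > "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" || return 1`, or write to a temporary file and move it into place so a failed read never leaves an empty file. The content is not validated either; `ssh-keygen -l -f` on the input would reject data that is not a public key (it presumably needs a regular file, so read the pipe into a temp file first). `$keyfile` is unquoted in both lines, so a path with whitespace or glob characters breaks the test. The `else` branch of set_key is outside the hunk.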
@@ -157,9 +157,11 @@ mk_jail() { passwd="${TPLDIR}/passwd" shadow="${TPLDIR}/shadow" group="${TPLDIR}/group" + sshrc="${TPLDIR}/sshrc" [ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd" [ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow" [ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group" + [ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc" umask 077 echo "1 - Creating the chroot" @@ -181,12 +183,13 @@ mk_jail() { cp "$passwd" etc cp "$shadow" etc cp "$group" etc + cp "$sshrc" etc/ssh echo "3 - Copying binaries" cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64 cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu - for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/sbin/sshd /usr/lib/openssh/sftp-server; do + for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/sbin/sshd /usr/lib/openssh/sftp-server; do cp -f $dbin ${JAILDIR}/${jail}/$dbin; for lib in $(ldd $dbin | grep -Eo "/.*so.[0-9\.]+"); do cp -p $lib ${JAILDIR}/${jail}/$lib diff --git a/tpl/sshrc b/tpl/sshrc new file mode 100644 index 0000000..1fea72d --- /dev/null +++ b/tpl/sshrc @@ -0,0 +1,2 @@ +#!/bin/sh +/usr/bin/lastlog -Su root From fc7229fe9fbc99db5a96b2143b248d93043b3667 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 29 Aug 2017 17:31:40 +0200 Subject: [PATCH 6/7] Clean jail before creating it --- bkctld | 1 + 1 file changed, 1 insertion(+) diff --git a/bkctld b/bkctld index 362315e..5c99fed 100755 --- a/bkctld +++ b/bkctld @@ -166,6 +166,7 @@ mk_jail() { echo "1 - Creating the chroot" cd "${JAILDIR}/${jail}" + rm -rf bin lib lib64 run usr var/run etc/ssh/*key mkdir -p dev proc mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64 mkdir -p etc/ssh var/log run/sshd From dbea4d46b1bbf173572c0b99a02a6717d57acaee Mon Sep 17 00:00:00 2001 
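Review bot: The new override line `[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"` assigns the local sshrc path to `group` instead of `sshrc`, so a site-local sshrc is never used and, whenever one exists, the later `cp "$group" etc` installs the sshrc script as the jail's /etc/group, which will presumably break group lookups for the jailed sshd. It should read `[ -f "${LOCALTPLDIR}/sshrc" ] && sshrc="${LOCALTPLDIR}/sshrc"`. mk_jail starts before and continues after this hunk.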
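Review bot: The added `rm -rf bin lib lib64 run usr var/run etc/ssh/*key` runs unconditionally after `cd "${JAILDIR}/${jail}"`, and that `cd` is not checked; if the jail directory is missing or inaccessible the shell stays in the caller's working directory and the relative `rm -rf` deletes `bin`, `lib`, `lib64`, `usr`, `run` from there — run from `/` that is the host system. Guard the directory change with `cd "${JAILDIR}/${jail}" || exit 1` and reject an empty name first, `[ -n "$jail" ] || exit 1`, since an empty `$jail` resolves to `${JAILDIR}` itself. Whether mk_jail creates the directory before this point is outside the hunk, so the guard is cheap insurance either way. Removing `etc/ssh/*key` also discards the jail's host keys on every re-creation, so clients that recorded the old key will see a changed-host-key warning; worth a comment on the line, `# host keys are removed so they are regenerated below — clients must accept the new key`, if that is indeed what happens later in mk_jail.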
From: Victor LABORIE Date: Wed, 30 Aug 2017 17:19:35 +0200 Subject: [PATCH 7/7] Use touch instead of lastlog in sshrc Because lastlog -S doesn't work on Debian Jessie lastlog: invalid option -- 'S' --- bkctld | 2 +- tpl/sshrc | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/bkctld b/bkctld index 5c99fed..13b3e75 100755 --- a/bkctld +++ b/bkctld @@ -190,7 +190,7 @@ mk_jail() { cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64 cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu - for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/sbin/sshd /usr/lib/openssh/sftp-server; do + for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do cp -f $dbin ${JAILDIR}/${jail}/$dbin; for lib in $(ldd $dbin | grep -Eo "/.*so.[0-9\.]+"); do cp -p $lib ${JAILDIR}/${jail}/$lib diff --git a/tpl/sshrc b/tpl/sshrc index 1fea72d..78266bb 100644 --- a/tpl/sshrc +++ b/tpl/sshrc @@ -1,2 +1,5 @@ #!/bin/sh -/usr/bin/lastlog -Su root + +# lastlog -S isn't available in login package on Debian Jessie (need Debian Stretch or superior) +#/usr/bin/lastlog -Su root +/usr/bin/touch /var/log/lastlog
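Review bot: The `/usr/bin/touch /var/log/lastlog` fallback only bumps the file's mtime and writes no per-user record, so `lastlog` queried inside the jail will presumably still report no login for root, and it gives up the real update even on releases where `-S` works although lastlog is still copied into the jail by the loop in the previous hunk. Keeping the proper path with the fallback costs one line: `/usr/bin/lastlog -Su root 2>/dev/null || /usr/bin/touch /var/log/lastlog`, after which the commented-out line can go. Since sshd runs this file for every session, including the non-interactive rsync/sftp ones it targets, and sshd(8) requires that it write nothing to stdout because that stream is the session channel, add a comment stating the contract at the top: `# Executed by sshd for every session: must not write to stdout (use stderr), see sshd(8)`.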