#!/bin/bash
#
# Setup a jailed environment
#
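#######################################
# Print command-line help.
# Globals:   none ($0 is used as the program name)
# Arguments: none
# Outputs:   usage text on stdout
#######################################
usage() {
  # The synopsis now lists every option the getopts loop accepts; -n, -s
  # and -y were previously documented below but missing from the summary.
  cat <<EOF
$0 [-d jail-dir] [-n jail-name] [-h jail-hostname] [-i jail-ip] [-f jail-run-file] [-c jail-command] [-v] [-s] [-T] [-y]
  -d jail-dir is where to build the jail
  -n jail-name is to name a jail. default is '1'
  -h jail-hostname is the hostname to put into the jail /etc/hostname
  -i jail-ip is an ip address to ensure that is listened on
  -f jail-run-file is the initial file to execute when entering jail
  -c jail-command is the initial command to run when entering jail
  -v verbose mode
  -s show jail status and exit
  -T teardown the jail instead of creating/re-entering it.
  -y skip acknowledgement on actions

When leaving a jail you get the option to tear it down.
When not tearing it down you can re-enter it by using the
-d flag to specify the path of the jail.
EOF
}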
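# Script-wide settings, mostly filled in by the getopts loop below.
SCRIPTNAME=$0   # used in the re-enter/teardown hints printed on exit
JAILCMDFILE=    # -f: file sourced inside the jail on entry
JAILCMD=        # -c: command run inside the jail on entry
JAILNAME="1"    # -n: jail name, appended to the jail root directory
VERBOSE=        # -v: non-empty enables progress output
TEARDOWN=       # -T: non-empty tears the jail down instead of entering it
FORCE=          # -y: non-empty skips the interactive y/N prompts
# These two are only ever set from the command line (-h / -i); clear them so
# a stale value inherited from the environment cannot trigger the
# "Ignoring command line ..." notices in setup().
JAILHOSTNAME_CL=
JAILIP_CL=
# JAILHOME, JAILHOSTNAME and JAILIP are deliberately left alone: the jail's
# init file exports them and show_info tests JAILHOME, so an inherited value
# is meaningful — confirm before resetting them here.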
#######################################
# Report whether the current shell is inside a zjail and, if so, which one.
# Globals:   JAILHOME, JAILIP, JAILHOSTNAME (read; exported by the jail's
#            init file, so they are empty outside a jail)
# Outputs:   status lines on stdout
#######################################
show_info() {
  if [ -z "$JAILHOME" ]; then
    echo "Status : not in jail"
    return
  fi
  echo "Status : jailed"
  echo "Jail home : $JAILHOME"
  # An empty IP/hostname means the jail inherits the host's.
  echo "Jail IP : ${JAILIP:-using base systems}"
  echo "Jail Hostname : ${JAILHOSTNAME:-using base systems}"
}
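# ---- command line -----------------------------------------------------------
# Leading ':' puts getopts in silent mode so we can distinguish the documented
# "-?" help flag from an unknown option and from a missing argument (the old
# "? )" arm swallowed all three and the "* )" arm was unreachable).
while getopts ":d:h:i:c:f:n:vTsy" OPT; do
  case "$OPT" in
    d) JAILHOME=$OPTARG ;;
    h) JAILHOSTNAME=$OPTARG; JAILHOSTNAME_CL=$OPTARG ;;
    i) JAILIP=$OPTARG; JAILIP_CL=$OPTARG ;;
    f) JAILCMDFILE=$OPTARG ;;
    c) JAILCMD=$OPTARG ;;
    n) JAILNAME=$OPTARG ;;
    v) VERBOSE=1 ;;
    T) TEARDOWN=1 ;;
    s) show_info; exit 0 ;;
    y) FORCE=1 ;;
    :) echo "Option -$OPTARG requires an argument" >&2; usage; exit 1 ;;
    \?)
      if [ "$OPTARG" = "?" ]; then usage; exit 0; fi
      echo "Invalid option '-$OPTARG'" >&2; usage; exit 1 ;;
  esac
done
shift $((OPTIND - 1))

# /etc/zjail is created inside every jail by changesetup(); its presence
# here means we are already chrooted and must not nest.
if [ -e "/etc/zjail" ]; then
  echo "Cannot goto jail when already in a jail. Exit current jail first." >&2
  exit 1
fi
if [ -z "$USER" ]; then
  echo "Please set USER environment variable" >&2
  exit 1
fi

# JAILHOME_ROOT holds all of this user's jails; JAILHOME is one jail in it.
# The root must be derived BEFORE the jail name is appended — doing it the
# other way round made "list" show the contents of one jail instead of the
# jail names.
if [ -z "$JAILHOME" ]; then
  JAILHOME_ROOT=/zjail/${USER}
else
  JAILHOME_ROOT=$JAILHOME
fi
JAILHOME=${JAILHOME_ROOT}/${JAILNAME}

if [ "$1" = "list" ]; then
  # Glob instead of parsing ls; like "ls -1" this skips dot entries.
  found=
  for d in "$JAILHOME_ROOT"/*; do
    [ -e "$d" ] || continue
    if [ -z "$found" ]; then echo "Jail name:"; found=1; fi
    echo " ${d##*/}"
  done
  [ -n "$found" ] || echo "No active jail(s)"
  exit 0
fi

# Create the jail directory on first use (root-owned location).
if [ ! -e "$JAILHOME" ]; then
  sudo mkdir -p -- "$JAILHOME"
fi
JAILHOME=$(readlink -f -- "$JAILHOME")

# Non-empty when mounts already exist under the jail: it is live and we
# re-enter instead of rebuilding.  Match " on $JAILHOME/" rather than the
# bare path so jail "1" is not confused with "10" (or any path containing
# the string) — the same filter must be used wherever mounts are torn down.
REENTERING=$(mount | grep -F -- " on $JAILHOME/")
if [ -z "$REENTERING" ] && [ -z "$FORCE" ]; then
  echo "Using jail home as '$JAILHOME' ( ctrl-c and use -? for help )"
  echo "Do you want to create a new jail in '$JAILHOME' (y/N)?"
  read -r SEL
  case "$SEL" in
    y|Y) ;;
    *) echo "Aborting as requested."; exit 0 ;;
  esac
fi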
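#######################################
# Populate the jail root: bind mounts for shared system directories and aufs
# unions (per-jail rw branch over the host's directory) for writable ones.
# Globals:   JAILHOME, VERBOSE (read)
# Outputs:   progress on stdout when VERBOSE is set
# Returns:   0; exits the script with status 1 on a failed mount
#######################################
linkfiles() {
  local d rw ro
  # Shared directories that the jail does not write to.
  # NOTE(review): these binds are not remounted read-only, so root inside the
  # chroot can still modify the host's /bin, /lib, ... through them — confirm
  # that is acceptable for whoever gets root in the jail.
  for d in bin emul lib lib32 lib64 opt proc sbin sys; do
    # Not every host has /emul or /lib32; skip what is absent instead of
    # letting a failed mount go unnoticed.
    if [ ! -d "/$d" ]; then
      [ -n "$VERBOSE" ] && echo "Skipping /$d (not present on host)"
      continue
    fi
    [ -n "$VERBOSE" ] && echo "Binding /$d $JAILHOME/$d"
    sudo mkdir -p -- "$JAILHOME/$d"
    if ! sudo mount --bind "/$d" "$JAILHOME/$d"; then
      echo "Error binding /$d to $JAILHOME/$d -> aborting" >&2
      exit 1
    fi
  done
  # /dev carries submounts (pts, shm, ...), hence --rbind.
  [ -n "$VERBOSE" ] && echo "Binding /dev $JAILHOME/dev recursively"
  sudo mkdir -p -- "$JAILHOME/dev"
  if ! sudo mount --rbind /dev "$JAILHOME/dev"; then
    echo "Error binding /dev to $JAILHOME/dev -> aborting" >&2
    exit 1
  fi
  # Writable directories: aufs union with a per-jail rw branch on top of the
  # host's directory, so packages can be "overridden" in the jail without
  # deleting them from the base system.
  for d in etc usr var tmp root home; do
    rw=${JAILHOME}/unionfs/$d
    ro=/$d
    sudo mkdir -p -- "$rw" "${JAILHOME}/$d"
    [ -n "$VERBOSE" ] && echo "Unionfs rw=$rw ro=$ro to $JAILHOME/$d"
    # The tmp and var rw branches are made world-writable (presumably so
    # unprivileged jail users can write there — unchanged behaviour).
    case "$d" in
      tmp|var) sudo chmod a+rwx -- "$rw" ;;
    esac
    if ! sudo mount -t aufs -o "br=${rw}=rw:${ro}=ro" none "${JAILHOME}/$d"; then
      echo "Error mounting aufs on ${JAILHOME}/$d -> aborting" >&2
      exit 1
    fi
  done
}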
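#######################################
# Unmount every mount point under the jail root, deepest first.
# Globals:   JAILHOME, VERBOSE (read)
# Outputs:   mount points on stdout when VERBOSE is set
# Returns:   0; exits the script with status 1 on the first failed umount
#######################################
unlinkfiles() {
  local mp
  [ -n "$VERBOSE" ] && echo "Unmounting:"
  # Select only mount points below the jail (" on $JAILHOME/"): a bare
  # substring match on the path would also unmount sibling jails such as
  # ".../10" when tearing down ".../1".  Reverse-sorted so children
  # (dev/pts, dev/shm and any other /dev submount) are unmounted before
  # their parent, which replaces the hard-coded pts/shm handling.  The
  # loop runs in this shell rather than a pipeline subshell, so "exit"
  # really aborts the teardown instead of being swallowed.
  while IFS= read -r mp; do
    [ -n "$VERBOSE" ] && echo "$mp"
    if ! sudo umount "$mp"; then
      echo "Error umounting $mp -> aborting" >&2
      exit 1
    fi
  done < <(mount | grep -F -- " on $JAILHOME/" | cut -d' ' -f3 | LC_ALL=C sort -r)
  return 0
}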
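#######################################
# Record the jail's hostname/IP inside the jail and make sure the host
# interface actually carries the IP.
# Globals:   JAILHOME, JAILHOSTNAME, JAILIP, VERBOSE (read)
#            JAILIFACE (read, optional): interface to add the IP to; eth0
#            when unset, as before
# Outputs:   progress on stdout when VERBOSE is set
#######################################
changesetup() {
  local iface=${JAILIFACE:-eth0}
  # /etc/zjail inside the jail doubles as the "we are in a jail" marker.
  sudo mkdir -p -- "$JAILHOME/etc/zjail"
  if [ -n "$JAILHOSTNAME" ]; then
    # Write through tee instead of  bash -c "echo '$JAILHOSTNAME' > ..." :
    # the -h value is passed as data, never parsed by a root shell, so a
    # quote or ';' in it cannot turn into a command.
    printf '%s\n' "$JAILHOSTNAME" | sudo tee "$JAILHOME/etc/hostname" >/dev/null
    [ -n "$VERBOSE" ] && echo "Changed jail hostname to $JAILHOSTNAME"
    printf '%s\n' "$JAILHOSTNAME" | sudo tee "$JAILHOME/etc/zjail/hostname" >/dev/null
  fi
  if [ -n "$JAILIP" ]; then
    # Ask for the interface directly instead of carving it out of the full
    # "ip addr" listing with sed (that pattern only matched single-digit
    # ifindexes).  Matching "inet <ip>/" keeps 10.0.0.1 from counting as
    # 10.0.0.10.
    if ip addr show dev "$iface" | grep -F -q -- "inet $JAILIP/"; then
      [ -n "$VERBOSE" ] && echo "Already listening on $JAILIP"
    else
      # /24 is assumed, as before — TODO confirm against the network layout.
      sudo ip addr add "$JAILIP/24" dev "$iface"
      [ -n "$VERBOSE" ] && echo "Started listening on $JAILIP"
    fi
    printf '%s\n' "$JAILIP" | sudo tee "$JAILHOME/etc/zjail/ip" >/dev/null
  fi
}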
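#######################################
# Write a one-shot bash init file into the jail's /tmp and chroot into the
# jail as $USER, running JAILCMD / JAILCMDFILE from that init file.
# Globals:   JAILHOME, JAILCMD, JAILCMDFILE, REENTERING, VERBOSE, USER, PWD (read)
#            JAILIP, JAILHOSTNAME (overwritten from the jail's own records
#            when re-entering)
# Returns:   the chroot's exit status; 1 if the init file cannot be created
#######################################
go_to_jail() {
  local tmpabs tmprel rv
  [ -n "$VERBOSE" ] && echo "chroot to $JAILHOME and running $JAILCMD"
  if [ -n "$REENTERING" ]; then
    # Values recorded by changesetup() at creation time win on re-entry.
    JAILIP=
    [ -e "$JAILHOME/etc/zjail/ip" ] && JAILIP=$(cat "$JAILHOME/etc/zjail/ip")
    JAILHOSTNAME=
    [ -e "$JAILHOME/etc/zjail/hostname" ] && JAILHOSTNAME=$(cat "$JAILHOME/etc/zjail/hostname")
  fi
  # Create the init file atomically inside the jail's tmp.  The previous
  # "tempfile" call is Debian-specific and also left a stray empty file in
  # the host's /tmp that nothing removed.
  tmpabs=$(mktemp "$JAILHOME/tmp/zjail.XXXXXX") || {
    echo "Cannot create init file in $JAILHOME/tmp" >&2
    return 1
  }
  tmprel=${tmpabs#"$JAILHOME"}   # the same file as seen from inside the chroot
  {
    # Fix: the old file tested for ".bashrh" (typo), so the rc files were
    # never sourced.
    echo 'if [ -f /etc/bash.bashrc ]; then . /etc/bash.bashrc; fi'
    echo 'if [ -f ~/.bashrc ]; then . ~/.bashrc; fi'
    # %q keeps values containing spaces or shell metacharacters intact.
    printf 'export JAILIP=%q\n' "$JAILIP"
    printf 'export JAILHOME=%q\n' "$JAILHOME"
    printf 'export JAILHOSTNAME=%q\n' "$JAILHOSTNAME"
    printf '%s\n' "$JAILCMD"
    [ -n "$JAILCMDFILE" ] && printf '. %s\n' "$JAILCMDFILE"
  } > "$tmpabs"
  # NOTE(review): $PWD is interpolated into the su command line; a cwd
  # containing a single quote would break the cd (unchanged from before).
  sudo chroot "$JAILHOME" /bin/su -c "cd '$PWD'; /bin/bash --init-file '$tmprel' -i;" "$USER"
  rv=$?
  rm -f -- "$tmpabs"
  return "$rv"
}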
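#######################################
# Create the jail root directory (as root; the jail root lives in a
# system-owned location).
# Globals:   JAILHOME (read; must be non-empty, otherwise the script aborts)
#######################################
setup_home() {
  sudo mkdir -p -- "${JAILHOME:?jail home must be set}"
}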
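#######################################
# Delete the jail directory tree once everything under it is unmounted.
# Globals:   JAILHOME (read)
# Returns:   exits the script with status 1 on any failure
#######################################
teardown_home() {
  local entry
  if [ -z "$JAILHOME" ]; then
    echo "No tearing down because jail home is '' (empty)" >&2
    exit 1
  fi
  # Do not delete anything while the jail still has live mounts: the steps
  # below only make sense once the unions and binds are gone, and a failed
  # unmount must not be followed by deletions.
  if mount | grep -F -q -- " on $JAILHOME/"; then
    echo "Mounts still active under $JAILHOME -> aborting" >&2
    exit 1
  fi
  # ${JAILHOME:?} guards the rm -rf against an empty prefix even if the
  # check above is ever removed.
  sudo rm -rf -- "${JAILHOME:?}/unionfs"
  sudo rm -rf -- "${JAILHOME:?}/etc/zjail"
  # What remains are the (now empty) mount-point directories.  A plain loop
  # instead of "ls | while" so that "exit" really leaves the script; anything
  # not empty stops the teardown rather than being force-deleted.
  for entry in "$JAILHOME"/*; do
    [ -e "$entry" ] || continue
    if ! sudo rmdir -- "$entry"; then
      echo "Error removing dir $entry -> aborting" >&2
      exit 1
    fi
  done
  if ! sudo rmdir -- "$JAILHOME"; then
    echo "Error removing dir $JAILHOME -> aborting" >&2
    exit 1
  fi
}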
#######################################
# Build the jail, or just report when it is already mounted (re-entry).
# Globals:   REENTERING, JAILHOSTNAME_CL, JAILIP_CL (read)
# Outputs:   notices on stdout when re-entering
# Returns:   0 on re-entry, otherwise the status of changesetup
#######################################
setup() {
  if [ -z "$REENTERING" ]; then
    setup_home
    linkfiles
    changesetup
    return
  fi
  echo "Jail already exist -> re-entering"
  # Hostname/IP are recorded at creation and re-read from the jail when
  # entering it again, so values passed now are reported and dropped.
  [ -n "$JAILHOSTNAME_CL" ] && echo "Ignoring command line jail hostname (only allowed on jail creation)"
  [ -n "$JAILIP_CL" ] && echo "Ignoring command line jail IP (only allowed on jail creation)"
  return 0
}
#######################################
# Unmount everything under the jail, then remove its directory tree.
# Globals:   JAILHOME (read by both helpers)
# Returns:   the status of teardown_home
#######################################
teardown() {
  unlinkfiles
  teardown_home
}
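# ---- main ----------------------------------------------------------------
if [ -n "$TEARDOWN" ]; then
  if [ -z "$FORCE" ]; then
    echo "Really teardown jail $JAILHOME (y/N)?"
    read -r SEL
    case "$SEL" in
      y|Y) ;;
      *) exit 0 ;;
    esac
  fi
  echo "Tearing down jail $JAILHOME"
  teardown
  exit 0
fi

setup
go_to_jail
exit $?

# NOTE(review): everything below is unreachable because of the "exit $?"
# above, although usage() promises a teardown offer when leaving the jail.
# Kept (with quoting fixed) until it is confirmed whether the early exit was
# meant to disable it; to re-enable, capture go_to_jail's status instead of
# exiting and return it after the prompt.
if [ -z "$FORCE" ]; then
  echo "Should I teardown jail in $JAILHOME (y/N)?"
  if [ -n "$VERBOSE" ]; then
    mount | grep -F -- " on $JAILHOME/" | cut -d' ' -f3
    echo "Really (y/N)?"
  fi
  read -r SEL
  case "$SEL" in
    y|Y) ;;
    *)
      echo "Not tearing down jail."
      # -d takes the jail root and appends the jail name, so the hint must
      # name the root and the name separately.
      echo "Run '$SCRIPTNAME -d $JAILHOME_ROOT -n $JAILNAME' to re-enter jail."
      echo "Run '$SCRIPTNAME -T -d $JAILHOME_ROOT -n $JAILNAME' to tear down jail."
      exit 0 ;;
  esac
fi
teardown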