/Jc@sddkZddkZddkZddkZddkZddkZddkZdZddZddZ dZ dZ dZ d Z d Zd Zdddd Zd ZdddddZddZddZddddZdddZdddddgdZddddddgdZdZddZdZdZdZddZdS(iNcCsIy/ti|d}|djo || SnWntj onXdS(Nt/i(tstringtrindext ValueErrortNone(tpathtindx((s/usr/share/jailkit/jk_lib.pyt nextpathup(s icCsyti|}Wn@tj o4|djotiid|dndSnXti|tipSti |tiotiid|dntiid|ddSnti d d joX|ti djp |ti t id ijo tiid|d d SqtnI|ti djp|ti djo tiid|d d Sn|titi@p|titi@o tiid|ddSndS(NisERROR: cannot lstat() s isERROR: s2 is a symlink, please point to the real directory s is not a directory! iitbsdtwheels is not owned by root:wheel! s is not owned by root:root! s is writable by group or others!ii(tostlstattOSErrortsyststderrtwritetstattS_ISDIRtST_MODEtS_ISLNKtplatformtST_UIDtST_GIDtgrptgetgrnamtgr_gidtS_IWOTHtS_IWGRP(Rt failquiettstatbuf((s/usr/share/jailkit/jk_lib.pyt path_is_safe4s,  4 (*c Cstii|}t||}|djo|Snx:dD]2}t|d |d }|djo|Sq=q=Wt|}xB|djo4t|d }|d jo|Snt|}qWd S(s]tests if path is a safe jail, not writable, no writable /etc/ and /lib, return 1 if all is OKitlibtetctusrtvartbintdevtproctsbinR Rii( slibR R!svarR#R$sprocR&ssysN(R RtabspathRRR(RRtretvaltsubdtnpath((s/usr/share/jailkit/jk_lib.pytchroot_is_safeOs"      cCs7ti|}|tititiB@odSndS(sAreturns 1 if the file is setuid or setgid, returns 0 if it is notii(R R RRtS_ISUIDtS_ISGID(RR((s/usr/share/jailkit/jk_lib.pyttest_suid_sgidbsc CsOtid djo7t|ddddddddtid|ndS( Nitlinuxs/etc/itcopy_permissionst allow_suidtcopy_ownerships ldconfig -r (R Rtcreate_parent_pathR tsystem(tjail((s/usr/share/jailkit/jk_lib.pytgen_library_cacheis"cCsg}tid|}|di}xt|djoti|}t|djo|ddjo|ddjo|Sq|ddjo*|ddjo|d d jo|Sq|dd joqt|d jo&|ddjo|d d joqt|d joEtii|do||dg7}qd|dd|GHqt|djoR|dddjo=tii|do||dg7}qd|dGHqd|d GHnd|d GH|di}q,W|S(s;returns a list of libraries that the executable depends on sldd iit staticallytlinkedtnotitdynamicit executableslinux-gate.so.1itfounds!ldd returns non existing library s for Rs$WARNING: failed to parse ldd output i(R tpopen3treadlinetlenRtsplitRtexists(R;R(tpdtlinetsubl((s/usr/share/jailkit/jk_lib.pytlddlist_libraries_linuxos6"35( cCsg}d}tid|}|di}xtt|djo`ti|}t|djo|d|djoq|ddjo2t|djo|dd jo d }qqt|d jo|djo=tii|d o||d g7}qod |d GHq|d jo=tii|do||dg7}qod |dGHqd GHqd|d GHnd|d GH|di}q2W|S(s;returns a list of libraries that the executable depends on isldd iit:tStartiitNameiis!ldd returns non existing library s1unknown mode, please report this bug in jk_lib.pys$WARNING: failed to parse ldd output i(R R=R>R?RR@RRA(R;R(tmodeRBRCRD((s/usr/share/jailkit/jk_lib.pytlddlist_libraries_openbsds8$     cCsg}tid|}|di}xZt|djoFti|}t|djot|djo'|dt|d |djoqqt|djo*|ddjo|dd jo|Sqqt|djo=tii|do||dg7}q9d |dGHqqd |d d GHn5|t|d |djond |d d GH|di}q,W|S(s;returns a list of libraries that the executable depends on sldd iiRFiiR9iR:s!ldd returns non existing library s%WARNING: failed to parse ldd output "it"(R R=R>R?RR@RRA(R;R(RBRCRD((s/usr/share/jailkit/jk_lib.pytlddlist_libraries_freebsds*65cCstid djot|Snhtid djot|SnFtid djot|Sn$t|}|dddg7}|SdS( NiR/itopenbsdtfreebsds/usr/libexec/ld.sos/usr/libexec/ld-elf.so.1s/libexec/ld-elf.so.1(R RRERJRL(R;R(((s/usr/share/jailkit/jk_lib.pytlddlist_librariess cCsti|}ti|ti}|p<|titiB@o#d|GH|ti@ti@}qhnti||ti||ti|ti f|o%ti ||ti |ti ndS(Ns,removing setuid and setgid permissions from ( R RtS_IMODERR,R-tchmodtutimetST_ATIMEtST_MTIMEtchownRR(tsrctdstt be_verboseR1R2tsbufRI((s/usr/share/jailkit/jk_lib.pytcopy_time_and_permissionss $cCsS|}xFtii| o1|djp |dj otii|}q W|S(ssThis function tests if a directory exists, if not tries the parent etc. etc. until it finds a directory that existsRt(R RRAtdirname(Rttmp((s/usr/share/jailkit/jk_lib.pytreturn_existing_base_directorys /ic Cs4|}|ddjo|d }ntii||odSnt||}t|t|}ti|d|d} x| djo|d| jo | }n|od||| GHnti||| d|o|y&t|| ||| |||Wqet j oC\} } t i i d|| d||| d | d qeXn| }ti|d|d} qW|od||GHnti||d|otyt||||||Wq0t j oC\} } t i i d|| d||| d | d q0XndS( sucreates the directory and all its parents id needed. copy_ownership can only be used if copy permissions is also usediRNisCreating directory is2ERROR: failed to copy time/permissions/owner from s to s: s ( R RRAR^R?RtfindtmkdirRZR R RR( tchrootRRXR0R1R2t directoryR]toldindxRterrnotstrerror((s/usr/share/jailkit/jk_lib.pyR3s<  &=c CsyA|o d|GHnti|t|||ddddWnMttfj o;\}}tiid|d|d|d dSnXx>ti|D]-\}}}x|D]}|o%d |d |d|d |GHnyPt i |d ||d |t|d ||d ||ddddWqttfj oK\}}tiid |d |d|d |d|d dSqXqWx.|D]&}t |d ||d ||qWqWdS( NsCreating directoryR1iR2is)ERROR: copying directory and permissions s to s: s sCopying Rs$ERROR: copying file and permissions ( R R`RZtIOErrorR R RRtwalktshutiltcopyfilet#move_dir_with_permissions_and_owner( tsrcdirtdstdirRXRdRetroottdirstfilestname((s/usr/share/jailkit/jk_lib.pyt#copy_dir_with_permissions_and_owners0   ( % 08 (cCst|||}|djos|djo d|GHnyti|Wqttfj o/\}}tiid|d|dqXnd|d|GHdS(Nis!Removing original home directory sERROR: failed to remove s: s sNot everything was copied to s, keeping the old directory (RqRhtrmtreeR RfR RR(RkRlRXR(RdRe((s/usr/share/jailkit/jk_lib.pyRj1s   )cCsd}|djo=yti||d}WqPd|d|dGHqPXn|djoy0ti||t|||ddd|Wqttfj o7\}}tii d|d|d |d qXnd S( sKcopies/links the file and the permissions, except any setuid or setgid bitsiisLinking s to s failed, will revert to copyingR1R2s$ERROR: copying file and permissions s: s N( R tlinkRhRiRZRfR R RR(RVRWRXt try_hardlinkt retain_ownertdo_normal_copyRdRe((s/usr/share/jailkit/jk_lib.pytcopy_with_permissions>s    c Cst|tii||ddddddtii||od||dGHdSnti|}y|id}|id}ti|io d }n/ti |io d }nd |d GHdS|djod ||GHnti ti dd||t |t |t |}t |||ddd|Wn3d|dGHd|dGHd|dGHdGHnXdS(NR0iR1iR2sDevice s does exist alreadyitctbs WARNING, s# is not a character or block devicesCreating device tmknodsFailed to create device s(, this is a know problem with python 2.1s use "ls -l s6" to find out the mode, major and minor for the devices use "mknod s' mode major minor" to create the devices<use chmod and chown to set the permissions as found by ls -l(R3R RR\RARtst_rdevtS_ISCHRtst_modetS_ISBLKtspawnlptP_WAITtstrRZ( RaRRXRutsbtmajortminorRItret((s/usr/share/jailkit/jk_lib.pyt copy_deviceOs..      :!   c Cs!d }xti|D]} tii|| } yti| } ti| ioJt|| d|ddddd|t || ||||||}n|tii|| f7}Wqt j o,} t i i d| d| id qXqWt||||||||}|S( sRcopies a directory and the permissions recursive, except any setuid or setgid bitsRXR0iR1iR2s)ERROR: failed to investigate source file s: s ((R tlistdirRtjoinR RRR}R3tcopy_dir_recursiveR R RRRetcopy_binaries_and_libs( Ratdirtforce_overwriteRXt check_libsRtRut handledfilestfiles2tentryR]RYte((s/usr/share/jailkit/jk_lib.pyRjs%% ,!c Cs|ddjo|d }nxs|D]k} | |joq&nyti| } Wntj o} | idjo|djorti| } t| djo4t|| |||d|d|ddd |}q |od | d GHq q4|od | d GHq4q&tii d| d| i dq&nXyti|| } d}WnVtj oJ} | idjo d}qtii d|| d| i dnX|djo;|o4t i | i  o |od|| dGHqq&|o|ot i| i o|od|| dGHnyti|| Wqtj o<} tii d|| d| i d|| dqXqt i | i od|| dGHqqt i | i oq|od|| dGHq&q&nt|tii| |ddddd|t i| i oti| }d|| d|GHyti||| Wntj onX|i| |ddjotii| d|}nt||g||||||}nt i | i o%t|| ||||||}nt i| i o`|od| d|| GHnd | d|| GHt| || ||||i| nVt i| i pt i| i ot|| ||ntii d!| d"t i| t i}|o|ti| d#djp5ti| d$djp|t i t i!Bt i"B@o.t#| }t||||d||}q&q&W|S(%s>copies a list of executables and their libraries to the chrootiRiiiRtRuttry_glob_matchingRsSource file(s) s do not exists Source file s does not exists)ERROR: failed to investigate source file s: s s.ERROR: failed to investigate destination file R[s" already exists, will not touch itsDestination file s$ exists, will delete to force updatesERROR: failed to delete s cannot overwrite sDestination dir s existsR0R1R2sCreating symlink s to sTrying to link sCopying sFailed to find how to copy s= into a chroot jail, please report to the Jailkit developers Rs.so($R R R RdtglobR?RR RRReRRR}tS_ISREGtunlinkR3RR\RtreadlinktsymlinktappendRRwR|R~RRPRRR_tS_IXUSRtS_IXGRPtS_IXOTHRO(Rat binarieslistRRXRRtRuRRtfileRRRtchrootsbtchrootfile_existstrealfileRItlibs((s/usr/share/jailkit/jk_lib.pyRs  4#  ,(<. (%&U &cCsfg}|i||oI|i||}x4ti|dD]}|ti|g7}q>Wn|S(sretrieves a comma separated option from the configparser and splits it into a list, returning an empty list if it does not existt,(t has_optiontgetRR@tstrip(t cfgparsert sectionnamet optionnameR(tinputstrR]((s/usr/share/jailkit/jk_lib.pytconfig_get_option_as_liststERRORcCs*dGH|d|GH|ti|dS(NR[s: (R texit(texitnotmessaget usagefuncttype((s/usr/share/jailkit/jk_lib.pyt clean_exits cCsyt|d}Wn dSnX|i}xlt|djoXti|d}t||jo#|||jo|idSn|i}q0WdS(NtriRFi(topenR>R?RR@tclose(titemtnumtfilenametfdRCtpwstruct((s/usr/share/jailkit/jk_lib.pyttest_numitem_exists $ cCst|d|S(Ni(R(tusert passwdfile((s/usr/share/jailkit/jk_lib.pyttest_user_existscCst|d|S(Ni(R(tgroupt groupfile((s/usr/share/jailkit/jk_lib.pyttest_group_existsc CsV|ddjo|d }nt|d|ddddddtidd !d jo`t|d d it|d d it|dd it|dd inatii|d pt|d d}n t|d d}|i}xt |djot i |d}t |djo|d|jp|d|jo~|od|dd|d GHny|i |dWnt j onXy|i |dWqt j oqXqn|i}qW|iddt |djotd d}|i}xt |djot i |d}t |djo|d|jp|d|jo[|i||od|dd|d GHn|d|jo||dg7}qqn|i}q6W|in|itii|dpt|dd}n t|dd}|i}xt |djot i |d}t |djo|d|jp|d|jo~|od|dd|dGHny|i |dWnt j onXy|i |dWq@t j oq@XqDn|i}qhW|iddt |djotdd}|i}xt |djot i |d}t |djo[|d|jp|d|jo5|i||od|dd|dGHq%q)n|i}qW|in|idS(NiRs/etc/R0iR1R2iiRs /etc/passwdtas /etc/spwd.dbs /etc/pwd.dbs/etc/master.passwdtwsr+RFiisuser s exists in Rs writing user s to s /etc/groupsgroup swriting group (R3R RRRR RtisfileR>R?RR@tremoveRtseekR( RatuserstgroupsRXtfd2RCRRt groupstruct((s/usr/share/jailkit/jk_lib.pytinit_passwd_and_groups" "  "   "  " %(tos.pathR RR RRhRRRR+R.R6RERJRLRORZR^R3RqRjRwRRRRRRRRR(((s/usr/share/jailkit/jk_lib.pys s<            " #   $  \