[PC-BSD Commits] r4781 - pcbsd/trunk/system-overlay/usr/PCBSD/portjail
svn at pcbsd.org
svn at pcbsd.org
Mon Oct 26 11:26:59 PST 2009
Author: kris
Date: 2009-10-26 12:26:59 -0700 (Mon, 26 Oct 2009)
New Revision: 4781
Modified:
pcbsd/trunk/system-overlay/usr/PCBSD/portjail/portjail.sh
Log:
Updated the portjail to use more secure sed replacements, and added a new "run" command which lets you create
icons / commands in your regular system to execute something in the ports jail
Modified: pcbsd/trunk/system-overlay/usr/PCBSD/portjail/portjail.sh
===================================================================
--- pcbsd/trunk/system-overlay/usr/PCBSD/portjail/portjail.sh 2009-10-26 18:57:53 UTC (rev 4780)
+++ pcbsd/trunk/system-overlay/usr/PCBSD/portjail/portjail.sh 2009-10-26 19:26:59 UTC (rev 4781)
@@ -10,9 +10,35 @@
MANPATH=/usr/local/man
export MANPATH
+display_help()
+{
+ echo "PC-BSD Port Jail Management"
+ echo "--------------------------------"
+ echo "Usage:"
+ echo " portjail start - Starts the jail, root only"
+ echo " portjail stop - Stops the jail, root only"
+ echo " portjail console - Starts a shell session within the jail"
+ echo " portjail run <cmd> - Runs the specified command within the jail"
+
+};
+
+
+# if we are called without a flag, warn the user and exit
+if [ -z "$1" ]
+then
+ display_help
+ exit 1
+fi
+
if [ "$1" = "start" ]
then
+ if [ "`id -u`" != "0" ]
+ then
+ echo "Error: You must be root to start the ports jail"
+ exit 1
+ fi
+
# Create some hard-links for the portjail
rm ${PJDIR}/etc/resolv.conf >/dev/null 2>/dev/null
ln /etc/resolv.conf ${PJDIR}/etc/resolv.conf
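Review bot: The new `-z "$1"` guard only catches a missing argument; an unrecognised subcommand still appears to fall through the `if`/`elif` chain and exit 0 with no message, since the chain visible in the last hunk closes with a bare `fi`. Adding `else display_help; exit 1` before that `fi` would cover it, though branches outside the hunks are not visible here, so this should be confirmed against the full file. The usage text and the "must be root" errors are also written to stdout; `>&2` on those `echo` lines keeps them out of anything consuming the script's output. The same applies to the root check added in the `stop` hunk.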
@@ -33,12 +59,8 @@
# Configure NAT with PF
- TMPFILE=`mktemp /tmp/.pf-tmp.XXXXXX`
- cat /etc/pf.conf | grep -v "from lo1:network to any" > ${TMPFILE}
- mv ${TMPFILE} /etc/pf.conf
- chmod 644 /etc/pf.conf
+ sed -i -e '/from lo1:network to any/d' /etc/pf.conf
- echo "scrub in all" >/etc/.pflo1tmp
TMPIF=`ifconfig -l`
for i in ${TMPIF}
do
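Review bot: On FreeBSD's sed, `-i` takes a mandatory backup-extension argument, so `sed -i -e '/from lo1:network to any/d' /etc/pf.conf` consumes `-e` as that extension and leaves a copy at `/etc/pf.conf-e` on each run. The deletion still happens, but stale copies of the firewall config accumulate next to the live file. The later hunks use the same form on `hosts` and `rc.conf`, and again on `/etc/pf.conf` in the `stop` branch. If no backup is wanted, `sed -i '' -e '/from lo1:network to any/d' /etc/pf.conf` states that explicitly.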
@@ -50,7 +72,6 @@
done
rm /etc/.pftmp.conf >/dev/null 2>/dev/null
- rm /etc/.pflo1tmp >/dev/null 2>/dev/null
/etc/rc.d/pf restart >/dev/null 2>/dev/null
# Make sure we remove our cleartmp rc.d script, causes issues
@@ -60,18 +81,12 @@
fi
# Add the hostname to the portjails /etc/hosts file, to prevent sendmail warnings
- TMPFILE=`mktemp /tmp/.hosts-tmp.XXXXXX`
- cat ${PJDIR}/etc/hosts | grep -v "127.0.0.1" > ${TMPFILE}
- echo "127.0.0.1 localhost localhost.my.domain ${PJHOST}" >> ${TMPFILE}
- mv ${TMPFILE} ${PJDIR}/etc/hosts
- chmod 644 ${PJDIR}/etc/hosts
+ sed -i -e '/127.0.0.1/d' ${PJDIR}/etc/hosts
+ echo "127.0.0.1 localhost localhost.my.domain ${PJHOST}" >>${PJDIR}/etc/hosts
# Make sure the /etc/rc.conf HOSTNAME values match
- TMPFILE=`mktemp /tmp/.rc-tmp.XXXXXX`
- cat ${PJDIR}/etc/rc.conf | grep -v "hostname=" > ${TMPFILE}
- echo "hostname=\"$PJHOST\"" >> ${TMPFILE}
- mv ${TMPFILE} ${PJDIR}/etc/rc.conf
- chmod 644 ${PJDIR}/etc/rc.conf
+ sed -i -e '/hostname=/d' ${PJDIR}/etc/rc.conf
+ echo "hostname=\"$PJHOST\"" >> ${PJDIR}/etc/rc.conf
mount_nullfs /tmp ${PJDIR}/tmp
mount_nullfs /usr/home ${PJDIR}/usr/home
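Review bot: The `>>` appends on the `hosts` and `rc.conf` lines follow symlinks, whereas the removed `mv ${TMPFILE} ...` replaced whatever sat at the target path. Both files live inside the jail tree, so if root inside the jail is not fully trusted, a link left at `${PJDIR}/etc/rc.conf` would redirect a root-owned write on the host. Checking the target first, e.g. `[ -f "${PJDIR}/etc/rc.conf" ] && [ ! -L "${PJDIR}/etc/rc.conf" ] || exit 1`, and quoting `"${PJDIR}"` throughout would close that gap. Separately, `/127.0.0.1/` and `/hostname=/` are unanchored regexes in which the dots match any character; `'/^127\.0\.0\.1[[:space:]]/d'` and `'/^hostname=/d'` would delete only the intended lines.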
@@ -82,6 +97,12 @@
elif [ "$1" = "stop" ]
then
+ if [ "`id -u`" != "0" ]
+ then
+ echo "Error: You must be root to stop the ports jail"
+ exit 1
+ fi
+
# Stop the Jail
jexec portjail /bin/sh /etc/rc.shutdown
jail -r portjail
@@ -92,15 +113,26 @@
ifconfig lo1 destroy
# Cleanup /etc/pf.conf
- TMPFILE=`mktemp /tmp/.pf-tmp.XXXXXX`
- cat /etc/pf.conf | grep -v "from lo1:network to any" > $TMPFILE
- mv $TMPFILE /etc/pf.conf
- chmod 644 /etc/pf.conf
+ sed -i -e '/from lo1:network to any/d' /etc/pf.conf
elif [ "$1" = "console" ]
then
DBUS_SESSION_BUS_ADDRESS="" ; export DBUS_SESSION_BUS_ADDRESS
PJID=`jls | grep "${PJDIR}" | tr -s " " | awk '{ print $1 }'`
/usr/local/sbin/jailme $PJID /bin/csh
+
+elif [ "$1" = "run" ]
+then
+
+ if [ -z "$2" ]
+ then
+ echo "Error: No command specified!"
+ exit 1
+ fi
+
+ DBUS_SESSION_BUS_ADDRESS="" ; export DBUS_SESSION_BUS_ADDRESS
+ PJID=`jls | grep "${PJDIR}" | tr -s " " | awk '{ print $1 }'`
+ /usr/local/sbin/jailme $PJID $2
+
fi
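Review bot: In the new `run` branch, `/usr/local/sbin/jailme $PJID $2` expands both values unquoted and forwards only `$2`, so the command is word-split and glob-expanded by this script and any further arguments are silently dropped. If the jail is not running, `PJID` is empty and `$2` moves into the jail-id position; `grep "${PJDIR}"` can also match more than one `jls` line. A guard such as `[ -n "$PJID" ] || { echo "Error: ports jail is not running" >&2; exit 1; }` followed by `shift` and `/usr/local/sbin/jailme "$PJID" "$@"` would address this, assuming jailme accepts the command's arguments as separate words. The existing `console` branch passes `$PJID` the same unguarded way.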