Move chroot creation to jailkit
This commit is contained in:
175
etc/jailkit/jk_init.ini
Normal file
175
etc/jailkit/jk_init.ini
Normal file
@ -0,0 +1,175 @@
|
||||
[uidbasics]
|
||||
# this section probably needs adjustment on 64bit systems
|
||||
# or non-Linux systems
|
||||
comment = common files for all jails that need user/group information
|
||||
paths = /lib/libnsl.so.*, /lib64/libnsl.so.*, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.*, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.*, /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, /lib/arm-linux-gnueabihf/libnsl*.so.*, /etc/nsswitch.conf, /etc/ld.so.conf
|
||||
# Solaris needs
|
||||
# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, /etc/nsswitch.conf
|
||||
|
||||
[netbasics]
|
||||
comment = common files for all jails that need any internet connectivity
|
||||
paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/libnss_mdns*.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
|
||||
# on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure
|
||||
|
||||
[logbasics]
|
||||
comment = timezone information and log sockets
|
||||
paths = /etc/localtime
|
||||
need_logsocket = 1
|
||||
# Solaris does not need logsocket
|
||||
# but needs
|
||||
# devices = /dev/log, /dev/conslog
|
||||
|
||||
[jk_lsh]
|
||||
comment = Jailkit limited shell
|
||||
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
|
||||
users = root
|
||||
groups = root
|
||||
includesections = uidbasics, logbasics
|
||||
|
||||
[limitedshell]
|
||||
comment = alias for jk_lsh
|
||||
includesections = jk_lsh
|
||||
|
||||
[cvs]
|
||||
comment = Concurrent Versions System
|
||||
paths = cvs
|
||||
devices = /dev/null
|
||||
|
||||
[git]
|
||||
comment = Fast Version Control System
|
||||
paths = /usr/bin/git*, /usr/lib/git-core, /usr/share/git-core, /usr/bin/basename, /bin/uname, /usr/bin/pager
|
||||
includesections = editors, perl
|
||||
|
||||
[scp]
|
||||
comment = ssh secure copy
|
||||
paths = scp
|
||||
includesections = netbasics, uidbasics
|
||||
devices = /dev/urandom, /dev/null
|
||||
|
||||
[sftp]
|
||||
comment = ssh secure ftp
|
||||
paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server
|
||||
includesections = netbasics, uidbasics
|
||||
devices = /dev/urandom, /dev/null
|
||||
# on solaris
|
||||
#paths = /usr/lib/ssh/sftp-server
|
||||
|
||||
[ssh]
|
||||
comment = ssh secure shell
|
||||
paths = ssh
|
||||
includesections = netbasics, uidbasics
|
||||
devices = /dev/urandom, /dev/tty, /dev/null
|
||||
|
||||
[rsync]
|
||||
paths = rsync
|
||||
includesections = netbasics, uidbasics
|
||||
|
||||
[procmail]
|
||||
comment = procmail mail delivery
|
||||
paths = procmail, /bin/sh
|
||||
devices = /dev/null
|
||||
|
||||
[basicshell]
|
||||
comment = bash based shell with several basic utilities
|
||||
paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8
|
||||
users = root
|
||||
groups = root
|
||||
includesections = uidbasics
|
||||
|
||||
[interactiveshell]
|
||||
comment = for ssh access to a full shell
|
||||
includesections = uidbasics, basicshell, terminfo, editors, extendedshell
|
||||
|
||||
[midnightcommander]
|
||||
comment = Midnight Commander
|
||||
paths = mc, mcedit, mcview, /usr/share/mc
|
||||
includesections = basicshell, terminfo
|
||||
|
||||
[extendedshell]
|
||||
comment = bash shell including things like awk, bzip, tail, less
|
||||
paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, less, md5sum, nice, sort, tac, tail, tr, sort, wc, watch, whoami
|
||||
includesections = basicshell, midnightcommander, editors
|
||||
|
||||
[terminfo]
|
||||
comment = terminfo databases, required for example for ncurses or vim
|
||||
paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo
|
||||
|
||||
[editors]
|
||||
comment = vim, joe and nano
|
||||
includesections = terminfo
|
||||
paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim
|
||||
|
||||
[netutils]
|
||||
comment = several internet utilities like wget, ftp, rsync, scp, ssh
|
||||
paths = wget, lynx, ftp, host, rsync, smbclient
|
||||
includesections = netbasics, ssh, sftp, scp
|
||||
|
||||
[apacheutils]
|
||||
comment = htpasswd utility
|
||||
paths = htpasswd
|
||||
|
||||
[extshellplusnet]
|
||||
comment = alias for extendedshell + netutils + apacheutils
|
||||
includesections = extendedshell, netutils, apacheutils
|
||||
|
||||
[openvpn]
|
||||
comment = jail for the openvpn daemon
|
||||
paths = /usr/sbin/openvpn
|
||||
users = root,nobody
|
||||
groups = root,nogroup
|
||||
#includesections = netbasics
|
||||
devices = /dev/urandom, /dev/random, /dev/net/tun
|
||||
includesections = netbasics, uidbasics
|
||||
need_logsocket = 1
|
||||
|
||||
[apache]
|
||||
comment = the apache webserver, very basic setup, probably too limited for you
|
||||
paths = /usr/sbin/apache
|
||||
users = root, www-data
|
||||
groups = root, www-data
|
||||
includesections = netbasics, uidbasics
|
||||
|
||||
[perl]
|
||||
comment = the perl interpreter and libraries
|
||||
paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
|
||||
|
||||
[xauth]
|
||||
comment = getting X authentication to work
|
||||
paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
|
||||
|
||||
[xclients]
|
||||
comment = minimal files for X clients
|
||||
paths = /usr/X11R6/lib/X11/rgb.txt
|
||||
includesections = xauth
|
||||
|
||||
[vncserver]
|
||||
comment = the VNC server program
|
||||
paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
|
||||
includesections = xclients
|
||||
|
||||
[ping]
|
||||
comment = Ping program
|
||||
paths_w_setuid = /bin/ping
|
||||
|
||||
#[xterm]
|
||||
#comment = xterm
|
||||
#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
|
||||
#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
|
||||
|
||||
[php]
|
||||
comment = the php interpreter and libraries
|
||||
paths = /usr/bin/php*, composer, /usr/bin/phar*, env, /usr/lib/php, /usr/share/php, /usr/share/php*, /usr/share/zoneinfo, /usr/share/ca-certificates, /etc/ssl/certs, /usr/lib/ssl/certs, /etc/localtime
|
||||
includesections = netbasics
|
||||
|
||||
[locales]
|
||||
comment = all translations
|
||||
paths = /usr/lib/locale, /usr/share/i18n, /etc/default/locale, /etc/locale.alias
|
||||
|
||||
[custom_hosting]
|
||||
comment = custom giftGRÜN configuration
|
||||
includesections = php, git, netutils, interactiveshell, locales
|
||||
devices = /dev/zero, /dev/random
|
||||
paths = base32, base64, basenc, brotli, cksum, comm, csplit, curl, dirname, dir, expand, expr, factor, fmt, fold, gpg, id, install, join, link, mysql, mysqldump, mysqlcheck, nl, nohup, numfmt, od, openssl, paste, pr, printenv, printf, ptx, readlink, realpath, seq, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, shred, shuf, split, stat, stdbuf, sum, test, tee, timeout, tput, truncate, tsort, unexpand, uniq, unlink, unxz, unzip, vdir, which, xargs, xz, zip, zopfli, nologin, /etc/bash_completion, /etc/bash_completion.d, /usr/share/bash-completion, /etc/profile.d, /etc/ld.so.conf.d, /etc/hostname
|
||||
emptydirs = /var/run/mysqld, /tmp
|
||||
users = root, www-data
|
||||
groups = root, www-data
|
||||
Reference in New Issue
Block a user