@Pc @sddlZddlZddlZddlZddlZddlZddlZiZdZ ddZ ddZ dZ dZ dZd Zd Zd Zd dd Zd ddZddddZdZdddddZdZdZdZdddddZddZddZdddddZdddZddddddgdZdddddddgdZ dZ!ddZ"d Z#d!Z$d"Z%dd#Z&d$Z'd%Z(dS(&iNcCs<tj|d}|dkr8tj|t|<}n|S(N(t statcachetgettNonetostlstat(tpathtret((s jk_lib.pyt cachedlstat+s icCsyt|}Wn9tk rK|dkrGtjjd|dndSXtjddkr|tjdks|tjt j dj krtjjd|d dSnB|tjdks|tjdkrtjjd|d dS|tj tj @s|tj tj@rMtj|tj  rMtjjd|d d Stj|tj stj|tj rtj|}|G|GH|d dkrtjjd|ddSqtjjd|ddSndS(NisERROR: cannot lstat() s iitbsdtwheelsERROR: s is not owned by root:wheel! s is not owned by root:root! s is writable by group or others!iisusr/s2 is a symlink, please point to the real directory is is not a directory! i(RtOSErrortsyststderrtwritetplatformtstattST_UIDtST_GIDtgrptgetgrnamtgr_gidtST_MODEtS_IWOTHtS_IWGRPtS_ISLNKtS_ISDIRRtreadlink(Rt failquiettstatbufttarget((s jk_lib.pyt path_is_safe=s4  2&? cCstjj|}t||}|dkr1|Sx5d D]-}t|d |d }|dkr8|Sq8Wtjj|}xA|d krt|d }|d kr|Stjj|}q~Wd S(s]tests if path is a safe jail, not writable, no writable /etc/ and /lib, return 1 if all is OKitetctusrtvartbintdevtproctsbinR t/ii(RR svarsbinR#R$R%ssys(RRtabspathRtdirname(RRtretvaltsubdtnpath((s jk_lib.pytchroot_is_safe]s    cCs/t|}|tjtjtjB@r+dSdS(sAreturns 1 if the file is setuid or setgid, returns 0 if it is notii(RRRtS_ISUIDtS_ISGID(RR((s jk_lib.pyttest_suid_sgidqs c CsMtjd dkrIt|ddddddddtjd|ndS( Nitlinuxs/etcitcopy_permissionst allow_suidtcopy_ownerships ldconfig -r (R Rtcreate_parent_pathRtsystem(tjail((s jk_lib.pytgen_library_cachexs"c Csg}tjd|dtdtjdtjdtjdt}|jj}xt|dkrtj|}t|dkr|ddkr|d d kr|S|dd kr|d d kr|ddkr|S|ddks|ddkrqt|dkr5|d d kr5|ddkr5qt|dkrt j j |d rq||d g7}qd|d d|GHqt|d kr|dddkrt j j |dr||dg7}qd|dGHqd|d GHn d|d GH|jj}qRW|S(s;returns a list of libraries that the executable depends on sldd tshelltstdintstdoutR t close_fdsit staticallyitlinkedtnotitdynamicit executableslinux-gate.so.1slinux-vdso.so.1itfounds!ldd returns non existing library s for R&s$WARNING: failed to parse ldd output i( t subprocesstPopentTruetPIPER:treadlinetlentstringtsplitRRtexists(R@R)tptlinetsubl((s jk_lib.pytlddlist_libraries_linux~s4: 0 2& c Csg}d}tjd|dtdtjdtjdtjdt}|jj}x^t|dkrtj|}t|dkr|d|d krq|dd krt|d kr|d d krd}qqt|dkr|dkr8t j j |dr(||dg7}qd|dGHq|dkr~t j j |d rn||d g7}qd|d GHqdGHqd|d GHn d|d GH|jj}qXW|S(s;returns a list of libraries that the executable depends on isldd R8R9R:R R;it:tStartiitNameiis!ldd returns non existing library s1unknown mode, please report this bug in jk_lib.pys$WARNING: failed to parse ldd output i( RBRCRDRER:RFRGRHRIRRRJ(R@R)tmodeRKRLRM((s jk_lib.pytlddlist_libraries_openbsds6:"    c Csg}tjd|dtdtjdtjdtjdt}|jj}xEt|dkrtj|}t|dkrRt|dkr|dt|d |d krqt|d kr|d d kr|d dkr|St|d kr>t j j |d r.||d g7}qOd|d GHqd|d dGHn2|t|d |d krsnd|d dGH|jj}qRW|S(s;returns a list of libraries that the executable depends on sldd R8R9R:R R;iiROiiR>iR?s!ldd returns non existing library s%WARNING: failed to parse ldd output "it"( RBRCRDRER:RFRGRHRIRRRJ(R@R)RKRLRM((s jk_lib.pytlddlist_libraries_freebsds(:42cCstjd dkrt|Stjd dkr:t|Stjd dkrWt|Stjd dkrt|}|dg7}|St|}|dd d g7}|SdS( NiR0itopenbsdtfreebsdtsunoss /lib/ld.so.1s/usr/libexec/ld.sos/usr/libexec/ld-elf.so.1s/libexec/ld-elf.so.1(R RRNRSRU(R@R)((s jk_lib.pytlddlist_librariess      tc Csf|dkrdSt|}d}|s?|d}|d }nd}d}x|D]}tjj||}t|}tj|jrR|d7}tj|} | ddkrtjj || }qOtjj tjjtjj || } t |dkrF| t | |krFt j jd| dtdn| }qRqRWtjj||S( NR&RZiiisERROR: symlink s points outside jail, ABORT sSymlink points outside jail(t split_pathRRtjoinRRRtst_modeRtnormpathR(RGR R R t Exception( Rtchroott include_filetspathtbasenameRt doscountertentrytsbtrealpathttmp((s jk_lib.pytresolve_realpaths.       -(  c Cst|}|r!d}|}n$tjj|}tjj|}d}x5|dkr|dkrt|}tj|jrM|d7}tj |}|ddkr||}|ddkrJ|d }qJqytjj tjj tjj||} |dkrD| | |krDt j jd| dtd n| }n,tjj|d|}tjj|}d }qNWd|S( sNwill return the same path that contains not a single symlink directory elementRZiR&idiisERROR: symlink s points outside jail, ABORT sSymlink points outside jailN(RGRRRcR(RRRR]RR^R\R R R R_R( RR`Rat chrootlentdonepathttodopathRdRfRgRh((s jk_lib.pytOLDresolve_realpaths2     -   cCstj|}tj|tj}|sd|tjtjB@rdd|GH|tj@tj@}qdntj||tj|tjf|rtj ||tj |tj ntj ||dS(Ns,removing setuid and setgid permissions from ( RRtS_IMODERR-R.tutimetST_ATIMEtST_MTIMEtchownRRtchmod(tsrctdstt be_verboseR2R3tsbufRR((s jk_lib.pytcopy_time_and_permissions5s $$cCsO|}xBtjj| rJ|dkp1|dk rJtjj|}q W|S(ssThis function tests if a directory exists, if not tries the parent etc. etc. until it finds a directory that existsR&RZ(RRRJR((RRh((s jk_lib.pyt!OLDreturn_existing_base_directoryJs/icCs}|}|ddkr#|d }ny-t|||}tjj|rOdSWnt|| k rlnXt||} t| t|} tj|d| d} | dkrt|} nx| dkrx| d| kr| } n7yt || } Wn>tk rC\}} t j j d|| d| dPnXt j| jrctj|| }t||| |}|rd|d |GHnytj||WnHtk r\}} |d krqt j j d ||| dnX|d dkr%t||||||q tj|| d}t|||d |||||nt j| jr t||| |}|rd |GHntj|d|r yt|| ||||Wqtk r\}} t j j d|| d |d| dqXq n| } | t|krAd} qtj|d| d} | dkrt|} qqWdS(sucreates the directory and all its parents id needed. copy_ownership can only be used if copy permissions is also usediR&NisERROR: failed to lstat(s):s sCreating symlink s to is ERROR: failed to create symlink isCreating directory is2ERROR: failed to copy time/permissions/owner from s: (RiRRRJR treturn_existing_base_directoryRGRHtfindRR R R RRR]RtsymlinkR4trfindRtmkdirRx(R`RRvR1R2R3t directorytchrootdirectoryterrnotstrerrorRhtoldindxtindxRftrealfilet chrootnametindx2((s jk_lib.pytOLD_create_parent_pathQsj   $ $( 6  cCsad}d}xN|D]F}|dks1|dkr>||7}n|dkrSd}qd}qW|S(NRZiR&i((tinstringt outstringtslashti((s jk_lib.pytfix_double_slashess     cCscg}ttjj|}x>|dkr^|jdtjj|tjj|}q!W|S(NR&i(RRRR^tinsertRcR((RRtnext((s jk_lib.pyR[s cCs?t|dkrdSd}x|D]}|d|7}q#W|S(NiR&RZ(RG(RbRRe((s jk_lib.pyt join_paths  cCst|}|}d}x}|t|krtjj|||} tjj| s\Pnt| |d} tjj| sPn| }|d7}qWxe|t|krt|d|d!} tjj|||} yt| } Wn:t k r)\}}t j j d| d|ddSXtj| jr|rNd| GHntj| d|ryt| | |||Wqt k r\}}t j j dtt d td |dqXqn tj| jrtj| }|rd | d |GHntj|| |dd krEt||||||} qtjjtjjtjj| |} t|dkr| t| |krt j j d | dtdn| t|}t||||||} n| }|d7}qW|S(NiisERROR: failed to lstat(s):s sCreate directory is2ERROR: failed to copy time/permissions/owner from s to s: sCreating symlink R&sERROR: symlink s points outside jail, ABORT sSymlink points outside jail(R[RGRRR\RJRiRRR R R R RRRR]R~RxRRRRRR|R4R^R(R_(R`RRvR1R2R3Rbt existpathRttmp1RhtorigpathtjailpathRfRRR((s jk_lib.pyR4sZ   6-( c Csy?|rd|GHntj|t|||ddddWnHttfk r\}}tjjd|d|d|d dSXx7tj|D]&\}}}x|D]}|rd |d |d|d |GHnyPt j |d ||d |t|d ||d ||ddddWqttfk r\}}tjjd |d |d|d |d|d dSXqWx.|D]&}t |d ||d ||qWqWdS( NsCreating directoryR2iR3is)ERROR: copying directory and permissions s to s: s sCopying R&s$ERROR: copying file and permissions ( RR~RxtIOErrorR R R R twalktshutiltcopyfilet#move_dir_with_permissions_and_owner( tsrcdirtdstdirRvRRtroottdirstfilestname((s jk_lib.pyt#copy_dir_with_permissions_and_owners*   ( $ 08  (cCst|||}|dkr|dkr6d|GHnytj|Wqttfk r\}}tjjd|d|dqXnd|d|GHdS(Nis!Removing original home directory sERROR: failed to remove s: s sNot everything was copied to s, keeping the old directory (RRtrmtreeR RR R R (RRRvR)RR((s jk_lib.pyRs   'c Csd}|dkrNytj||d}WqNd|d|dGHqNXn|dkry0tj||t|||d|d|Wqttfk r\}}tjj d|d|d |d qXnd S( sXcopies/links the file and the permissions (and possibly ownership and setuid/setgid bitsiisLinking s to s failed, will revert to copyingR2R3s$ERROR: copying file and permissions s: s N( RtlinkRRRxRR R R R ( RtRuRvt try_hardlinkR2t retain_ownertdo_normal_copyRR((s jk_lib.pytcopy_with_permissionss    c Cst|tjj||ddddddt|||}tjj|rdd|dGHdStj|}yXtjd d kr|j d }|j d }nrtjd krtj d kr|j d }|j d }q|j d }|j d }n|j d }|j d }tj |j r3d}n,tj |j rNd}nd|dGHdS|dkr{d||GHntjtjdd|t|t|t|} t||ddd|Wn3d|dGHd|dGHd|dGHdGHnXdS(NR1iR2iR3sDevice s does exist alreadyiR0itsunos5iitctbs WARNING, s# is not a character or block devicesCreating device tmknodsFailed to create device s(, this is a know problem with python 2.1s use "ls -l s6" to find out the mode, major and minor for the devices use "mknod s' mode major minor" to create the devices<use chmod and chown to set the permissions as found by ls -l(R4RRR(RiRJRR Rtst_rdevtmaxinttS_ISCHRR]tS_ISBLKtspawnlptP_WAITtstrRx( R`RRvRt chrootpathRftmajortminorRRR((s jk_lib.pyt copy_device!sB.          6   c  Cs d } xtj|D]} tjj|| } yt| } tj| jrt|| d|ddd|d|t || ||||||| }n| tjj|| f7} Wqt k r} t j j d| d| jdqXqWt|| ||||||| }|S( sbcopies a directory and the permissions recursively, possibly with ownership and setuid/setgid bitsRvR1iR2R3s)ERROR: failed to investigate source file s: s ((RtlistdirRR\RRRR]R4tcopy_dir_recursiveR R R R Rtcopy_binaries_and_libs(R`tdirtforce_overwriteRvt check_libsRR2Rt handledfilestfiles2ReRhRwte((s jk_lib.pyRIs %' +$c Cs|ddkr|d }nxu|D]m} | | kr<q$nyt| } Wntk r(} | jdkr|dkrtj| } t| dkrt|| |||d|d|ddd | } q|rd | d GHqq"|r"d | d GHq"q$tjjd| d| j dq$nXt |t j j | |ddd|d|tt j j|d| |}yt|}d}WnRtk r} | jdkrd}qtjjd|| d| j dnX|dkr#|r#tj|j r#|rd|dGHqq$|r |rtj|jr|rWd|dGHnyt j|Wqtk r} tjjd|td| j d|tdqXqtj|jrd|dGHqq tj|jrq |r$d|dGHq$q$nt |t j j | |ddd|d|tj| jr t j| }y%d|d|GHt j||Wntk rnX| j| |ddkrt j jt j jt j j | |}nt||g||||||| } ntj| jrBt|| ||||||| } ntj| jr|rnd| d|GHnd | d|GHt| |||||| j| nRtj| jstj| jrt|| ||ntjjd!| d"tj | tj!}|r$t"j#| d#dksat"j#| d$dksa|tj$tj%Btj&B@r$t'| }t||||d|d | } q$q$W| S(%s>copies a list of executables and their libraries to the chrootiR&iiiRRttry_glob_matchingRsSource file(s) s do not exists Source file s does not exists)ERROR: failed to investigate source file s: s R1R2R3s.ERROR: failed to investigate destination file RZs" already exists, will not touch itsDestination file s$ exists, will delete to force updatesERROR: failed to delete s cannot force update sDestination dir s existssCreating symlink s to sTrying to link sCopying sFailed to find how to copy s= into a chroot jail, please report to the Jailkit developers tlibs.so((RR RtglobRGRR R R RR4RRR(RiR^RRR]tS_ISREGtunlinktrfileRRR|tappendR\RRRRRRnRRHR{tS_IXUSRtS_IXGRPtS_IXOTHRY(R`t binarieslistRRvRRR2RRRtfileRfRRt chrootrfiletchrootsbtchrootfile_existsRRRtlibs((s jk_lib.pyRjs    3#.#   +%:.  0*'$Q (cCsdg}|j||r`|j||}x3tj|dD]}|tj|g7}q=Wn|S(sretrieves a comma separated option from the configparser and splits it into a list, returning an empty list if it does not existt,(t has_optionRRHRItstrip(t cfgparsert sectionnamet optionnameR)tinputstrRh((s jk_lib.pytconfig_get_option_as_lists tERRORcCs*dGH|d|GH|tj|dS(NRZs: (R texit(texitnotmessaget usagefuncttype((s jk_lib.pyt clean_exits cCsyt|d}WndSX|j}xdt|dkrtj|d}t||kr|||kr|jdS|j}q-WdS(NtriROi(topenRFRGRHRItclose(titemtnumtfilenametfdRLtpwstruct((s jk_lib.pyttest_numitem_exists " cCst|d|S(Ni(R(tusert passwdfile((s jk_lib.pyttest_user_existscCst|d|S(Ni(R(tgroupt groupfile((s jk_lib.pyttest_group_existsc Cs|ddkr|d }nt|d|ddddddtjdd !d krt|d d jt|d d jt|dd jt|dd jnDtjj|d st|d d}nt|d d}|j}xt |dkrt j |d}t |dkr|d|ksX|d|kr|rzd|dd|d GHny|j |dWnt k rnXy|j |dWqt k rqXqn|j}qW|jddt |dkrtd d}|j}xt |dkrt j |d}t |dkr|d|ksx|d|kr|j||rd|dd|d GHn|d|kr||dg7}qqn|j}q"W|jn|jtjj|ds$t|dd}nt|dd}|j}xt |dkr%t j |d}t |dkr|d|ks|d|kr|rd|dd|dGHny|j |dWnt k rnXy|j |dWqt k rqXqn|j}qFW|jddt |dkrtdd}|j}xt |dkrt j |d}t |dkr|d|ks|d|kr|j||rd|dd|dGHqqn|j}qfW|jn|jdS(NiR&s/etc/R1iR2R3iiRs /etc/passwdtas /etc/spwd.dbs /etc/pwd.dbs/etc/master.passwdtwsr+ROiisuser s exists in Rs writing user s to s /etc/groupsgroup swriting group (R4R RRRRRtisfileRFRGRHRItremovet ValueErrortseekR ( R`tuserstgroupsRvtfd2RLRRt groupstruct((s jk_lib.pytinit_passwd_and_groups "                  " cCsmtjd}tj|d}xE|D]=}tjj||}tjj|r(tjj|Sq(WdS(NtPATHRO( RtgetenvRHRIRR\RJR'R(Rt search_pathtpathsRtjoined((s jk_lib.pytfind_file_in_pathEs cCs]g}xP|D]H}|ddkr3|j|q t|}|r |j|q q W|S(NiR&(RR(Rtpaths2Rhttmp2((s jk_lib.pytfind_files_in_pathNs  ()tos.pathRRHR RRRRBRRRR,R/R7RNRSRURYRiRmRxRyRRR[RR4RRRRRRRRRRRRRR(((s jk_lib.pyt sN            & &    A  <  (!!c     S