Initial jailkit playbook

329c3ca2 · jurgenhaas · 329c3ca2 · 329c3ca2 · 329c3ca2 · 329c3ca2
Commit 329c3ca2 authored 9 years ago by jurgenhaas
--- a/defaults/main.yml
+++ b/defaults/main.yml
+jailroot: /jails
+jailusers: []
--- a/tasks/initjail.yml
+++ b/tasks/initjail.yml
+---
+# file: roles/jailkit/tasks/initjail.yml
+
+- name: "Create Jail Directory"
+  file:
+    path='{{ jailroot }}/{{ item.jail.name }}'
+    state='directory'
+    owner='root'
+    group='root'
+    mode='755'
+  register: jail_available
+
+- name: "Init Jail"
+  shell: jk_init -j {{ jailroot }}/{{ item.jail.name }} -k extendedshell git jk_lsh rsync scp sftp ssh xterm
+  when: jail_available|changed
+
+- name: "Copy Tools"
+  shell: jk_cp -j {{ jailroot }}/{{ item.jail.name }} -k /bin/bash /usr/bin/groups /etc/group /usr/bin/tput
+  when: jail_available|changed
+
+- name: "Create Apache User"
+  user:
+    name='{{ item.jail.name }}'
+    shell='/bin/false'
+    group='{{ item.jail.name }}'
+    groups='www-data'
+  when: jail_available|changed
+
+- name: "Apply Apache User to Jail"
+  shell: jk_jailuser -m -j {{ jailroot }}/{{ item.jail.name }} {{ item.jail.name }}
+  when: jail_available|changed
--- a/tasks/initjailusers.yml
+++ b/tasks/initjailusers.yml
+---
+# file: roles/jailkit/tasks/initjailusers.yml
+
+- name: "Create user"
+  user:
+    name='{{ item }}'
+    shell='/bin/bash'
+
+- name: "Get User ID"
+  shell: id -u {{ item }}
+  register: userid
+
+- set_fact: outer_loop="{{ item }}"
+
+- name: "Add User To Jail /etc/passwd"
+  lineinfile:
+    dest='{{ jailroot }}/{{ item.jail.name }}/etc/passwd'
+    state=present
+    regexp='^{{ outer_loop }}:'
+    line='{{ outer_loop }}:x:{{ userid.stdout }}:0::/home/{{ outer_loop }}:/bin/bash'
+  with_items: drupal_settings
+  when: item.jail is defined
--- a/tasks/install.yml
+++ b/tasks/install.yml
+---
+# file: roles/jailkit/tasks/install.yml
+
+- name: "Make sure an empty directory /tmp/jailkit exists"
+  file:
+    path='/tmp/jailkit'
+    state='{{ item }}'
+  with_items:
+    - absent
+    - directory
+
+- name: "Download JailKit sources"
+  unarchive:
+    src='http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz'
+    dest='/tmp/jailkit'
+    copy=no
+
+- name: "Compile JailKit"
+  shell: "{{ item }} chdir=/tmp/jailkit/jailkit-2.17"
+  with_items:
+    - ./configure
+    - make
+    - make install
--- a/tasks/main.yml
+++ b/tasks/main.yml
+# See http://olivier.sessink.nl/jailkit
+
+---
+# file: roles/jailkit/tasks/main.yml
+
+- name: "Check JailKit Requirement"
+  shell: ls /usr/sbin/jk_init
+  register: jailkit_available
+  failed_when: false
+
+- include: install.yml
+  when: jailkit_available is defined and jailkit_available.stdout != '/usr/sbin/jk_init'
+
+- name: "Create Jail Root Directory"
+  file:
+    path='{{ jailroot }}'
+    state='directory'
+    owner='root'
+    group='root'
+    mode='755'
+
+- include: initjail.yml
+  with_items: drupal_settings
+  when: item.jail is defined
+
+- include: initjailusers.yml
+  with_items: jailusers
+
+- name: "Assign Jails To Users"
+  template:
+    src='jk_uchroot.ini'
+    dest='/etc/jailkit/jk_uchroot.ini'
+    owner=root
+    group=root
+    mode='644'
+
+- name: "Update Config"
+  template:
+    src='jk_update.ini'
+    dest='/etc/jailkit/jk_update.ini'
+    owner=root
+    group=root
+    mode='644'
+
+- name: "Socket Config"
+  template:
+    src='jk_socketd.ini'
+    dest='/etc/jailkit/jk_socketd.ini'
+    owner=root
+    group=root
+    mode='644'
+
+- name: "Update Jails"
+  shell: jk_update -j {{ jailroot }}/{{ item.jail.name }} -k
+  with_items: drupal_settings
+  when: item.jail is defined
--- a/templates/jk_check.ini
+++ b/templates/jk_check.ini
+[/home/testchroot]
+# jk_check does not run any tests in this directory (useful for proc filesystem)
+# be careful!! there is I repeat NO SINGLE TEST in this directory
+#ignorepatheverywhere = 
+
+# jk_check compares files if they are equal to their counterparts in the real system,
+# using md5sum(). In the specified directories it will not test if files are equal
+# it will still test for world writable directories and setuid files
+ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc
+
+# jk_check tests directory permissions, if you deliberately made some directories writable
+# for group or others, or you don't care, specify them here
+ignorewritableforgroup = /home/testchroot/home
+ignorewritableforothers = /home/testchroot/home/tmp
+
+# jk_check tests for setuid root and setgid root files
+# if you deliberately have such files specify them here
+ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
+ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
+ignoresetuidexecuteforothers = 
+
--- a/templates/jk_chrootsh.ini
+++ b/templates/jk_chrootsh.ini
+## example for a user
+#[test]
+#env= DISPLAY, XAUTHORITY
+#
+##example for a group, there should be only 1 space inbetween the words!
+#[group users]
+#env = DISPLAY, XAUTHORITY
+#
\ No newline at end of file
--- a/templates/jk_init.ini
+++ b/templates/jk_init.ini
+[uidbasics]
+# this section probably needs adjustment on 64bit systems
+# or non-Linux systems
+comment = common files for all jails that need user/group information
+paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/x86_64-linux-gnu/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf
+
+[netbasics]
+comment = common files for all jails that need any internet connectivity
+paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
+
+[logbasics]
+comment = timezone information and log sockets
+paths = /etc/localtime
+need_logsocket = 1
+
+[jk_lsh]
+comment = Jailkit limited shell
+paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
+users = root
+groups = root
+includesections = uidbasics, logbasics
+
+[limitedshell]
+comment = alias for jk_lsh
+includesections = jk_lsh
+
+[cvs]
+comment = Concurrent Versions System
+paths = cvs
+devices = /dev/null
+
+[git]
+comment = Fast Version Control System
+paths = /usr/bin/git*, /usr/lib/git-core, /usr/bin/basename, /bin/uname
+includesections = editors, perl
+
+[scp]
+comment = ssh secure copy
+paths = scp
+includesections = netbasics, uidbasics
+devices = /dev/urandom
+
+[sftp]
+comment = ssh secure ftp
+paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server
+includesections = netbasics, uidbasics
+devices = /dev/urandom, /dev/null
+
+[ssh]
+comment = ssh secure shell
+paths = ssh
+includesections = netbasics, uidbasics
+devices = /dev/urandom, /dev/tty, /dev/null
+
+[rsync]
+paths = rsync
+includesections = netbasics, uidbasics
+
+[procmail]
+comment = procmail mail delivery
+paths = procmail, /bin/sh
+devices = /dev/null
+
+[basicshell]
+comment = bash based shell with several basic utilities
+paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8
+users = root
+groups = root
+includesections = uidbasics
+
+[midnightcommander]
+comment = Midnight Commander
+paths = mc, mcedit, mcview, /usr/share/mc
+includesections = basicshell, terminfo
+
+[extendedshell]
+comment = bash shell including things like awk, bzip, tail, less
+paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, less, md5sum, nice, sort, tac, tail, tr, sort, wc, watch, whoami
+includesections = basicshell, midnightcommander, editors
+
+[terminfo]
+comment = terminfo databases, required for example for ncurses or vim
+paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo
+
+[editors]
+comment = vim, joe and nano
+includesections = terminfo
+paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim
+
+[netutils]
+comment = several internet utilities like wget, ftp, rsync, scp, ssh
+paths = wget, lynx, ftp, host, rsync, smbclient
+includesections = netbasics, ssh, sftp, scp
+
+[apacheutils]
+comment = htpasswd utility
+paths = htpasswd
+
+[extshellplusnet]
+comment = alias for extendedshell + netutils + apacheutils
+includesections = extendedshell, netutils, apacheutils
+
+[openvpn]
+comment = jail for the openvpn daemon
+paths = /usr/sbin/openvpn
+users = root,nobody
+groups = root,nogroup
+devices = /dev/urandom, /dev/random, /dev/net/tun
+includesections = netbasics, uidbasics
+need_logsocket = 1
+
+[apache]
+comment = the apache webserver, very basic setup, probably too limited for you
+paths = /usr/sbin/apache
+users = root, www-data
+groups = root, www-data
+includesections = netbasics, uidbasics
+
+[perl]
+comment = the perl interpreter and libraries
+paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
+
+[xauth]
+comment = getting X authentication to work
+paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
+
+[xclients]
+comment = minimal files for X clients
+paths = /usr/X11R6/lib/X11/rgb.txt
+includesections = xauth
+
+[vncserver]
+comment = the VNC server program
+paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
+includesections = xclients
+
+[ping]
+comment = Ping program
+paths_w_setuid = /bin/ping
+
+[xterm]
+comment = xterm
+paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
+devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
--- a/templates/jk_lsh.ini
+++ b/templates/jk_lsh.ini
+## example for a user
+#[test]
+#paths= /usr/lib/
+#executables= /usr/lib/sftp-server
+#allow_word_expansion = 0
+#umask = 002
+#
+##example for a group, there should be only 1 space inbetween the words!
+#[group users]
+#paths = /usr/bin
+#executables = /usr/bin/cvs
+#allow_word_expansion = 0
+#environment= HELIX_PATH=/opt/RealPlayer/, TMP=/tmp/
--- a/templates/jk_socketd.ini
+++ b/templates/jk_socketd.ini
+{% for item in drupal_settings %}
+{% if item.jail is defined %}
+[{{ jailroot }}/{{ item.jail.name }}/dev/log]
+base=512
+peak=2048
+interval=10
+
+{% endif %}
+{% endfor %}
--- a/templates/jk_uchroot.ini
+++ b/templates/jk_uchroot.ini
+{% for user in jailusers %}
+[{{ user }}]
+allowed_jails ={% for item in drupal_settings %}{% if item.jail is defined and user in item.jail.users %} , {{ jailroot }}/{{ item.jail.name }}{% endif %}{% endfor %}
+
+skip_injail_passwd_check = 1
+
+{% endfor %}
--- a/templates/jk_update.ini
+++ b/templates/jk_update.ini
+{% for item in drupal_settings %}
+{% if item.jail is defined %}
+[{{ jailroot }}/{{ item.jail.name }}]
+skips =
+hardlinks = 1
+directories =
+
+{% endif %}
+{% endfor %}