Bug 479546 (jailkit)

Summary: Review Request: jailkit - Jailkit limits user accounts to specific files and/or commands
Product: [Fedora] Fedora
Reporter: Patrick Dignan <dignan.patrick>
Component: Package Review
Assignee: Mamoru TASAKA <mtasaka>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: besser82, dale, dignan.patrick, fedora-package-review, mtasaka, notting
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-21 14:35:55 UTC

Description Patrick Dignan 2009-01-11 04:03:54 UTC
Spec URL: http://users.wpi.edu/~dignan/jailkit.spec
SRPM URL: http://users.wpi.edu/~dignan/jailkit-2.5-1.fc10.src.rpm
Jailkit is a set of utilities to limit user accounts to specific files using 
chroot() and/or specific commands. Setting up a chroot shell, a shell limited 
to some specific command, or a daemon inside a chroot jail is a lot easier and 
can be automated using these utilities.

Jailkit is used in network security appliances from several well known 
manufacturers, internet servers from several large enterprise organisations, 
servers from internet service providers, as well as many smaller companies and 
private users that need to secure cvs, sftp, shell or daemon processes.

Builds in Koji in F8, F9, F10, and F11.
rpmlint output:
[dignan@localhost rpmbuild]$ rpmlint RPMS/i386/jailkit-2.5-1.fc10.i386.rpm 
jailkit.i386: E: setuid-binary /usr/sbin/jk_chrootsh root 04755
jailkit.i386: E: non-standard-executable-perm /usr/sbin/jk_chrootsh 04755
jailkit.i386: E: setuid-binary /usr/bin/jk_uchroot root 04755
jailkit.i386: E: non-standard-executable-perm /usr/bin/jk_uchroot 04755
jailkit.i386: E: setuid-binary /usr/sbin/jk_procmailwrapper root 04755
jailkit.i386: E: non-standard-executable-perm /usr/sbin/jk_procmailwrapper 04755
1 packages and 0 specfiles checked; 6 errors, 0 warnings.
[dignan@localhost rpmbuild]$ rpmlint RPMS/i386/jailkit-debuginfo-2.5-1.fc10.i386.rpm 
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
[dignan@localhost rpmbuild]$ rpmlint SRPMS/jailkit-2.5-1.fc10.src.rpm 
1 packages and 0 specfiles checked; 0 errors, 0 warnings.

The program requires that those binaries have the setuid bit set.  Since the program deals with chroot that makes sense to me.

I am looking for a sponsor.

Comment 1 Mamoru TASAKA 2009-01-14 17:16:33 UTC
Well, some notes:

* License
  - The License tag should be "LGPLv2+".

* BuildRequires
  - Would you check if "automake, autoconf" is needed for

* optflags
  - Would you check if 'CC="gcc %{optflags}"' is really

* Documents
  - The file "INSTALL.txt" is usually for people who
    compile and install the software themselves and
    not for people using the rpm binary.

  - Files under %_mandir are automatically regarded as

Well, as this package deals with security issues, I will
anyway wait for one week or so before I approve this package
to see if anyone who knows how to deal with security software
will post some comments on this bug.

Comment 2 Mamoru TASAKA 2009-01-14 17:32:35 UTC

Comment 3 Patrick Dignan 2009-01-15 04:24:02 UTC
Alright, made the modifications you requested and uploaded an updated version

Spec file: http://users.wpi.edu/~dignan/jailkit.spec
Source RPM: http://users.wpi.edu/~dignan/jailkit-2.5-2.fc10.src.rpm

As usual, I have moved the older versions into an archive; they can be found here:

Spec File: http://users.wpi.edu/~dignan/archive/jailkit/2.5-1/jailkit.spec
Source RPM: http://users.wpi.edu/~dignan/archive/jailkit/2.5-1/jailkit-2.5-1.fc10.src.rpm

Turns out, neither autoconf nor automake were needed.  The same goes for optflags, since it was built using autotools.  I removed INSTALL.txt from the docs and I took the %doc tag off the %_mandir files.

Thank you for all the help!

Comment 4 Dale Bewley 2009-01-15 04:25:45 UTC
I should have checked here first. I spent a good part of the afternoon creating a rpm for this package. I didn't finish it or test it yet, but I'll go ahead and post mine so you can see if it is of use to you. 

* http://bewley.net/linux/rpms/jailkit/

It is a bit different. It includes an init script for jk_socketd and adds jk_chrootsh to /etc/shells. Also automake and autoconf are not required.

Comment 5 Dale Bewley 2009-01-15 21:38:46 UTC
I fixed a couple bugs. The /etc/shells is now handled properly, and I've added a patch to jk_init.ini. Scp needs /dev/null, but that was missing. That should be reported upstream. I don't have a bug account with them yet.

* http://bewley.net/linux/rpms/jailkit/jailkit.spec

Comment 6 Patrick Dignan 2009-01-15 22:16:30 UTC
I'll do what I can to merge the two spec files and add your patches.  Perhaps it would be best that we co-maintain this package?

Comment 7 Dale Bewley 2009-01-16 00:06:39 UTC
I didn't mean to hijack anything, but I've been needing to finish this RPM ASAP for myself anyway and wanted to contribute what I had.

I'd be happy to co-maintain, but this would be my first package submission and I haven't gone through all the motions to get into koji and cvs etc.

Comment 8 Patrick Dignan 2009-01-16 04:07:33 UTC
I'm not sure how that works, I'll ask around, in the meantime I'll work on getting it Fedora-ready.

Comment 9 Mamoru TASAKA 2009-01-16 17:04:01 UTC
(As I said in my comment 1, anyway I will postpone approving
 this package until Jan 21 to see if someone knowing security issues
 well may post some comments on this bug)

Comment 10 Mamoru TASAKA 2009-01-25 08:13:00 UTC
Okay, as no one else seems to write security related advice
on this bug, I will restart to review this bug.

To Patrick: Would you check the spec file by Dale and
merge it (if you want), and re-upload your srpm/spec?

Comment 11 Patrick Dignan 2009-01-25 09:36:08 UTC
Alright, I've looked at his spec file and patches, and mostly the changes look good to me.  One thing I'm going to try is using sed instead of this code:

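# Runs only on final removal of the package ($1 = 0), not on upgrade.
if [ "$1" = 0 ] ; then
    if [ -f %{_sysconfdir}/shells ] ; then
        TmpFile=`/bin/mktemp %{_tmppath}/.jk_chrootshrpmXXXXXX`
        # Copy every line except the jk_chrootsh entry, then write the result back.
        grep -v '^%{_sbindir}/jk_chrootsh$' %{_sysconfdir}/shells > $TmpFile
        cp -f $TmpFile %{_sysconfdir}/shells
        rm -f $TmpFile
    fi
fi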

I'll test something like

sed 's:^%{_sbindir}/jk_chrootsh$::g' %{_sysconfdir}/shells

but I'm not sure if that would make sed a BuildReq, if so I'd just stick with Dale's implementation.  

Other than the %preun %post %postun and the accompanying patches, his spec is pretty much the same as mine (or at least provides the same functions).  So I'll add those things to mine and test it tomorrow hopefully.
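
The /etc/shells handling discussed in comments 4, 5 and 11, as an added example that is not taken from either submitter's spec file: an idempotent add for %post and an exact-match removal for %postun, next to the sed substitution form for comparison. The function names and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Function names are illustrative; in a spec file the two
# paths would come from %{_sysconfdir}/shells and %{_sbindir}/jk_chrootsh.

# add_shell FILE SHELL: append SHELL unless a line already equals it exactly.
add_shell() {
    file=$1; shell=$2
    [ -f "$file" ] || return 0
    grep -Fxq -- "$shell" "$file" || printf '%s\n' "$shell" >> "$file"
}

# remove_shell FILE SHELL: drop lines equal to SHELL, keep everything else.
remove_shell() {
    file=$1; shell=$2
    [ -f "$file" ] || return 0
    tmp=$(mktemp "${TMPDIR:-/tmp}/shells.XXXXXX") || return 1
    # grep -v exits 1 when no line is left to print; only >1 is a real error.
    grep -Fxv -- "$shell" "$file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    # Write back through the existing inode so owner, mode and SELinux label are kept.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# substitute_form FILE SHELL: the sed substitution from comment 11, for
# comparison. It only prints (FILE is unchanged) and leaves an empty line.
substitute_form() {
    sed "s:^$2\$::g" "$1"
}

demo() {
    f=$(mktemp) || return 1
    # Constructed sample: two stock shells plus a look-alike entry.
    printf '%s\n' /bin/sh /bin/bash /usr/sbin/jk_chrootsh_old > "$f"
    add_shell "$f" /usr/sbin/jk_chrootsh
    add_shell "$f" /usr/sbin/jk_chrootsh       # repeated %post: no duplicate
    remove_shell "$f" /usr/sbin/jk_chrootsh    # look-alike entry survives
    cat "$f"
    rm -f "$f"
}
demo
```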

Comment 12 Patrick Dignan 2009-01-26 06:42:36 UTC
I've made these modifications and just want to do a run through before I upload the changes again.

Comment 13 Mamoru TASAKA 2009-02-06 15:23:20 UTC

Comment 14 Patrick Dignan 2009-02-06 15:47:12 UTC
Sorry, I've been very busy with school work and applying for internships.  I also need to see what should be done about the config files.  The default config file requires a number of programs, and uses absolute paths to them, so I'm going through and seeing which are common programs, and using sed to replace the paths with whatever %bindir (for example) is.

Comment 15 Mamoru TASAKA 2009-03-01 16:01:45 UTC
ping again?

Comment 16 Patrick Dignan 2009-03-01 18:35:43 UTC
Sorry, finishing up classes here, I'm going to be on break after this week, so I expect to have this finished during my time off.

Do you have any comments on what I should do about the config files as described in my comment above?

Comment 17 Dale Bewley 2009-03-01 22:13:31 UTC
I think checking the hardcoded paths in the configs is a good idea. I found 78 executables in jk_init.ini and did a quick check on one system. I didn't have all those packages installed, but most paths seem right. I know at least a couple are wrong, vi, nice, xauth...

# for f in `grep bin jk_init.ini |sed -e 's/^executables = //' -e 's/,/\n/g' -e 's/ //g' -e 's/^#.*//'|sort -u `; do ls $f; done|grep 'No such'
ls: cannot access /bin/uncompress: No such file or directory
ls: cannot access /usb/bin/joe: No such file or directory
ls: cannot access /usb/bin/whoami: No such file or directory
ls: cannot access /usr/bin/lynx: No such file or directory
ls: cannot access /usr/bin/mc: No such file or directory
ls: cannot access /usr/bin/mcedit: No such file or directory
ls: cannot access /usr/bin/mcview: No such file or directory
ls: cannot access /usr/bin/nice: No such file or directory
ls: cannot access /usr/bin/sort: No such file or directory
ls: cannot access /usr/bin/vi: No such file or directory
ls: cannot access /usr/bin/X11/xauth: No such file or directory
ls: cannot access /usr/bin/Xrealvnc: No such file or directory
ls: cannot access /usr/sbin/apache: No such file or directory
ls: cannot access /usr/sbin/jk_lsh: No such file or directory

If you put your latest changes online, I can probably find the time to finish it up pretty soon if you like.

Comment 18 Patrick Dignan 2009-03-02 03:22:27 UTC

Here's the latest specfile, hopefully you can have some luck with it, I'm not sure yet whether we should require all the packages listed in the default config or what, but I definitely think we should use sed to replace the binary locations.

Comment 19 Mamoru TASAKA 2009-03-04 18:01:18 UTC
Please provide the whole srpm. I cannot find any of the patches
mentioned in the spec file anywhere.

Some notes:

* Initscripts convention
  - Please use %_initrddir instead of %_sysconfdir/init.d

  - Please add Requires(post) or so:

  - Please consider doing "condrestart" at %postun

* %changelog
  - I suggest putting one line between each %changelog entry, like:
* Sat Jan 25 2009 Patrick Dignan <dignan.patrick at, gmail.com> 2.5-3
- Added 3 patches from Dale Bewley and changed that postun to use sed

* Sat Jan 10 2009 Patrick Dignan <dignan.patrick at, gmail.com> 2.5-2
- Removed INSTALL.txt
- Fixed the doc files
- Removed explicit call to enable Fedora specific compiler options

* Sat Jan 10 2009 Patrick Dignan <dignan.patrick at, gmail.com> 2.5-1
- Initial Fedora build
    This is useful when using the Fedora CVS system.

Comment 20 Mamoru TASAKA 2009-03-26 14:25:42 UTC

Comment 21 Patrick Dignan 2009-03-27 01:45:27 UTC

I thought Dale wanted to pick up the packaging for this?  If not I'll try to finish it up soon!

Comment 22 Mamoru TASAKA 2009-04-04 16:35:37 UTC
Patrick, for now would you try to finish this review request
(i.e. upload the new srpm)?

Comment 23 Mamoru TASAKA 2009-04-18 16:00:43 UTC

Comment 24 Mamoru TASAKA 2009-04-30 16:41:41 UTC
ping again?

Comment 25 Mamoru TASAKA 2009-05-09 16:41:29 UTC
I will close this bug as NOTABUG if no response is received
from anyone within one week.

Comment 26 Mamoru TASAKA 2009-05-21 14:35:55 UTC
Once closing.

If someone wants to import this package into Fedora, please
file a new review request and mark this as a duplicate of
the new one, thank you.

Comment 27 Björn 'besser82' Esser 2013-05-30 09:57:15 UTC

*** This bug has been marked as a duplicate of bug 967782 ***