Bug 967782

Summary: Review Request: jailkit - A set of utilities to limit Chroot
Product: [Fedora] Fedora Reporter: Christopher Meng <i>
Component: Package ReviewAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: besser82, dignan.patrick, i, package-review, swelljoe
Target Milestone: ---Flags: besser82: fedora-review-
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-10 11:25:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Makefile shouldn't modify %{_sysconfdir}/shells
none
fix rpmlint: manual-page-warning none

Description Christopher Meng 2013-05-28 10:36:35 UTC
Spec URL: http://cicku.me/jailkit.spec
SRPM URL: http://cicku.me/jailkit-2.16-1.fc20.src.rpm  
Description:
Jailkit is a set of utilities to limit user accounts to specific files using
chroot() and or specific commands. Setting up a chroot shell, a shell limited
to some specific command, or a daemon inside a chroot jail is a lot easier and
can be automated using these utilities.

Jailkit is used in network security appliances from several well known
manufacturers, internet servers from several large enterprise organisations,
servers from internet service providers, as well as many smaller companies and
private users that need to secure cvs, sftp, shell or daemon processes.

Fedora Account System Username: cicku

Comment 1 Björn 'besser82' Esser 2013-05-30 09:57:15 UTC
*** Bug 479546 has been marked as a duplicate of this bug. ***

Comment 2 Björn 'besser82' Esser 2013-05-30 14:27:38 UTC
Created attachment 754886 [details]
Makefile shouldn't modify %{_sysconfdir}/shells

A quick view over the spec-file reveales:

  * Since this is a daemon, spec-file should enable hardened build:
      %global _hardened_build 1

  * There's no need for Requires: python, rpmbuild will pick this up
    automaticly.

  * BuildRequires: autoconf, automake but no autoreconf -vfi during %prep.

  * Makefile alters /etc/shells during build
      use attached patch

  * %post should add `jk_chrootsh` to /etc/shells, using this scriptlet:
      if [ -w %{_sysconfdir}/shells ] && \
         [ "`grep %{_sbindir}/jk_chrootsh %{_sysconfdir}/shells`" == "" ]
      then
        echo "%{_sbindir}/jk_chrootsh" >> %{_sysconfdir}/shells
      fi

  * %postun should remove `jk_chrootsh` from /etc/shells, using sed:
      sed -i -e "/jk_chrootsh/d" %{_sysconfdir}/shells

Comment 3 Björn 'besser82' Esser 2013-05-30 14:29:10 UTC
Created attachment 754887 [details]
fix rpmlint: manual-page-warning

A quick rpmlint reveales (false-positives snipped):

Rpmlint
-------
Checking: jailkit-2.16-1.fc20.x86_64.rpm
jailkit.x86_64: E: summary-too-long Utilities to limit user accounts to specific files using chroot() or specific commands
jailkit.x86_64: W: spelling-error %description -l en_US organisations -> organizations, organization, instigation
jailkit.x86_64: W: non-standard-group Productivity/Security
jailkit.x86_64: E: missing-call-to-setgroups /usr/bin/jk_uchroot
jailkit.x86_64: E: missing-call-to-setgroups /usr/sbin/jk_chrootlaunch
jailkit.x86_64: E: missing-call-to-setgroups /usr/sbin/jk_socketd
jailkit.x86_64: E: setuid-binary /usr/sbin/jk_chrootsh root 04755L
jailkit.x86_64: E: non-standard-executable-perm /usr/sbin/jk_chrootsh 04755L
jailkit.x86_64: E: setuid-binary /usr/bin/jk_uchroot root 04755L
jailkit.x86_64: E: non-standard-executable-perm /usr/bin/jk_uchroot 04755L
jailkit.x86_64: W: manual-page-warning /usr/share/man/man8/jailkit.8.gz 73: warning: macro `Use' not defined
1 packages and 0 specfiles checked; 8 errors, 8 warnings.

Suggested fixes:

  * manual-page-warning
      see attached patch

  * spelling-error
      sed -e "s/organisations/organizations/g"

  * non-standard-group
      Group:	Applications/System

  * summary-too-long
      Summary:	Chroot jail utilities

Please fix and I'll take another shot. In the mean time I'll investigate how to fix the other rpmlint-issues.

Comment 4 Björn 'besser82' Esser 2013-05-30 14:31:35 UTC
Just a fixed typo (forgot the brackets):

* summary-too-long
      Summary:	Chroot() jail utilities

Comment 5 Björn 'besser82' Esser 2013-05-31 05:20:19 UTC
If you want to package for EPEL, too. Make sure to provide SysVInit-stuff and proper conditionals.

see: https://fedoraproject.org/wiki/EPEL:Packaging
     https://fedoraproject.org/wiki/EPEL:Packaging_Autoprovides_and_Requires_Filtering

A suitable sysvinit-script should is provided in src-tarball; just have a look inside it's subdirs...

Comment 6 Christopher Meng 2013-06-10 15:41:06 UTC
NEW SPEC URL: http://cicku.me/jailkit.spec
NEW SRPM URL: http://cicku.me/jailkit-2.16-2.fc20.src.rpm

Comment 7 Björn 'besser82' Esser 2013-10-19 13:43:01 UTC
Both links give me 404...

Comment 8 Christopher Meng 2013-11-10 04:30:40 UTC
NEW SPEC URL: http://cicku.me/jailkit.spec
NEW SRPM URL: http://cicku.me/jailkit-2.16-2.fc21.src.rpm

Comment 9 Joe Cooper 2016-12-05 09:49:10 UTC
Is this still being worked on by anyone? None of the links for the most recent packages under review work, and I'd like to poke at it.

Comment 10 Joe Cooper 2016-12-06 12:12:37 UTC
I've made a stab at packaging this, starting from the package found in the Lux repo (which was itself based on an old Dag Wieers package), since the packages referenced in this ticket are no longer accessible.

I made the changes suggested in this ticket, as best I could figure out, and added setcap on jk_chrootsh (using the %caps macro) so that it actually works. It passes rpmlint without errors/warnings, but I have no idea if it is correct for Fedora or EPEL. But, since there's not currently a functional package for CentOS or Fedora that I could find, I figured someone in the future might find a working package useful. I haven't yet done any testing beyond a basic chroot shell, but that functionality works without any modifications, just following the instructions on the Jailkit site.

http://software.virtualmin.com/bleed/centos/7/SRPMS/jailkit-2.19-1.el7.centos.vm.3.src.rpm