Bug 967782
Summary: | Review Request: jailkit - A set of utilities to limit Chroot |
---|---|
Product: | [Fedora] Fedora |
Component: | Package Review |
Version: | rawhide |
Hardware: | All |
OS: | Linux |
Status: | CLOSED WONTFIX |
Severity: | medium |
Priority: | medium |
Reporter: | Christopher Meng <i> |
Assignee: | Nobody's working on this, feel free to take it <nobody> |
QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
CC: | besser82, dignan.patrick, i, package-review, swelljoe |
Flags: | besser82: fedora-review- |
Doc Type: | Bug Fix |
Last Closed: | 2017-04-10 11:25:42 UTC |
Description
Christopher Meng
2013-05-28 10:36:35 UTC
*** Bug 479546 has been marked as a duplicate of this bug. ***

Created attachment 754886
Makefile shouldn't modify %{_sysconfdir}/shells

A quick view over the spec-file reveals:
* Since this is a daemon, spec-file should enable hardened build:
    %global _hardened_build 1
* There's no need for Requires: python, rpmbuild will pick this up
  automatically.
* BuildRequires: autoconf, automake but no autoreconf -vfi during %prep.
* Makefile alters /etc/shells during build
    use attached patch
* %post should add `jk_chrootsh` to /etc/shells, using this scriptlet:
    if [ -w %{_sysconfdir}/shells ] && \
       [ "`grep %{_sbindir}/jk_chrootsh %{_sysconfdir}/shells`" = "" ]
    then
      echo "%{_sbindir}/jk_chrootsh" >> %{_sysconfdir}/shells
    fi
* %postun should remove `jk_chrootsh` from /etc/shells, using sed:
    sed -i -e "/jk_chrootsh/d" %{_sysconfdir}/shells
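
An added example (not part of the review comment or of the jailkit package) of the /etc/shells handling discussed above, written as shell functions so it can be exercised against a scratch file. It goes beyond the scriptlets in the comment by matching the exact line and by removing the entry only on final erase; `SHELLS_FILE`, `JK_SHELL`, `add_shell` and `remove_shell` are names assumed for this sketch.

```shell
#!/bin/sh
# Added example: idempotent /etc/shells maintenance for RPM scriptlets.
# SHELLS_FILE and JK_SHELL are assumptions; in a spec file they would be
# %{_sysconfdir}/shells and %{_sbindir}/jk_chrootsh.
SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"
JK_SHELL="${JK_SHELL:-/usr/sbin/jk_chrootsh}"

# %post body: append the shell only when no line matches it exactly.
add_shell() {
    [ -w "$SHELLS_FILE" ] || return 0
    # -x: whole-line match, -F: fixed string (no regex), -q: quiet
    if ! grep -qxF "$JK_SHELL" "$SHELLS_FILE"; then
        printf '%s\n' "$JK_SHELL" >> "$SHELLS_FILE"
    fi
}

# %postun body: RPM passes in $1 the number of instances of the package
# left after the transaction (0 = erase, 1 = upgrade). Removing the entry
# during an upgrade would undo what the new package's %post just added.
remove_shell() {
    remaining="$1"
    [ "$remaining" -eq 0 ] || return 0
    [ -w "$SHELLS_FILE" ] || return 0
    tmp="$(mktemp "${SHELLS_FILE}.XXXXXX")" || return 1
    # grep -v exits 1 when nothing is left to print; only >1 is an error.
    grep -vxF "$JK_SHELL" "$SHELLS_FILE" > "$tmp" || [ $? -eq 1 ] || {
        rm -f "$tmp"
        return 1
    }
    # Write back in place so owner, mode and SELinux label are kept.
    cat "$tmp" > "$SHELLS_FILE"
    rm -f "$tmp"
}
```

In a spec file, `%post` would call the body of `add_shell` and `%postun` the body of `remove_shell` with RPM's own `$1`.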

Created attachment 754887
fix rpmlint: manual-page-warning

A quick rpmlint reveals (false-positives snipped):
Rpmlint
-------
Checking: jailkit-2.16-1.fc20.x86_64.rpm
jailkit.x86_64: E: summary-too-long Utilities to limit user accounts to specific files using chroot() or specific commands
jailkit.x86_64: W: spelling-error %description -l en_US organisations -> organizations, organization, instigation
jailkit.x86_64: W: non-standard-group Productivity/Security
jailkit.x86_64: E: missing-call-to-setgroups /usr/bin/jk_uchroot
jailkit.x86_64: E: missing-call-to-setgroups /usr/sbin/jk_chrootlaunch
jailkit.x86_64: E: missing-call-to-setgroups /usr/sbin/jk_socketd
jailkit.x86_64: E: setuid-binary /usr/sbin/jk_chrootsh root 04755L
jailkit.x86_64: E: non-standard-executable-perm /usr/sbin/jk_chrootsh 04755L
jailkit.x86_64: E: setuid-binary /usr/bin/jk_uchroot root 04755L
jailkit.x86_64: E: non-standard-executable-perm /usr/bin/jk_uchroot 04755L
jailkit.x86_64: W: manual-page-warning /usr/share/man/man8/jailkit.8.gz 73: warning: macro `Use' not defined
1 packages and 0 specfiles checked; 8 errors, 8 warnings.
Suggested fixes:
* manual-page-warning
    see attached patch
* spelling-error
    sed -e "s/organisations/organizations/g"
* non-standard-group
    Group: Applications/System
* summary-too-long
    Summary: Chroot jail utilities

Please fix and I'll take another shot. In the meantime I'll investigate how to fix the other rpmlint-issues.

Just a fixed typo (forgot the brackets):
* summary-too-long
    Summary: Chroot() jail utilities

If you want to package for EPEL, too. Make sure to provide SysVInit-stuff and proper conditionals.
see:
https://fedoraproject.org/wiki/EPEL:Packaging
https://fedoraproject.org/wiki/EPEL:Packaging_Autoprovides_and_Requires_Filtering

A suitable sysvinit-script should is provided in src-tarball; just have a look inside its subdirs...

NEW SPEC URL: http://cicku.me/jailkit.spec
NEW SRPM URL: http://cicku.me/jailkit-2.16-2.fc20.src.rpm

Both links give me 404...

NEW SPEC URL: http://cicku.me/jailkit.spec
NEW SRPM URL: http://cicku.me/jailkit-2.16-2.fc21.src.rpm

Is this still being worked on by anyone? None of the links for the most recent packages under review work, and I'd like to poke at it.

I've made a stab at packaging this, starting from the package found in the Lux repo (which was itself based on an old Dag Wieers package), since the packages referenced in this ticket are no longer accessible.

I made the changes suggested in this ticket, as best I could figure out, and added setcap on jk_chrootsh (using the %caps macro) so that it actually works. It passes rpmlint without errors/warnings, but I have no idea if it is correct for Fedora or EPEL. But, since there's not currently a functional package for CentOS or Fedora that I could find, I figured someone in the future might find a working package useful.

I haven't yet done any testing beyond a basic chroot shell, but that functionality works without any modifications, just following the instructions on the Jailkit site.

http://software.virtualmin.com/bleed/centos/7/SRPMS/jailkit-2.19-1.el7.centos.vm.3.src.rpm