Spec URL: http://users.wpi.edu/~dignan/jailkit.spec SRPM URL: http://users.wpi.edu/~dignan/jailkit-2.5-1.fc10.src.rpm Description: Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities. Jailkit is used in network security appliances from several well known manufacturers, internet servers from several large enterprise organisations, servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes. Builds in Koji in F8, F9, F10, and F11. rpmlint output: [dignan@localhost rpmbuild]$ rpmlint RPMS/i386/jailkit-2.5-1.fc10.i386.rpm jailkit.i386: E: setuid-binary /usr/sbin/jk_chrootsh root 04755 jailkit.i386: E: non-standard-executable-perm /usr/sbin/jk_chrootsh 04755 jailkit.i386: E: setuid-binary /usr/bin/jk_uchroot root 04755 jailkit.i386: E: non-standard-executable-perm /usr/bin/jk_uchroot 04755 jailkit.i386: E: setuid-binary /usr/sbin/jk_procmailwrapper root 04755 jailkit.i386: E: non-standard-executable-perm /usr/sbin/jk_procmailwrapper 04755 1 packages and 0 specfiles checked; 6 errors, 0 warnings. [dignan@localhost rpmbuild]$ rpmlint RPMS/i386/jailkit-debuginfo-2.5-1.fc10.i386.rpm 1 packages and 0 specfiles checked; 0 errors, 0 warnings. [dignan@localhost rpmbuild]$ rpmlint SRPMS/jailkit-2.5-1.fc10.src.rpm 1 packages and 0 specfiles checked; 0 errors, 0 warnings. The program requires that those binaries have the setuid bit set. Since the program deals with chroot that makes sense to me. I am looking for a sponsor.
Well, some notes: * License - The License tag should be "LGPLv2+". * BuildRequires - Would you check if "automake, autoconf" is needed for BuildRequires? * optflags - Would you check if 'CC="gcc %{optflags}"' is really needed? * Documents - The file "INSTALL.txt" is usually for people who compiles and installs the software by him/herself and not for people using rpm binary. - Files under %_mandir are automatically regarded as %doc. Well, as this package deals with security issues, I will anyway wait for one week or so before I approve this package to see if who knows how to deal with security software will post some comments on this bug.
Removing NEEDSPONSOR.
Alright, made the modifications you requested and uploaded on updated version Spec file: http://users.wpi.edu/~dignan/jailkit.spec Source RPM: http://users.wpi.edu/~dignan/jailkit-2.5-2.fc10.src.rpm As usual, I have moved the older versions into an archive they can be found here: Spec File: http://users.wpi.edu/~dignan/archive/jailkit/2.5-1/jailkit.spec Source RPM: http://users.wpi.edu/~dignan/archive/jailkit/2.5-1/jailkit-2.5-1.fc10.src.rpm Turns out, neither autoconf nor automake were needed. The same goes for optflags, since it was built using autotools. I removed INSTALL.txt from the docs and I took the %doc tag off the %_mandir files. Thank you for all the help!
I should have checked here first. I spent a good part of the afternoon creating a rpm for this package. I didn't finish it or test it yet, but I'll go ahead and post mine so you can see if it is of use to you. * http://bewley.net/linux/rpms/jailkit/ It is a bit different. It includes a init script for jk_socketd and adds jk_chrootsh to /etc/shells. Also automake and autoconf are not required.
I fixed a couple bugs. The /etc/shells is now handled properly, and I've added a patch to jk_init.ini. Scp needs /dev/null, but that was missing. That should be reported upstream. I don't have a bug account with them yet. * http://bewley.net/linux/rpms/jailkit/jailkit.spec
I'll do what I can to merge the two spec files and add your patches. Perhaps it would be best that we co-maintain this package?
I didn't mean to hijack anything, but I've been needing to finish this RPM ASAP for myself anyway and wanted to contribute what I had. I'd be happy to co-maintain, but this would be my first package submission and I haven't gone through all the motions to get into koji and cvs etc.
I'm not sure how that works, I'll ask around, in the meantime I'll work on getting it Fedora-ready.
(As I said in my comment 1, anyway I will postpone approving this package until Jan 21 to see if someone knowing security issues well may post some comments on this bug)
Okay, as no one else seems to write security related advice on this bug, I will restart to review this bug. To Patrick: Would you check the spec file by Dale and merge it (if you want), and re-upload your srpm/spec?
Alright, I've looked at his spec file and patches, and mostly the changes look good to me. One thing I'm going to try is using sed instead of this code: if [ "$1" = 0 ] ; then if [ -f %{_sysconfdir}/shells ] ; then TmpFile=`/bin/mktemp %{_tmppath}/.jk_chrootshrpmXXXXXX` grep -v '^%{_sbindir}/jk_chrootsh$' %{_sysconfdir}/shells > $TmpFile cp -f $TmpFile %{_sysconfdir}/shells rm -f $TmpFile fi fi I'll test something like sed 's:^%{_sbindir}/jk_chrootsh$::g' %{_sysconfdir}/shells but I'm not sure if that would make sed a BuildReq, if so I'd just stick with Dale's implementation. Other than the %preun %post %postun and the accompanying patches, his spec is pretty much the same as mine (or at least provides the same functions). So I'll add those things to mine and test it tomorrow hopefully.
I've made these modifications and just want to do a run through before I upload the changes again.
ping?
Sorry, I've been very busy with school work and applying for internships. I also need to see what should be done about the config files. The default config file requires a number of programs, and uses absolute paths to them, so I'm going through and seeing which are common programs, and using sed to replace the paths with whatever %bindir (for example) is.
ping again?
Sorry, finishing up classes here, I'm going to be on break after this week, so I expect to have this finished during my time off. Do you have any comments on what I should do about the config files as described in my comment above?
I think checking the hardcoded paths in the configs is a good idea. I found 78 executables in jk_init.ini and did a quick check on one system. I didn't have all those packages installed, but most paths seem right. I know at least a couple are wrong, vi, nice, xauth... # for f in `grep bin jk_init.ini |sed -e 's/^executables = //' -e 's/,/\n/g' -e 's/ //g' -e 's/^#.*//'|sort -u `; do ls $f; done|grep 'No such' ls: cannot access /bin/uncompress: No such file or directory ls: cannot access /usb/bin/joe: No such file or directory ls: cannot access /usb/bin/whoami: No such file or directory ls: cannot access /usr/bin/lynx: No such file or directory ls: cannot access /usr/bin/mc: No such file or directory ls: cannot access /usr/bin/mcedit: No such file or directory ls: cannot access /usr/bin/mcview: No such file or directory ls: cannot access /usr/bin/nice: No such file or directory ls: cannot access /usr/bin/sort: No such file or directory ls: cannot access /usr/bin/vi: No such file or directory ls: cannot access /usr/bin/X11/xauth: No such file or directory ls: cannot access /usr/bin/Xrealvnc: No such file or directory ls: cannot access /usr/sbin/apache: No such file or directory ls: cannot access /usr/sbin/jk_lsh: No such file or directory If you put your latest changes online, I can probably find the time to finish it up pretty soon if you like.
http://users.wpi.edu/~dignan/archive/jailkit/2.5-3/jailkit.spec Here's the latest specfile, hopefully you can have some luck with it, I'm not sure yet whether we should require all the packages listed in the default config or what, but I definitely think we should use sed to replace the binary locations.
Please provide the whole srpm. I can find any of the patches mentiones in the spec file nowhere. Some notes: * Initscripts convension - Please use %_initrddir instead of %_sysconfdir/init.d https://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_on_the_filesystem - Please add Requires(post) or so: https://fedoraproject.org/wiki/Packaging/SysVInitScript#Initscripts_in_spec_file_scriptlets - Please consider to "condrestart" at %posun * %changelog - I suggest to put one line between each %changelog entry like ------------------------------------------------------------------- * Sat Jan 25 2009 Patrick Dignan <dignan.patrick at, gmail.com> 2.5-3 - Added 3 patches from Dale Bewley and changed that postun to use sed * Sat Jan 10 2009 Patrick Dignan <dignan.patrick at, gmail.com> 2.5-2 - Removed INSTALL.txt - Fixed the doc files - Removed explicit call to enable Fedora specific compiler options * Sat Jan 10 2009 Patrick Dignan <dignan.patrick at, gmail.com> 2.5-1 - Initial Fedora build -------------------------------------------------------------------- This is useful when using Fedora CVS system.
Pong. I thought Dale wanted to pick up the packaging for this? If not I'll try to finish it up soon!
Patrick, for now would you try to finish this review request (i.e. upload the new srpm)?
I will close this bug as NOTABUG if no response is received from anyone within one week.
Once closing. If someone wants to import this package into Fedora, please file a new review request and mark this as a duplicate of the new one, thank you.
*** This bug has been marked as a duplicate of bug 967782 ***