jailkit-2.21/0000755000175000017500000000000013544213117012772 5ustar olivierolivierjailkit-2.21/configure.ac0000644000175000017500000001246713544213044015271 0ustar olivierolivier# Jailkit # configure.ac - the autoconf file # #Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2013, 2014, 2015, 2016, 2017, 2018, 2019 Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # # AC_INIT([jailkit],[2.21],[https://savannah.nongnu.org/bugs/?group=jailkit]) AC_SUBST([PACKAGE], AC_PACKAGE_NAME) AC_DEFINE_UNQUOTED([PACKAGE], "AC_PACKAGE_NAME", [The package name.]) AC_SUBST([VERSION], AC_PACKAGE_VERSION) AC_DEFINE_UNQUOTED([VERSION], "AC_PACKAGE_VERSION", [The package version.]) AC_PREFIX_DEFAULT([/usr]) dnl does this make sense? if test "$prefix" = "NONE"; then sysconfdir="/etc" AC_MSG_NOTICE([config files will be in /etc/jailkit/]) fi AC_CONFIG_SRCDIR([src/jk_socketd.c]) AC_CONFIG_HEADER([src/config.h]) AC_GNU_SOURCE AC_PROG_CC AC_ISC_POSIX AC_C_INLINE AC_PROG_INSTALL if test "$CC" = "gcc" ; then CFLAGS="$CFLAGS -Wall -pipe" fi dnl ************************ dnl Check for standard headers dnl ************************ AC_HEADER_STDC dnl ************************ dnl Checks for header files. dnl ************************ AC_CHECK_HEADERS([errno.h stdio.h ctype.h getopt.h math.h time.h sys/socket.h pthread.h pwd.h wordexp.h liberty.h strings.h]) AC_CHECK_FUNCS([strnlen wordexp clearenv get_current_dir_name]) AC_CHECK_FUNCS( [strndup],, AC_CHECK_LIB([iberty], [strndup]) ) AC_CHECK_FUNCS( [mempcpy],, AC_CHECK_LIB([iberty], [mempcpy]) ) AC_CHECK_FUNCS( [stpcpy],, AC_CHECK_LIB([iberty], [stpcpy]) ) # Check if -pthread is available # if not try -lpthread OLDCFLAGS=$CFLAGS OLDLDFLAGS=$LDFLAGS CFLAGS="$CFLAGS -pthread" LDFLAGS="$LDFLAGS -pthread" AC_MSG_CHECKING([for pthread support]) AC_LINK_IFELSE( [AC_LANG_PROGRAM( [#include void *g(void *d) { return NULL; }], [pthread_t t; pthread_create(&t,NULL,g,NULL);])], [AC_MSG_RESULT([use -pthread])] , CFLAGS=$OLDCFLAGS LDFLAGS=$OLDLDFLAGS [AC_CHECK_LIB( [pthread], [pthread_create],, AC_CHECK_LIB( [c_r], [pthread_create],, AC_MSG_ERROR([libpthread not found]) ) )] ) # solaris has -lsocket or -lxnet for various socket functions AC_CHECK_FUNCS( [recvfrom],, AC_CHECK_LIB([xnet], [recvfrom]) ) AC_CHECK_FUNCS( [send],, AC_CHECK_LIB([socket], [send]) ) # solaris needs -lrt or -lposix4 for nanosleep() AC_CHECK_FUNCS( [nanosleep],, AC_CHECK_LIB( [posix4], [nanosleep],, AC_CHECK_LIB( [rt], [nanosleep],, AC_MSG_ERROR(nanosleep not found) ) ) ) # FreeBSD has a gnugetopt library for this # Solaris might have libiberty AC_CHECK_FUNCS( [getopt_long],, AC_CHECK_LIB( [gnugetopt], [getopt_long],, AC_CHECK_LIB( [iberty], [getopt_long],, AC_MSG_ERROR(getopt_long not found) ) ) ) AC_CHECK_HEADERS([sys/capability.h]) AC_CHECK_FUNCS( [cap_get_proc],, AC_CHECK_LIB([cap], [cap_get_proc], AC_DEFINE(HAVE_CAP_GET_PROC) LDFLAGS="$LDFLAGS -lcap", ) ) dnl you should maybe add AC_ARG_VAR for every AC_PATH_PROG to allow users dnl to specify the binary path if it is not in PATH AC_ARG_VAR( [PYTHONINTERPRETER], [The `python' binary with path. Use it to define or override the location of `python'.] ) AC_PATH_PROG([PYTHONINTERPRETER], [python], [no]) if test "x$PYTHONINTERPRETER" = "xno" ; then AC_MSG_ERROR([python not found please install python]) fi AC_SUBST(PYTHONINTERPRETER) AC_MSG_CHECKING([for up to date python]) echo -n "checking for up to date python... " if $PYTHONINTERPRETER -c 'i=1;i+=1' >/dev/null 2>&1 ; then AC_MSG_RESULT([ok]) else AC_MSG_RESULT([failed]) AC_MSG_ERROR([your python version is too old, please install python 2 or newer]) fi AC_ARG_VAR( [PROCMAILPATH], [The `procmail' binary with path. Use it to define or override the location of `procmail'.] ) AC_PATH_PROG([PROCMAILPATH], [procmail], [no]) if test "x$PROCMAILPATH" != "xno" ; then AC_DEFINE_UNQUOTED([PROCMAILPATH], "$PROCMAILPATH", [The procmail path.]) AC_SUBST([HAVEPROCMAIL_TRUE], []) else AC_SUBST([HAVEPROCMAIL_TRUE], [#]) fi AC_CONFIG_FILES([Makefile src/Makefile py/Makefile man/Makefile]) AC_OUTPUT jailkit-2.21/extra/0000755000175000017500000000000013544213117014115 5ustar olivierolivierjailkit-2.21/extra/jailkit.fedora0000644000175000017500000000151211014242661016721 0ustar olivierolivier#!/bin/bash # # start/stop jailkit logging daemon. # # chkconfig: - 60 40 # description: chroot() jail wrapping utilities . /etc/rc.d/init.d/functions JK_SOCKETD=/usr/sbin/jk_socketd lockfile=/var/lock/subsys/jailkit pidfile=/var/run/jailkit.pid start() { echo -n "Starting JailKit: " daemon --pidfile=${pidfile} ${JK_SOCKETD} RETVAL=$? echo [ "$RETVAL" = 0 ] && touch ${lockfile} return $RETVAL } stop() { echo -n "Stopping JailKit: " killproc -p ${pidfile} -d 10 ${JK_SOCKETD} RETVAL=$? echo [ "$RETVAL" = 0 ] && rm -f ${lockfile} ${pidfile} return $RETVAL } case "$1" in start) start ;; stop) stop ;; restart) stop start ;; reload) stop start ;; status) status ${JK_SOCKETD} RETVAL=$? ;; *) echo "Usage: $0 {start|stop|restart|status|reload}" exit 1 ;; esac exit 0 jailkit-2.21/extra/jailkit.suse0000644000175000017500000000740510415757306016462 0ustar olivierolivier#! /bin/sh # # init.d/jailkit # # and symbolic its link # # /usr/sbin/rcjailkit # # System startup script for the inet daemon # ### BEGIN INIT INFO # Provides: jailkit # Required-Start: $network # Required-Stop: $network # X-UnitedLinux-Should-Start: jk_socketd # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Description: Start the jk_socketd daemon. ### END INIT INFO JAILKIT_BIN=/usr/sbin/jk_socketd test -x $JAILKIT_BIN || exit 5 # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v ditto but be verbose in local rc status # rc_status -v -r ditto and clear the local rc status # rc_failed set local and overall rc status to failed # rc_reset clear local rc status (overall remains) # rc_exit exit appropriate to overall rc status . /etc/rc.status # First reset status of this service rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - misc error # 2 - invalid or excess args # 3 - unimplemented feature (e.g. reload) # 4 - insufficient privilege # 5 - program not installed # 6 - program not configured # # Note that starting an already running service, stopping # or restarting a not-running service as well as the restart # with force-reload (in case signalling is not supported) are # considered a success. case "$1" in start) echo -n "Starting JAILKIT services. (jk_socketd)" ## Start daemon with startproc(8). If this fails ## the echo return value is set appropriate. # startproc should return 0, even if service is # already running to match LSB spec. startproc $JAILKIT_BIN # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down jk_socketd:" ## Stop daemon with killproc(8) and if this fails ## set echo the echo return value. killproc -QUIT $JAILKIT_BIN # Remember status and be verbose rc_status -v ;; try-restart) ## Stop the service and if this succeeds (i.e. the ## service was running before), start it again. $0 status >/dev/null && $0 restart # Remember status and be quiet rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) ## Signal the daemon to reload its config. Most daemons ## do this on signal 1 (SIGHUP). ## If it does not support it, restart. echo -n "Reload service jk_socketd" ## if it supports it: killproc -HUP $JAILKIT_BIN rc_status -v ;; reload) ## Like force-reload, but if daemon does not support ## signalling, do nothing (!) # If it supports signalling: echo -n "Reload JAILKIT services (jk_socketd)." killproc -HUP $JAILKIT_BIN rc_status -v ;; status) echo -n "Checking for service jk_socketd: " ## Check status with checkproc(8), if process is running ## checkproc will return with exit status 0. # Status has a slightly different for the status command: # 0 - service running # 1 - service dead, but /var/run/ pid file exists # 2 - service dead, but /var/lock/ lock file exists # 3 - service not running # NOTE: checkproc returns LSB compliant status values. checkproc $JAILKIT_BIN rc_status -v ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload| reload}" exit 1 esac rc_exitjailkit-2.21/extra/jailkit.spec0000644000175000017500000000426712006554140016425 0ustar olivierolivier# $Id: jailkit.spec,v 1.1 2012/08/02 19:43:28 oli4 Exp $ # Authority: dag Summary: Utilities to limit user accounts to specific files using chroot() Name: jailkit Version: 2.15 Release: 1.n247 License: Open Source Group: System Environment/Base URL: http://olivier.sessink.nl/jailkit/ Packager: Dag Wieers Vendor: Dag Apt Repository, http://dag.wieers.com/apt/ Source: http://olivier.sessink.nl/jailkit/jailkit-%{version}.tar.bz2 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: python %description Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier using these utilities. Jailkit has been in use for a while on CVS servers (in a chroot and limited to cvs), sftp/scp servers (both in a chroot and limited to sftp/scp as well as not in a chroot but only limited to sftp/scp), and also on general servers with accounts where the shell accounts are in a chroot. %prep %setup -n %{name}-%{version} ### Disable broken Makefile :( %{__perl} -pi.orig -e 's|>>||g' Makefile.in %build %configure %{__make} %{?_smp_mflags} %install %{__rm} -rf %{buildroot} %{__make} install DESTDIR="%{buildroot}" \ iniprefix="%{_sysconfdir}/jailkit/" \ prefix="%{_prefix}" %{__install} -Dp -m0755 extra/jailkit.centos %{buildroot}%{_initrddir}/jailkit #%post #cat /etc/shells | grep -v jk_chrootsh >/etc/shells #echo "/usr/bin/jk_chrootsh" >> /etc/shells #/sbin/chkconfig --add jailkit #%postun #cat /etc/shells | grep -v jk_chrootsh >/etc/shells %clean %{__rm} -rf %{buildroot} %files %defattr(-, root, root, 0755) %{_sbindir}/* %{_bindir}/* %{_datadir}/jailkit/ %doc %{_mandir}/man8/* %config(noreplace) %{_sysconfdir}/jailkit %config %{_initrddir}/jailkit %changelog * Mon Jul 16 2012 Jane Doe - 2.15-1 - Updated to release 2.15. * Tue Sep 12 2006 Dag Wieers - 2.1-1 - 4260+/thias - Updated to release 2.1. * Sun Mar 19 2006 Dag Wieers - 2.0-1 - Updated to release 2.0. * Fri May 20 2005 Dag Wieers - 1.3-1 - Initial package. (using DAR) jailkit-2.21/extra/jailkit.centos0000644000175000017500000000152511014242660016757 0ustar olivierolivier#!/bin/bash # # start/stop jailkit logging daemon. # # chkconfig: - 60 40 # description: chroot() jail wrapping utilities . /etc/rc.d/init.d/functions JK_SOCKETD=/usr/sbin/jk_socketd lockfile=/var/lock/subsys/jailkit pidfile=/var/run/jailkit.pid start() { echo -n "Starting JailKit: " daemon ${JK_SOCKETD} RETVAL=$? touch ${pidfile} pidof ${JK_SOCKETD} > ${pidfile} echo [ "$RETVAL" = 0 ] && touch ${lockfile} return $RETVAL } stop() { echo -n "Stopping JailKit: " killproc ${JK_SOCKETD} RETVAL=$? echo [ "$RETVAL" = 0 ] && rm -f ${lockfile} ${pidfile} return $RETVAL } case "$1" in start) start ;; stop) stop ;; restart) stop start ;; reload) stop start ;; status) status ${JK_SOCKETD} RETVAL=$? ;; *) echo "Usage: $0 {start|stop|restart|status|reload}" exit 1 ;; esac exit 0 jailkit-2.21/extra/jailkit0000644000175000017500000000157111623661206015475 0ustar olivierolivier#!/bin/sh ### BEGIN INIT INFO # Provides: jailkit # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start jk_socketd at boot time # Description: Enable jk_socketd ### END INIT INFO # # start/stop jailkit logging daemon. # # chkconfig: 2345 60 40 # description: chroot() jail wrapping utilities JK_SOCKETD=/usr/sbin/jk_socketd test -x ${JK_SOCKETD} || exit 0 case "$1" in start) echo -n "Starting jailkit:" echo -n " jk_socketd" ${JK_SOCKETD} echo " done." ;; stop) echo -n "Stopping jailkit:" echo -n " jk_socketd" killall ${JK_SOCKETD} echo " done." ;; restart) $0 stop $0 start ;; force-reload) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart|force-reload}" exit 1 ;; esac exit 0 jailkit-2.21/COPYRIGHT0000644000175000017500000006201211764212014014263 0ustar olivierolivierFor all files in Jailkit except src/wordexp.c and src/wordexp.h the following licence for use applies: ------------ Copyright (C) 2003 - 2012 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------ The file src/jk_lsh.c is additionally available under the Library-GPL licence as written below. Additionally means that you can EITHER use LGPL licence as described below OR the modified BSD licence as described above, OR you use both exactly as in this file. You CANNOT use some (not all) of the LGPL clauses and some of the modified BSD licence clauses. The files src/wordexp.c and src/wordexp.h are Copyright (C) 1997, 1998, 1999 Free Software Foundation, Inc. with some changes Copyright (C) 2003, 2004, 2005, 2006 Olivier Sessink and are only available under the Library-GPL licence as written below. These files (wordexp.c and wordexp.h) are only used on platforms on which the wordexp() function is not available. ------------- GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights. Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library. Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one. GNU LIBRARY GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS jailkit-2.21/src/0000755000175000017500000000000013544213117013561 5ustar olivierolivierjailkit-2.21/src/jk_chrootlaunch.c0000644000175000017500000002063012132064727017106 0ustar olivierolivier/* * the jailkit chroot() launcher * this program does a chroot(), changes uid and gid and then executes the daemon * * I tried to merge some of the ideas from chrsh by Aaron D. Gifford, * start-stop-daemon from Marek Michalkiewicz and suexec by the Apache * group in this utility * Copyright (c) 2003, 2004, 2005, 2006 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include #include #include #include #include #include #include #include #ifdef HAVE_GETOPT_H #include #endif #ifdef HAVE_LIBERTY_H #include #endif #include #include #include "jk_lib.h" #include "config.h" #define PROGRAMNAME "jk_chrootlaunch" static int parse_uid(char *tmpstr) { struct passwd *pw=NULL; if (!tmpstr) return -1; if (tmpstr && tmpstr[0] >= '0' && tmpstr[0] <= '9') { int tmp = strtol(tmpstr, NULL, 10); if (tmp >= 0) { pw = getpwuid(tmp); if (!pw) { syslog(LOG_ERR, "abort, user '%s' does not exist (interpreted as uid %d)",tmpstr,tmp); exit(1); } } else { syslog(LOG_ERR, "abort, user '%s' is a negative uid (interpreted as %d)",tmpstr,tmp); exit(1); } } else { pw = getpwnam(tmpstr); if (!pw) { syslog(LOG_ERR, "abort, user %s does not exist",tmpstr); exit(1); } } return pw->pw_uid; } static int parse_gid(char *tmpstr) { struct group *gr=NULL; if (!tmpstr) return -1; if (tmpstr && tmpstr[0] >= '0' && tmpstr[0] <= '9') { int tmp = strtol(tmpstr, NULL, 10); if (tmp >= 0) { gr = getgrgid(tmp); if (!gr) { syslog(LOG_ERR, "abort, group '%s' does not exist (interpreted as gid %d)",tmpstr,tmp); exit(1); } } else { syslog(LOG_ERR, "abort, group '%s' is a negative gid (interpreted as %d)",tmpstr,tmp); exit(1); } } else { gr = getgrnam(tmpstr); if (!gr) { syslog(LOG_ERR, "abort, group %s does not exist",tmpstr); exit(1); } } return gr->gr_gid; } /* tests the jail and executable, if they exists etc. returns a newly allocated executable relative to the chroot, so it can be used during exec() */ static char *test_jail_and_exec(char *jail, char *exec) { struct stat sbuf; char *tmpstr, *retval; if (!jail) { syslog(LOG_ERR,"abort, a jaildir must be specified on the commandline"); exit(21); } if (!exec) { syslog(LOG_ERR,"abort, an executable must be specified on the commandline"); exit(23); } if (jail[0] != '/') { syslog(LOG_ERR,"abort, jail '%s' not accepted, the jail must be an absolute path", jail); exit(27); } /* test the jail existance */ if (!basicjailissafe(jail)) { syslog(LOG_ERR, "abort, jail directory %s is not a safe jail, check ownership and permissions",jail); exit(25); } /* test the executable, first we test if the executable was specified relative in the jail or absolute */ if (strncmp(jail,exec,strlen(jail))==0) { /* the exec contains the path of the jail, so it was absolute */ tmpstr = strdup(exec); } else { /* the executable was specified as relative path to the jail, combine them together */ tmpstr = malloc0((strlen(exec)+strlen(jail)+1)*sizeof(char)); tmpstr = strcat(strcat(tmpstr, jail), exec); } if (lstat(tmpstr, &sbuf) == 0) { if (S_ISLNK(sbuf.st_mode)) { syslog(LOG_ERR, "abort, executable %s is a symlink", tmpstr); exit(29); } if (S_ISREG(sbuf.st_mode) && (sbuf.st_mode & (S_ISUID | S_ISGID))) { syslog(LOG_ERR, "abort, executable %s is setuid/setgid file", tmpstr); exit(29); } if (sbuf.st_mode & (S_IWGRP | S_IWOTH)) { syslog(LOG_ERR, "abort, executable %s is writable for group or others", tmpstr); exit(29); } if (sbuf.st_uid != 0 || sbuf.st_gid != 0) { syslog(LOG_ERR, "abort, executable %s is not owned root:root",tmpstr); exit(29); } } else { syslog(LOG_ERR, "abort, could not get properties for executable %s: %s",tmpstr,strerror(errno)); exit(29); } retval = strdup(&tmpstr[strlen(jail)]); free(tmpstr); return retval; } static void print_usage() { printf(PACKAGE" "VERSION"\nUsage: "PROGRAMNAME" -j jaildir [-u user] [-g group] [-p pidfile] -x executable -- [executable options]\n"); printf("\t-p|--pidfile pidfile\n"); printf("\t-j|--jail jaildir\n"); printf("\t-x|--exec executable\n"); printf("\t-u|--user username|uid\n"); printf("\t-g|--group group|gid\n"); printf("\t-h|--help\n"); printf(PROGRAMNAME" logs all errors to syslog, for diagnostics check your logfiles\n"); } int main (int argc, char **argv) { char *pidfile=NULL, *jail=NULL, *exec=NULL; int uid=-1,gid=-1; unsigned int i; char **newargv; openlog(PROGRAMNAME, LOG_PID, LOG_DAEMON); { int c=0; char *tuser=NULL, *tgroup=NULL, *texec=NULL; while (c != -1) { int option_index = 0; static struct option long_options[] = { {"pidfile", required_argument, NULL, 'p'}, {"jail", required_argument, NULL, 'j'}, {"exec", required_argument, NULL, 'x'}, {"user", required_argument, NULL, 'u'}, {"group", required_argument, NULL, 'g'}, {"help", no_argument, NULL, 'h'}, {"version", no_argument, NULL, 'V'}, {NULL, 0, NULL, 0} }; c = getopt_long(argc, argv, "j:p:u:g:x:hv",long_options, &option_index); switch (c) { case 'j': jail = ending_slash(optarg); break; case 'p': pidfile = strdup(optarg); break; case 'u': tuser = strdup(optarg); break; case 'g': tgroup = strdup(optarg); break; case 'x': texec = strdup(optarg); break; case 'h': case 'V': print_usage(); exit(1); } } uid = parse_uid(tuser); gid = parse_gid(tgroup); exec = test_jail_and_exec(jail,texec); /* construct the new argv from all leftover options */ newargv = malloc0((2 + argc - optind)*sizeof(char *)); newargv[0] = exec; c = 1; while (optind < argc) { newargv[c] = strdup(argv[optind]); c++; optind++; } free(tuser); free(tgroup); free(texec); } if (pidfile) { FILE *pidfilefd = fopen(pidfile, "w"); int pid = getpid(); if (pidfilefd && fprintf(pidfilefd, "%d",pid)>=0) { fclose(pidfilefd); } else { syslog(LOG_NOTICE, "failed to write PID into %s", pidfile); } } /* open file descriptors can be used to break out of a chroot, so we close all of them, except for stdin,stdout and stderr */ #ifdef OPEN_MAX i = OPEN_MAX; #elif defined(NOFILE) i = NOFILE; #else i = getdtablesize(); #endif while (--i > 2) { while (close(i) != 0 && errno == EINTR); } if (chdir(jail)) { syslog(LOG_ERR, "abort, could not change directory chdir() to the jail %s: %s", jail,strerror(errno)); exit(33); } if (chroot(jail)) { syslog(LOG_ERR, "abort, could not change root chroot() to the jail %s: %s", jail,strerror(errno)); exit(35); } if (gid != -1 && setgid(gid)<0) { syslog(LOG_ERR, "abort, could not setgid %d: %s", gid,strerror(errno)); exit(37); } if (uid != -1 && setuid(uid)<0) { syslog(LOG_ERR, "abort, could not setuid %d: %s", uid,strerror(errno)); exit(39); } syslog(LOG_NOTICE,"executing %s in jail %s",exec,jail); execv(exec, newargv); syslog(LOG_ERR, "error: failed to execute %s in jail %s: %s",exec,jail,strerror(errno)); exit(31); } jailkit-2.21/src/passwdparsertester.c0000644000175000017500000000074710644525412017704 0ustar olivierolivier#include #include #include #include "passwdparser.h" int main(int argc, char **argv) { struct passwd *pw1; /* pw1 = internal_getpwuid("passwdparsertester.test", 10); pw1 = internal_getpwuid("passwdparsertester.test", 20);*/ pw1 = internal_getpwuid("passwdparsertester.test", 100); if (pw1) { printf("found user %s with shell %s and home %s\n",pw1->pw_name, pw1->pw_shell, pw1->pw_dir); } else { printf("found nothing\n"); } return 0; } jailkit-2.21/src/iniparser.c0000644000175000017500000002373112670500446015732 0ustar olivierolivier/* Copyright (c) 2003, 2004, 2005, 2016 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include /* isspace() */ #include /* fseek() */ #include /* malloc() */ #include /* memset() */ #include /* fcntl() */ /*#define DEBUG*/ #ifdef DEBUG #include #endif #include "jk_lib.h" #include "iniparser.h" Tiniparser *new_iniparser(char *filename) { FILE *tmp; tmp = fopen(filename, "r"); if (tmp) { Tiniparser *ip = malloc(sizeof(Tiniparser)); ip->filename = strdup(filename); ip->fd = tmp; /* set close-on-exec so this file descriptor will not be passed to the a process after an exec() call */ fcntl(fileno(ip->fd), F_SETFD, FD_CLOEXEC); DEBUG_MSG("new_iniparser, ip=%p for filename %s\n",ip,filename); return ip; } return NULL; } void iniparser_close(Tiniparser *ip) { DEBUG_MSG("close fd\n"); fclose(ip->fd); DEBUG_MSG("free filename=%p\n",ip->filename); free(ip->filename); DEBUG_MSG("free ip=%p\n",ip->filename); free(ip); DEBUG_MSG("done\n"); } char *iniparser_next_section(Tiniparser *ip, char *buf, int buflen) { int sectionNameChar=0, sectionStart=0; unsigned short int inComment = 0; char prevch='\0', ch; DEBUG_MSG("iniparser_next_section, looking for next section..\n"); while (!feof(ip->fd)){ ch=fgetc(ip->fd); if (ch == '#' && (prevch == '\n' || prevch=='\0')) { DEBUG_MSG("Comment start (%c)\n",ch); inComment = 1; } else if (ch == '\n' && inComment == 1) { DEBUG_MSG("Comment stop (%c)\n",ch); inComment = 0; } else if (inComment == 1) { /* do nothing if in comment */ /*DEBUG_MSG("do nothing, we're in a comment (%c)\n",ch);*/ } else if (!sectionStart && ch=='[') { DEBUG_MSG("Section begins (%c)\n",ch); sectionStart=1; } else if (sectionStart && ch != ']') { buf[sectionNameChar] = ch; sectionNameChar++; DEBUG_MSG("added '%c' to sectionname\n",ch); } else if (sectionStart && sectionNameChar != 0 && ch==']') { buf[sectionNameChar] = '\0'; DEBUG_MSG("iniparser_next_section, found '%c', sectionStart=%d, found [%s]\n", ch,sectionStart,buf); return buf; } prevch = ch; } return NULL; } /* test if section 'section' is available, and leaves the filepointer at the end of the section name */ unsigned short int iniparser_has_section(Tiniparser *ip, const char *section) { char buffer[256], *found; fseek(ip->fd,0,SEEK_SET); DEBUG_MSG("iniparser_has_section, looking for %s from position %d\n",section,0); while ((found = iniparser_next_section(ip, buffer, 256))) { DEBUG_MSG("comparing %s and %s\n",section,found); if (strcmp(found, section)==0) { DEBUG_MSG("iniparser_has_section, return 1\n"); return 1; } } return 0; } int iniparser_get_string_at_position(Tiniparser*ip, const char *section, const char *key, long position, char *buffer, int bufferlen) { char ch='\0', prevch='\0'; unsigned int sectionNameChar=0, keyNameChar=0, bufferChar=0; unsigned short int inSection=0, sectionStart=0, foundKey=0, inComment=0, inWrongKey=0; DEBUG_MSG("iniparser_get_string_at_position, looking for key %s in section %s, starting at pos %ld\n",key,section,position); if (fseek(ip->fd,position,SEEK_SET) != 0) { DEBUG_MSG("there was an error seeking to %ld, current position=%ld, reset to zero\n",position,ftell(ip->fd)); fseek(ip->fd, 0, SEEK_SET); } DEBUG_MSG("current position of the stream is %ld\n",ftell(ip->fd)); while (!feof(ip->fd)){ prevch = ch; ch=fgetc(ip->fd); if (inComment == 1) { if (ch == '\n') { DEBUG_MSG("end of comment found\n"); inComment = 0; } continue; } else if (ch == '#' && (prevch == '\n' || prevch == '\0')) { DEBUG_MSG("inComment!\n"); inComment = 1; continue; } if (!inSection) { if (!sectionStart && ch=='['){ if (inSection){ /* found nothing */ break; } DEBUG_MSG("Section begins. Looking for [%s]\n", section); sectionStart=1; } else if (sectionStart && ch==section[sectionNameChar]){ DEBUG_MSG("Matched section name character: %c\n", ch); sectionNameChar++; } else if (sectionStart && sectionNameChar != 0 && ch==']'){ DEBUG_MSG("Found section name end, inSection=%d, found [%s]\n",inSection,section); sectionStart=0; inSection=1; sectionNameChar=0; DEBUG_MSG("The correct section %s is now found, now we continue with the key %s\n", section, key); } else if (sectionStart){ DEBUG_MSG("Oops, wrong section, %c is not in position %d of %s\n", ch,sectionNameChar,section); sectionStart=0; sectionNameChar=0; } } else if (inWrongKey/* && inSection is implied */) { if (ch == '\n') { DEBUG_MSG("inWrongKey, found end of line!\n"); inWrongKey = 0; foundKey=0; keyNameChar=0; } else { /*DEBUG_MSG("inWrongKey, found %c, pass till end of line\n",ch);*/ } } else if (!foundKey /* && inSection is implied */) { if (ch==key[keyNameChar]){ DEBUG_MSG("Found a valid letter of the key: %c on position %d of %s, continue to test if next character is also valid\n", ch,keyNameChar,key); keyNameChar++; } else if (isspace(ch)) { /* *before* the key, and *after* the key, before the '=' there can be spaces */ DEBUG_MSG("found a space, we ignore spaces when we are looking for the key\n"); } else if (keyNameChar != 0 && ch == '='){ DEBUG_MSG("Character %c, found the key %s, set foundKey to 1\n", ch,key); foundKey=1; } else if (ch=='\n'){ DEBUG_MSG("End of line, start looking again for %s\n", key); inWrongKey=0; keyNameChar=0; } else if (ch=='[') { DEBUG_MSG("Found the start of a new section, abort, the key does not exist\n"); buffer[0]='\0'; return -1; } else { DEBUG_MSG("if all else fails: %c must be a character that is not on position %d of key %s, set inWrongKey\n",ch,keyNameChar,key); inWrongKey=1; } } else if (foundKey /* && inSection is implied */) { if (bufferChar < bufferlen){ if (ch != '\n') { DEBUG_MSG("Insection, found the key, getting the content for the key: %c\n", ch); buffer[bufferChar++]=ch; } else { DEBUG_MSG("found a newline: the end of the content of the key! "); buffer[bufferChar]='\0'; DEBUG_MSG("return '%s'\n",buffer); return bufferChar; } } else { DEBUG_MSG("Hit the buffer max, EOM, done w/ key %s=\n", key); break; } } else { DEBUG_MSG("unhandled character %c ?\n",ch); } prevch = ch; } buffer[bufferChar]='\0'; DEBUG_MSG("iniparser_get_string_at_position, end-of-file, bufferChar=%d\n",bufferChar); return bufferChar; } int iniparser_get_int_at_position(Tiniparser *ip, const char *section, const char *key, long position, int defaultval) { char data[25]; int ret=defaultval; memset(data, 0, 25); if (iniparser_get_string_at_position(ip, section, key, position, data, 25)==-1){ return defaultval; } strip_string(data); sscanf(data, "%u", &ret); return ret; } int iniparser_get_octalint_at_position(Tiniparser *ip, const char *section, const char *key, long position, int defaultval) { char data[25]; int ret=defaultval; memset(data, 0, 25); if (iniparser_get_string_at_position(ip, section, key, position, data, 25)==-1){ return defaultval; } strip_string(data); sscanf(data, "%o", &ret); return ret; } float iniparser_get_float_at_position(Tiniparser *ip, const char *section, const char *key, long position, float defaultval) { float ret = defaultval; char data[25]; memset(data, 0, 25); if (iniparser_get_string_at_position(ip, section, key, position, data, 25)==-1){ DEBUG_MSG("iniparser_get_float_at_position, no string found\n"); return 0.0; } strip_string(data); sscanf(data, "%f", &ret); return ret; } /* int iniparser_value_len(Tiniparser *ip, const char *section, const char *key){ char ch; unsigned int sectionNameChar=0, keyNameChar=0; unsigned int valueLength=0; unsigned short int inSection=0, sectionStart=0, foundKey=0; while (!feof(ip->fd)){ ch=fgetc(ip->fd); if (!sectionStart && ch=='['){ if (inSection){ break; } sectionStart=1; } else if (sectionStart && ch==section[sectionNameChar]){ sectionNameChar++; } else if (sectionStart && sectionNameChar != 0 && ch==']'){ sectionStart=0; inSection=1; sectionNameChar=0; } else if (sectionStart){ sectionStart=0; sectionNameChar=0; } if (inSection && !foundKey && ch==key[keyNameChar]){ keyNameChar++; } else if (inSection && !foundKey && keyNameChar != 0 && ch == '='){ foundKey=1; } else if (inSection && keyNameChar != 0 && !foundKey){ foundKey=0; keyNameChar=0; } else if (inSection && foundKey && (ch==13 || ch==10 || ch==';')){ foundKey=0; break; } else if (inSection && foundKey){ valueLength++; } } return valueLength; } */ jailkit-2.21/src/iniparsertester.c0000644000175000017500000000430410632460575017160 0ustar olivierolivier/* just test code */ #include "iniparser.h" #include int main (int argc, char **argv) { Tiniparser *parser=NULL; parser = new_iniparser("iniparsertester.ini"); if (parser) { unsigned long nextitempos=0; char buffer[1024]; if (iniparser_has_section(parser, "nextitem")) { nextitempos = iniparser_get_position(parser) - strlen("nextitem") - 2; } if (iniparser_get_string(parser, "lastitem", "string1", buffer, 1024) > 0) { printf("%s",buffer); } if (iniparser_get_string(parser, "myitem", "string1", buffer, 1024) > 0) { printf("%s",buffer); } if (iniparser_get_string_at_position(parser, "nextitem", "string1", nextitempos, buffer, 1024) > 0) { /* does not exist */ printf("(does not exist: %s)",buffer); } if (iniparser_get_string_at_position(parser, "nextitem", "string2", nextitempos, buffer, 1024) > 0) { printf("%s",buffer); } printf(" %d ",iniparser_get_int(parser, "myitem", "key1")); /* 1 */ /* the next one is fake */ if (iniparser_get_string_at_position(parser, "alsoitem", "key2", nextitempos, buffer, 1024) > 0) { printf("(does not exist: %s)",buffer); } printf(" %d ",iniparser_get_int(parser, "nextitem", "key2")); /* 2 */ printf(" %d ",iniparser_get_int(parser, "myitem", "key2")); /* 3 */ printf(" %d ",iniparser_get_int(parser, "lastitem", "key1")); /* 4 */ if (iniparser_get_string(parser, "nextitem", "key1", buffer, 1024) > 0) { printf("(does not exist: %s)",buffer); } printf(" %d ",iniparser_get_int(parser, "lastitem", "key2")); /* 5 */ printf(" %d ",iniparser_get_int(parser, "alsoitem", "key3")); /* 6 */ printf(" %d ",iniparser_get_int(parser, "lastitem", "key3")); /* 7 */ if (iniparser_get_string(parser, "myitem", "key3", buffer, 1024) > 0) { printf("(does not exist: %s)",buffer); } printf(" %d ",iniparser_get_int(parser, "lastitem", "key4")); /* 8 */ printf(" %d ",iniparser_get_int(parser, "myitem", "key5")); /* 9 */ printf(" %d ",iniparser_get_int(parser, "alsoitem", "key10")); /* 10 */ printf("\n"); /* 1 */ printf(" %f ",iniparser_get_float_at_position(parser, "alsoitem", "keyfloat", 0)); /* 0.1 */ printf("\n"); /* 1 */ } else { printf("no testfile found\n"); } return 0; } jailkit-2.21/src/config.h.in0000644000175000017500000000704211222373205015603 0ustar olivierolivier/* src/config.h.in. Generated from configure.ac by autoheader. */ /* Define to 1 if you have the `clearenv' function. */ #undef HAVE_CLEARENV /* Define to 1 if you have the header file. */ #undef HAVE_CTYPE_H /* Define to 1 if you have the header file. */ #undef HAVE_ERRNO_H /* Define to 1 if you have the header file. */ #undef HAVE_GETOPT_H /* Define to 1 if you have the `getopt_long' function. */ #undef HAVE_GETOPT_LONG /* Define to 1 if you have the `get_current_dir_name' function. */ #undef HAVE_GET_CURRENT_DIR_NAME /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have the `c_r' library (-lc_r). */ #undef HAVE_LIBC_R /* Define to 1 if you have the header file. */ #undef HAVE_LIBERTY_H /* Define to 1 if you have the `gnugetopt' library (-lgnugetopt). */ #undef HAVE_LIBGNUGETOPT /* Define to 1 if you have the `iberty' library (-liberty). */ #undef HAVE_LIBIBERTY /* Define to 1 if you have the `pthread' library (-lpthread). */ #undef HAVE_LIBPTHREAD /* Define to 1 if you have the header file. */ #undef HAVE_MATH_H /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H /* Define to 1 if you have the `mempcpy' function. */ #undef HAVE_MEMPCPY /* Define to 1 if you have the header file. */ #undef HAVE_PTHREAD_H /* Define to 1 if you have the header file. */ #undef HAVE_PWD_H /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDIO_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the `stpcpy' function. */ #undef HAVE_STPCPY /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the `strndup' function. */ #undef HAVE_STRNDUP /* Define to 1 if you have the `strnlen' function. */ #undef HAVE_STRNLEN /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKET_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have the header file. */ #undef HAVE_TIME_H /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the `wordexp' function. */ #undef HAVE_WORDEXP /* Define to 1 if you have the header file. */ #undef HAVE_WORDEXP_H #undef HAVE_SYS_CAPABILITY_H #undef HAVE_CAP_GET_PROC /* The package name. */ #undef PACKAGE /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the version of this package. */ #undef PACKAGE_VERSION /* The procmail path. */ #undef PROCMAILPATH /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* The package version. */ #undef VERSION /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # undef _GNU_SOURCE #endif /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #undef inline #endif jailkit-2.21/src/jk_lsh.c0000644000175000017500000002375412670500447015216 0ustar olivierolivier/* Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2013, 2015, 2016 Olivier Sessink All rights reserved. This file is available under two licences, at your own choice -------- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------- This software is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. */ /* * Limited shell, will only execute files that are configured in /etc/jailkit/jk_lsh.ini */ #include "config.h" #include #include #include #include #include #include #include #include #include #include #include #ifdef HAVE_WORDEXP_H #include #else #include "wordexp.h" /* needed to link wordexp.o with the executable */ int libc_argc; char **libc_argv; #endif #define PROGRAMNAME "jk_lsh" #define CONFIGFILE INIPREFIX"/jk_lsh.ini" /* #define DEBUG */ #include "jk_lib.h" #include "iniparser.h" /* doesn't compile on FreeBSD without this */ extern char **environ; static int executable_is_allowed(Tiniparser *parser, const char *section, const char *executable, int position) { int klen; char **arr, **tmp; char buffer[1024]; klen = iniparser_get_string_at_position(parser, section, "executables",position, buffer, 1024); if (!klen) { syslog(LOG_ERR, "section %s does not have a key executables", section); exit(5); } arr = tmp = explode_string(buffer, ','); while (tmp && *tmp) { DEBUG_MSG("comparing '%s' and '%s'\n",*tmp,executable); if (strcmp(*tmp,executable)==0) { free_array(arr); return 1; } tmp++; } free_array(arr); return 0; } static char *expand_executable_w_path(const char *executable, char **allowed_paths) { DEBUG_LOG("expand_executable_w_path, executable=%s",executable); if (executable[0] == '/' && file_exists(executable)) { return strdup(executable); } if (!allowed_paths) { return NULL; } else { char **path = allowed_paths; int elen = strlen(executable); while (*path) { char *newpath; int tlen = strlen(*path); newpath = malloc((elen+tlen+2)*sizeof(char)); memset(newpath, 0, (elen+tlen+2)*sizeof(char)); newpath = strncpy(newpath, *path, tlen); if (*(*path+tlen-1) != '/') { newpath = strcat(newpath, "/"); DEBUG_LOG("newpath=%s",newpath); } newpath = strncat(newpath, executable, elen); if (file_exists(newpath)) { DEBUG_MSG("file %s exists\n",newpath); return newpath; } free(newpath); path++; } } syslog(LOG_ERR,"the requested executable %s is not found\n",executable); return NULL; } /* returns a NULL terminated array of strings */ char **expand_newargv(char *string) { wordexp_t p; wordexp(string, &p, 0); return p.we_wordv; } int main (int argc, char **argv) { Tiniparser *parser; const char *section; unsigned int section_pos, umaskval; struct passwd *pw; char *new, buffer[1024], *tmp=NULL, *user=NULL; char **paths = NULL; char ** newargv; struct group *gr; char *groupsec=NULL; int retval; char *logstring; DEBUG_MSG(PROGRAMNAME" version "VERSION", started\n"); #ifndef HAVE_WORDEXP_H libc_argc = argc; libc_argv = argv; #endif /* open the log facility */ openlog(PROGRAMNAME, LOG_PID, LOG_AUTH); syslog(LOG_INFO, PROGRAMNAME" version "VERSION", started"); DEBUG_MSG(PROGRAMNAME" log started\n"); tmp = getenv("USER"); if (tmp && strlen(tmp)) { user = strdup(tmp); } if (user) { pw = getpwnam(user); } else { pw = getpwuid(getuid()); } if (!pw) { if (user) syslog(LOG_ERR, "cannot find user info for USER %s: %s", user, strerror(errno)); else syslog(LOG_ERR, "cannot find user info for uid %u: %s", getuid(), strerror(errno)); DEBUG_MSG(PROGRAMNAME" cannot find user name for uid %u: %s", getuid(), strerror(errno)); exit(2); } if (user && pw->pw_uid != getuid()) { syslog(LOG_ERR, "abort, running as UID %d, but environment variable USER %s has UID %d", getuid(), user, pw->pw_uid); exit(2); } gr = getgrgid(getgid()); if (!gr || !gr->gr_name || gr->gr_name[0]=='\0') { syslog(LOG_ERR, "cannot find group name for gid %u: %s", getuid(), strerror(errno)); DEBUG_MSG(PROGRAMNAME" cannot find group name for uid %u: %s", getuid(), strerror(errno)); exit(3); } /* the last argument should be the commandstring, and the one before should be -c before that there could be an argument like --login that we simply ignore */ if (argc < 3 || strcmp(argv[argc - 2],"-c")!=0) { char *requeststring = implode_array(argv,argc," "); DEBUG_MSG("WARNING: user %s (%u) tried to get an interactive shell session (%s), which is never allowed by jk_lsh\n", pw->pw_name, getuid(),requeststring); syslog(LOG_ERR, "WARNING: user %s (%u) tried to get an interactive shell session (%s), which is never allowed by jk_lsh", pw->pw_name, getuid(),requeststring); free(requeststring); exit(7); } /* start the config parser */ parser = new_iniparser(CONFIGFILE); if (!parser) { syslog(LOG_ERR, "configfile "CONFIGFILE" is not available"); DEBUG_MSG(PROGRAMNAME" configfile missing\n"); exit(1); } /* check if this user has a section. asprintf() is a GNU extension which is not available on Solaris */ groupsec = strcat(strcpy(malloc0(strlen(gr->gr_name)+7), "group "), gr->gr_name); if (iniparser_has_section(parser, pw->pw_name)) { section = pw->pw_name; } else if (iniparser_has_section(parser, groupsec)) { section = groupsec; } else if (iniparser_has_section(parser, "DEFAULT")) { section = "DEFAULT"; } else { syslog(LOG_ERR, "did neither find a section '%s', nor 'group %s' nor 'DEFAULT' in configfile "CONFIGFILE, pw->pw_name, gr->gr_name); exit(3); } section_pos = iniparser_get_position(parser) - strlen(section) - 2; section_pos = section_pos >= 0 ? section_pos : 0; DEBUG_MSG("using section %s\n",section); DEBUG_MSG("setting umask\n"); umaskval = iniparser_get_octalint_at_position(parser, section, "umask", section_pos, 0000); if (umaskval != -1) { mode_t oldumask; oldumask = umask(umaskval); /*syslog(LOG_DEBUG, "changing umask from 0%o to 0%o", oldumask, umaskval);*/ } if (iniparser_get_string_at_position(parser, section, "environment", section_pos, buffer, 1024) > 0) { char **envs, **tmp; envs = explode_string(buffer, ','); tmp = envs; while (*tmp) { char **keyval = explode_string(*tmp, '='); if (keyval[0] && keyval[1] && keyval[2]==NULL) { setenv(keyval[0],keyval[1],1); } free_array(keyval); tmp++; } free_array(envs); } DEBUG_MSG("exploding string '%s'\n",argv[argc-1]); if (iniparser_get_int_at_position(parser, section, "allow_word_expansion", section_pos, 0)) { newargv = expand_newargv(argv[argc-1]); } else { newargv = explode_string(argv[argc-1], ' '); } if (iniparser_get_string_at_position(parser, section, "paths", section_pos, buffer, 1024) > 0) { DEBUG_LOG("paths, buffer=%s\n",buffer); paths = explode_string(buffer, ','); } else { DEBUG_LOG("no key paths found\n"); } DEBUG_LOG("paths=%p, newargv[0]=%s",paths,newargv[0]); new = expand_executable_w_path(newargv[0], paths); free_array(paths); if (new) { free(newargv[0]); newargv[0] = new; } if (!executable_is_allowed(parser, section, newargv[0],section_pos)) { char *logstring; logstring = implode_array(newargv,-1," "); DEBUG_MSG("WARNING: user %s (%u) tried to run '%s'\n", pw->pw_name, getuid(),newargv[0]); syslog(LOG_ERR, "WARNING: user %s (%u) tried to run '%s', which is not allowed according to "CONFIGFILE, pw->pw_name, getuid(),logstring); free(logstring); exit(4); } iniparser_close(parser); logstring = implode_array(newargv,-1," "); DEBUG_MSG("executing command '%s' for user %s (%u)\n", logstring,pw->pw_name, getuid()); syslog(LOG_INFO, "executing command '%s' for user %s (%u)", logstring,pw->pw_name, getuid()); free(logstring); retval = execve(newargv[0],newargv,environ); DEBUG_MSG("errno=%d, error=%s\n",errno,strerror(errno)); DEBUG_MSG("execve() command '%s' returned %d\n", newargv[0], retval); syslog(LOG_ERR, "WARNING: running %s failed for user %s (%u): %s", newargv[0],pw->pw_name, getuid(), strerror(retval)); syslog(LOG_ERR, "WARNING: check the permissions and libraries for %s", newargv[0]); return retval; } jailkit-2.21/src/passwdparser.c0000644000175000017500000001275612616474671016473 0ustar olivierolivier/* Copyright (c) 2003, 2004, 2005, 2015 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* #define DEBUG */ #include "config.h" #include #include #include #include #include /* memset() */ #include /* bzero() */ #include #include "utils.h" #ifdef DEBUG #define DEBUG_MSG printf #else #define DEBUG_MSG(args...) /**/ #endif static char *field_from_line(const char *line, int field) { int pos=0, fcount=0, fstart=0; while (1) { if (line[pos]==':') { if (field == fcount) { /* found the end of the field */ return strndup(line+fstart,pos-fstart); } else { fcount++; fstart = pos+1; } } else if (line[pos] == '\0') { if (fcount == field) return strndup(line+fstart,pos-fstart); return NULL; } pos ++; } return NULL; /* should not get to this line */ } static int int_field_from_line(const char *line, int field) { char *tmp; int retval; tmp = field_from_line(line, field); if (tmp) { retval = atoi(tmp); free(tmp); return retval; } return -1; } #define BLOCKSIZE 1024 static char * find_line(const char *filename, const char *fcont, int fnum) { FILE *fp; char buf[BLOCKSIZE+1]; char *prev, *next, *retline=NULL; size_t num; int restlen=0; /* printf("searching for %s in field %d\n",fcont,fnum);*/ fp = fopen(filename,"r"); if (fp == NULL) { return NULL; } /* set close-on-exec so this file descriptor will not be passed to the a process after an exec() call */ fcntl(fileno(fp), F_SETFD, FD_CLOEXEC); bzero(buf, (BLOCKSIZE+1)*sizeof(char)); restlen = num = fread(buf, 1, BLOCKSIZE, fp); DEBUG_MSG("read %d bytes from %s\n",num,filename); prev = buf; while (num || restlen) { /* continue the loop if we either expect more bytes from the file (represented by num) or there are bytes in the block left (represented by restlen) */ DEBUG_MSG("num=%d, restlen=%d, prev=%p\n",num,restlen,prev); next = strchr(prev, '\n'); if (next || num==0) { char *field; if (next) *next = '\0'; DEBUG_MSG("line: %s\n",prev); field = field_from_line(prev,fnum); DEBUG_MSG("field=%s, we are looking for %s\n",field,fcont); if (field && strcmp(field,fcont)==0) { /* we found the line */ retline = strdup(prev); /* printf("retline: %s\n",retline);*/ } if (field) free(field); if (retline) { DEBUG_MSG("found a line, returning %s\n",retline); return retline; } if (next) { *next = '\n'; prev = next+1; } else { restlen = 0; } } else { restlen = restlen-(prev-buf); DEBUG_MSG("prev=%p,buf=%p,num=%d,restlen=%d\n",prev,buf,num,restlen); if (restlen > 0) { /* no more newlines, move the */ DEBUG_MSG("moving %d bytes to the beginning of the block\n",restlen); memmove(buf, prev, restlen); } else { DEBUG_MSG("*** can restlen be < 0 ????????? restlen=%d\n",restlen); } DEBUG_MSG("reading next block\n"); num = fread(buf+restlen, 1, BLOCKSIZE-restlen, fp); DEBUG_MSG("read %d bytes from %s\n",num,filename); restlen += num; DEBUG_MSG("setting byte buf[%d] to \\0\n",restlen); buf[restlen] = '\0'; prev = buf; } } DEBUG_MSG("returning NULL\n"); return NULL; } struct passwd *internal_getpwuid(const char *filename, uid_t uid) { static struct passwd retpw; char find[11], *line; /* max unsigned int is 4294967295 which is 10 characters, and 11 for the \0 character */ snprintf(find,11,"%u",(unsigned int)uid); line = find_line(filename, find, 2); if (line) { retpw.pw_name = field_from_line(line, 0); retpw.pw_gid = int_field_from_line(line, 3); retpw.pw_dir = field_from_line(line, 5); retpw.pw_shell = field_from_line(line, 6); if (retpw.pw_name == NULL || retpw.pw_gid == -1 || retpw.pw_shell == NULL || retpw.pw_dir == NULL || strlen(retpw.pw_name)<1 || strlen(retpw.pw_dir)<1 || strlen(retpw.pw_shell)<1) { if (retpw.pw_name) free(retpw.pw_name); if (retpw.pw_dir) free(retpw.pw_dir); if (retpw.pw_shell) free(retpw.pw_shell); return NULL; } retpw.pw_uid = uid; retpw.pw_gecos = NULL; /* not required */ retpw.pw_passwd = NULL; /* not required */ return &retpw; } return NULL; } jailkit-2.21/src/wordexp.h0000644000175000017500000000502310103527126015416 0ustar olivierolivier/* Copyright (C) 1991, 1992, 1996, 1997, 1998 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with the GNU C Library; see the file COPYING.LIB. If not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifndef _WORDEXP_H #define _WORDEXP_H 1 /* #include */ /* __BEGIN_DECLS */ /* Bits set in the FLAGS argument to `wordexp'. */ enum { WRDE_DOOFFS = (1 << 0), /* Insert PWORDEXP->we_offs NULLs. */ WRDE_APPEND = (1 << 1), /* Append to results of a previous call. */ WRDE_NOCMD = (1 << 2), /* Don't do command substitution. */ WRDE_REUSE = (1 << 3), /* Reuse storage in PWORDEXP. */ WRDE_SHOWERR = (1 << 4), /* Don't redirect stderr to /dev/null. */ WRDE_UNDEF = (1 << 5), /* Error for expanding undefined variables. */ __WRDE_FLAGS = (WRDE_DOOFFS | WRDE_APPEND | WRDE_NOCMD | WRDE_REUSE | WRDE_SHOWERR | WRDE_UNDEF) }; /* Structure describing a word-expansion run. */ typedef struct { int we_wordc; /* Count of words matched. */ char **we_wordv; /* List of expanded words. */ int we_offs; /* Slots to reserve in `we_wordv'. */ } wordexp_t; /* Possible nonzero return values from `wordexp'. */ enum { #ifdef __USE_XOPEN WRDE_NOSYS = -1, /* Never used since we support `wordexp'. */ #endif WRDE_NOSPACE = 1, /* Ran out of memory. */ WRDE_BADCHAR, /* A metachar appears in the wrong place. */ WRDE_BADVAL, /* Undefined var reference with WRDE_UNDEF. */ WRDE_CMDSUB, /* Command substitution with WRDE_NOCMD. */ WRDE_SYNTAX /* Shell syntax error. */ }; /* Do word expansion of WORDS into PWORDEXP. */ extern int wordexp (__const char *__restrict __words, wordexp_t *__restrict __pwordexp, int __flags); /* Free the storage allocated by a `wordexp' call. */ extern void wordfree (wordexp_t *__wordexp); /* __END_DECLS */ #endif /* wordexp.h */ jailkit-2.21/src/jk_lib.h0000644000175000017500000000541212133725323015166 0ustar olivierolivier/* Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2013 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef __JK_LIB_H #define __JK_LIB_H #include "config.h" #ifdef DEBUG #define DEBUG_MSG printf #else #define DEBUG_MSG(args...) /**/ #endif #ifdef DEBUG #define DEBUG_LOG(args...) syslog(LOG_DEBUG, args) #else #define DEBUG_LOG(args...) /**/ #endif #ifndef HAVE_MALLOC0 #define malloc0(size) memset(malloc(size),0,size) #define HAVE_MALLOC0 #endif /* HAVE_MALLOC0 */ #define TESTPATH_NOREGPATH 1 // (0000 0001) #define TESTPATH_GROUPW 2 // (0000 0010) #define TESTPATH_OTHERW 4 // (0000 0100) #define TESTPATH_SETUID 8 // (0000 1000) #define TESTPATH_SETGID 16 // (0001 0000) #define TESTPATH_OWNER 32 // (0010 0000) #define TESTPATH_GROUP 64 // (0100 0000) int file_exists(const char *path); char *implode_array(char **arr, int arrlen, const char *delimiter); char *ending_slash(const char *src); int testsafepath(const char *path, int owner, int group); int basicjailissafe(const char *path); int dirs_equal(const char *dir1, const char *dir2); int getjaildir(const char *oldhomedir, char **jaildir, char **newhomedir); char *strip_string(char * string); int count_char(const char *string, char lookfor); char **explode_string(const char *string, char delimiter); int count_array(char **arr); void free_array(char **arr); #endif /* __JK_LIB_H */ jailkit-2.21/src/iniparser.h0000644000175000017500000000241512670500447015734 0ustar olivierolivier#ifndef __INI_PARSER_H #define __INI_PARSER_H #include typedef struct { char *filename; FILE *fd; } Tiniparser; #define iniparser_rewind(ip) fseek(ip->fd, 0L, SEEK_SET) #define iniparser_get_position(ip) ftell(ip->fd) #define iniparser_set_position(ip, position) fseek(ip->fd, position, SEEK_SET) #define iniparser_get_string(ip,section,key,buffer,buflen) iniparser_get_string_at_position(ip,section,key,0L,buffer,buflen) #define iniparser_get_int(ip,section,key) iniparser_get_int_at_position(ip,section,key,0L) Tiniparser *new_iniparser(char *filename); void iniparser_close(Tiniparser *ip); int iniparser_get_string_at_position(Tiniparser*ip, const char *section, const char *key, long position, char *buffer, int bufferlen); int iniparser_get_int_at_position(Tiniparser *ip, const char *section, const char *key, long position, int defaultval); int iniparser_get_octalint_at_position(Tiniparser *ip, const char *section, const char *key, long position, int defaultval); float iniparser_get_float_at_position(Tiniparser *ip, const char *section, const char *key, long position, float defaultval); char *iniparser_next_section(Tiniparser *ip, char *buf, int buflen); unsigned short int iniparser_has_section(Tiniparser *ip, const char *section); #endif /* __INI_PARSER_H */ jailkit-2.21/src/iniparsertester.ini0000644000175000017500000000065010426741536017515 0ustar olivierolivier # just some comment # [alsoitem] key1 = 2 key3=5 # the above item is invalid, it does not have a section [myitem] key1 = 1 # string1 = 2 key2= 3 key5 = 9 string1 = 1 [alsoitem] key3 = 6 #key1=2 keyfloat = 0.1 key10 = 10 [nextitem] key2 = 2 string2= to 10 [lastitem] key4=8 # key3=6 key2 = 5 key1 = 4 key3 = 7 string1 = count from string1 = this one is double jailkit-2.21/src/jk_socketd.c0000644000175000017500000004206112670505425016055 0ustar olivierolivier/* Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2016 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* #define DEBUG */ #include "config.h" #include #include /* socket() */ #include /* socket() */ #include /* times() */ #include /* sysconf(), getopt() */ #ifdef HAVE_GETOPT_H #include #endif #ifdef HAVE_LIBERTY_H #include #endif #include /* nanosleep() */ #include /* malloc() */ #include /* strcpy() */ #include /* fcntl() */ #include /* DEBUG_MSG() */ #include /* errno */ #include /* struct sockaddr_un */ #include /* gettimeofday() */ #include /* syslog() */ #include /* signal() */ #include /* getpwnam() */ #include /* chmod() */ #define PROGRAMNAME "jk_socketd" #define CONFIGFILE INIPREFIX"/jk_socketd.ini" #define MAX_SOCKETS 128 #define CHECKTIME 100000 /* 0.1 seconds */ #define FULLSECOND 1000000 #define MILLISECOND 1000 #define MICROSECOND 1 #include "jk_lib.h" #include "iniparser.h" typedef struct { pthread_t thread; char *outpath; char *inpath; unsigned int normrate; unsigned int peakrate; unsigned int roundtime; int outsocket; int insocket; unsigned short int lastwaspeak; /* the previous round was a peakround */ struct timeval lasttime; /* last time the socket was checked */ struct timeval lastreset; /* last time that lastsize was set to zero */ unsigned int lastsize; /* bytes since lastreset */ } Tsocketlink; /* the only global variable */ unsigned short int do_clean_exit = 0; static void close_socketlink(Tsocketlink *sl) { close(sl->insocket); shutdown(sl->insocket,2); free(sl->inpath); free(sl); } /*static void clean_exit(int numsockets, Tsocketlink **sl) { unsigned int i; for (i=0;ioutsocket = outsocket; sl->inpath = strdup(inpath); sl->normrate = normrate; sl->peakrate = peakrate; sl->roundtime = roundtime; sl->insocket = socket(PF_UNIX, SOCK_DGRAM, 0); /* DEBUG_MSG("new_socketlink, insocketserver %s at %d\n", sl->inpath, sl->insocket);*/ strncpy(serv_addr.sun_path, sl->inpath, sizeof(serv_addr.sun_path)); serv_addr.sun_family = PF_UNIX; unlink(sl->inpath); ret = bind(sl->insocket, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); if (ret != 0 || chmod(sl->inpath, 0666)) { DEBUG_MSG("bind returned erno %d: %s\n",errno, strerror(errno)); syslog(LOG_CRIT, "while opening %s: %s", sl->inpath, strerror(errno)); if (nodetach) printf("while opening %s: %s\n",sl->inpath,strerror(errno)); close_socketlink(sl); return NULL; } /* flags = fcntl(sl->insocket, F_GETFL, 0); fcntl(sl->insocket, F_SETFL, O_NONBLOCK|flags);*/ gettimeofday(&sl->lastreset,NULL); return sl; } static void sleepround(long microseconds, int debug) { if (microseconds > 0) { struct timespec sleeptime; sleeptime.tv_sec = microseconds / FULLSECOND; sleeptime.tv_nsec = (microseconds % FULLSECOND)*1000; DEBUG_MSG("sleepround, sleeping %d milliseconds\n", (int)(microseconds / MILLISECOND)); nanosleep(&sleeptime, NULL); /*pthread_delay_np(&sleeptime);*/ } } /* return time difference in micro-seconds */ long timediff(struct timeval start, struct timeval end) { return (long) (end.tv_sec - start.tv_sec) * FULLSECOND + (end.tv_usec - start.tv_usec); } #define BUFSIZE 512 static void socketlink_handle(Tsocketlink *sl) { while (do_clean_exit == 0) { char *buf[BUFSIZE]; int numbytes; numbytes = recvfrom(sl->insocket, &buf, BUFSIZE, 0, NULL, 0); /* numbytes = read(sl->insocket, &buf, BUFSIZE); */ if (numbytes < 0) { DEBUG_MSG("recvfrom error %d: %s\n", errno, strerror(errno)); } else if (numbytes > 0) { int ret = send(sl->outsocket, &buf, numbytes, 0); if (ret == -1) { DEBUG_MSG("send error %d: %s\n", errno, strerror(errno)); syslog(LOG_CRIT, "failed to write log message, error %d: %s",errno,strerror(errno)); } else if (ret != numbytes) { syslog(LOG_WARNING, "failed to write complete log message, message was %d bytes, delivered %d bytes",numbytes, ret); } /* write(sl->outsocket, &buf, numbytes); */ gettimeofday(&sl->lasttime,NULL); sl->lastsize += numbytes; DEBUG_MSG("lastsize=%d\n",sl->lastsize); if (sl->lastsize > sl->peakrate) { /* size is over the peakrate, mark this round as peak, and sleep the rest of the second */ DEBUG_MSG("sleep, we're over peakrate!! (size=%d)\n",sl->lastsize); syslog(LOG_WARNING, "device %s is over the peak limit (%d bytes/s)", sl->inpath, (unsigned int)((unsigned long)sl->peakrate * (unsigned long)1000000 / (unsigned long)sl->roundtime)); sleepround(sl->roundtime - timediff(sl->lastreset, sl->lasttime),1); sl->lastsize = 0; gettimeofday(&sl->lastreset,NULL); sl->lastwaspeak = 1; DEBUG_MSG("reset all to zero, peak=1\n"); } else if (sl->lastsize > sl->normrate) { /* size is over the normal size, check if the time is also over the normal time */ if (timediff(sl->lastreset, sl->lasttime) > sl->roundtime) { /* we will reset, the time is over a second */ DEBUG_MSG("time is over a second (timediff=%ld), reset all to zero, peak=1\n", timediff(sl->lastreset, sl->lasttime)); sl->lastsize = 0; gettimeofday(&sl->lastreset,NULL); sl->lastwaspeak = 1; } else { DEBUG_MSG("timediff = %ld\n",timediff(sl->lastreset, sl->lasttime)); /* it is under a second, this is a peak, what to do now? */ if (sl->lastwaspeak) { /* lastround was a peak, so this one is not allowed to be a peak, sleeping!! */ DEBUG_MSG("sleep, previous was a peak and we're over the normal rate (size=%d)!\n", sl->lastsize); syslog(LOG_WARNING, "device %s is over the normal limit (%d bytes/s), directly after a peak", sl->inpath, (sl->normrate * 1000000 / sl->roundtime)); sleepround(sl->roundtime - timediff(sl->lastreset, sl->lasttime),1); sl->lastsize = 0; gettimeofday(&sl->lastreset,NULL); sl->lastwaspeak = 1; DEBUG_MSG("reset all to zero, peak=1\n"); } else { /* lastround was not a peak, so this round is allowed to be a peak */ DEBUG_MSG("detected a new peak (size=%d)!\n", sl->lastsize); } } } else if (timediff(sl->lastreset, sl->lasttime) > sl->roundtime) { DEBUG_MSG("time is over a second (timediff=%ld), reset all to zero, peak=0\n", timediff(sl->lastreset, sl->lasttime)); sl->lastsize = 0; gettimeofday(&sl->lastreset,NULL); sl->lastwaspeak = 0; } } } } /* static void sigterm_handler(int signal) { DEBUG_MSG("sigterm_handler, called\n"); exit(1); if (do_clean_exit != 1) { syslog(LOG_NOTICE, "got signal %d, exiting", signal); do_clean_exit = 1; / *raise(SIGTERM);* / } }*/ static void usage() { printf(PROGRAMNAME" version "VERSION", usage:\n\n"); printf(" -n|--nodetach do not detach from the terminal, useful for debugging\n"); printf(" -p pidfile|--pidfile=pidfile write PID to file pidfile\n"); printf(" -h|--help this help screen\n\n"); printf(" --socket=/path/to/socket do not read ini file, create specific socket\n"); printf(" --base=integer message rate limit (in bytes) per interval\n"); printf(" --peak=integer message rate limit peak (in bytes)\n"); printf(" (--peek supported for backwards compatibility)"); printf(" --interval=float message rate limit interval\n\n"); } static unsigned short int have_socket(char *path, Tsocketlink **sl, unsigned int size) { unsigned int i; for (i=0;iinpath, path)==0) return 1; } return 0; } int main(int argc, char**argv) { Tsocketlink *sl[MAX_SOCKETS]; /* struct timeval startround, endround;*/ unsigned int numsockets = 0; int outsocket; unsigned int i; unsigned short int nodetach = 0; char *m_socket = NULL; char *pidfile = NULL; FILE *pidfilefd = NULL; unsigned int m_base=511, m_peak=2048; float m_interval=10.0; /* signal(SIGINT, sigterm_handler); signal(SIGTERM, sigterm_handler);*/ { int c; while (1) { int option_index = 0; static struct option long_options[] = { {"pidfile", required_argument, NULL, 0}, {"nodetach", no_argument, NULL, 0}, {"help", no_argument, NULL, 0}, {"socket", required_argument, NULL, 0}, {"base", required_argument, NULL, 0}, {"interval", required_argument, NULL, 0}, {"peak", required_argument, NULL, 0}, {"peek", required_argument, NULL, 0}, {NULL, 0, NULL, 0} }; c = getopt_long(argc, argv, "p:nh",long_options, &option_index); if (c == -1) break; switch (c) { case 0: switch (option_index) { case 0: pidfile = strdup(optarg); break; case 1: nodetach = 1; break; case 2: usage(); exit(0); case 3: m_socket = strdup(optarg); break; case 4: m_base = atoi(optarg); break; case 5: m_interval = (float)atof(optarg); break; case 6: m_peak = atoi(optarg); break; case 7: /* for backwards compatibility */ m_peak = atoi(optarg); break; } break; case 'p': pidfile = strdup(optarg); break; case 'n': nodetach = 1; break; case 'h': usage(); exit(0); } } } openlog(PROGRAMNAME, LOG_PID, LOG_DAEMON); outsocket = socket(AF_UNIX, SOCK_DGRAM, 0); DEBUG_MSG("outsocket at %d\n", outsocket); { struct sockaddr client_addr; strncpy(client_addr.sa_data, "/dev/log", sizeof(client_addr.sa_data)); client_addr.sa_family = AF_UNIX; if (connect(outsocket, &client_addr, sizeof(client_addr)) != 0) { /*DEBUG_MSG("connect returned erno %d: %s\n",errno, strerror(errno));*/ outsocket = socket(AF_UNIX, SOCK_STREAM, 0); if (connect(outsocket, &client_addr, sizeof(client_addr)) != 0) { syslog(LOG_CRIT, "version "VERSION", while connecting to /dev/log: %s", strerror(errno)); if (nodetach) printf("version "VERSION", while connecting to /dev/log: %s\n",strerror(errno) ); exit(1); } } if (nodetach) printf("opened /dev/log\n"); } if (!m_socket) { char buf[1024], *tmp; Tiniparser *ip = new_iniparser(CONFIGFILE); if (!ip) { syslog(LOG_CRIT, "version "VERSION", abort, could not parse configfile "CONFIGFILE); if (nodetach) printf("version "VERSION", abort, could not parse configfile "CONFIGFILE"\n"); exit(11); } while ((tmp = iniparser_next_section(ip, buf, 1024))) { if (!have_socket(tmp, sl, numsockets)) { unsigned int base=511, peak=2048; float interval=5.0; long prevpos, secpos; if (numsockets == MAX_SOCKETS) { syslog(LOG_NOTICE, "Warning: jk_socketd is compiled to support maximum %d sockets and more sockets are requested, not all sockets are opened!",MAX_SOCKETS); if (nodetach) printf("Warning: jk_socketd is compiled to support maximum %d sockets and more sockets are requested, not all sockets are opened!\n",MAX_SOCKETS); break; } prevpos = iniparser_get_position(ip); secpos = prevpos - strlen(tmp)-4; DEBUG_MSG("secpos=%ld, prevpos=%ld\n",secpos,prevpos); base = iniparser_get_int_at_position(ip, tmp, "base", secpos, 511); peak = iniparser_get_int_at_position(ip, tmp, "peak", secpos, 2048); interval = iniparser_get_float_at_position(ip, tmp, "interval", secpos, 5.0); iniparser_set_position(ip, secpos); if (10 > base || base > 1000000) { base = 511; } if (100 > peak || peak > 10000000 || peak < base) { peak = 2048; } if (0.01 > interval || interval > 60.0) interval = 5.0; sl[numsockets] = new_socketlink(outsocket, tmp, base, peak, (int)(interval*1000000.0), nodetach); if (sl[numsockets]) { syslog(LOG_NOTICE, "version "VERSION", listening on socket %s with rates [%d:%d]/%f",tmp,base,peak,interval); if (nodetach) printf("version "VERSION", listening on socket %s with rates [%d:%d]/%f\n",tmp,base,peak,interval); numsockets++; } else { if (nodetach) printf("version "VERSION", failed to create socket %s\n",tmp); } DEBUG_MSG("setting position to %ld\n",prevpos); iniparser_set_position(ip, prevpos); } else { syslog(LOG_NOTICE, "version "VERSION", socket %s is mentioned multiple times in config file",tmp); if (nodetach) printf("version "VERSION", socket %s is mentioned multiple times in config file\n",tmp); } } } else { unsigned int base=m_base, peak=m_peak; float interval=m_interval; if (10 > base || base > 1000000) base = 511; if (100 > peak || peak > 10000000 || peak < base) peak = 2048; if (0.01 > interval || m_interval > 60.0) interval = 5.0; sl[numsockets] = new_socketlink(outsocket, m_socket, base, peak, (int)(interval*1000000.0), nodetach); if (sl[numsockets]) { syslog(LOG_NOTICE, "version "VERSION", listening on socket %s with rates [%d:%d]/%f",m_socket,base,peak,interval); if (nodetach) printf("version "VERSION", listening on socket %s with rates [%d:%d]/%f\n",m_socket,base,peak,interval); numsockets++; } else { if (nodetach) printf("version "VERSION",failed to create socket %s\n",m_socket); } } if (numsockets == 0) { int uid = getuid(); if (uid!=0) { printf("version "VERSION", you are not root. \n"); syslog(LOG_ERR,"version "VERSION", ran by user other than root with UID %u",uid); } printf("version "VERSION", no valid sockets specified in configfile "CONFIGFILE" or on commandline, nothing to do, exiting...\n"); syslog(LOG_ERR,"version "VERSION", no sockets valid specified in configfile "CONFIGFILE" or on commandline, nothing to do, exiting..."); exit(1); } if (pidfile) pidfilefd = fopen(pidfile, "w"); /* now chroot() to some root:root dir without binaries, and change to nobody:nogroup */ { struct passwd *pw = getpwnam("nobody"); int ret; char *path = INIPREFIX; if (!pw) { syslog(LOG_ERR, "cannot get UID and GID for user nobody"); if (nodetach) printf("cannot get UID and GID for user nobody"); } ret = testsafepath(path, 0,0); if (ret != 0) { syslog(LOG_ERR, "abort, path %s is not owned root:root or does not have 0644 permissions\n",path); exit(53); } if (!(chdir(path)==0 && chroot(path)==0)) { syslog(LOG_ERR, "failed to chroot to "INIPREFIX); if (nodetach) printf("failed to chroot to "INIPREFIX); } if (pw) { if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) { syslog(LOG_ERR, "failed to change to user nobody (uid=%d, gid=%d)", pw->pw_uid, pw->pw_gid); if (nodetach) printf("failed to change to user nobody (uid=%d, gid=%d)\n", pw->pw_uid, pw->pw_gid); } } } if (!nodetach) { /* detach and set the detached process as the new process group leader */ if (fork() != 0) { DEBUG_MSG("exit process %d\n", getpid()); exit(0); } DEBUG_MSG("after fork(), process id %d continues\n", getpid()); setsid(); } if (pidfile) { if (pidfilefd) { /* we should do this using fscanf(pidfilefd,"%d", getpid()) */ char buf[32]; unsigned int size; size = snprintf(buf, 32, "%d", getpid()); fwrite(buf, size, sizeof(char), pidfilefd); fclose(pidfilefd); } else { syslog(LOG_NOTICE, "failed to write pid to %s", pidfile); } } /* use sl[0] for the main process */ for (i=1;ithread, NULL,(void*)&socketlink_handle, (void*) sl[i]); DEBUG_MSG("created thread %i for %s\n",i,sl[i]->inpath); } DEBUG_MSG("main thread starting work on socket\n"); socketlink_handle(sl[0]); /* DEBUG_MSG("pause() for process %d\n",getpid()); pause(); DEBUG_MSG("before clean_exit\n"); clean_exit(numsockets,sl); DEBUG_MSG("after clean_exit\n"); if (nodetach) printf("caught signal, exiting\n");*/ exit(0); } jailkit-2.21/src/jk_uchroot.c0000644000175000017500000003360212670500454016102 0ustar olivierolivier/* * the jailkit chroot() shell * this program does a safe chroot() and then executes the shell * that the user has within that new root (according to newroot/etc/passwd) * * I tried to merge some of the ideas from chrsh by Aaron D. Gifford, * start-stop-daemon from Marek Michalkiewicz and suexec by the Apache * group in this shell * Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2015, 2016 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include #include #include #include #include #include #include #include #include #include #include #include #ifdef HAVE_GETOPT_H #include #endif #ifdef HAVE_LIBERTY_H #include #endif #ifdef HAVE_SYS_CAPABILITY_H #include #endif /*#define DEBUG*/ #ifdef DEBUG #define DEBUG_MSG printf #else #define DEBUG_MSG(args...) /**/ #endif #define PROGRAMNAME "jk_uchroot" #define CONFIGFILE INIPREFIX"/jk_uchroot.ini" #include "jk_lib.h" #include "utils.h" #include "iniparser.h" #include "passwdparser.h" /* doesn't compile on FreeBSD without this */ extern char **environ; static void print_usage() { printf(PACKAGE" "VERSION"\nUsage: "PROGRAMNAME" -j jaildir -x executable -- [executable options]\n"); printf("\t-j|--jail jaildir\n"); printf("\t-x|--exec executable\n"); printf("\t-h|--help\n"); printf(PROGRAMNAME" logs all errors to syslog, for diagnostics check your logfiles\n"); } static int have_capabilities(void) { #ifdef HAVE_CAP_GET_PROC cap_t caps = cap_get_proc(); if (caps) { cap_flag_value_t value_p; cap_get_flag(caps, CAP_SYS_CHROOT, CAP_EFFECTIVE,&value_p); cap_free(caps); return (value_p); } #endif /*HAVE_CAP_GET_PROC*/ return 0; } /* check basics */ /* parse arguments */ /* parse configfile */ /* check user info */ /* check jail */ /* do chroot call */ int main(int argc, char **argv) { char *jail = NULL; char *user = NULL; char *executable = NULL; struct passwd *pw=NULL; struct group *gr=NULL; Tiniparser *parser=NULL; char **newargv=NULL; char **allowed_jails = NULL; unsigned int skip_injail_passwd_check=0; unsigned int i; char *tmp; unsigned int use_capabilities=0; openlog(PROGRAMNAME, LOG_PID, LOG_AUTH); /* check if it us that the user wants */ { char *tmp = strrchr(argv[0], '/'); if (!tmp) { tmp = argv[0]; } else { tmp++; } if (strcmp(tmp, PROGRAMNAME) && (tmp[0] != '-' || strcmp(&tmp[1], PROGRAMNAME))) { DEBUG_MSG("wrong name, tmp=%s, &tmp[1]=%s\n", tmp, &tmp[1]); syslog(LOG_ERR, "abort, "PROGRAMNAME" is called as %s", argv[0]); exit(1); } } /* now test if we are setuid root (the effective user id must be 0, and the real user id > 0 */ #ifndef DEVELOPMENT if (geteuid() != 0) { if (have_capabilities()) { use_capabilities=1; } else { syslog(LOG_ERR, "abort, effective user ID is not 0, possibly "PROGRAMNAME" is not setuid root"); exit(11); } } #endif if (getuid() == 0) { syslog(LOG_ERR, "abort, "PROGRAMNAME" is run by root, which does not make sense because user root can use the chroot utility"); exit(12); } DEBUG_MSG("get user info\n"); /* get user info based on the users name and not on the uid. this enables support for systems with multiple users with the same user id*/ tmp = getenv("USER"); if (tmp && strlen(tmp)) { user = strdup(tmp); } if (user) { pw = getpwnam(user); } else { pw = getpwuid(getuid()); } if (!pw) { syslog(LOG_ERR, "abort, failed to get user information for user ID %u: %s, check /etc/passwd", getuid(), strerror(errno)); exit(13); } if (!pw->pw_name || strlen(pw->pw_name)==0) { syslog(LOG_ERR, "abort, got an empty username for user ID %u: %s, check /etc/passwd", getuid(), strerror(errno)); exit(13); } if (user && strcmp(user,pw->pw_name)!=0) { syslog(LOG_ERR, "abort, asked for user %s, got user info for %s", user, pw->pw_name); exit(13); } if (pw->pw_uid != getuid()) { syslog(LOG_ERR, "abort, started by user ID %u, got user info %s with user ID %u,", getuid(), pw->pw_name, pw->pw_uid); exit(13); } gr = getgrgid(getgid()); if (!gr) { syslog(LOG_ERR, "abort, failed to get group information for group ID %u: %s, check /etc/group", getgid(), strerror(errno)); exit(13); } { int c=0; int len; char *execplusjailpath; while (c != -1) { int option_index = 0; static struct option long_options[] = { {"jail", required_argument, NULL, 'j'}, {"executable", required_argument, NULL, 'x'}, {"help", no_argument, NULL, 'h'}, {"version", no_argument, NULL, 'V'}, {NULL, 0, NULL, 0} }; c = getopt_long(argc, argv, "j:x:hv",long_options, &option_index); switch (c) { case 'j': jail = ending_slash(optarg); DEBUG_MSG("argument jail='%s', ending_slash returned '%s'\n",optarg,jail); break; case 'x': executable = strdup(optarg); break; case 'h': case 'V': print_usage(); exit(1); } } /* construct the new argv from all leftover options */ newargv = malloc0((2 + argc - optind)*sizeof(char *)); newargv[0] = executable; c = 1; while (optind < argc) { newargv[c] = strdup(argv[optind]); c++; optind++; } if (jail == NULL) { printf("ERROR: No jail path specified. Use -j or --jail\n"); print_usage(); exit(1); } if (executable == NULL) { printf("ERROR: No executable path specified. Use -x or --executable\n"); print_usage(); exit(1); } len = strlen(jail)+strlen(executable)+2; execplusjailpath = malloc(len+1); snprintf(execplusjailpath, len, "%s/%s",jail, executable); if (!file_exists(execplusjailpath)) { printf("ERROR: Executable path %s does not exist or is not a regular file\n", execplusjailpath); print_usage(); exit(1); } free(execplusjailpath); } /* make sure the jailkit config directory is owned root:root and not writable for others */ if ( (testsafepath(INIPREFIX, 0, 0) &~TESTPATH_GROUPW) != 0 ) { syslog(LOG_ERR, "abort, jailkit configuration directory "INIPREFIX" is not safe; it should be owned 0:0 and not writable for others"); exit(14); } parser = new_iniparser(CONFIGFILE); if (parser) { /* first check for a section specific for this user, then for a group section, else a DEFAULT section */ char *groupsec, *section=NULL, buffer[1024]; /* openbsd complains if this is <1024 */ groupsec = strcat(strcpy(malloc0(strlen(gr->gr_name)+7), "group "), gr->gr_name); if (iniparser_has_section(parser, pw->pw_name)) { section = strdup(pw->pw_name); } else if (iniparser_has_section(parser, groupsec)) { section = groupsec; } else if (iniparser_has_section(parser, "DEFAULT")) { section = strdup("DEFAULT"); } if (section != groupsec) free(groupsec); if (section) { /* from this section, retrieve the options - which jails are allowed - which shell to use - if the user has to be in /etc/passwd (only if shell is given) */ unsigned int pos = iniparser_get_position(parser) - strlen(section) - 2; if (iniparser_get_string_at_position(parser, section, "allowed_jails", pos, buffer, 1024) > 0) { DEBUG_MSG("found allowed_jails=%s\n",buffer); allowed_jails = explode_string(buffer, ','); } skip_injail_passwd_check = iniparser_get_int_at_position(parser, section, "skip_injail_passwd_check", pos, 0); free(section); } else { DEBUG_MSG("no relevant section found in configfile\n"); } if (allowed_jails == NULL) { syslog(LOG_ERR,"abort, no relevant section for user %s (%u) or group %s (%u) or DEFAULT found in "CONFIGFILE, pw->pw_name,getuid(),gr->gr_name,getgid()); exit(1); } iniparser_close(parser); } else { DEBUG_MSG("no configfile "CONFIGFILE" ??\n"); syslog(LOG_ERR,"abort, no config file "CONFIGFILE); exit(1); } #ifdef OPEN_MAX i = OPEN_MAX; #elif defined(NOFILE) i = NOFILE; #else i = getdtablesize(); #endif while (--i > 2) { while (close(i) != 0 && errno == EINTR); } /* now make sure file descriptors 0 1 and 2 are valid before we (or a child) starts writing to it */ while (1) { int fd; fd = open("/dev/null", O_RDWR); if (fd < 0) exit(10); if (fd > 2) { close(fd); break; } } /* check if the requested jail is allowed */ { unsigned int allowed = 0; /* 'jail' has an ending slash */ for (i=0;allowed_jails[i]!=NULL&&!allowed;i++) { allowed = dirs_equal(jail,allowed_jails[i]); DEBUG_MSG("allowed=%d after testing '%s' with '%s'\n",allowed,jail,allowed_jails[i]); } if (allowed!=1) { syslog(LOG_ERR,"abort, user %s (%u) is not allowed in jail %s",pw->pw_name, getuid(),jail); exit(21); } } /* test the jail */ if (!basicjailissafe(jail)) { syslog(LOG_ERR, "abort, jail %s is not safe, check ownership and permissions for the jail inclusing system directories such as /etc, /lib, /usr, /dev, /sbin, and /bin", jail); exit(53); } if (chdir(jail) != 0) { syslog(LOG_ERR, "abort, chdir(%s) failed: %s",jail,strerror(errno)); exit(19); } else { char test[1024]; /* test if it really succeeded */ if (getcwd(test, 1024)==NULL || !dirs_equal(jail, test)) { syslog(LOG_ERR, "abort, the current dir is %s after chdir(%s), but it should be %s",test,jail,jail); exit(21); } } syslog(LOG_INFO, "entering jail %s for user %s (%u) in order to execute %s", jail, pw->pw_name, getuid(), executable); /* do the chroot() call */ if (chroot(jail)) { syslog(LOG_ERR, "abort, chroot(%s) failed: %s", jail, strerror(errno)); exit(33); } if (use_capabilities) { #ifdef HAVE_CAP_GET_PROC cap_t caps; cap_value_t capv[1]; /* drop chroot capability, should we drop all other capabilities that may be used to escape from the jail too ? */ if ((caps = cap_get_proc()) == NULL) { syslog(LOG_ERR, "abort, failed to retrieve current capabilities: %s", strerror(errno)); exit(101); } capv[0] = CAP_SYS_CHROOT; /* other capabilities that should/could be dropped: CAP_SETPCAP, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_PTRACE, CAP_SYS_ADMIN */ if (cap_set_flag(caps, CAP_PERMITTED, 1, capv, CAP_CLEAR)) { syslog(LOG_ERR, "abort, failed to set PERMITTED capabilities: %s", strerror(errno)); exit(102); } if (cap_set_flag(caps, CAP_EFFECTIVE, 1, capv, CAP_CLEAR)) { syslog(LOG_ERR, "abort, failed to set effective capabilities: %s", strerror(errno)); exit(103); } if (cap_set_flag(caps, CAP_INHERITABLE, 1, capv, CAP_CLEAR)) { syslog(LOG_ERR, "abort, failed to set INHERITABLE capabilities: %s", strerror(errno)); exit(104); } if (cap_set_proc(caps)) { syslog(LOG_ERR, "abort, failed to apply new capabilities: %s", strerror(errno)); exit(105); } #else /* we should never get here */ exit(333); #endif } else { /* drop all privileges, we first have to setgid(), then we call setuid() */ if (setgid(getgid())) { syslog(LOG_ERR, "abort, failed to set effective group ID %u: %s", getgid(), strerror(errno)); exit(34); } if (setuid(getuid())) { syslog(LOG_ERR, "abort, failed to set effective user ID %u: %s", getuid(), strerror(errno)); exit(36); } } if (!skip_injail_passwd_check){ char *oldpw_name,*oldgr_name; oldpw_name = strdup(pw->pw_name); oldgr_name = strdup(gr->gr_name); if (user) { pw = getpwnam(user); } else { pw = getpwuid(getuid()); } if (!pw) { syslog(LOG_ERR, "abort, failed to get user information in the jail for user ID %u: %s, check %s/etc/passwd",getuid(),strerror(errno),jail); exit(35); } DEBUG_MSG("got %s as pw_dir\n",pw->pw_dir); if (pw->pw_uid != getuid()) { syslog(LOG_ERR, "abort, got user information in the jail for user ID %u instead of user ID %u, check %s/etc/passwd",pw->pw_uid,getuid(),jail); exit(35); } gr = getgrgid(getgid()); if (!gr) { syslog(LOG_ERR, "abort, failed to get group information in the jail for group ID %u: %s, check %s/etc/group",getgid(),strerror(errno),jail); exit(35); } if (strcmp(pw->pw_name, oldpw_name)!=0) { syslog(LOG_ERR, "abort, username %s differs from jail username %s for user ID %u, check /etc/passwd and %s/etc/passwd", oldpw_name, pw->pw_name, getuid(), jail); exit(37); } if (strcmp(gr->gr_name, oldgr_name)!=0) { syslog(LOG_ERR, "abort, groupname %s differs from jail groupname %s for group ID %u, check /etc/passwd and %s/etc/passwd", oldgr_name, gr->gr_name, getgid(), jail); exit(37); } free(oldpw_name); free(oldgr_name); } /* now execute the jailed shell */ execv(executable, newargv); /* normally we wouldn't come to this bit of code */ syslog(LOG_ERR, "ERROR: failed to execute %s for user %s (%u), check the permissions and libraries of %s%s",executable,pw->pw_name,getuid(),jail,executable); free(jail); exit(111); } jailkit-2.21/src/passwdparsertester.test0000644000175000017500000000034310644630025020426 0ustar olivierolivierroot:x:0:0:root:/root:/bin/bash test:x:1000:1000:Mijn user die heel veel data hier heeft:/home/test:/bin/bash test2:x:10007:10300:test2:/home/test2:/bin/bash jaja!:x:100:10200:gevonden! regel zonder newline:/home/jaja:/bin/bashjailkit-2.21/src/jk_lib.c0000644000175000017500000002044312304661422015161 0ustar olivierolivier/* Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2013 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /*#define DEBUG*/ #include "config.h" #include #include #include #include #include #include #include #include #include #include "jk_lib.h" #include "utils.h" int file_exists(const char *path) { /* where is this function used? access() is more light than stat() but it does not equal a 'file exist', but 'file exists and can be accessed' */ struct stat sb; if (stat(path, &sb) == -1 && errno == ENOENT) { return 0; } if (!S_ISREG(sb.st_mode)) { return 0; } return 1; } /* creates a string from an array of strings, with the delimiter inbetween use arrlen -1 if the array is NULL terminated. the strings should all be '\0' terminated*/ char *implode_array(char **arr, int arrlen, const char *delimiter) { int count=0,i=0,reqsize=1, delsize=strlen(delimiter); char **tmp = arr; char *retval; /* find required memory length */ while (*tmp && (count != arrlen)) { count++; reqsize += delsize + strlen(*tmp); tmp++; } retval = malloc(reqsize*sizeof(char)); retval[0] = '\0'; for (i=0;i 4 (minimum then is /a/./ ) * we start at the end so if there are multiple /path/./path2/./path3 the user will be jailed in the most minimized path */ while (i > 4) { /* DEBUG_MSG("oldhomedir[%d]=%c\n",i,oldhomedir[i]);*/ if (oldhomedir[i] == '/' && oldhomedir[i-1] == '.' && oldhomedir[i-2] == '/') { DEBUG_MSG("&oldhomedir[%d]=%s\n",i,&oldhomedir[i]); *jaildir = strndup(oldhomedir, i-2); *newhomedir = strdup(&oldhomedir[i]); return 1; } i--; } return 0; } char *strip_string(char * string) { int numstartspaces=0, endofcontent=strlen(string)-1; while (isspace(string[numstartspaces]) && numstartspaces < endofcontent) numstartspaces++; while (isspace(string[endofcontent]) && endofcontent > numstartspaces) endofcontent--; if (numstartspaces != 0) memmove(string, &string[numstartspaces], (endofcontent - numstartspaces+1)*sizeof(char)); string[(endofcontent - numstartspaces+1)] = '\0'; return string; } int count_char(const char *string, char lookfor) { int count=0; while (*string != '\0') { if (*string == lookfor) count++; string++; } DEBUG_LOG("count_char, returning %d\n",count); return count; } char **explode_string(const char *string, char delimiter) { char **arr; const char *tmp = string; int cur= 0; int size = ((count_char(string, delimiter) + 2)*sizeof(char*)); arr = malloc(size); DEBUG_LOG("exploding string '%s', arr=%p with size %d, sizeof(char*)=%d\n",string,arr,size,sizeof(char*)); while (tmp) { char *tmp2 = strchr(tmp, delimiter); if (tmp2) { arr[cur] = strip_string(strndup(tmp, (tmp2-tmp))); } else { arr[cur] = strip_string(strdup(tmp)); } if (strlen(arr[cur])==0) { free(arr[cur]); } else { DEBUG_LOG("found string '%s' at %p\n",arr[cur], arr[cur]); cur++; } tmp = (tmp2) ? tmp2+1 : NULL; } arr[cur] = NULL; DEBUG_MSG("exploding string, returning %p\n",arr); return arr; } int count_array(char **arr) { char **tmp = arr; DEBUG_MSG("count_array, started for %p\n",arr); while (*tmp) tmp++; return (tmp-arr); } void free_array(char **arr) { char **tmp = arr; if (!arr) return; while (*tmp) { free(*tmp); tmp++; } free(arr); } jailkit-2.21/src/Makefile.in0000644000175000017500000001022412132062335015621 0ustar olivierolivier#Copyright (c) 2003, 2004, 2005, 2006, Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # prefix = @prefix@ exec_prefix = @exec_prefix@ bindir = @bindir@ sbindir = @sbindir@ sysconfdir = @sysconfdir@ iniprefix = ${sysconfdir}/jailkit INSTALL = @INSTALL@ CC = @CC@ CFLAGS = @CFLAGS@ -DINIPREFIX=\"$(iniprefix)\" LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ LDLIBS = @LIBS@ BINARIES = jk_socketd jk_lsh jk_chrootsh jk_chrootlaunch jk_uchroot @HAVEPROCMAIL_TRUE@BINARIES += jk_procmailwrapper SRCS = \ jk_socketd.c \ iniparser.c \ jk_lsh.c \ jk_uchroot.c \ jk_chrootsh.c \ jk_lib.c \ jk_chrootlaunch.c \ jk_procmailwrapper.c \ utils.c \ wordexp.c \ passwdparser.c @HAVEPROCMAIL_TRUE@SRCS += jk_procmailwrapper.c HAVEPROCMAIL_TRUE=@HAVEPROCMAIL_TRUE@ OBJS = $(SRCS:.c=.o) all: ${BINARIES} jk_chrootlaunch: jk_chrootlaunch.o jk_lib.o utils.o $(CC) $(DEFS) -o $@ jk_chrootlaunch.o jk_lib.o utils.o $(LDFLAGS) $(LIBS) jk_socketd: jk_socketd.o jk_lib.o utils.o iniparser.o $(CC) $(DEFS) -o $@ jk_socketd.o jk_lib.o utils.o iniparser.o $(LDFLAGS) $(LIBS) jk_lsh: jk_lsh.o iniparser.o jk_lib.o utils.o wordexp.o $(CC) $(DEFS) -o $@ jk_lsh.o iniparser.o jk_lib.o utils.o wordexp.o $(LDFLAGS) $(LIBS) jk_chrootsh: jk_chrootsh.o iniparser.o jk_lib.o utils.o passwdparser.o $(CC) $(DEFS) -o $@ jk_chrootsh.o iniparser.o jk_lib.o utils.o passwdparser.o $(LDFLAGS) $(LIBS) jk_uchroot: jk_uchroot.o iniparser.o jk_lib.o utils.o $(CC) $(DEFS) -o $@ jk_uchroot.o iniparser.o jk_lib.o utils.o $(LDFLAGS) $(LIBS) jk_procmailwrapper: jk_procmailwrapper.o jk_lib.o utils.o $(CC) $(DEFS) -o $@ jk_procmailwrapper.o jk_lib.o utils.o $(LDFLAGS) $(LIBS) clean: rm -f ${BINARIES} rm -f *.o rm -f *~ distclean: clean rm -f Makefile config.h install: ${BINARIES} ${INSTALL} -d -m 755 ${DESTDIR}${prefix} ${INSTALL} -d -m 755 ${DESTDIR}${prefix}/bin ${INSTALL} -d -m 755 ${DESTDIR}${prefix}/sbin ${INSTALL} -m 0755 jk_socketd ${DESTDIR}${prefix}/sbin/ ${INSTALL} -m 0755 jk_chrootlaunch ${DESTDIR}${prefix}/sbin/ ${INSTALL} -m 0755 jk_lsh ${DESTDIR}${prefix}/sbin/ ${INSTALL} -m 4755 jk_chrootsh ${DESTDIR}${prefix}/sbin/ ${INSTALL} -m 4755 jk_uchroot ${DESTDIR}${prefix}/bin/ if [ -z "@HAVEPROCMAIL_TRUE@" ]; then \ ${INSTALL} -m 4755 jk_procmailwrapper ${DESTDIR}${prefix}/sbin/ ;\ fi uninstall: rm -f ${prefix}/sbin/jk_socketd rm -f ${prefix}/sbin/jk_chrootlaunch rm -f ${prefix}/sbin/jk_lsh rm -f ${prefix}/sbin/jk_chrootsh rm -f ${prefix}/bin/jk_uchroot rm -f ${prefix}/sbin/jk_procmailwrapper iniparsertester: iniparser.o iniparsertester.o jk_lib.o $(CC) $(DEFS) -o iniparsertester iniparsertester.o iniparser.o jk_lib.o $(LDFLAGS) $(LIBS) passwdparsertester: passwdparser.o passwdparsertester.o $(CC) $(DEFS) -o passwdparsertester passwdparsertester.o passwdparser.o $(LDFLAGS) $(LIBS) jailkit-2.21/src/passwdparser.h0000644000175000017500000000317010644525412016453 0ustar olivierolivier/* Copyright (c) 2003, 2004, 2005, 2006, 2007, Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef __PASSWDPARSER_H #define __PASSWDPARSER_H struct passwd *internal_getpwuid(char *filename, uid_t uid); #endif /* PASSWDPARSER */ jailkit-2.21/src/jk_chrootsh.c0000644000175000017500000004576212670500447016264 0ustar olivierolivier/* * the jailkit chroot() shell * this program does a safe chroot() and then executes the shell * that the user has within that new root (according to newroot/etc/passwd) * * I tried to merge some of the ideas from chrsh by Aaron D. Gifford, * start-stop-daemon from Marek Michalkiewicz and suexec by the Apache * group in this shell * Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2013, 2014, 2015, 2016 Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef HAVE_SYS_CAPABILITY_H #include #endif /* #define DEBUG */ #ifdef DEBUG #define DEBUG_MSG printf #else #define DEBUG_MSG(args...) /**/ #endif #define PROGRAMNAME "jk_chrootsh" #define CONFIGFILE INIPREFIX"/jk_chrootsh.ini" #include "jk_lib.h" #include "utils.h" #include "iniparser.h" #include "passwdparser.h" /* doesn't compile on FreeBSD without this */ extern char **environ; /* typedef struct { char *key; char *value; } Tsavedenv; static Tsavedenv *savedenv_new(const char *key) { Tsavedenv *savedenv; char *val = getenv(key); if (!val) return NULL; savedenv = malloc(sizeof(Tsavedenv)); savedenv->key = strdup(key); savedenv->value = strdup(val); return savedenv; } static void savedenv_restore(Tsavedenv *savedenv) { if (savedenv) { setenv(savedenv->key, savedenv->value, 1); DEBUG_MSG("restored %s=%s\n",savedenv->key, savedenv->value); } } static void savedenv_free(Tsavedenv *savedenv) { if (savedenv) { free(savedenv->key); free(savedenv->value); free(savedenv); } } */ static int in_array(char **haystack, char * needle, int needlelen) { if (haystack && needle) { char **tmp = haystack; while (*tmp) { if (strlen(*tmp)==needlelen && strncmp(*tmp, needle, needlelen)==0) return 1; tmp++; } } return 0; } static void unset_environ_except(char **except) { char **tmp = environ; if (environ == NULL || *tmp==NULL || except==NULL || *except==NULL) { clearenv(); return; } while (*tmp) { char* pos = strchr(*tmp, '='); if (pos == NULL) { /* invalid environment variable, are we being hacked? clear them all! */ clearenv(); return; } if (!in_array(except, *tmp, pos-*tmp)) { char *key = strndup(*tmp, pos-*tmp); unsetenv(key); free(key); tmp = environ; continue; } tmp++; } } static int have_capabilities(void) { #ifdef HAVE_CAP_GET_PROC cap_t caps = cap_get_proc(); if (caps) { cap_flag_value_t value_p; cap_get_flag(caps, CAP_SYS_CHROOT, CAP_EFFECTIVE,&value_p); cap_free(caps); return (value_p); } #endif /*HAVE_CAP_GET_PROC*/ return 0; } void signal_handler(int signum) { syslog(LOG_ERR, "abort, received signal %s (%d)", strsignal(signum),signum); exit(666); } int main (int argc, char **argv) { unsigned int i; unsigned int use_capabilities=0; int ret; char **newargv; char *user=NULL, *tmp=NULL; struct passwd *pw=NULL; struct group *gr=NULL; unsigned long ngroups_max=NGROUPS_MAX; unsigned long ngroups=0; gid_t *gids; struct passwd *intpw=NULL; /* for internal_getpwuid() */ char *jaildir=NULL, *newhome=NULL, *shell=NULL; Tiniparser *parser=NULL; char **envs=NULL; unsigned int relax_home_group_permissions=0; unsigned int relax_home_other_permissions=0; unsigned int relax_home_group=0; unsigned int relax_home_owner=0; unsigned int injail_login_shell=0; char *injail_shell=NULL; unsigned int skip_injail_passwd_check=0; DEBUG_MSG(PROGRAMNAME", started\n"); /* open the log facility */ openlog(PROGRAMNAME, LOG_PID, LOG_AUTH); /* attach signal handler */ signal(SIGILL,signal_handler); signal(SIGSEGV,signal_handler); signal(SIGTERM,signal_handler); signal(SIGFPE,signal_handler); /* check if it PRORAMNAME that the user wants */ tmp = strrchr(argv[0], '/'); if (!tmp) { tmp = argv[0]; } else { tmp++; } if (strcmp(tmp, PROGRAMNAME) != 0 && strcmp(tmp, "su")!= 0 && strcmp(tmp, "-su")!= 0 && strcmp(tmp, "-"PROGRAMNAME)!=0) { DEBUG_MSG("wrong name, tmp=%s, &tmp[1]=%s\n", tmp, &tmp[1]); syslog(LOG_ERR, "abort, "PROGRAMNAME" is called as %s", argv[0]); exit(1); } /* now test if we are setuid root (the effective user id must be 0, and the real user id > 0 */ if (geteuid() != 0) { if (have_capabilities()) { use_capabilities=1; } else { syslog(LOG_ERR, "abort, effective user ID is not 0, possibly "PROGRAMNAME" is not setuid root"); exit(11); } } if (getuid() == 0) { syslog(LOG_ERR, "abort, "PROGRAMNAME" is run by root, which does not make sense because user root can break out of a jail anyway"); exit(12); } DEBUG_MSG("get user info\n"); /* get user info based on the users name and not on the uid. this enables support for systems with multiple users with the same user id */ tmp = getenv("USER"); if (tmp && strlen(tmp)) { user = strdup(tmp); } if (user) { pw = getpwnam(user); } else { pw = getpwuid(getuid()); } if (!pw) { syslog(LOG_ERR, "abort, failed to get user information for user ID %u: %s, check /etc/passwd", getuid(), strerror(errno)); exit(13); } if (!pw->pw_name || strlen(pw->pw_name)==0) { syslog(LOG_ERR, "abort, got an empty username for user ID %u: %s, check /etc/passwd", getuid(), strerror(errno)); exit(13); } if (user && strcmp(user,pw->pw_name)!=0) { syslog(LOG_ERR, "abort, asked for user %s, got user info for %s", user, pw->pw_name); exit(13); } if (pw->pw_uid != getuid()) { syslog(LOG_ERR, "abort, started by user ID %u, got user info %s with user ID %d,", getuid(), pw->pw_name, pw->pw_uid); exit(13); } DEBUG_MSG("got user %s\nget group info\n",pw->pw_name); gr = getgrgid(getgid()); if (!gr) { syslog(LOG_ERR, "abort, failed to get group information for group ID %u: %s, check /etc/group", getgid(), strerror(errno)); exit(13); } DEBUG_MSG("get additional groups\n"); /* ngroups_max = sysconf(_SC_NGROUPS_MAX);*/ gids = malloc(ngroups_max * sizeof(gid_t)); ngroups = getgroups(ngroups_max,gids); if (ngroups == -1) { syslog(LOG_ERR, "abort, failed to get additional group information: %s, check /etc/group", strerror(errno)); exit(13); } #ifdef DEBUG printf("got additional groups "); for (i=0;igr_name)+7), "group "), gr->gr_name); if (iniparser_has_section(parser, pw->pw_name)) { section = strdup(pw->pw_name); } else if (iniparser_has_section(parser, groupsec)) { section = groupsec; } else if (iniparser_has_section(parser, "DEFAULT")) { section = strdup("DEFAULT"); } if (section != groupsec) free(groupsec); if (section) { unsigned int pos = iniparser_get_position(parser) - strlen(section) - 2; if (iniparser_get_string_at_position(parser, section, "env", pos, buffer, 1024) > 0) { envs = explode_string(buffer, ','); } relax_home_group_permissions = iniparser_get_int_at_position(parser, section, "relax_home_group_permissions", pos, 0); relax_home_other_permissions = iniparser_get_int_at_position(parser, section, "relax_home_other_permissions", pos, 0); relax_home_group = iniparser_get_int_at_position(parser, section, "relax_home_group", pos, 0); relax_home_owner = iniparser_get_int_at_position(parser, section, "relax_home_owner", pos, 0); if (iniparser_get_string_at_position(parser, section, "injail_shell", pos, buffer, 1024) > 0) { injail_shell = strdup(buffer); } if (injail_shell) { skip_injail_passwd_check = iniparser_get_int_at_position(parser, section, "skip_injail_passwd_check", pos, 0); } injail_login_shell = iniparser_get_int_at_position(parser, section, "injail_login_shell", pos, 0); DEBUG_MSG("section %s: relax_home_group_permissions=%d, relax_home_other_permissions=%d, relax_home_group=%d, injail_shell=%s, skip_injail_passwd_check=%d\n", section, relax_home_group_permissions, relax_home_other_permissions, relax_home_group, injail_shell, skip_injail_passwd_check); free(section); } else { DEBUG_MSG("no relevant section found in configfile\n"); } iniparser_close(parser); } else { DEBUG_MSG("no configfile "CONFIGFILE" ??\n"); } DEBUG_MSG("close filedescriptors\n"); /* open file descriptors can be used to break out of a chroot, so we close all of them, except for stdin,stdout and stderr */ #ifdef OPEN_MAX i = OPEN_MAX; #elif defined(NOFILE) i = NOFILE; #else i = getdtablesize(); #endif while (--i > 2) { /*printf("closing file descriptor %d\n",i);*/ while (close(i) != 0 && errno == EINTR); } /* now make sure file descriptors 0 1 and 2 are valid before we (or a child) starts writing to it */ while (1) { int fd; fd = open("/dev/null", O_RDWR); if (fd < 0) exit(10); if (fd > 2) { close(fd); break; } else { DEBUG_MSG("re-opening file descriptor %d\n",fd); } } /* now we clear the environment, except for values allowed in /etc/jailkit/jk_chrootsh.ini */ unset_environ_except(envs); if (envs) { free_array(envs); } if (pw->pw_gid != getgid()) { syslog(LOG_ERR, "abort, the group ID from /etc/passwd (%u) does not match the group ID we run with (%u)", pw->pw_gid, getgid()); exit(15); } if (!pw->pw_dir || strlen(pw->pw_dir) ==0) { syslog(LOG_ERR, "abort, got an empty home directory for user %s (%u)", pw->pw_name, getuid()); exit(16); } if (strstr(pw->pw_dir, "/./") == NULL) { syslog(LOG_ERR, "abort, homedir '%s' for user %s (%u) does not contain the jail separator /./", pw->pw_dir, pw->pw_name, getuid()); exit(17); } DEBUG_MSG("get jaildir\n"); if (!getjaildir(pw->pw_dir, &jaildir, &newhome)) { syslog(LOG_ERR, "abort, failed to read the jail and the home from %s for user %s (%u)",pw->pw_dir, pw->pw_name, getuid()); exit(17); } DEBUG_MSG("dir=%s,jaildir=%s,newhome=%s\n",pw->pw_dir, jaildir, newhome); DEBUG_MSG("get chdir()\n"); if (chdir(jaildir) != 0) { syslog(LOG_ERR, "abort, chdir(%s) failed: %s, check the permissions for %s",jaildir,strerror(errno),jaildir); exit(19); } else { char test[1024]; /* test if it really succeeded */ if (getcwd(test, 1024)==NULL || !dirs_equal(jaildir, test)) { syslog(LOG_ERR, "abort, the current dir is %s after chdir(%s), but it should be %s",test,jaildir,jaildir); exit(21); } } /* here do test the ownership of the jail and the homedir and such the function testsafepath doe exit itself on any failure */ if (!basicjailissafe(jaildir)) { syslog(LOG_ERR, "abort, %s is not a safe jail, check ownership and permissions.", jaildir); exit(53); } ret = testsafepath(pw->pw_dir, getuid(), getgid()); if ((ret & TESTPATH_NOREGPATH) ) { syslog(LOG_ERR, "abort, path %s is not a directory", pw->pw_dir); exit(53); } if (!relax_home_owner && (ret & TESTPATH_OWNER) ) { syslog(LOG_ERR, "abort, path %s is not owned by %u", pw->pw_dir,getuid()); exit(53); } if (!relax_home_group && (ret & TESTPATH_GROUP)) { syslog(LOG_ERR, "abort, path %s does not have group owner %u, set option 'relax_home_group' to relax this check", pw->pw_dir,getgid()); exit(53); } if (!relax_home_group_permissions && (ret & TESTPATH_GROUPW)) { syslog(LOG_ERR, "abort, path %s is group writable, set option 'relax_home_group_permissions' to relax this check", pw->pw_dir); exit(53); } if (!relax_home_other_permissions && (ret & TESTPATH_OTHERW)) { syslog(LOG_ERR, "abort, path %s is writable for other, set option 'relax_home_other_permissions' to relax this check", pw->pw_dir); exit(53); } /* do a final log message */ tmp = implode_array(&argv[1], argc-1, " "); syslog(LOG_INFO, "now entering jail %s for user %s (%u) with arguments %s", jaildir, pw->pw_name, getuid(), tmp); free(tmp); DEBUG_MSG("chroot()\n"); /* do the chroot() call */ if (chroot(jaildir)) { syslog(LOG_ERR, "abort, chroot(%s) failed: %s, check the permissions for %s", jaildir, strerror(errno), jaildir); exit(33); } if (use_capabilities) { #ifdef HAVE_CAP_GET_PROC cap_t caps; cap_value_t capv[1]; /* drop chroot capability, should we drop all other capabilities that may be used to escape from the jail too ? */ if ((caps = cap_get_proc()) == NULL) { syslog(LOG_ERR, "abort, failed to retrieve current capabilities: %s", strerror(errno)); exit(101); } capv[0] = CAP_SYS_CHROOT; /* other capabilities that should/could be dropped: CAP_SETPCAP, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_PTRACE, CAP_SYS_ADMIN */ if (cap_set_flag(caps, CAP_PERMITTED, 1, capv, CAP_CLEAR)) { syslog(LOG_ERR, "abort, failed to set PERMITTED capabilities: %s", strerror(errno)); exit(102); } if (cap_set_flag(caps, CAP_EFFECTIVE, 1, capv, CAP_CLEAR)) { syslog(LOG_ERR, "abort, failed to set effective capabilities: %s", strerror(errno)); exit(103); } if (cap_set_flag(caps, CAP_INHERITABLE, 1, capv, CAP_CLEAR)) { syslog(LOG_ERR, "abort, failed to set INHERITABLE capabilities: %s", strerror(errno)); exit(104); } if (cap_set_proc(caps)) { syslog(LOG_ERR, "abort, failed to apply new capabilities: %s", strerror(errno)); exit(105); } #else /* we should never get here */ exit(333); #endif } else { /* drop all privileges, it seems that we first have to setgid(), then we have to call initgroups(), then we call setuid() */ if (setgid(getgid())) { syslog(LOG_ERR, "abort, failed to set effective group ID %u: %s", getgid(), strerror(errno)); exit(34); } if (setgroups(ngroups, gids)==-1) { syslog(LOG_ERR, "abort, failed to set additional groups: %s", strerror(errno)); exit(35); } free(gids); /* if (initgroups(pw->pw_name, getgid())) { syslog(LOG_ERR, "abort, failed to init groups for user %s (%d), check %s/etc/group", pw->pw_name,getuid(),jaildir); exit(35); }*/ if (setuid(getuid())) { syslog(LOG_ERR, "abort, failed to set effective user ID %u: %s", getuid(), strerror(errno)); exit(36); } } /* test for user and group info, is it the same? checks username, groupname and home */ if (!skip_injail_passwd_check){ char *oldpw_name,*oldgr_name; oldpw_name = strdup(pw->pw_name); oldgr_name = strdup(gr->gr_name); if (user) { pw = getpwnam(user); } else { pw = getpwuid(getuid()); } if (!pw) { syslog(LOG_ERR, "abort, failed to get user information in the jail for user ID %u: %s, check %s/etc/passwd",getuid(),strerror(errno),jaildir); exit(35); } if (pw->pw_uid != getuid()) { syslog(LOG_ERR, "abort, got user information in the jail for user ID %u instead of user ID %u, check %s/etc/passwd",pw->pw_uid,getuid(),jaildir); exit(35); } DEBUG_MSG("got %s as pw_dir\n",pw->pw_dir); gr = getgrgid(getgid()); if (!gr) { syslog(LOG_ERR, "abort, failed to get group information in the jail for group ID %u: %s, check %s/etc/group",getgid(),strerror(errno),jaildir); exit(35); } if (strcmp(pw->pw_name, oldpw_name)!=0) { syslog(LOG_ERR, "abort, username %s differs from jail username %s for user ID %u, check /etc/passwd and %s/etc/passwd", oldpw_name, pw->pw_name, getuid(), jaildir); exit(37); } if (strcmp(gr->gr_name, oldgr_name)!=0) { syslog(LOG_ERR, "abort, groupname %s differs from jail groupname %s for group ID %u, check /etc/passwd and %s/etc/passwd", oldgr_name, gr->gr_name, getgid(), jaildir); exit(37); } if (strcmp(pw->pw_dir, newhome)!=0) { DEBUG_MSG("%s!=%s\n",pw->pw_dir, newhome); /* if these are different, it could be that getpwuid() gets the real user info (from for example ldap or nscd), and not the info inside the jail, lets test that, and if true, we should use the shell from the internal function as well*/ intpw = internal_getpwuid("/etc/passwd", getuid()); if (!intpw) { DEBUG_MSG("%s!=%s\n",intpw->pw_dir, newhome); syslog(LOG_ERR, "abort, failed to find user %u in %s/etc/passwd", getuid(), jaildir); exit(39); } if (!dirs_equal(intpw->pw_dir, newhome)) { DEBUG_MSG("%s!=%s\n",intpw->pw_dir, newhome); syslog(LOG_ERR, "abort, home directory %s differs from jail home directory %s for user %s (%u), check /etc/passwd and %s/etc/passwd", newhome, pw->pw_dir, pw->pw_name, getuid(), jaildir); exit(39); } } free(oldpw_name); free(oldgr_name); } if (injail_shell) { shell = injail_shell; } else if (intpw) { shell = intpw->pw_shell; } else { shell = pw->pw_shell; } /* test the shell in the jail, it is not allowed to be setuid() root */ testsafepath(shell,0,0); /* prepare the new environment */ setenv("HOME",newhome,1); setenv("USER",pw->pw_name,1); setenv("USERNAME",pw->pw_name,1); setenv("SHELL",shell,1); if (chdir(newhome) != 0) { syslog(LOG_ERR, "abort, chdir(%s) failed inside the jail %s: %s, check the permissions for %s/%s",newhome,jaildir,strerror(errno),jaildir,newhome); exit(41); } /* cleanup before execution */ free(newhome); /* now execute the jailed shell */ if (injail_login_shell) { argc = 2; newargv = malloc0((argc+1)*sizeof(char *)); newargv[0] = shell; newargv[1] = "--login"; } else { newargv = malloc0((argc+1)*sizeof(char *)); newargv[0] = shell; for (i=1;ipw_name,getuid(),jaildir,shell); free(jaildir); exit(111); } jailkit-2.21/src/utils.h0000644000175000017500000000127410714436377015111 0ustar olivierolivier#ifndef __UTILS_H #define __UTILS_H #include "config.h" #ifndef HAVE_MALLOC0 #define malloc0(size) memset(malloc(size),0,size) #define HAVE_MALLOC0 #endif /* HAVE_MALLOC0 */ #ifndef HAVE_STRNDUP char *strndup(const char *s, size_t n); #endif #ifndef HAVE_STRNLEN size_t strnlen(const char *s, size_t n); #endif #ifndef HAVE_WORDEXP #ifndef HAVE_MEMPCPY void *mempcpy(void *dest, const void *src, size_t n); #endif #ifndef HAVE_STPCPY char *stpcpy(char *dest, const char *src); #endif #endif /* HAVE_WORDEXP */ char *return_malloced_getwd(void); #ifndef HAVE_CLEARENV int clearenv(void); #endif #ifndef HAVE_GET_CURRENT_DIR_NAME char *get_current_dir_name(void); #endif #endif /* __UTILS_H */ jailkit-2.21/src/wordexp.c0000644000175000017500000013260010473374511015423 0ustar olivierolivier/* POSIX.2 wordexp implementation. Copyright (C) 1997, 1998, 1999 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Tim Waugh . Changes to make this compile on older *BSD platforms that do not have wordexp() in their libc (C) 2004, 2005, 2006 Olivier Sessink The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with the GNU C Library; see the file COPYING.LIB. If not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #include "config.h" #ifndef HAVE_WORDEXP #include "wordexp.h" #include #include #include #include #include /* memcpy */ #include #include #include #include #include #include #include #include #include #include #include #include #include extern char **environ; #include "utils.h" /* strndup */ /* #include */ /* Undefine the following line for the production version. */ /* #define NDEBUG 1 */ #include /* * This is a recursive-descent-style word expansion routine. */ /* These variables are defined and initialized in the startup code. */ extern int libc_argc; extern char **libc_argv; /* Some forward declarations */ static int parse_dollars(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white, int quoted); static int parse_backtick(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white); static int parse_dquote(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white); static int eval_expr(char *expr, long int *result); /* The w_*() functions manipulate word lists. */ #define W_CHUNK (100) /* Result of w_newword will be ignored if it's the last word. */ static inline char *w_newword(size_t * actlen, size_t * maxlen) { *actlen = *maxlen = 0; return NULL; } static inline char *w_addchar(char *buffer, size_t * actlen, size_t * maxlen, char ch) /* (lengths exclude trailing zero) */ { /* Add a character to the buffer, allocating room for it if needed. */ if (*actlen == *maxlen) { char *old_buffer = buffer; assert(buffer == NULL || *maxlen != 0); *maxlen += W_CHUNK; buffer = realloc(buffer, 1 + *maxlen); if (buffer == NULL) free(old_buffer); } if (buffer != NULL) { buffer[*actlen] = ch; buffer[++(*actlen)] = '\0'; } return buffer; } static char *w_addmem(char *buffer, size_t * actlen, size_t * maxlen, const char *str, size_t len) { /* Add a string to the buffer, allocating room for it if needed. */ if (*actlen + len > *maxlen) { char *old_buffer = buffer; assert(buffer == NULL || *maxlen != 0); *maxlen += MAX(2 * len, W_CHUNK); buffer = realloc(old_buffer, 1 + *maxlen); if (buffer == NULL) free(old_buffer); } if (buffer != NULL) { *((char *) mempcpy(&buffer[*actlen], str, len)) = '\0'; *actlen += len; } return buffer; } static char *w_addstr(char *buffer, size_t * actlen, size_t * maxlen, const char *str) /* (lengths exclude trailing zero) */ { /* Add a string to the buffer, allocating room for it if needed. */ size_t len; assert(str != NULL); /* w_addstr only called from this file */ len = strlen(str); return w_addmem(buffer, actlen, maxlen, str, len); } static int w_addword(wordexp_t * pwordexp, char *word) { /* Add a word to the wordlist */ size_t num_p; char **new_wordv; /* Internally, NULL acts like "". Convert NULLs to "" before * the caller sees them. */ if (word == NULL) { word = strdup(""); if (word == NULL) goto no_space; } num_p = 2 + pwordexp->we_wordc + pwordexp->we_offs; new_wordv = realloc(pwordexp->we_wordv, sizeof(char *) * num_p); if (new_wordv != NULL) { pwordexp->we_wordv = new_wordv; pwordexp->we_wordv[pwordexp->we_wordc++] = word; pwordexp->we_wordv[pwordexp->we_wordc] = NULL; return 0; } no_space: return WRDE_NOSPACE; } /* The parse_*() functions should leave *offset being the offset in 'words' * to the last character processed. */ static int parse_backslash(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset) { /* We are poised _at_ a backslash, not in quotes */ switch (words[1 + *offset]) { case 0: /* Backslash is last character of input words */ return WRDE_SYNTAX; case '\n': ++(*offset); break; default: *word = w_addchar(*word, word_length, max_length, words[1 + *offset]); if (*word == NULL) return WRDE_NOSPACE; ++(*offset); break; } return 0; } static int parse_qtd_backslash(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset) { /* We are poised _at_ a backslash, inside quotes */ switch (words[1 + *offset]) { case 0: /* Backslash is last character of input words */ return WRDE_SYNTAX; case '\n': ++(*offset); break; case '$': case '`': case '"': case '\\': *word = w_addchar(*word, word_length, max_length, words[1 + *offset]); if (*word == NULL) return WRDE_NOSPACE; ++(*offset); break; default: *word = w_addchar(*word, word_length, max_length, words[*offset]); if (*word != NULL) *word = w_addchar(*word, word_length, max_length, words[1 + *offset]); if (*word == NULL) return WRDE_NOSPACE; ++(*offset); break; } return 0; } static int parse_tilde(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, size_t wordc) { /* We are poised _at_ a tilde */ size_t i; if (*word_length != 0) { if (!((*word)[*word_length - 1] == '=' && wordc == 0)) { if (!((*word)[*word_length - 1] == ':' && strchr(*word, '=') && wordc == 0)) { *word = w_addchar(*word, word_length, max_length, '~'); return *word ? 0 : WRDE_NOSPACE; } } } for (i = 1 + *offset; words[i]; i++) { if (words[i] == ':' || words[i] == '/' || words[i] == ' ' || words[i] == '\t' || words[i] == 0) break; if (words[i] == '\\') { *word = w_addchar(*word, word_length, max_length, '~'); return *word ? 0 : WRDE_NOSPACE; } } if (i == 1 + *offset) { /* Tilde appears on its own */ uid_t uid; struct passwd *tpwd; uid = getuid(); /* while ((result = getpwuid_r(uid, &pwd, buffer, buflen, &tpwd)) != 0 && errno == ERANGE) { buflen += 1000; buffer = alloca(buflen); }*/ tpwd = getpwuid(uid); if (tpwd != NULL && tpwd->pw_dir != NULL) { *word = w_addstr(*word, word_length, max_length, tpwd->pw_dir); if (*word == NULL) return WRDE_NOSPACE; } else { *word = w_addchar(*word, word_length, max_length, '~'); if (*word == NULL) return WRDE_NOSPACE; } } else { /* Look up user name in database to get home directory */ char *user = strndup(&words[1 + *offset], i - *offset-1); struct passwd *tpwd; /* printf("looking for user '%s'\n",user);*/ tpwd = getpwnam(user); if (tpwd != NULL && tpwd->pw_dir) *word = w_addstr(*word, word_length, max_length, tpwd->pw_dir); else { /* (invalid login name) */ *word = w_addchar(*word, word_length, max_length, '~'); if (*word != NULL) *word = w_addstr(*word, word_length, max_length, user); } *offset = i - 1; } return *word ? 0 : WRDE_NOSPACE; } static int do_parse_glob(const char *glob_word, char **word, size_t * word_length, size_t * max_length, wordexp_t * pwordexp, const char *ifs, const char *ifs_white) { int error; int match; glob_t globbuf; error = glob(glob_word, GLOB_NOCHECK, NULL, &globbuf); if (error != 0) { /* We can only run into memory problems. */ assert(error == GLOB_NOSPACE); return WRDE_NOSPACE; } if (ifs && !*ifs) { /* No field splitting allowed. */ assert(globbuf.gl_pathv[0] != NULL); *word = w_addstr(*word, word_length, max_length, globbuf.gl_pathv[0]); for (match = 1; match < globbuf.gl_pathc && *word != NULL; ++match) { *word = w_addchar(*word, word_length, max_length, ' '); if (*word != NULL) *word = w_addstr(*word, word_length, max_length, globbuf.gl_pathv[match]); } globfree(&globbuf); return *word ? 0 : WRDE_NOSPACE; } assert(ifs == NULL || *ifs != '\0'); if (*word != NULL) { free(*word); *word = w_newword(word_length, max_length); } for (match = 0; match < globbuf.gl_pathc; ++match) { char *matching_word = strdup(globbuf.gl_pathv[match]); if (matching_word == NULL || w_addword(pwordexp, matching_word)) { globfree(&globbuf); return WRDE_NOSPACE; } } globfree(&globbuf); return 0; } static int parse_glob(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white) { /* We are poised just after a '*', a '[' or a '?'. */ int error = WRDE_NOSPACE; int quoted = 0; /* 1 if singly-quoted, 2 if doubly */ int i; wordexp_t glob_list; /* List of words to glob */ glob_list.we_wordc = 0; glob_list.we_wordv = NULL; glob_list.we_offs = 0; for (; words[*offset] != '\0'; ++*offset) { if ((ifs && strchr(ifs, words[*offset])) || (!ifs && strchr(" \t\n", words[*offset]))) /* Reached IFS */ break; /* Sort out quoting */ if (words[*offset] == '\'') { if (quoted == 0) { quoted = 1; continue; } else if (quoted == 1) { quoted = 0; continue; } } else if (words[*offset] == '"') { if (quoted == 0) { quoted = 2; continue; } else if (quoted == 2) { quoted = 0; continue; } } /* Sort out other special characters */ if (quoted != 1 && words[*offset] == '$') { error = parse_dollars(word, word_length, max_length, words, offset, flags, &glob_list, ifs, ifs_white, quoted == 2); if (error) goto tidy_up; continue; } else if (words[*offset] == '\\') { if (quoted) error = parse_qtd_backslash(word, word_length, max_length, words, offset); else error = parse_backslash(word, word_length, max_length, words, offset); if (error) goto tidy_up; continue; } *word = w_addchar(*word, word_length, max_length, words[*offset]); if (*word == NULL) goto tidy_up; } /* Don't forget to re-parse the character we stopped at. */ --*offset; /* Glob the words */ error = w_addword(&glob_list, *word); *word = w_newword(word_length, max_length); for (i = 0; error == 0 && i < glob_list.we_wordc; i++) error = do_parse_glob(glob_list.we_wordv[i], word, word_length, max_length, pwordexp, ifs, ifs_white); /* Now tidy up */ tidy_up: wordfree(&glob_list); return error; } static int parse_squote(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset) { /* We are poised just after a single quote */ for (; words[*offset]; ++(*offset)) { if (words[*offset] != '\'') { *word = w_addchar(*word, word_length, max_length, words[*offset]); if (*word == NULL) return WRDE_NOSPACE; } else return 0; } /* Unterminated string */ return WRDE_SYNTAX; } /* Functions to evaluate an arithmetic expression */ static int eval_expr_val(char **expr, long int *result) { int sgn = +1; char *digit; /* Skip white space */ for (digit = *expr; digit && *digit && isspace(*digit); ++digit); switch (*digit) { case '(': /* Scan for closing paren */ for (++digit; **expr && **expr != ')'; ++(*expr)); /* Is there one? */ if (!**expr) return WRDE_SYNTAX; *(*expr)++ = 0; if (eval_expr(digit, result)) return WRDE_SYNTAX; return 0; case '+': /* Positive value */ ++digit; break; case '-': /* Negative value */ ++digit; sgn = -1; break; default: if (!isdigit(*digit)) return WRDE_SYNTAX; } *result = 0; for (; *digit && isdigit(*digit); ++digit) *result = (*result * 10) + (*digit - '0'); *expr = digit; *result *= sgn; return 0; } static int eval_expr_multdiv(char **expr, long int *result) { long int arg; /* Read a Value */ if (eval_expr_val(expr, result) != 0) return WRDE_SYNTAX; while (**expr) { /* Skip white space */ for (; *expr && **expr && isspace(**expr); ++(*expr)); if (**expr == '*') { ++(*expr); if (eval_expr_val(expr, &arg) != 0) return WRDE_SYNTAX; *result *= arg; } else if (**expr == '/') { ++(*expr); if (eval_expr_val(expr, &arg) != 0) return WRDE_SYNTAX; *result /= arg; } else break; } return 0; } static int eval_expr(char *expr, long int *result) { long int arg; /* Read a Multdiv */ if (eval_expr_multdiv(&expr, result) != 0) return WRDE_SYNTAX; while (*expr) { /* Skip white space */ for (; expr && *expr && isspace(*expr); ++expr); if (*expr == '+') { ++expr; if (eval_expr_multdiv(&expr, &arg) != 0) return WRDE_SYNTAX; *result += arg; } else if (*expr == '-') { ++expr; if (eval_expr_multdiv(&expr, &arg) != 0) return WRDE_SYNTAX; *result -= arg; } else break; } return 0; } char *my_itoa(long long int convertme, char* buffer, int len) { snprintf(buffer, len, "%lld", convertme); return buffer; } static int parse_arith(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, int bracket) { /* We are poised just after "$((" or "$[" */ int error; int paren_depth = 1; size_t expr_length; size_t expr_maxlen; char *expr; expr = w_newword(&expr_length, &expr_maxlen); for (; words[*offset]; ++(*offset)) { switch (words[*offset]) { case '$': error = parse_dollars(&expr, &expr_length, &expr_maxlen, words, offset, flags, NULL, NULL, NULL, 1); /* The ``1'' here is to tell parse_dollars not to * split the fields. */ if (error) { free(expr); return error; } break; case '`': (*offset)++; error = parse_backtick(&expr, &expr_length, &expr_maxlen, words, offset, flags, NULL, NULL, NULL); /* The first NULL here is to tell parse_backtick not to * split the fields. */ if (error) { free(expr); return error; } break; case '\\': error = parse_qtd_backslash(&expr, &expr_length, &expr_maxlen, words, offset); if (error) { free(expr); return error; } /* I think that a backslash within an * arithmetic expansion is bound to * cause an error sooner or later anyway though. */ break; case ')': if (--paren_depth == 0) { char result[21]; /* 21 = ceil(log10(2^64)) + 1 */ long int numresult = 0; long long int convertme; if (bracket || words[1 + *offset] != ')') { free(expr); return WRDE_SYNTAX; } ++(*offset); /* Go - evaluate. */ if (*expr && eval_expr(expr, &numresult) != 0) { free(expr); return WRDE_SYNTAX; } if (numresult < 0) { convertme = -numresult; *word = w_addchar(*word, word_length, max_length, '-'); if (!*word) { free(expr); return WRDE_NOSPACE; } } else convertme = numresult; result[20] = '\0'; *word = w_addstr(*word, word_length, max_length, my_itoa(convertme,result,20)); free(expr); return *word ? 0 : WRDE_NOSPACE; } expr = w_addchar(expr, &expr_length, &expr_maxlen, words[*offset]); if (expr == NULL) return WRDE_NOSPACE; break; case ']': if (bracket && paren_depth == 1) { char result[21]; /* 21 = ceil(log10(2^64)) + 1 */ long int numresult = 0; /* Go - evaluate. */ if (*expr && eval_expr(expr, &numresult) != 0) { free(expr); return WRDE_SYNTAX; } result[20] = '\0'; *word = w_addstr(*word, word_length, max_length, my_itoa(numresult, result, 20)); free(expr); return *word ? 0 : WRDE_NOSPACE; } free(expr); return WRDE_SYNTAX; case '\n': case ';': case '{': case '}': free(expr); return WRDE_BADCHAR; case '(': ++paren_depth; default: expr = w_addchar(expr, &expr_length, &expr_maxlen, words[*offset]); if (expr == NULL) return WRDE_NOSPACE; } } /* Premature end */ free(expr); return WRDE_SYNTAX; } /* Function to execute a command and retrieve the results */ /* pwordexp contains NULL if field-splitting is forbidden */ static int exec_comm(char *comm, char **word, size_t * word_length, size_t * max_length, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white) { int fildes[2]; int bufsize = 128; int buflen; int i; char *buffer; pid_t pid; /* Don't fork() unless necessary */ if (!comm || !*comm) return 0; if (pipe(fildes)) /* Bad */ return WRDE_NOSPACE; if ((pid = fork()) < 0) { /* Bad */ close(fildes[0]); close(fildes[1]); return WRDE_NOSPACE; } if (pid == 0) { /* Child */ const char *args[4] = { _PATH_BSHELL, "-c", comm, NULL }; /* Redirect output. */ dup2(fildes[1], 1); close(fildes[1]); /* Redirect stderr to /dev/null if we have to. */ if ((flags & WRDE_SHOWERR) == 0) { int fd; close(2); fd = open(_PATH_DEVNULL, O_WRONLY); if (fd >= 0 && fd != 2) { dup2(fd, 2); close(fd); } } /* Make sure the subshell doesn't field-split on our behalf. */ unsetenv("IFS"); close(fildes[0]); execve(_PATH_BSHELL, (char *const *) args, environ); /* Bad. What now? */ abort(); } /* Parent */ close(fildes[1]); buffer = alloca(bufsize); if (!pwordexp) { /* Quoted - no field splitting */ while (1) { if ((buflen = read(fildes[0], buffer, bufsize)) < 1) { if (waitpid(pid, NULL, WNOHANG) == 0) continue; if ((buflen = read(fildes[0], buffer, bufsize)) < 1) break; } *word = w_addmem(*word, word_length, max_length, buffer, buflen); if (*word == NULL) goto no_space; } } else /* Not quoted - split fields */ { int copying = 0; /* 'copying' is: * 0 when searching for first character in a field not IFS white space * 1 when copying the text of a field * 2 when searching for possible non-whitespace IFS */ while (1) { if ((buflen = read(fildes[0], buffer, bufsize)) < 1) { if (waitpid(pid, NULL, WNOHANG) == 0) continue; if ((read(fildes[0], buffer, bufsize)) < 1) break; } for (i = 0; i < buflen; ++i) { if (strchr(ifs, buffer[i]) != NULL) { /* Current character is IFS */ if (strchr(ifs_white, buffer[i]) == NULL) { /* Current character is IFS but not whitespace */ if (copying == 2) { /* current character * | * V * eg: textmoretext * * So, strip whitespace IFS (like at the start) */ copying = 0; continue; } copying = 0; /* fall through and delimit field.. */ } else { /* Current character is IFS white space */ /* If not copying a field, ignore it */ if (copying != 1) continue; /* End of field (search for non-ws IFS afterwards) */ copying = 2; } /* First IFS white space, or IFS non-whitespace. * Delimit the field. Nulls are converted by w_addword. */ if (w_addword(pwordexp, *word) == WRDE_NOSPACE) goto no_space; *word = w_newword(word_length, max_length); /* fall back round the loop.. */ } else { /* Not IFS character */ copying = 1; *word = w_addchar(*word, word_length, max_length, buffer[i]); if (*word == NULL) goto no_space; } } } } /* Bash chops off trailing newlines, which seems sensible. */ while (*word_length > 0 && (*word)[*word_length - 1] == '\n') { (*word)[--*word_length] = '\0'; /* If the last word was entirely newlines, turn it into a new word * which can be ignored if there's nothing following it. */ if (*word_length == 0) { free(*word); *word = w_newword(word_length, max_length); break; } } close(fildes[0]); return 0; no_space: kill(pid, SIGKILL); waitpid(pid, NULL, 0); close(fildes[0]); return WRDE_NOSPACE; } static int parse_comm(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white) { /* We are poised just after "$(" */ int paren_depth = 1; int error = 0; int quoted = 0; /* 1 for singly-quoted, 2 for doubly-quoted */ size_t comm_length; size_t comm_maxlen; char *comm = w_newword(&comm_length, &comm_maxlen); for (; words[*offset]; ++(*offset)) { switch (words[*offset]) { case '\'': if (quoted == 0) quoted = 1; else if (quoted == 1) quoted = 0; break; case '"': if (quoted == 0) quoted = 2; else if (quoted == 2) quoted = 0; break; case ')': if (!quoted && --paren_depth == 0) { /* Go -- give script to the shell */ if (comm) { error = exec_comm(comm, word, word_length, max_length, flags, pwordexp, ifs, ifs_white); free(comm); } return error; } /* This is just part of the script */ break; case '(': if (!quoted) ++paren_depth; } comm = w_addchar(comm, &comm_length, &comm_maxlen, words[*offset]); if (comm == NULL) return WRDE_NOSPACE; } /* Premature end */ if (comm) free(comm); return WRDE_SYNTAX; } static int parse_param(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white, int quoted) { /* We are poised just after "$" */ enum action { ACT_NONE, ACT_RP_SHORT_LEFT = '#', ACT_RP_LONG_LEFT = 'L', ACT_RP_SHORT_RIGHT = '%', ACT_RP_LONG_RIGHT = 'R', ACT_NULL_ERROR = '?', ACT_NULL_SUBST = '-', ACT_NONNULL_SUBST = '+', ACT_NULL_ASSIGN = '=' }; size_t env_length; size_t env_maxlen; size_t pat_length; size_t pat_maxlen; size_t start = *offset; char *env; char *pattern; char *value = NULL; enum action action = ACT_NONE; int depth = 0; int colon_seen = 0; int seen_hash = 0; int free_value = 0; int pattern_is_quoted = 0; /* 1 for singly-quoted, 2 for doubly-quoted */ int error; int special = 0; char buffer[21]; int brace = words[*offset] == '{'; env = w_newword(&env_length, &env_maxlen); pattern = w_newword(&pat_length, &pat_maxlen); if (brace) ++ * offset; /* First collect the parameter name. */ if (words[*offset] == '#') { seen_hash = 1; if (!brace) goto envsubst; ++*offset; } if (isalpha(words[*offset]) || words[*offset] == '_') { /* Normal parameter name. */ do { env = w_addchar(env, &env_length, &env_maxlen, words[*offset]); if (env == NULL) goto no_space; } while (isalnum(words[++*offset]) || words[*offset] == '_'); } else if (isdigit(words[*offset])) { /* Numeric parameter name. */ special = 1; do { env = w_addchar(env, &env_length, &env_maxlen, words[*offset]); if (env == NULL) goto no_space; if (!brace) goto envsubst; } while (isdigit(words[++*offset])); } else if (strchr("*@$", words[*offset]) != NULL) { /* Special parameter. */ special = 1; env = w_addchar(env, &env_length, &env_maxlen, words[*offset]); if (env == NULL) goto no_space; ++*offset; } else { if (brace) goto syntax; } if (brace) { /* Check for special action to be applied to the value. */ switch (words[*offset]) { case '}': /* Evaluate. */ goto envsubst; case '#': action = ACT_RP_SHORT_LEFT; if (words[1 + *offset] == '#') { ++*offset; action = ACT_RP_LONG_LEFT; } break; case '%': action = ACT_RP_SHORT_RIGHT; if (words[1 + *offset] == '%') { ++*offset; action = ACT_RP_LONG_RIGHT; } break; case ':': if (strchr("-=?+", words[1 + *offset]) == NULL) goto syntax; colon_seen = 1; action = words[++*offset]; break; case '-': case '=': case '?': case '+': action = words[*offset]; break; default: goto syntax; } /* Now collect the pattern, but don't expand it yet. */ ++*offset; for (; words[*offset]; ++(*offset)) { switch (words[*offset]) { case '{': if (!pattern_is_quoted) ++depth; break; case '}': if (!pattern_is_quoted) { if (depth == 0) goto envsubst; --depth; } break; case '\\': if (pattern_is_quoted) /* Quoted; treat as normal character. */ break; /* Otherwise, it's an escape: next character is literal. */ if (words[++*offset] == '\0') goto syntax; pattern = w_addchar(pattern, &pat_length, &pat_maxlen, '\\'); if (pattern == NULL) goto no_space; break; case '\'': if (pattern_is_quoted == 0) pattern_is_quoted = 1; else if (pattern_is_quoted == 1) pattern_is_quoted = 0; break; case '"': if (pattern_is_quoted == 0) pattern_is_quoted = 2; else if (pattern_is_quoted == 2) pattern_is_quoted = 0; break; } pattern = w_addchar(pattern, &pat_length, &pat_maxlen, words[*offset]); if (pattern == NULL) goto no_space; } } /* End of input string -- remember to reparse the character that we * stopped at. */ --(*offset); envsubst: if (words[start] == '{' && words[*offset] != '}') goto syntax; if (env == NULL) { if (seen_hash) { /* $# expands to the number of positional parameters */ buffer[20] = '\0'; value = my_itoa(libc_argc - 1, buffer, 20); seen_hash = 0; } else { /* Just $ on its own */ *offset = start - 1; *word = w_addchar(*word, word_length, max_length, '$'); return *word ? 0 : WRDE_NOSPACE; } } /* Is it a numeric parameter? */ else if (isdigit(env[0])) { int n = atoi(env); if (n >= libc_argc) /* Substitute NULL. */ value = NULL; else /* Replace with appropriate positional parameter. */ value = libc_argv[n]; } /* Is it a special parameter? */ else if (special) { /* Is it `$$'? */ if (*env == '$') { buffer[20] = '\0'; value = my_itoa(getpid(), buffer, 20); } /* Is it `${#*}' or `${#@}'? */ else if ((*env == '*' || *env == '@') && seen_hash) { buffer[20] = '\0'; value = my_itoa(libc_argc > 0 ? libc_argc - 1 : 0, buffer, 20); *word = w_addstr(*word, word_length, max_length, value); free(env); if (pattern) free(pattern); return *word ? 0 : WRDE_NOSPACE; } /* Is it `$*' or `$@' (unquoted) ? */ else if (*env == '*' || (*env == '@' && !quoted)) { size_t plist_len = 0; int p; char *end; /* Build up value parameter by parameter (copy them) */ for (p = 1; libc_argv[p]; ++p) plist_len += strlen(libc_argv[p]) + 1; /* for space */ value = malloc(plist_len); if (value == NULL) goto no_space; end = value; *end = 0; for (p = 1; libc_argv[p]; ++p) { if (p > 1) *end++ = ' '; end = stpcpy(end, libc_argv[p]); } free_value = 1; } else { /* Must be a quoted `$@' */ assert(*env == '@' && quoted); /* Each parameter is a separate word ("$@") */ if (libc_argc == 2) value = libc_argv[1]; else if (libc_argc > 2) { int p; /* Append first parameter to current word. */ value = w_addstr(*word, word_length, max_length, libc_argv[1]); if (value == NULL || w_addword(pwordexp, value)) goto no_space; for (p = 2; libc_argv[p + 1]; p++) { char *newword = strdup(libc_argv[p]); if (newword == NULL || w_addword(pwordexp, newword)) goto no_space; } /* Start a new word with the last parameter. */ *word = w_newword(word_length, max_length); value = libc_argv[p]; } else { free(env); free(pattern); return 0; } } } else value = getenv(env); if (value == NULL && (flags & WRDE_UNDEF)) { /* Variable not defined. */ error = WRDE_BADVAL; goto do_error; } if (action != ACT_NONE) { int expand_pattern = 0; /* First, find out if we need to expand pattern (i.e. if we will * use it). */ switch (action) { case ACT_RP_SHORT_LEFT: case ACT_RP_LONG_LEFT: case ACT_RP_SHORT_RIGHT: case ACT_RP_LONG_RIGHT: /* Always expand for these. */ expand_pattern = 1; break; case ACT_NULL_ERROR: case ACT_NULL_SUBST: case ACT_NULL_ASSIGN: if (!value || (!*value && colon_seen)) /* If param is unset, or set but null and a colon has been seen, the expansion of the pattern will be needed. */ expand_pattern = 1; break; case ACT_NONNULL_SUBST: /* Expansion of word will be needed if parameter is set and not null, or set null but no colon has been seen. */ if (value && (*value || !colon_seen)) expand_pattern = 1; break; default: assert(!"Unrecognised action!"); } if (expand_pattern) { /* We need to perform tilde expansion, parameter expansion, command substitution, and arithmetic expansion. We also have to be a bit careful with wildcard characters, as pattern might be given to fnmatch soon. To do this, we convert quotes to escapes. */ char *expanded; size_t exp_len; size_t exp_maxl; char *p; int quoted = 0; /* 1: single quotes; 2: double */ expanded = w_newword(&exp_len, &exp_maxl); for (p = pattern; p && *p; p++) { size_t offset; switch (*p) { case '"': if (quoted == 2) quoted = 0; else if (quoted == 0) quoted = 2; else break; continue; case '\'': if (quoted == 1) quoted = 0; else if (quoted == 0) quoted = 1; else break; continue; case '*': case '?': if (quoted) { /* Convert quoted wildchar to escaped wildchar. */ expanded = w_addchar(expanded, &exp_len, &exp_maxl, '\\'); if (expanded == NULL) goto no_space; } break; case '$': offset = 0; error = parse_dollars(&expanded, &exp_len, &exp_maxl, p, &offset, flags, NULL, NULL, NULL, 1); if (error) { if (free_value) free(value); if (expanded) free(expanded); goto do_error; } p += offset; continue; case '~': if (quoted || exp_len) break; offset = 0; error = parse_tilde(&expanded, &exp_len, &exp_maxl, p, &offset, 0); if (error) { if (free_value) free(value); if (expanded) free(expanded); goto do_error; } p += offset; continue; case '\\': expanded = w_addchar(expanded, &exp_len, &exp_maxl, '\\'); ++p; assert(*p); /* checked when extracted initially */ if (expanded == NULL) goto no_space; } expanded = w_addchar(expanded, &exp_len, &exp_maxl, *p); if (expanded == NULL) goto no_space; } if (pattern) free(pattern); pattern = expanded; } switch (action) { case ACT_RP_SHORT_LEFT: case ACT_RP_LONG_LEFT: case ACT_RP_SHORT_RIGHT: case ACT_RP_LONG_RIGHT: { char *p; char c; char *end; if (value == NULL || pattern == NULL || *pattern == '\0') break; end = value + strlen(value); switch (action) { case ACT_RP_SHORT_LEFT: for (p = value; p <= end; ++p) { c = *p; *p = '\0'; if (fnmatch(pattern, value, 0) != FNM_NOMATCH) { *p = c; if (free_value) { char *newval = strdup(p); if (newval == NULL) { free(value); goto no_space; } free(value); value = newval; } else value = p; break; } *p = c; } break; case ACT_RP_LONG_LEFT: for (p = end; p >= value; --p) { c = *p; *p = '\0'; if (fnmatch(pattern, value, 0) != FNM_NOMATCH) { *p = c; if (free_value) { char *newval = strdup(p); if (newval == NULL) { free(value); goto no_space; } free(value); value = newval; } else value = p; break; } *p = c; } break; case ACT_RP_SHORT_RIGHT: for (p = end; p >= value; --p) { if (fnmatch(pattern, p, 0) != FNM_NOMATCH) { char *newval; newval = malloc(p - value + 1); if (newval == NULL) { if (free_value) free(value); goto no_space; } *(char *) mempcpy(newval, value, p - value) = '\0'; if (free_value) free(value); value = newval; free_value = 1; break; } } break; case ACT_RP_LONG_RIGHT: for (p = value; p <= end; ++p) { if (fnmatch(pattern, p, 0) != FNM_NOMATCH) { char *newval; newval = malloc(p - value + 1); if (newval == NULL) { if (free_value) free(value); goto no_space; } *(char *) mempcpy(newval, value, p - value) = '\0'; if (free_value) free(value); value = newval; free_value = 1; break; } } break; default: break; } break; } case ACT_NULL_ERROR: if (value && *value) /* Substitute parameter */ break; error = 0; if (!colon_seen && value) /* Substitute NULL */ ; else if (*pattern) fprintf(stderr, "%s: %s\n", env, pattern); else { fprintf(stderr, "%s: parameter null or not set\n", env); error = WRDE_BADVAL; } if (free_value) free(value); goto do_error; case ACT_NULL_SUBST: if (value && *value) /* Substitute parameter */ break; if (free_value && value) free(value); if (!colon_seen && value) /* Substitute NULL */ goto success; value = pattern ? strdup(pattern) : pattern; free_value = 1; if (pattern && !value) goto no_space; break; case ACT_NONNULL_SUBST: if (value && (*value || !colon_seen)) { if (free_value && value) free(value); value = pattern ? strdup(pattern) : pattern; free_value = 1; if (pattern && !value) goto no_space; break; } /* Substitute NULL */ if (free_value) free(value); goto success; case ACT_NULL_ASSIGN: if (value && *value) /* Substitute parameter */ break; if (!colon_seen && value) { /* Substitute NULL */ if (free_value) free(value); goto success; } if (free_value && value) free(value); value = pattern ? strdup(pattern) : pattern; free_value = 1; if (pattern && !value) goto no_space; setenv(env, value, 1); break; default: assert(!"Unrecognised action!"); } } free(env); env = NULL; free(pattern); pattern = NULL; if (seen_hash) { char param_length[21]; param_length[20] = '\0'; *word = w_addstr(*word, word_length, max_length, my_itoa(value ? strlen(value) : 0, param_length, 20)); if (free_value) { assert(value != NULL); free(value); } return *word ? 0 : WRDE_NOSPACE; } if (value == NULL) return 0; if (quoted || !pwordexp) { /* Quoted - no field split */ *word = w_addstr(*word, word_length, max_length, value); if (free_value) free(value); return *word ? 0 : WRDE_NOSPACE; } else { /* Need to field-split */ char *value_copy = strdup(value); /* Don't modify value */ char *field_begin = value_copy; int seen_nonws_ifs = 0; if (free_value) free(value); if (value_copy == NULL) goto no_space; do { char *field_end = field_begin; char *next_field; /* If this isn't the first field, start a new word */ if (field_begin != value_copy) { if (w_addword(pwordexp, *word) == WRDE_NOSPACE) { free(value_copy); goto no_space; } *word = w_newword(word_length, max_length); } /* Skip IFS whitespace before the field */ field_begin += strspn(field_begin, ifs_white); if (!seen_nonws_ifs && *field_begin == 0) /* Nothing but whitespace */ break; /* Search for the end of the field */ field_end = field_begin + strcspn(field_begin, ifs); /* Set up pointer to the character after end of field and skip whitespace IFS after it. */ next_field = field_end + strspn(field_end, ifs_white); /* Skip at most one non-whitespace IFS character after the field */ seen_nonws_ifs = 0; if (*next_field && strchr(ifs, *next_field)) { seen_nonws_ifs = 1; next_field++; } /* Null-terminate it */ *field_end = 0; /* Tag a copy onto the current word */ *word = w_addstr(*word, word_length, max_length, field_begin); if (*word == NULL && *field_begin != '\0') { free(value_copy); goto no_space; } field_begin = next_field; } while (seen_nonws_ifs || *field_begin); free(value_copy); } return 0; success: error = 0; goto do_error; no_space: error = WRDE_NOSPACE; goto do_error; syntax: error = WRDE_SYNTAX; do_error: if (env) free(env); if (pattern) free(pattern); return error; } static int parse_dollars(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white, int quoted) { /* We are poised _at_ "$" */ switch (words[1 + *offset]) { case '"': case '\'': case 0: *word = w_addchar(*word, word_length, max_length, '$'); return *word ? 0 : WRDE_NOSPACE; case '(': if (words[2 + *offset] == '(') { /* Differentiate between $((1+3)) and $((echo);(ls)) */ int i = 3 + *offset; int depth = 0; while (words[i] && !(depth == 0 && words[i] == ')')) { if (words[i] == '(') ++depth; else if (words[i] == ')') --depth; ++i; } if (words[i] == ')' && words[i + 1] == ')') { (*offset) += 3; /* Call parse_arith -- 0 is for "no brackets" */ return parse_arith(word, word_length, max_length, words, offset, flags, 0); } } if (flags & WRDE_NOCMD) return WRDE_CMDSUB; (*offset) += 2; return parse_comm(word, word_length, max_length, words, offset, flags, quoted ? NULL : pwordexp, ifs, ifs_white); case '[': (*offset) += 2; /* Call parse_arith -- 1 is for "brackets" */ return parse_arith(word, word_length, max_length, words, offset, flags, 1); case '{': default: ++(*offset); /* parse_param needs to know if "{" is there */ return parse_param(word, word_length, max_length, words, offset, flags, pwordexp, ifs, ifs_white, quoted); } } static int parse_backtick(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white) { /* We are poised just after "`" */ int error; int squoting = 0; size_t comm_length; size_t comm_maxlen; char *comm = w_newword(&comm_length, &comm_maxlen); for (; words[*offset]; ++(*offset)) { switch (words[*offset]) { case '`': /* Go -- give the script to the shell */ error = exec_comm(comm, word, word_length, max_length, flags, pwordexp, ifs, ifs_white); free(comm); return error; case '\\': if (squoting) { error = parse_qtd_backslash(&comm, &comm_length, &comm_maxlen, words, offset); if (error) { free(comm); return error; } break; } ++(*offset); error = parse_backslash(&comm, &comm_length, &comm_maxlen, words, offset); if (error) { free(comm); return error; } break; case '\'': squoting = 1 - squoting; default: comm = w_addchar(comm, &comm_length, &comm_maxlen, words[*offset]); if (comm == NULL) return WRDE_NOSPACE; } } /* Premature end */ free(comm); return WRDE_SYNTAX; } static int parse_dquote(char **word, size_t * word_length, size_t * max_length, const char *words, size_t * offset, int flags, wordexp_t * pwordexp, const char *ifs, const char *ifs_white) { /* We are poised just after a double-quote */ int error; for (; words[*offset]; ++(*offset)) { switch (words[*offset]) { case '"': return 0; case '$': error = parse_dollars(word, word_length, max_length, words, offset, flags, pwordexp, ifs, ifs_white, 1); /* The ``1'' here is to tell parse_dollars not to * split the fields. It may need to, however ("$@"). */ if (error) return error; break; case '`': if (flags & WRDE_NOCMD) return WRDE_CMDSUB; ++(*offset); error = parse_backtick(word, word_length, max_length, words, offset, flags, NULL, NULL, NULL); /* The first NULL here is to tell parse_backtick not to * split the fields. */ if (error) return error; break; case '\\': error = parse_qtd_backslash(word, word_length, max_length, words, offset); if (error) return error; break; default: *word = w_addchar(*word, word_length, max_length, words[*offset]); if (*word == NULL) return WRDE_NOSPACE; } } /* Unterminated string */ return WRDE_SYNTAX; } /* * wordfree() is to be called after pwordexp is finished with. */ void wordfree(wordexp_t * pwordexp) { /* wordexp can set pwordexp to NULL */ if (pwordexp && pwordexp->we_wordv) { char **wordv = pwordexp->we_wordv; for (wordv += pwordexp->we_offs; *wordv; ++wordv) free(*wordv); free(pwordexp->we_wordv); pwordexp->we_wordv = NULL; } } /* * wordexp() */ int wordexp(const char *words, wordexp_t * pwordexp, int flags) { size_t wordv_offset; size_t words_offset; size_t word_length; size_t max_length; char *word = w_newword(&word_length, &max_length); int error; char *ifs; char ifs_white[4]; char **old_wordv = pwordexp->we_wordv; size_t old_wordc = (flags & WRDE_REUSE) ? pwordexp->we_wordc : 0; if (flags & WRDE_REUSE) { /* Minimal implementation of WRDE_REUSE for now */ wordfree(pwordexp); old_wordv = NULL; } if (flags & WRDE_DOOFFS) { pwordexp->we_wordv = calloc(1 + pwordexp->we_offs, sizeof(char *)); if (pwordexp->we_wordv == NULL) { error = WRDE_NOSPACE; goto do_error; } } else { pwordexp->we_wordv = calloc(1, sizeof(char *)); if (pwordexp->we_wordv == NULL) { error = WRDE_NOSPACE; goto do_error; } pwordexp->we_offs = 0; } if ((flags & WRDE_APPEND) == 0) pwordexp->we_wordc = 0; wordv_offset = pwordexp->we_offs + pwordexp->we_wordc; /* Find out what the field separators are. * There are two types: whitespace and non-whitespace. */ ifs = getenv("IFS"); if (!ifs) /* IFS unset - use . */ ifs = strcpy(ifs_white, " \t\n"); else { char *ifsch = ifs; char *whch = ifs_white; /* Start off with no whitespace IFS characters */ ifs_white[0] = '\0'; while (*ifsch != '\0') { if ((*ifsch == ' ') || (*ifsch == '\t') || (*ifsch == '\n')) { /* Whitespace IFS. See first whether it is already in our collection. */ char *runp = ifs_white; while (runp < whch && *runp != '\0' && *runp != *ifsch) ++runp; if (runp == whch) *whch++ = *ifsch; } ++ifsch; } *whch = '\0'; } for (words_offset = 0; words[words_offset]; ++words_offset) switch (words[words_offset]) { case '\\': error = parse_backslash(&word, &word_length, &max_length, words, &words_offset); if (error) goto do_error; break; case '$': error = parse_dollars(&word, &word_length, &max_length, words, &words_offset, flags, pwordexp, ifs, ifs_white, 0); if (error) goto do_error; break; case '`': if (flags & WRDE_NOCMD) { error = WRDE_CMDSUB; goto do_error; } ++words_offset; error = parse_backtick(&word, &word_length, &max_length, words, &words_offset, flags, pwordexp, ifs, ifs_white); if (error) goto do_error; break; case '"': ++words_offset; error = parse_dquote(&word, &word_length, &max_length, words, &words_offset, flags, pwordexp, ifs, ifs_white); if (error) goto do_error; break; case '\'': ++words_offset; error = parse_squote(&word, &word_length, &max_length, words, &words_offset); if (error) goto do_error; break; case '~': error = parse_tilde(&word, &word_length, &max_length, words, &words_offset, pwordexp->we_wordc); if (error) goto do_error; break; case '*': case '[': case '?': error = parse_glob(&word, &word_length, &max_length, words, &words_offset, flags, pwordexp, ifs, ifs_white); if (error) goto do_error; break; default: /* Is it a word separator? */ if (strchr(" \t", words[words_offset]) == NULL) { char ch = words[words_offset]; /* Not a word separator -- but is it a valid word char? */ if (strchr("\n|&;<>(){}", ch)) { /* Fail */ error = WRDE_BADCHAR; goto do_error; } /* "Ordinary" character -- add it to word */ word = w_addchar(word, &word_length, &max_length, ch); if (word == NULL) { error = WRDE_NOSPACE; goto do_error; } break; } /* If a word has been delimited, add it to the list. */ if (word != NULL) { error = w_addword(pwordexp, word); if (error) goto do_error; } word = w_newword(&word_length, &max_length); } /* End of string */ /* There was a word separator at the end */ if (word == NULL) /* i.e. w_newword */ return 0; /* There was no field separator at the end */ return w_addword(pwordexp, word); do_error: /* Error: * free memory used (unless error is WRDE_NOSPACE), and * set we_wordc and wd_wordv back to what they were. */ if (word != NULL) free(word); if (error == WRDE_NOSPACE) return WRDE_NOSPACE; wordfree(pwordexp); pwordexp->we_wordv = old_wordv; pwordexp->we_wordc = old_wordc; return error; } #endif /* HAVE_WORDEXP */ jailkit-2.21/src/utils.c0000644000175000017500000000550410714436377015104 0ustar olivierolivier/* Copyright (c) 2003, 2004, 2005, Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include #include #include #include #include #include #include #include #include "utils.h" #ifndef HAVE_CLEARENV /* doesn't compile on FreeBSD without this */ extern char **environ; #endif #ifndef HAVE_STRNDUP char *strndup(const char *s, size_t n) { char *ret; n = strnlen(s, n); ret = malloc(n+1); if (!ret) return NULL; memcpy(ret, s, n); ret[n] = 0; return ret; } #endif #ifndef HAVE_STRNLEN size_t strnlen(const char *s, size_t n) { int i; for (i=0; s[i] && i #include #include #include #include #include #include #include #include #include "jk_lib.h" #define PROGRAMNAME "jk_procmailwrapper" int user_is_chrooted(const char *homedir) { char *tmp; tmp = strstr(homedir, "/./"); if (tmp != NULL) { return 1; } return 0; } void clean_exit(char * name, int error) { printf("%s, exiting with error %d\n", name, error); exit(error); } int main (int argc, char **argv, char **envp) { int i; struct passwd *pw=NULL; struct group *gr=NULL; char *jaildir=NULL, *newhome=NULL; DEBUG_MSG(PROGRAMNAME", started\n"); pw = getpwuid(getuid()); if (!user_is_chrooted(pw->pw_dir)) { /* if the user does not have a chroot homedir, we start the normal procmail now, but first we drop all privileges */ if (setgid(getgid())) { syslog(LOG_ERR, "abort, failed to become gid %d", getgid()); exit(34); } if (initgroups(pw->pw_name, getgid())) { syslog(LOG_ERR, "abort, failed to initgroups for user %s and group %d", pw->pw_name, getgid()); exit(35); } if (setuid(getuid())) { syslog(LOG_ERR, "abort, failed to become uid %d", getuid()); exit(36); } execve(PROCMAILPATH, argv, envp); /* if we get here, there is something wrong */ exit(1); } /* OK, so the user is a jailed user, now we start checking things!! */ /* open the log facility */ openlog(PROGRAMNAME, LOG_PID, LOG_AUTH); /* check if it us that the user wants */ { char *tmp = strrchr(argv[0], '/'); if (!tmp) { tmp = argv[0]; } else { tmp++; } if (strcmp(tmp, PROGRAMNAME) && (tmp[0] != '-' || strcmp(&tmp[1], PROGRAMNAME))) { DEBUG_MSG("wrong name, tmp=%s, &tmp[1]=%s\n", tmp, &tmp[1]); syslog(LOG_ERR, "abort, "PROGRAMNAME" is called as %s", argv[0]); exit(1); } } DEBUG_MSG("close filedescriptors\n"); /* open file descriptors can be used to break out of a chroot, so we close all of them, except for stdin,stdout and stderr */ for (i=getdtablesize();i>3;i--) { while (close(i) != 0 && errno == EINTR); } /* now test if we are setuid root (the effective user id must be 0, and the real user id > 0 */ if (geteuid() != 0 || getuid() == 0) { syslog(LOG_ERR, "abort, "PROGRAMNAME" is not setuid root, or is run by root"); exit(11); } DEBUG_MSG("get user info\n"); gr = getgrgid(getgid()); if (!pw || !gr) { syslog(LOG_ERR, "abort, failed to get user or group information for %d:%d", getuid(), getgid()); exit(13); } /* now we clear the environment */ clearenv(); if (pw->pw_gid != getgid()) { syslog(LOG_ERR, "abort, the group ID from /etc/passwd (%d) does not match the group ID we run with (%d)", pw->pw_gid, getgid()); exit(15); } if (!pw->pw_dir || strlen(pw->pw_dir) ==0 || strstr(pw->pw_dir, "/./") == NULL) { syslog(LOG_ERR, "abort, the homedir %s does not contain the jail pattern path/./path", pw->pw_dir?pw->pw_dir:"NULL"); exit(17); } DEBUG_MSG("get jaildir\n"); if (!getjaildir(pw->pw_dir, &jaildir, &newhome)) { syslog(LOG_ERR, "abort, failed to read the jail and the home from %s",pw->pw_dir); exit(17); } DEBUG_MSG("get chdir()\n"); if (chdir(jaildir) != 0) { syslog(LOG_ERR, "abort, failed to chdir() to %s",jaildir); exit(19); } else { /* test if it really succeeded */ char *test = get_current_dir_name(); if (strcmp(jaildir, test) != 0) { syslog(LOG_ERR, "abort, current dir != %s after chdir()",jaildir); exit(21); } free(test); } /* here do test the ownership of the jail and the homedir and such the function testsafepath doe exit itself on any failure */ { int ret; DEBUG_MSG("test paths\n"); ret = testsafepath(jaildir,0,0); if (ret != 0) { syslog(LOG_ERR, "abort, path %s is not a safe jail, check ownership and permissions", jaildir); exit(53); } ret = testsafepath(pw->pw_dir, getuid(), getgid()); if ((ret & TESTPATH_NOREGPATH) ) { syslog(LOG_ERR, "abort, path %s is not a directory", pw->pw_dir); exit(53); } if ((ret & TESTPATH_OWNER) ) { syslog(LOG_ERR, "abort, path %s is not owned by %d", pw->pw_dir,getuid()); exit(53); } } /* do a final log message */ syslog(LOG_INFO, "now entering jail %s for user %d", jaildir, getuid()); DEBUG_MSG("chroot()\n"); /* do the chroot() call */ if (chroot(jaildir)) { syslog(LOG_ERR, "abort, failed to chroot() to %s", jaildir); exit(33); } /* drop all privileges, it seems that we first have to setgid(), then we have to call initgroups(), then we call setuid() */ if (setgid(getgid())) { syslog(LOG_ERR, "abort, failed to become gid %d", getgid()); exit(34); } if (initgroups(pw->pw_name, getgid())) { syslog(LOG_ERR, "abort, failed to initgroups for user %s and group %d", pw->pw_name, getgid()); exit(35); } if (setuid(getuid())) { syslog(LOG_ERR, "abort, failed to become uid %d", getuid()); exit(36); } /* test for user and group info, is it the same? checks username, groupname and home */ { char *oldpw_name,*oldgr_name; oldpw_name = strdup(pw->pw_name); oldgr_name = strdup(gr->gr_name); pw = getpwuid(getuid()); gr = getgrgid(getgid()); if (!pw || !gr) { syslog(LOG_ERR, "abort, failed to get user and group information in the jail for %d:%d", getuid(), getgid()); exit(35); } if (strcmp(pw->pw_name, oldpw_name)!=0 || strcmp(gr->gr_name, oldgr_name)!=0) { syslog(LOG_ERR, "abort, user or group names differ inside the jail for %d:%d", getuid(), getgid()); exit(37); } if (strcmp(pw->pw_dir, newhome)!=0) { syslog(LOG_ERR, "abort, home directory is incorrect inside the jail for %d:%d", getuid(), getgid()); exit(39); } free(oldpw_name); free(oldgr_name); } /* test procmail in the jail, it is not allowed to be setuid() or setgid() it is common to have procmail setuid() root and setgid() mail in the regular system, but it is for most situations not required, and therefore very much not recommended inside a jail. So we will simply exit because it is a security risk */ testsafepath(PROCMAILPATH,0,0); /* prepare the new environment */ setenv("HOME",newhome,1); setenv("USER",pw->pw_name,1); if (chdir(newhome) != 0) { syslog(LOG_ERR, "abort, failed to chdir() inside the jail to %s",newhome); exit(41); } /* cleanup before execution */ free(newhome); free(jaildir); /* now execute the jailed shell */ /*execl(pw->pw_shell, pw->pw_shell, NULL);*/ { char **newargv; int i; newargv = malloc0((argc+1)*sizeof(char *)); newargv[0] = PROCMAILPATH; for (i=1;i [OPTIONS] ") print("") print("-h --help : this help screen") print("-j, --jail : the jail to copy to") print("-v, --verbose : show what is being copied") print("-f, --force : overwrite existing files") print("-k, --hardlink : use hardlinks if possible") print("-o, --owner : retain file ownership and group") print("-s, --setuid : retain file setuid/setgid bits") print("\nNote: if no jail is specified, the first argument is\nconsidered to be the jail\n") def testargs(jail, args): if (len(args) == 0 or jail == None): sys.stderr.write('ERROR: need at least a chroot directory and a file to copy\n\n') usage() sys.exit(2) if (not os.path.isdir(jail)): sys.stderr.write('ERROR: '+jail+' is not a directory\n') print("") usage() sys.exit(3) for file in args: if (not os.path.exists(file)): sys.stderr.write('ERROR: '+file+' does not exist\n\n') usage() sys.exit(4) def main(): if (os.getuid()!=0): print('cannot run without root privileges') sys.exit(5) try: opts, args = getopt.getopt(sys.argv[1:], 'fh?vkosj:', ['help', 'verbose', 'force', 'hardlink', 'owner', 'jail', 'setuid']) except getopt.GetoptError: usage() sys.exit(1) config = {} config['verbose'] = 0 config['force'] = 0 config['hardlink'] = 0 config['retainowner'] = 0 config['retainsetuid'] = 0 jail = None for o, a in opts: if o in ("-h",'?', "--help"): usage() sys.exit() if o in ("-j", "--jail"): jail = a if o in ("-v", "--verbose"): config['verbose'] = 1 if o in ("-f", "--force"): config['force'] = 1 if o in ("-k", "--hardlink"): config['hardlink'] = 1 if o in ("-o", "--owner"): config['retainowner'] = 1 if o in ("-s", "--setuid"): config['retainsetuid'] = 1 if (jail == None and len(args)>0 ): jail = args[0] args = args[1:] args = jk_lib.find_files_in_path(args) testargs(jail, args) if (jail[-1] != '/'): jail = jail+'/' if (jk_lib.chroot_is_safe(jail)!=1): sys.exit(6) startcopy(config, jail, args) if __name__ == "__main__": main() jailkit-2.21/py/jk_list.in0000644000175000017500000001106213531040123015400 0ustar olivierolivier#!/usr/bin/python # #Copyright (c) 2006 Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # from __future__ import print_function import os import getopt import sys import pwd import string users = {} def getpwuid_cached(uid): if uid in users: return users[uid] else: user = pwd.getpwuid(uid) users[uid] = user return user class ListResult: pid = None jail = None exe = None uid = None username = None cmdline = None def __init__(self, pid): self.pid = pid sb = os.stat('/proc/'+pid) self.uid = sb.st_uid pwdret = getpwuid_cached(sb.st_uid) self.username = pwdret[0] self.jail = os.readlink('/proc/'+pid+'/root') self.exe = os.readlink('/proc/'+pid+'/exe') fd = open('/proc/'+pid+'/cmdline') buf = fd.read(4096) self.cmdline = ' '.join(buf.split('\0')[1:]) fd.close() def __cmp__(self, other): ret = cmp(self.jail, other.jail) if(ret ==0): ret = cmp(self.uid, other.uid) if(ret ==0): ret = cmp(self.pid, other.pid) return ret def optistr(self,usernamelen,jaillen,cmdlen): formatstring = '%%-06s %%-0%ds %%-0%ds %%-0%ds' % (usernamelen,jaillen,cmdlen) return formatstring % (self.pid, self.username[:usernamelen], self.jail[:jaillen], (self.exe+' '+self.cmdline)[:cmdlen]) def __str__(self): return '%-06s %-05s %-011s %-019s %-019s' % (self.pid, self.username, self.jail, self.exe,self.cmdline) def printResults(results,wide): if (len(results)==0): print('No jailed processes found') return results.sort() usernamelen=4 # User jaillen=4 # Jail cmdlen=7 #Command for result in results: usernamelen = max(usernamelen,len(result.username)) jaillen = max(jaillen,len(result.jail)) cmdlen = max(cmdlen,len(result.cmdline+' '+result.exe)) if (not wide): cmdlen = min(cmdlen,80-5-usernamelen-jaillen-4) titleformat = '%%-06s %%-0%ds %%-0%ds %%-0%ds' % (usernamelen,jaillen,min(cmdlen,80-5-usernamelen-jaillen-4)) print(titleformat % ('Pid', 'User','Jail','Command')) for result in results: if (wide): mycmdlen = len(result.cmdline+' '+result.exe) else: mycmdlen = cmdlen print(result.optistr(usernamelen,jaillen,mycmdlen)) def runList(verbose,jail): # open /proc/ results = [] dirlist = os.listdir('/proc') try: for entry in dirlist: if (entry.isdigit()): # we have a process, now read the link root ret = os.readlink('/proc/'+entry+'/root') if (ret != '/'): results.append(ListResult(entry)) except OSError as e: if (e.errno == 13): print('Permission denied') return results def printusage(): print("jk_list, lists pocesses running in a chroot jail") print("-h --help print this message") print("-j --jail=/path list only processes in this jail") print("-w --wide print wide listing") def main(): try: opts, args = getopt.getopt(sys.argv[1:], "hwj:", ['wide', "help", "jail"]) except getopt.GetoptError: printusage() sys.exit(1) verbose = 0 jail = None wide = 0 for o, a in opts: if o in ("-h", "--help"): printusage() sys.exit() if o in ("-j", "--jail"): jail = a if o in ("-v", "--verbose"): verbose = 1 if o in ("-w", "--wide"): wide = 1 results = runList(verbose,jail) printResults(results,wide) if __name__ == "__main__": main() jailkit-2.21/py/jk_jailuser.in0000644000175000017500000002741513531040023016253 0ustar olivierolivier#!/usr/bin/python # #Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008 Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # from __future__ import print_function import os.path import grp import pwd import sys import getopt import string import shutil PREFIX='/usr' INIPREFIX='/etc/jailkit' LIBDIR='/usr/share/jailkit' sys.path.append(LIBDIR) import jk_lib def striptrailingslash(dir): if (dir[-1] == '/'): return dir[:-1] return dir def dirinjail(testdir, jail): if (testdir[-1]!= '/'): testdir = testdir+'/' return (jail == testdir[:len(jail)]) def addgrouptojail(jail, group_id, user, config): jail = striptrailingslash(jail) gr = grp.getgrgid(group_id) if (not jk_lib.test_group_exist(gr.gr_name, jail+'/etc/group')): file = jail+'/etc/group' if (config['verbose'] == 1): print('adding group '+gr[0]+' to '+file) try: tmp = gr[0]+':x:'+str(gr[2])+':' if (type(user)==str and len(user)>0): tmp = tmp + user tmp = tmp + '\n' fd = open(file, 'a') fd.write(tmp) fd.close() except IOError: sys.stderr.write('ERROR: failed to write group '+gr[0]+' to '+file+'\n') return 0 return 1 def addusertogroupinjail(jail, group_id, user, config): ret = addgrouptojail(jail, group_id, user, config) if (ret == 0): return 0 try: file = jail+'/etc/group' fd = open(file, 'r+') line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): splitted = line.split(':') if (len(splitted)==4 and int(splitted[2]) == group_id): users = splitted[3][:-1].split(',') if (user in users): fd.close() return 1 else : if (config['verbose']): print('Adding user '+user+' to group '+splitted[0]) pos = fd.tell() buf = fd.read() fd.seek(pos-len(line)) if (len(users)==1 and users[0] == ''): users = [user] else: users.append(user) tmp = splitted[0]+':x:'+splitted[2]+':' tmp2 = ','.join(users) tmp += tmp2+'\n'+buf fd.write(tmp) fd.close() return 1 line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') except IOError: sys.stderr.write('ERROR: failed to add user '+user+' to group '+str(group_id)+' in '+file+'\n') return 0 return 0 def addusertojail(jail, user, shell, config): jail = striptrailingslash(jail) if (jk_lib.test_user_exist(user, jail+'/etc/passwd')): if (config['verbose']): sys.stderr.write('user '+user+' already exists in '+jail+'/etc/passwd\n') return 1 pw = pwd.getpwnam(user) # the next check MUST include a trailing slash! (otherwise if a user # has a homedir that starts with the same string as the jail directory # the check has the wrong result) if (dirinjail(pw[5], jail)): if (pw[5][0:len(jail)+3] == jail+'/./'): jailhome = pw[5][len(jail)+2:] else: jailhome = pw[5][len(jail):] else: jailhome = pw[5] try: if (sys.platform[4:7] == 'bsd'): file = jail+'/etc/master.passwd' if (config['verbose'] == 1): print('adding user '+user+' to '+file+' with shell '+shell) fd = open(file, 'a') fd.write(user+':x:'+str(pw[2])+':'+str(pw[3])+'::0:0:'+pw[4]+':'+jailhome+':'+shell+'\n') fd.close() # adding -u user might speed up the next command, but if the password files do not exist # yet (and jail/etc/spwd.db does not exist) this generates an error postcommand = 'pwd_mkdb -p -d '+jail+'/etc '+jail+'/etc/master.passwd && rm '+jail+'/etc/spwd.db' else: #if (sys.platform[:5] == 'linux'): file = jail+'/etc/passwd' if (config['verbose'] == 1): print('adding user '+user+' to '+file+' with shell '+shell) fd = open(file, 'a') fd.write(user+':x:'+str(pw[2])+':'+str(pw[3])+':'+pw[4]+':'+jailhome+':'+shell+'\n') fd.close() postcommand = None except IOError: sys.stderr.write('failed to write to '+file+'\n') return 0 if (postcommand != None): ret = os.system(postcommand) if (ret != 0): sys.stderr.write('failed to execute '+postcommand+'\n') return 0 return 1 def moduser(user, home, shell=PREFIX+'/sbin/jk_chrootsh'): if (sys.platform[:7] == 'freebsd'): command = 'pw usermod '+user+' -d '+home+' -s '+shell elif (sys.platform[:5] == 'linux') or (sys.platform[:7] == 'openbsd') or (sys.platform[:6] == 'sunos5'): command = 'usermod -d '+home+' -s '+shell+' '+user else: sys.stderr.write('please report that user modding on platform '+sys.platform+' is not yet handled\n') sys.stderr.write('to the jailkit developers, and suggest which command is needed to modify users\n') return 0 if (os.system(command)!=0): sys.stderr.write('failed to execute '+command+'\n') return 0 return 1 def jailuser(jail, user, movehome, config): pw = pwd.getpwnam(user) if (jail[-1] != '/'): jail = jail + '/' # add the user in the jail if (not addusertojail(jail, user, config['shell'], config)): sys.exit(2) # lookup the primary group and make sure it also exists in the jail if not addgrouptojail(jail, pw[3], None, config): return 0 # look up all other groups groups = grp.getgrall() for gr in groups: if (user in gr.gr_mem): ret = addusertogroupinjail(jail, gr.gr_gid, user, config) if not ret: return 0 # change the shell and the homedir if (dirinjail(pw[5], jail)): # the home is within in the jail already, does it have the /./ sequence? if (pw[5][:len(jail)+2] == jail+'./'): newhome = pw[5] #print('no need to change home ',newhome) else: newhome = jail+'.'+pw[5][len(jail)-1:] #print('add jail separator, newhome=',newhome) else: newhome = jail+'.'+pw[5] #print('user not in jail, newhome=',newhome) newhome = striptrailingslash(newhome) oldhome = striptrailingslash(pw[5]) if (oldhome != newhome or pw[6] != PREFIX+'/sbin/jk_chrootsh'): if (config['verbose'] == 1): print('modify user '+user+'; dir '+newhome+' and shell '+PREFIX+'/sbin/jk_chrootsh') if (not moduser(user,newhome,PREFIX+'/sbin/jk_chrootsh')): sys.stderr.write('failed to modify user '+user+'\n') else: if (config['verbose'] == 1): print('user '+user+' has a correct home directory and shell already') #move directory contents if (movehome == 1): if (oldhome == newhome): print('home directory '+oldhome+' is already inside the jail') else: if (not os.path.exists(oldhome)): sys.stderr.write('home directory '+oldhome+' does not exist, nothing moved\n') else: # test if the base directory for newhome exists tmp = os.path.dirname(oldhome) #tmp = jk_lib.nextpathup(oldhome) jk_lib.create_parent_path(jail,tmp, config['verbose'], copy_permissions=1, allow_suid=0, copy_ownership=0) if (config['verbose'] == 1): print('Moving files from '+oldhome+' to '+newhome) jk_lib.move_dir_with_permissions_and_owner(oldhome,newhome,(config['verbose']==1)) def user_exists(user): try: pw= pwd.getpwnam(user) return 1 except: return 0 return 0 def usage(): print print('Usage: '+sys.argv[0]+' [OPTIONS] username [more usernames]') print() print(' -j | --jail= jaildir : jail directory') print(' -v | --verbose : verbose output') print(' -n | --noninteractive : no user interaction') print(' -s | --shell= shell : set shell inside jail ('+PREFIX+'/sbin/jk_lsh default)') print(' -m | --move : move home if home outside jail') print(' -h | --help : this message') print() def testjail(jail, shell): if (type(jail) != str or len(jail)==0): return 0 if (jail[-1:] == '/'): jail = jail[:-1] if (not os.path.exists(jail)): sys.stderr.write(jail+' does not exist\n') return 0 if (not os.path.exists(jail+'/etc/passwd')): sys.stderr.write('invalid jail, '+jail+'/etc/passwd does not exist\n') return 0 if (not os.path.exists(jail+shell)): sys.stderr.write('invalid shell, '+jail+shell+' does not exist\n') return 0 if (not os.access(jail+shell,os.X_OK)): sys.stderr.write('invalid shell, '+jail+shell+' is not executable\n') return 0 return 1 def getjail(jail, config): """returns a jail that will have a slash appended""" while (1): if (type(jail) == str and len(jail)>0 and jail[0] != '/'): tmp = os.getcwd()+'/'+jail if (os.path.exists(tmp)): jail = tmp if (type(jail) == str and len(jail)>0 and jail[-1] != '/'): jail=jail+'/' test = testjail(jail, config['shell']) if (test == 1): return jail else: if (not test): jail = None if (jail == None): if (config['interactive'] == 1): if sys.version_info > (3, 0): #Python 3 jail = input('enter jail directory: ') else: jail = raw_input('enter jail directory: ') else: sys.exit(33) def getmovehome(jail,user,config): pw = pwd.getpwnam(user) if (pw[5][0:len(jail)] == jail): # pw[5] == pw.pw_dir return 0 print('home directory '+pw.pw_dir+' is not within '+jail+', move the directory contents?') if sys.version_info > (3, 0): #Python 3 tmp = input('[Y]/[n]') else: tmp = raw_input('[Y]/[n]') if (tmp == 'Y' or tmp == 'y' or tmp == ''): return 1 return 0 def main(): try: opts, args = getopt.getopt(sys.argv[1:],"vs:j:nmh?",['help', 'verbose', 'shell=', 'nomove', 'move', 'jail=']) except getopt.GetoptError: usage() sys.exit(1) config = {} config['verbose'] = 0 config['interactive'] = 1 config['movehome'] = -1 # -1 = interactive config['shell'] = PREFIX+'/sbin/jk_lsh' # default shell jail = None for o, a in opts: if o in ("-h", "-?", "--help"): usage() sys.exit() elif o in ("-v", "--verbose"): config['verbose'] = 1 elif o in ('-s', '--shell'): config['shell'] = a elif o in ("-m", "--move"): config['movehome'] = 1 elif o in ("-n", "--noninteractive"): config['interactive'] = 0 elif o in ('-j', '--jail'): jail = a if (config['interactive'] == 0 and config['movehome'] == -1): config['movehome'] = 0 if (len(args)==0): print print('aborted, no username specified') sys.exit(2) try: jail = getjail(jail,config) for username in args: if user_exists(username): if (config['movehome'] == -1): movehome = getmovehome(jail, username, config) else: movehome = config['movehome'] jailuser(jail, username, movehome, config) else: print('user '+username+' does not exist') except KeyboardInterrupt: print print('aborted.. ') sys.exit(1) if __name__ == "__main__": main() jailkit-2.21/py/jk_update.in0000644000175000017500000002214113531040207015712 0ustar olivierolivier#!/usr/bin/python # #Copyright (c) 2006, 2007, Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # from __future__ import print_function import sys if sys.version_info > (3, 0): #Python 3 from configparser import ConfigParser else: #Python 2 from ConfigParser import ConfigParser import os import string from stat import * import getopt import stat INIPREFIX='/etc/jailkit' LIBDIR='/usr/share/jailkit' sys.path.append(LIBDIR) import jk_lib def comparecontent(fileA, fileB): try: fA=open(fileA, 'rb') fB=open(fileB, 'rb') cont = 1 retval = 1 while (cont==1 and retval==1): bufA = fA.read(4096) bufB = fB.read(4096) if (bufA != bufB): retval = 0 if (len(bufA)==0): cont = 0 fA.close() fB.close() return retval except IOError: return 0 def comparemetadata(fileA, fileB, onlyifAisnewer=1, sbA=None, sbB=None): if (sbA==None): sbA = os.lstat(fileA) if (sbB==None): sbB = os.lstat(fileB) if (sbA[stat.ST_MTIME] > sbB[stat.ST_MTIME]): if (sbA[stat.ST_SIZE] != sbB[stat.ST_SIZE]): return 0 if (stat.S_ISLNK(sbA[stat.ST_MODE]) != stat.S_ISLNK(sbB[stat.ST_MODE])): return 0 if (stat.S_ISLNK(sbA[stat.ST_MODE])): if (os.readlink(fileA) != os.readlink(fileB)): return 0 return 1 def need_update(original, injail, origstatbuf=None): try : if (comparemetadata(original, injail,sbA=origstatbuf)==1): if (comparecontent(original, injail)==1): return 0 return 1 except OSError as e: errno, _ = e.args # files that do not have an original file obviously cannot be updated # but they need cleaning if (errno == 2): return 2 return 0 def find2update(jail, dir, skips, config, files2update=[],files2clean=[]): if (config['verbose'] == 1): print('scanning '+jail+dir) for file in os.listdir(jail+dir): # print('test if '+dir+file+' or '+jail+dir+file+' exists in ',skips) if ((dir+file in skips) or (jail+dir+file in skips)): print('skip '+jail+dir+file) else: try: sbuf = os.lstat(dir+file) if (stat.S_ISDIR(sbuf[stat.ST_MODE])): files2update, files2clean = find2update(jail, dir+file+'/', skips, config, files2update, files2clean) elif (stat.S_ISREG(sbuf[stat.ST_MODE])): if (config['verbose'] == 1): print('checking '+jail+dir+file+'') ret = need_update(dir+file, jail+dir+file, origstatbuf=sbuf) if (ret == 1): files2update.append(dir+file) elif (ret == 2): files2clean.append(dir+file) except OSError as e: errno, strerror = e.args if (errno == 2): if (os.path.isdir(jail+dir+file)): files2update, files2clean = find2update(jail, dir+file+'/', skips, config, files2update, files2clean) files2clean.append(dir+file) else: sys.stderr.write('ERROR: while checking if '+jail+dir+file+' needs to be updated: '+strerror+'\n') return files2update,files2clean def updatejail(jail, dirs, skips, config): jaillen = len(jail) allfiles = [] allcleans = [] for dir in dirs: if (dir[:jaillen] == jail): dir = dir[jaillen:] if (dir[-1:] != '/'): dir += '/' dirnoslash = dir[:-1] #print('test if '+dirnoslash+' or '+jail+dirnoslash+' exists in ',skips) if ((dirnoslash in skips) or (jail+dirnoslash in skips)): print('skip '+jail+dir) else: files = [] cleans = [] cdirs = [] try: files,cleans = find2update(jail, dir, skips, config, [],[]) except OSError as e: _, strerror = e.args sys.stderr.write('ERROR: while scanning dir '+jail+dir+': '+strerror+'\n') for file in files: if (config['dry-run'] == 1): allfiles.append(file) else: print('removing outdated file '+jail+file) try: os.unlink(jail+file) allfiles.append(file) except: sys.stderr.write('ERROR: failed to remove outdated file '+jail+file+'\n') for file in cleans: if (config['dry-run'] == 1): allcleans.append(file) else: if (os.path.isdir(jail+file)): cdirs.append(file) else: print('removing deprecated file '+jail+file) try: os.unlink(jail+file) allcleans.append(file) except: sys.stderr.write('ERROR: failed to remove deprecated file '+jail+file+'\n') for cdir in cdirs: if (config['dry-run'] == 1): allcleans.append(cdir) else: print('removing deprecated directory '+jail+file) try: os.rmdir(jail+cdir) allcleans.append(cdir) except: sys.stderr.write('ERROR: failed to remove deprecated directory '+jail+file+'\n') if (config['dry-run'] == 1): for file in allfiles: print('will update outdated file '+jail+file) for file in allcleans: print('will remove deprecated file '+jail+file) else: handled = jk_lib.copy_binaries_and_libs(jail,allfiles, 0, config['verbose'], try_hardlink=config['hardlink']) if (len(handled)>0): jk_lib.gen_library_cache(jail) def usage(): print('') print("Usage: "+sys.argv[0]+" [OPTIONS] [DIRECTORIES]") print('-h|--help : this message') print('-v|--verbose : give verbose output') print('-c|--configsection=: use options specified in section of config file') print('-j|--jail= : the jail to update') print('-d|--dry-run : show what will be done') print('-s|--skip= : skip file, option can be used multiple times') print('-k|--hardlink : use hardlinks if possible') print('') print('if no directories are specified, jk_update will scan /bin /usr /lib and /opt') print('') def main(): try: opts, args = getopt.getopt(sys.argv[1:], 'hvdj:s:kc:', ['help', 'verbose', 'dry-run', 'jail=', 'skip=', 'hardlink', 'configsection=']) except getopt.GetoptError: usage() sys.exit(1) config = {} config['verbose'] = 0 config['dry-run'] = 0 jail = None configsection = None dirs = [] skips = [] for o, a in opts: if o in ("-c", "--configsection"): configsection = a if o in ("-h", "--help"): usage() sys.exit() elif o in ("-v", "--verbose"): config['verbose'] = 1 elif o in ("-d", "--dry-run"): config['dry-run'] = 1 elif o in ("-s", "--skip"): # the name in skips will never have a slash, whether it is a file or a dir if (os.path.isdir(a) and (a[-1:] == '/')): tmp = a[:-1] else: tmp = a skips.append(tmp) elif o in ("-j", "--jail"): jail = a elif o in ("-k", "--hardlink"): config['hardlink'] = 1 if (jail != None and configsection != None): sys.stderr.write('ERROR: cannot specify both a jail and a configsection\n') sys.exit(21) if (jail == None and configsection == None): sys.stderr.write('ERROR: must at least specify a jail or a configsection using\n -j or --jail or -c or --configsection\n\n') sys.exit(1) if (len(args)>0): dirs = args if (configsection != None): cfile = INIPREFIX+'/jk_update.ini' jail = configsection cfg = ConfigParser() cfg.read(cfile) if (not cfg.has_section(configsection)): sys.stderr.write('ERROR: configfile '+cfile+' does not have a section called '+configsection+'\n') sys.exit(1) tmp = jk_lib.config_get_option_as_list(cfg,configsection,'skips') for entry in tmp: skips.append(entry) if (not config.has_key('hardlink') and cfg.has_option(configsection,'hardlink')): try: tmp = int(cfg.get(section,'hardlink')) config['hardlink'] = tmp except: pass tmp = jk_lib.config_get_option_as_list(cfg,configsection,'directories') for entry in tmp: dirs.append(entry) if (not config.has_key('hardlink')): config['hardlink'] = 0 if (jail[-1:]=='/'): jail = jail[:-1] if (dirs == None or len(dirs)==0): dirs = ['/bin/', '/lib/', '/usr/', '/opt/'] # all directories in 'skips' should be without slash newskips = [] for entry in skips: if (entry[-1] == '/'): newskips.append(entry[:-1]) else: newskips.append(entry) skips = newskips updatejail(jail, dirs, skips, config) if __name__ == "__main__": main() jailkit-2.21/py/Makefile.in0000644000175000017500000000562513531043637015503 0ustar olivierolivier#Copyright (c) 2003, 2004, 2005, 2006, Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # INSTALL = @INSTALL@ PACKAGE = @PACKAGE@ prefix = @prefix@ exec_prefix = @exec_prefix@ sbindir = @sbindir@ datadir = @datadir@ datarootdir = @datarootdir@ sysconfdir = @sysconfdir@ INIPREFIX = ${sysconfdir}/jailkit PREFIX = ${prefix} PYTHONINTERPRETER = @PYTHONINTERPRETER@ PYLIBDIR=${datadir}/${PACKAGE} .SUFFIXES: .SUFFIXES: .in .py .pyc .in: sed -e "s!PREFIX='/usr'!PREFIX='${PREFIX}'!" \ -e "s!INIPREFIX='/etc/jailkit'!INIPREFIX='${INIPREFIX}'!" \ -e "s!LIBDIR='[a-z/]*'!LIBDIR='${PYLIBDIR}'!" \ -e "s!EXEPREFIX='[a-z/]*'!EXEPREFIX='${PREFIX}'!" \ -e "s:#!/usr/bin/python:#!$(PYTHONINTERPRETER):" < $< > $@ .py.pyc: $(PYTHONINTERPRETER) -c "import py_compile;py_compile.compile('$<', cfile='$<' + 'c')" PY_BINS = jk_cp jk_init jk_check jk_jailuser jk_list jk_update PY_LIBS = jk_lib.pyc jailkit: ${PY_BINS} ${PY_LIBS} all: jailkit install: all ${INSTALL} -d -m 755 ${DESTDIR}${sbindir} for file in ${PY_BINS}; do \ ${INSTALL} -m 0755 $${file} ${DESTDIR}${sbindir}/ ; \ done ${INSTALL} -d -m 755 ${DESTDIR}${PYLIBDIR} ${INSTALL} -m 0644 jk_lib.py ${DESTDIR}${PYLIBDIR}/ ${INSTALL} -m 0644 jk_lib.pyc ${DESTDIR}${PYLIBDIR}/ uninstall: for file in ${PY_BINS}; do \ rm -f ${DESTDIR}${sbindir}/$${file} ; \ done rm -f ${DESTDIR}${PYLIBDIR}/jk_lib.* -rmdir --ignore-fail-on-non-empty ${DESTDIR}${PYLIBDIR} clean: rm -f *~ rm -f ${PY_BINS} ${PY_LIBS} distclean: clean rm -f Makefile jailkit-2.21/py/jk_lib.py0000644000175000017500000010467013531040506015232 0ustar olivierolivier# #Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009, 2010, 2011, 2018 Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # from __future__ import print_function import os.path import string #import os import sys import stat import shutil import glob import subprocess dir_mode = 493 #octal 755, "rwxr-xr-x" statcache = {} def cachedlstat(path): ret = statcache.get(path, None) if ret is None: statcache[path] = ret = os.lstat(path) return ret #def nextpathup(path): # #if (path[-1:] == '/'): # # path = path[:-1] # try: # #print('path='+path) # indx = string.rindex(path,'/') # if (indx > 0): # return path[:indx] # except ValueError: # pass # return None def path_is_safe(path, failquiet=0): try: statbuf = cachedlstat(path) except OSError: if (failquiet == 0): sys.stderr.write('ERROR: cannot lstat() '+path+'\n') return -1 if (sys.platform[-3:] == 'bsd'): # on freebsd root is in group wheel if (statbuf[stat.ST_UID] != 0 or statbuf[stat.ST_GID] != grp.getgrnam('wheel').gr_gid): sys.stderr.write('ERROR: '+path+' is not owned by root:wheel!\n') return -3 else: if (statbuf[stat.ST_UID] != 0 or statbuf[stat.ST_GID] != 0): sys.stderr.write('ERROR: '+path+' is not owned by root:root!\n') return -3 if ((statbuf[stat.ST_MODE] & stat.S_IWOTH or statbuf[stat.ST_MODE] & stat.S_IWGRP)and not stat.S_ISLNK(statbuf[stat.ST_MODE])): sys.stderr.write('ERROR: '+path+' is writable by group or others!') return -4 if (not stat.S_ISDIR(statbuf[stat.ST_MODE])): if (stat.S_ISLNK(statbuf[stat.ST_MODE])): # Fedora has moved /sbin /lib and /bin into /usr target = os.readlink(path) print(str(target) + str(path)) if (target[:4] != 'usr/'): sys.stderr.write('ERROR: '+path+' is a symlink, please point to the real directory\n') return -2 else: sys.stderr.write('ERROR: '+path+' is not a directory!\n') return -2 return 1 def chroot_is_safe(path, failquiet=0): """tests if path is a safe jail, not writable, no writable /etc/ and /lib, return 1 if all is OK""" path = os.path.abspath(path) retval = path_is_safe(path,failquiet) if (retval < -1): return retval for subd in 'etc','usr','var','bin','dev','proc','sbin','sys': retval = path_is_safe(path+'/'+subd,1) if (retval < -1): return retval npath = os.path.dirname(path) while (npath != '/'): #print(npath) retval = path_is_safe(npath,0) if (retval != 1): # print('testing path='+npath+'returned '+str(retval)) return retval npath = os.path.dirname(npath) return 1 def test_suid_sgid(path): """returns 1 if the file is setuid or setgid, returns 0 if it is not""" statbuf = cachedlstat(path) if (statbuf[stat.ST_MODE] & (stat.S_ISUID | stat.S_ISGID)): return 1 return 0 def gen_library_cache(jail): if (sys.platform[:5] == 'linux'): create_parent_path(jail,'/etc', 0, copy_permissions=0, allow_suid=0, copy_ownership=0) os.system('ldconfig -r '+jail) def lddlist_libraries_linux(executable): """returns a list of libraries that the executable depends on """ retval = [] p = subprocess.Popen('ldd '+executable, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) line = p.stdout.readline() #pd = os.popen3('ldd '+executable) #line = pd[1].readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): subl = line.split() #print('parse line',subl,'with len',len(subl)) if (len(subl)>0): if (subl[0] == 'statically' and subl[1] == 'linked'): return retval elif (subl[0] == 'not' and subl[2] == 'dynamic' and subl[3] == 'executable'): return retval elif (subl[0] == 'linux-gate.so.1' or subl[0] == 'linux-vdso.so.1'): pass elif (len(subl)==4 and subl[2] == 'not' and subl[3] == 'found'): pass elif (len(subl)>=3): if (os.path.exists(subl[2])): retval += [subl[2]] else: print('ldd returns non existing library '+subl[2]+' for '+executable) # on gentoo amd64 the last entry of ldd looks like '/lib64/ld-linux-x86-64.so.2 (0x0000002a95556000)' elif (len(subl)>=1 and subl[0][0] == '/'): if (os.path.exists(subl[0])): retval += [subl[0]] else: print('ldd returns non existing library '+subl[0]) else: print('WARNING: failed to parse ldd output '+line[:-1]) else: print('WARNING: failed to parse ldd output '+line[:-1]) #line = pd[1].readline() line = p.stdout.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') return retval def lddlist_libraries_openbsd(executable): """returns a list of libraries that the executable depends on """ retval = [] mode = 3 # openbsd 4 has new ldd output p = subprocess.Popen('ldd '+executable, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) line = p.stdout.readline() # pd = os.popen3('ldd '+executable) # line = pd[1].readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): subl = line.split() if (len(subl)>0): if (subl[0] == executable+':'): pass elif (subl[0] == 'Start'): if (len(subl)==7 and subl[6] == 'Name'): mode = 4 pass elif (len(subl)>=5): if (mode == 3): if (os.path.exists(subl[4])): retval += [subl[4]] else: print('ldd returns non existing library '+subl[4]) elif (mode == 4): if (os.path.exists(subl[6])): retval += [subl[6]] else: print('ldd returns non existing library '+subl[6]) else: print('unknown mode, please report this bug in jk_lib.py') else: print('WARNING: failed to parse ldd output '+line[:-1]) else: print('WARNING: failed to parse ldd output '+line[:-1]) line = p.stdout.readline() #line = pd[1].readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') return retval def lddlist_libraries_freebsd(executable): """returns a list of libraries that the executable depends on """ retval = [] p = subprocess.Popen('ldd '+executable, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) line = p.stdout.readline() #pd = os.popen3('ldd '+executable) #line = pd[1].readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): subl = line.split() if (len(subl)>0): if (len(subl)==1 and subl[0][:len(executable)+1] == executable+':'): pass elif (len(subl)>=6 and subl[2] == 'not' and subl[4] == 'dynamic'): return retval elif (len(subl)>=4): if (os.path.exists(subl[2])): retval += [subl[2]] else: print('ldd returns non existing library '+subl[2]) else: print('WARNING: failed to parse ldd output "'+line[:-1]+'"') elif (line[:len(executable)+1] == executable+':'): pass else: print('WARNING: failed to parse ldd output "'+line[:-1]+'"') line = p.stdout.readline() #line = pd[1].readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') return retval def lddlist_libraries(executable): if (sys.platform[:5] == 'linux'): return lddlist_libraries_linux(executable) elif (sys.platform[:7] == 'openbsd'): return lddlist_libraries_openbsd(executable) elif (sys.platform[:7] == 'freebsd'): return lddlist_libraries_freebsd(executable) elif (sys.platform[:5] == 'sunos'): retval = lddlist_libraries_linux(executable) retval += ['/lib/ld.so.1'] return retval else: retval = lddlist_libraries_linux(executable) retval += ['/usr/libexec/ld.so','/usr/libexec/ld-elf.so.1','/libexec/ld-elf.so.1'] return retval def resolve_realpath(path, chroot='', include_file=0): if (path=='/'): return '/' spath = split_path(path) basename = '' if (not include_file): basename = spath[-1] spath = spath[:-1] ret = '/' doscounter=0# a symlink loop may otherwise hang this script #print('path' + path + 'spath' + spath) for entry in spath: ret = os.path.join(ret,entry) #print('lstat' + ret) sb = cachedlstat(ret) if (stat.S_ISLNK(sb.st_mode)): doscounter+=1 realpath = os.readlink(ret) if (realpath[0]=='/'): ret = os.path.normpath(chroot+realpath) else: tmp = os.path.normpath(os.path.join(os.path.dirname(ret),realpath)) if (len(chroot)>0 and tmp[:len(chroot)]!=chroot): sys.stderr.write('ERROR: symlink '+tmp+' points outside jail, ABORT\n') raise Exception("Symlink points outside jail") ret = tmp return os.path.join(ret,basename) # os.path.realpath() seems to do the same: # NO: it cannot handle symlink resolving WITH a chroot def OLDresolve_realpath(path, chroot='', include_file=0): """will return the same path that contains not a single symlink directory element""" chrootlen=len(chroot) if (include_file): donepath = '' todopath = path else: donepath = os.path.basename(path) todopath = os.path.dirname(path) doscounter=0 # a symlink loop may otherwise hang this script while (todopath != '/' and doscounter != 100): #print('todopath=' + todopath + 'donepath=' + donepath) sb = cachedlstat(todopath) if (stat.S_ISLNK(sb.st_mode)): doscounter += 1 realpath = os.readlink(todopath) if (realpath[0]=='/'): todopath = chroot+realpath if (todopath[-1:]=='/'): todopath = todopath[:-1] else: tmp = os.path.normpath(os.path.join(os.path.dirname(todopath),realpath)) if (chrootlen>0 and tmp[:chrootlen]!=chroot): sys.stderr.write('ERROR: symlink '+tmp+' points outside jail, ABORT\n') raise Exception("Symlink points outside jail") todopath=tmp else: donepath = os.path.basename(todopath)+'/'+donepath todopath = os.path.dirname(todopath) sb=None return '/'+donepath def copy_time_and_permissions(src, dst, be_verbose=0, allow_suid=0, copy_ownership=0): # the caller should catch any exceptions! # similar to shutil.copymode(src, dst) but we do not copy any SUID bits sbuf = os.stat(src) # in python 2.1 the return value is a tuple, not an object, st_mode is field 0 # mode = stat.S_IMODE(sbuf.st_mode) mode = stat.S_IMODE(sbuf[stat.ST_MODE]) if (not allow_suid): if (mode & (stat.S_ISUID | stat.S_ISGID)): print('removing setuid and setgid permissions from '+dst) # print('setuid!!! mode='+str(mode)) mode = (mode & ~stat.S_ISUID) & ~stat.S_ISGID # print('setuid!!! after mode='+str(mode)) # print('mode='+str(mode)) os.utime(dst, (sbuf[stat.ST_ATIME], sbuf[stat.ST_MTIME])) if (copy_ownership): os.chown(dst, sbuf[stat.ST_UID], sbuf[stat.ST_GID]) #WARNING: chmod must be AFTER chown to preserve setuid/setgid bits os.chmod(dst, mode) def OLDreturn_existing_base_directory(path): """This function tests if a directory exists, if not tries the parent etc. etc. until it finds a directory that exists""" tmp = path while (not os.path.exists(tmp) and not (tmp == '/' or tmp=='')): tmp = os.path.dirname(tmp) return tmp def OLD_create_parent_path(chroot, path, be_verbose=0, copy_permissions=1, allow_suid=0, copy_ownership=0): """creates the directory and all its parents id needed. copy_ownership can only be used if copy permissions is also used""" directory = path if (directory[-1:] == '/'): directory = directory[:-1] # TODO, this function cannot yet handle if /lib in the jail is a symlink to something else try: chrootdirectory = resolve_realpath(chroot+directory,chroot) if (os.path.exists(chrootdirectory)): return except OSError: pass tmp = return_existing_base_directory(chroot+directory) oldindx = len(tmp)-len(chroot) # find the first slash after the existing directories indx = directory.find('/',oldindx+1) if (indx == -1 ): indx=len(directory) while (indx != -1): # avoid the /bla//bla pitfall if (oldindx +1 == indx): oldindx = indx else: try: sb = cachedlstat(directory[:indx]) except OSError as e: _, strerror = e.args sys.stderr.write('ERROR: failed to lstat('+directory[:indx]+'):'+strerror+'\n') break if (stat.S_ISLNK(sb.st_mode)): # create the link, create the target, and then continue realfile = os.readlink(directory[:indx]) chrootname = resolve_realpath(chroot+directory[:indx],chroot) if (be_verbose): print('Creating symlink '+chrootname+' to '+realfile) try: os.symlink(realfile, chrootname) except OSError as e: errno, _ = e.args if (errno == 17): # file exists pass else: sys.stderr.write('ERROR: failed to create symlink '+chroot+directory[:indx]+'\n'); if (realfile[0]=='/'): create_parent_path(chroot, realfile, be_verbose, copy_permissions, allow_suid, copy_ownership) else: indx2 = string.rfind(directory[:indx],'/') # print('try' + directory[:indx2+1]+realfile) create_parent_path(chroot, directory[:indx2+1]+realfile, be_verbose, copy_permissions, allow_suid, copy_ownership) elif (stat.S_ISDIR(sb.st_mode)): chrootname = resolve_realpath(chroot+directory[:indx],chroot) if (be_verbose): print('Creating directory '+chrootname) os.mkdir(chrootname, dir_mode) if (copy_permissions): try: copy_time_and_permissions(directory[:indx], chrootname, be_verbose, allow_suid, copy_ownership) except OSError as e: _, strerror = e.args sys.stderr.write('ERROR: failed to copy time/permissions/owner from '+directory[:indx]+' to '+chrootname+': '+strerror+'\n') oldindx = indx if (indx==len(directory)): indx=-1 else: indx = directory.find('/',oldindx+1) if (indx==-1): indx=len(directory) def fix_double_slashes(instring): outstring='' slash=0 for i in instring: if (slash==0 or i!= '/'): outstring += i if (i == '/'): slash=1 else: slash=0 return outstring def split_path(path): ret = [] next=fix_double_slashes(os.path.normpath(path)) while (next != '/'): ret.insert(0,os.path.basename(next)) next=os.path.dirname(next) return ret def join_path(spath): if (len(spath)==0): return '/' ret = '' for entry in spath: ret += '/'+entry return ret def create_parent_path(chroot,path,be_verbose=0, copy_permissions=1, allow_suid=0, copy_ownership=0): #print('create_parent_path, path' + path + 'in chroot' + chroot) # the first part of the function checks the already existing paths in the jail # and follows any symlinks relative to the jail spath = split_path(path) existpath = chroot i=0 while (i0 and tmp[:len(chroot)]!=chroot): sys.stderr.write('ERROR: symlink '+tmp+' points outside jail, ABORT\n') raise Exception("Symlink points outside jail") realfile = tmp[len(chroot):] jailpath = create_parent_path(chroot, realfile,be_verbose, copy_permissions, allow_suid, copy_ownership) existpath = jailpath #print('new value for existpath is' + existpath) i+=1 return existpath def copy_dir_with_permissions_and_owner(srcdir,dstdir,be_verbose=0): # used to **move** home directories into the jail #create directory dstdir try: if (be_verbose): print('Creating directory'+dstdir) os.mkdir(dstdir) copy_time_and_permissions(srcdir, dstdir, be_verbose, allow_suid=0, copy_ownership=1) except (IOError, OSError) as e: _, strerror = e.args sys.stderr.write('ERROR: copying directory and permissions '+srcdir+' to '+dstdir+': '+strerror+'\n') return 0 for root, dirs, files in os.walk(srcdir): for name in files: if (be_verbose): print('Copying '+root+'/'+name+' to '+dstdir+'/'+name) try: shutil.copyfile(root+'/'+name,dstdir+'/'+name) copy_time_and_permissions(root+'/'+name, dstdir+'/'+name, be_verbose, allow_suid=0, copy_ownership=1) except (IOError,OSError) as e: _, strerror = e.args sys.stderr.write('ERROR: copying file and permissions '+root+'/'+name+' to '+dstdir+'/'+name+': '+strerror+'\n') return 0 for name in dirs: move_dir_with_permissions_and_owner(root+'/'+name,dstdir+'/'+name,be_verbose) return 1 def move_dir_with_permissions_and_owner(srcdir,dstdir,be_verbose=0): retval = copy_dir_with_permissions_and_owner(srcdir,dstdir,be_verbose) if (retval == 1): # remove the source directory if (be_verbose==1): print('Removing original home directory '+srcdir) try: shutil.rmtree(srcdir) except (OSError, IOError) as e: _, strerror = e.args sys.stderr.write('ERROR: failed to remove '+srcdir+': '+strerror+'\n') else: print('Not everything was copied to '+dstdir+', keeping the old directory '+srcdir) def copy_with_permissions(src, dst, be_verbose=0, try_hardlink=1, allow_suid=0, retain_owner=0): """copies/links the file and the permissions (and possibly ownership and setuid/setgid bits""" do_normal_copy = 1 if (try_hardlink==1): try: os.link(src,dst) do_normal_copy = 0 except: print('Linking '+src+' to '+dst+' failed, will revert to copying') pass if (do_normal_copy == 1): try: shutil.copyfile(src,dst) copy_time_and_permissions(src, dst, be_verbose, allow_suid=allow_suid, copy_ownership=retain_owner) except (IOError, OSError) as e: _, strerror = e.args sys.stderr.write('ERROR: copying file and permissions '+src+' to '+dst+': '+strerror+'\n') def copy_device(chroot, path, be_verbose=1, retain_owner=0): # perhaps the calling function should make sure the basedir exists create_parent_path(chroot,os.path.dirname(path), be_verbose, copy_permissions=1, allow_suid=0, copy_ownership=0) chrootpath = resolve_realpath(chroot+path,chroot) if (os.path.exists(chrootpath)): print('Device '+chrootpath+' does exist already') return sb = os.stat(path) try: if (sys.platform[:5] == 'linux'): major = sb.st_rdev / 256 #major = st_rdev divided by 256 (8bit reserved for the minor number) minor = sb.st_rdev % 256 #minor = remainder of st_rdev divided by 256 elif (sys.platform == 'sunos5'): if (sys.maxint == 2147483647): major = sb.st_rdev / 262144 #major = st_rdev divided by 256 (18 bits reserved for the minor number) minor = sb.st_rdev % 262144 #minor = remainder of st_rdev divided by 256 else: #64 bit solaris has 32 bit minor/32bit major major = sb.st_rdev / 2147483647 minor = sb.st_rdev % 2147483647 else: major = sb.st_rdev / 256 #major = st_rdev divided by 256 minor = sb.st_rdev % 256 #minor = remainder of st_rdev divided by 256 if (stat.S_ISCHR(sb.st_mode)): mode = 'c' elif (stat.S_ISBLK(sb.st_mode)): mode = 'b' else: print('WARNING, '+path+' is not a character or block device') return 1 if (be_verbose==1): print('Creating device '+chroot+path) ret = os.spawnlp(os.P_WAIT, 'mknod','mknod', chrootpath, str(mode), str(major), str(minor)) copy_time_and_permissions(path, chrootpath, allow_suid=0, copy_ownership=retain_owner) except: print('Failed to create device '+chrootpath+', this is a know problem with python 2.1') print('use "ls -l '+path+'" to find out the mode, major and minor for the device') print('use "mknod '+chrootpath+' mode major minor" to create the device') print('use chmod and chown to set the permissions as found by ls -l') def copy_dir_recursive(chroot,dir,force_overwrite=0, be_verbose=0, check_libs=1, try_hardlink=1, allow_suid=0, retain_owner=0, handledfiles=[]): """copies a directory and the permissions recursively, possibly with ownership and setuid/setgid bits""" files2 = () for entry in os.listdir(dir): tmp = os.path.join(dir, entry) try: sbuf = cachedlstat(tmp) if (stat.S_ISDIR(sbuf.st_mode)): create_parent_path(chroot, tmp, be_verbose=be_verbose, copy_permissions=1, allow_suid=allow_suid, copy_ownership=retain_owner) handledfiles = copy_dir_recursive(chroot,tmp,force_overwrite, be_verbose, check_libs, try_hardlink, allow_suid, retain_owner, handledfiles) else: files2 += os.path.join(dir, entry), except OSError as e: sys.stderr.write('ERROR: failed to investigate source file '+tmp+': '+e.strerror+'\n') handledfiles = copy_binaries_and_libs(chroot,files2,force_overwrite, be_verbose, check_libs, try_hardlink, allow_suid, retain_owner, handledfiles) return handledfiles # for root, dirs, files in os.walk(dir): # files2 = () # for name in files: # files2 += os.path.join(root, name), # handledfiles = copy_binaries_and_libs(chroot,files2,force_overwrite, be_verbose, check_libs, try_hardlink, retain_owner, handledfiles) # for name in dirs: # tmp = os.path.join(root, name) # create_parent_path(chroot, tmp, be_verbose=be_verbose, copy_permissions=1, allow_suid=0, copy_ownership=retain_owner) # handledfiles = copy_dir_recursive(chroot,os.path.join(root, name),force_overwrite, be_verbose, check_libs, try_hardlink, retain_owner, handledfiles) # return handledfiles # there is a very tricky situation for this function: # suppose /srv/jail/opt/bin is a symlink to /usr/bin # try to lstat(/srv/jail/opt/bin/foo) and you get the result for /usr/bin/foo # so use resolve_realpath to find you want lstat(/srv/jail/usr/bin/foo) # def copy_binaries_and_libs(chroot, binarieslist, force_overwrite=0, be_verbose=0, check_libs=1, try_hardlink=1, allow_suid=0, retain_owner=0, try_glob_matching=0, handledfiles=[]): """copies a list of executables and their libraries to the chroot""" if (chroot[-1] == '/'): chroot = chroot[:-1] for file in binarieslist: if (file in handledfiles): continue try: sb = cachedlstat(file) except OSError as e: if (e.errno == 2): if (try_glob_matching == 1): ret = glob.glob(file) if (len(ret)>0): handledfiles = copy_binaries_and_libs(chroot, ret, force_overwrite, be_verbose, check_libs, try_hardlink=try_hardlink, retain_owner=retain_owner, try_glob_matching=0, handledfiles=handledfiles) elif (be_verbose): print('Source file(s) '+file+' do not exist') elif (be_verbose): print('Source file '+file+' does not exist') else: sys.stderr.write('ERROR: failed to investigate source file '+file+': '+e.strerror+'\n') continue # source file exists, resolve the chroot realfile create_parent_path(chroot,os.path.dirname(file), be_verbose, copy_permissions=1, allow_suid=allow_suid, copy_ownership=retain_owner) chrootrfile = resolve_realpath(os.path.normpath(chroot+'/'+file),chroot) #if (rfile in handledfiles): # create_parent_path(chroot,os.path.dirname(file), be_verbose, copy_permissions=1, allow_suid=0, copy_ownership=retain_owner) # continue try: chrootsb = cachedlstat(chrootrfile) chrootfile_exists = 1 except OSError as e: if (e.errno == 2): chrootfile_exists = 0 else: sys.stderr.write('ERROR: failed to investigate destination file '+chroot+file+': '+e.strerror+'\n') if ((force_overwrite == 0) and chrootfile_exists and not stat.S_ISDIR(chrootsb.st_mode)): if (be_verbose): print(''+chrootrfile+' already exists, will not touch it') else: if (chrootfile_exists): if (force_overwrite): if (stat.S_ISREG(chrootsb.st_mode)): if (be_verbose): print('Destination file '+chrootrfile+' exists, will delete to force update') try: os.unlink(chrootrfile) except OSError as e: sys.stderr.write('ERROR: failed to delete '+chroot+rfile+': '+e.strerror+'\ncannot force update '+chroot+rfile+'\n') # BUG: perhaps we can fix the permissions so we can really delete the file? # but what permissions cause this error? elif (stat.S_ISDIR(chrootsb.st_mode)): print('Destination dir '+chrootrfile+' exists') else: if (stat.S_ISDIR(chrootsb.st_mode)): pass # for a directory we also should inspect all the contents, so we do not # skip to the next item of the loop else: if (be_verbose): print('Destination file '+chrootrfile+' exists') continue create_parent_path(chroot,os.path.dirname(file), be_verbose, copy_permissions=1, allow_suid=allow_suid, copy_ownership=retain_owner) if (stat.S_ISLNK(sb.st_mode)): realfile = os.readlink(file) if (chrootfile_exists): if (be_verbose): print('Destination symlink '+chrootrfile+' exists, will delete to force update') try: os.unlink(chrootrfile) except OSError as e: sys.stderr.write('ERROR: failed to delete '+chroot+rfile+': '+e.strerror+'\ncannot force update '+chroot+rfile+'\n') try: print('Creating symlink '+chrootrfile+' to '+realfile) os.symlink(realfile, chrootrfile) except OSError: # if the file exists already, check if it is correct pass handledfiles.append(file) if (realfile[0] != '/'): realfile = os.path.normpath(os.path.join(os.path.dirname(file),realfile)) handledfiles = copy_binaries_and_libs(chroot, [realfile], force_overwrite, be_verbose, check_libs, try_hardlink, allow_suid, retain_owner, handledfiles) elif (stat.S_ISDIR(sb.st_mode)): handledfiles = copy_dir_recursive(chroot,file,force_overwrite, be_verbose, check_libs, try_hardlink, allow_suid, retain_owner, handledfiles) elif (stat.S_ISREG(sb.st_mode)): if (try_hardlink): print('Trying to link '+file+' to '+chrootrfile) else: print('Copying '+file+' to '+chrootrfile) copy_with_permissions(file,chrootrfile,be_verbose, try_hardlink, allow_suid, retain_owner) handledfiles.append(file) elif (stat.S_ISCHR(sb.st_mode) or stat.S_ISBLK(sb.st_mode)): copy_device(chroot, file, be_verbose, retain_owner) else: sys.stderr.write('Failed to find how to copy '+file+' into a chroot jail, please report to the Jailkit developers\n') # in python 2.1 the return value is a tuple, not an object, st_mode is field 0 # mode = stat.S_IMODE(sbuf.st_mode) mode = stat.S_IMODE(sb[stat.ST_MODE]) if (check_libs and (file.find('lib') != -1 or file.find('.so') != -1 or (mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)))): libs = lddlist_libraries(file) handledfiles = copy_binaries_and_libs(chroot, libs, force_overwrite, be_verbose, 0, try_hardlink, handledfiles=handledfiles) return handledfiles def config_get_option_as_list(cfgparser, sectionname, optionname): """retrieves a comma separated option from the configparser and splits it into a list, returning an empty list if it does not exist""" retval = [] if (cfgparser.has_option(sectionname,optionname)): inputstr = cfgparser.get(sectionname,optionname) for tmp in inputstr.split(','): retval += [tmp.strip()] return retval def clean_exit(exitno,message,usagefunc,type='ERROR'): print('') print(type+': '+message) usagefunc() sys.exit(exitno) def test_numitem_exist(item,num,filename): try: fd = open(filename,'r') except: #print(''+filename+' does not exist') return 0 line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): pwstruct = line.split(':') #print('len pwstruct='+str(len(pwstruct))+' while looking for '+item) if (len(pwstruct) > num and pwstruct[num] == item): fd.close() return 1 line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') return 0 def test_user_exist(user, passwdfile): return test_numitem_exist(user,0,passwdfile) def test_group_exist(group, groupfile): return test_numitem_exist(group,0,groupfile) def init_passwd_and_group(chroot,users,groups,be_verbose=0): if (chroot[-1] == '/'): chroot = chroot[:-1] create_parent_path(chroot,'/etc/', be_verbose, copy_permissions=0, allow_suid=0, copy_ownership=0) if (sys.platform[4:7] == 'bsd'): open(chroot+'/etc/passwd','a').close() open(chroot+'/etc/spwd.db','a').close() open(chroot+'/etc/pwd.db','a').close() open(chroot+'/etc/master.passwd','a').close() else: if (not os.path.isfile(chroot+'/etc/passwd')): fd2 = open(chroot+'/etc/passwd','w') else: # the chroot passwds file exists, check if any of the users exist already fd2 = open(chroot+'/etc/passwd','r+') line = fd2.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): pwstruct = line.split(':') if (len(pwstruct) >=3): if ((pwstruct[0] in users) or (pwstruct[2] in users)): if (be_verbose): print('user '+pwstruct[0]+' exists in '+chroot+'/etc/passwd') try: users.remove(pwstruct[0]) except ValueError: pass try: users.remove(pwstruct[2]) except ValueError: pass line = fd2.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') fd2.seek(0,2) if (len(users) > 0): fd = open('/etc/passwd','r') line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): pwstruct = line.split(':') if (len(pwstruct) >=3): if ((pwstruct[0] in users) or (pwstruct[2] in users)): fd2.write(line) if (be_verbose): print('writing user '+pwstruct[0]+' to '+chroot+'/etc/passwd') if (not pwstruct[3] in groups): groups += [pwstruct[3]] line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') fd.close() fd2.close() # do the same sequence for the group files if (not os.path.isfile(chroot+'/etc/group')): fd2 = open(chroot+'/etc/group','w') else: fd2 = open(chroot+'/etc/group','r+') line = fd2.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): groupstruct = line.split(':') if (len(groupstruct) >=2): if ((groupstruct[0] in groups) or (groupstruct[2] in groups)): if (be_verbose): print('group '+groupstruct[0]+' exists in '+chroot+'/etc/group') try: groups.remove(groupstruct[0]) except ValueError: pass try: groups.remove(groupstruct[2]) except ValueError: pass line = fd2.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') fd2.seek(0,2) if (len(groups) > 0): fd = open('/etc/group','r') line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (len(line)>0): groupstruct = line.split(':') if (len(groupstruct) >=2): if ((groupstruct[0] in groups) or (groupstruct[2] in groups)): fd2.write(line) if (be_verbose): print('writing group '+groupstruct[0]+' to '+chroot+'/etc/group') line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') fd.close() fd2.close() def find_file_in_path(filename): search_path = os.getenv('PATH') paths = search_path.split(':') for path in paths: joined = os.path.join(path, filename) if os.path.exists(joined): return os.path.abspath(joined) return None def find_files_in_path(paths): paths2 = [] for tmp in paths: if (tmp[0] == '/'): paths2.append(tmp) else: tmp2 = find_file_in_path(tmp) if (tmp2): paths2.append(tmp2) return paths2 jailkit-2.21/py/jk_init.in0000644000175000017500000002325513531037544015414 0ustar olivierolivier#!/usr/bin/python # #Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2013, 2014 Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # from __future__ import print_function import sys if sys.version_info > (3, 0): #Python 3 from configparser import ConfigParser else: #Python 2 from ConfigParser import ConfigParser import os import os.path import string import getopt import shutil import stat dir_mode = 493 #octal 755, "rwxr-xr-x" INIPREFIX='/etc/jailkit' LIBDIR='/usr/share/jailkit' sys.path.append(LIBDIR) import jk_lib class jk_init: def __init__(self): self.didfiles = [] self.didsections = [] self.diddevices = [] self.didusers = [] self.didgroups = [] def logsocket(self,config,chroot): if (not os.path.exists(chroot+'/dev')): os.mkdir(chroot+'/dev') fd = open(INIPREFIX+'/jk_socketd.ini', 'r') line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') while (line): if (line[:-1] == '['+chroot+'/dev/log]'): if (config['verbose']): print('we already have '+chroot+'/dev/log in '+INIPREFIX+'/jk_socketd.ini') return line = fd.readline() if sys.version_info > (3, 0) and isinstance(line, bytes): #Python 3 line = line.decode('utf-8', 'replace') fd = open(INIPREFIX+'/jk_socketd.ini', 'a') fd.write('\n['+chroot+'/dev/log]\nbase=512\npeak=2048\ninterval=10\n') fd.close() def proc_mount(self,config, chroot): if (sys.platform[:5] == 'linux'): if (config['verbose']): print('appending proc mount '+chroot+'proc to /etc/fstab') fd = open('/etc/fstab', 'a') fd.write("proc "+chroot+"proc proc defaults 0 0\n") fd.close() if (config['verbose']): print('executing mount '+chroot+'proc') os.spawnlp(os.P_WAIT, 'mount','mount', chroot+'proc') else: print('Not processing proc mount; proc mounts are Linux specific') def add_jk_socketd_entry(self,config, chroot): print('not yet implemented') def handle_cfg_section(self,config,chroot,cfg,section): if(chroot[-1] == '/'): chroot = chroot[:-1] # first create the chroot jail itself if it does not yet exist if (not os.path.exists(chroot)): print('Creating jail '+chroot) os.makedirs(chroot, mode=dir_mode) # if the parent is setuid or setgid that is not covered by the umask set above, so we remove that os.chmod(chroot, dir_mode) sections = jk_lib.config_get_option_as_list(cfg,section,'includesections') for tmp in sections: if (tmp not in self.didsections): self.handle_cfg_section(config,chroot,cfg,tmp) self.didsections.append(tmp) #libraries, executables, regularfiles and directories are now all handled as 'paths' paths = jk_lib.config_get_option_as_list(cfg,section,'paths') paths = paths + jk_lib.config_get_option_as_list(cfg,section,'libraries') paths = paths + jk_lib.config_get_option_as_list(cfg,section,'executables') paths = paths + jk_lib.config_get_option_as_list(cfg,section,'regularfiles') paths = paths + jk_lib.config_get_option_as_list(cfg,section,'directories') paths2 = jk_lib.find_files_in_path(paths) self.didfiles = jk_lib.copy_binaries_and_libs(chroot, paths2, config['force'], config['verbose'], 1, try_hardlink=config['hardlink'],try_glob_matching=1,handledfiles=self.didfiles) paths_w_owner = jk_lib.config_get_option_as_list(cfg,section,'paths_w_owner') if (len(paths_w_owner)>0): self.didfiles = jk_lib.copy_binaries_and_libs(chroot, paths_w_owner, config['force'], config['verbose'], check_libs=1, try_hardlink=config['hardlink'], retain_owner=1,try_glob_matching=1, handledfiles=self.didfiles) paths_w_setuid = jk_lib.config_get_option_as_list(cfg,section,'paths_w_setuid') if (len(paths_w_setuid)>0): self.didfiles = jk_lib.copy_binaries_and_libs(chroot, paths_w_setuid, config['force'], config['verbose'], check_libs=1, try_hardlink=config['hardlink'], allow_suid=1, retain_owner=1, try_glob_matching=3, handledfiles=self.didfiles) emptydirs = jk_lib.config_get_option_as_list(cfg,section,'emptydirs') for edir in emptydirs: # print('DEBUG emptydir='+edir) jk_lib.create_parent_path(chroot,edir, config['verbose'], copy_permissions=0, allow_suid=0, copy_ownership=0) users = [] groups = [] tmplist = jk_lib.config_get_option_as_list(cfg,section,'users') for tmp in tmplist: if (tmp not in self.didusers): users.append(tmp) tmplist = jk_lib.config_get_option_as_list(cfg,section,'groups') for tmp in tmplist: if (tmp not in self.didusers): groups.append(tmp) jk_lib.init_passwd_and_group(chroot,users,groups,config['verbose']) self.didusers = self.didusers + users self.didgroups = self.didusers + groups if (cfg.has_option(section,'need_proc')): do_proc = cfg.get(section,'need_proc') if (do_proc): self.proc_mount(config,chroot) if (cfg.has_option(section,'need_logsocket')): do_logsocket = cfg.get(section,'need_logsocket') if (do_logsocket): self.logsocket(config,chroot) devices = jk_lib.config_get_option_as_list(cfg,section,'devices') for tmp in devices: if (tmp not in self.diddevices): jk_lib.create_parent_path(chroot,os.path.dirname(tmp), config['verbose'], copy_permissions=0, allow_suid=0, copy_ownership=0) jk_lib.copy_device(chroot,tmp,config['verbose']) self.diddevices.append(tmp) def activateConfig(config, jail, args): cfg = ConfigParser() cfg.read([config['file']]) start = 0 if (jail == None): jail = args[0] start = 1 ji = jk_init() for section in args[start:]: if (cfg.has_section(section)): ji.handle_cfg_section(config,jail,cfg,section) else: print('WARNING: section '+section+' does not exist in '+config['file']) jk_lib.gen_library_cache(jail) def usage(): print('') print("Usage: "+sys.argv[0]+" [OPTIONS]") print("Usage: "+sys.argv[0]+" [OPTIONS] -j jaildir sections...") print('') print("-h --help : this help screen") print("-c, --configfile=FILE : specify configfile location") print('-l, --list : list all available sections in the configfile') print('-j, --jail= : specify the jail to use.') print(' For backwards compatibility, if no jail is specified, the first') print(' argument after the options will be used as jail') print("-v, --verbose : show what is being done") print("-f, --force : force overwriting of existing files") print("-k, --hardlink : use hardlinks if possible") print('') def listsections(file): cfg = ConfigParser() cfg.read(file) sections = cfg.sections() sections.sort() print('\n** Available sections in '+file+' **\n') for sec in sections: if cfg.has_option(sec, 'comment'): print(sec+' - '+cfg.get(sec, 'comment')) else: print(sec) print('') def testargs(config,jail,args): if ((len(args)<2 and jail == None) or (jail != None and len(args)<1)): jk_lib.clean_exit(2,'need at least a jail directory and a configfile-section',usage) if (jail == None): jail = args[0] if (jail[0] != '/'): jail = os.path.abspath(jail) else: jail = os.path.normpath(jail) if (jk_lib.chroot_is_safe(jail) != 1): jk_lib.clean_exit(3,'jail directory '+args[0]+' is not safe',usage) if (not os.path.isfile(config['file'])): jk_lib.clean_exit(3,'configfile '+config['file']+' does not exist',usage) return jail def main(): if (os.getuid()!=0): print('Cannot create chroot jail without root privileges. Abort.') sys.exit(5) try: opts, args = getopt.getopt(sys.argv[1:], "vhflc:kj:", ["help", "configfile=", "verbose", "force", 'list', 'hardlink', 'jail']) except getopt.GetoptError: usage() sys.exit(1) config = {} config['file'] = INIPREFIX+'/jk_init.ini' config['verbose'] = 0 config['force'] = 0 config['hardlink'] = 0 jail = None list = 0 for o, a in opts: if o in ("-h", "--help"): usage() sys.exit() if o in ("-c", "--configfile"): config['file'] = a if o in ("-l", "--list"): list = 1 if o in ("-v", "--verbose"): config['verbose'] = 1 if o in ("-f", "--force"): config['force'] = 1 if o in ("-k", "--hardlink"): config['hardlink'] = 1 if o in ("-j", "--jail="): jail = a if (list ==1): listsections(config['file']) sys.exit() jail = testargs(config,jail,args) activateConfig(config, jail, args) if __name__ == "__main__": main() jailkit-2.21/py/jk_check.in0000644000175000017500000002627513531035041015521 0ustar olivierolivier#!/usr/bin/python # #Copyright (c) 2003, 2004, 2005, 2006 Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # from __future__ import print_function import sys if sys.version_info > (3, 0): #Python 3 from configparser import ConfigParser else: #Python 2 from ConfigParser import ConfigParser import os import string from stat import * import hashlib import getopt import random import stat INIPREFIX='/etc/jailkit' LIBDIR='/usr/share/jailkit' EXEPREFIX='/usr' sys.path.append(LIBDIR) import jk_lib def testchrootdir(config, path): if (config['verbose']): print("testing basedir "+path) jk_lib.chroot_is_safe(path) def md5Digest(filename, startAt): """Returns md5 digest of a 1024 bytes blobk in filename, at position startAt.""" t = 0 m = hashlib.md5() f=open(filename, 'rb') f.seek(startAt) buf = f.read(1024) f.close() m.update(buf) return m.digest() def file_in_list(thelist, file): for tmp in thelist: if (tmp == file): return 1 return 0 def filebasedir_in_list(thelist, file): for ipath in thelist: # print('is '+ipath+'=='+file[:len(ipath)]) if (file[:len(ipath)] == ipath): return 1 return 0 def testfilepermissions(config,path): try: statbuf = os.lstat(path) except OSError: sys.stderr.write('ERROR: cannot lstat() '+path+'\n') return 1 if (config['verbose']): print("testing file permissions for "+path) if (statbuf[ST_UID] == 0 or statbuf[ST_GID] == 0): # we have a root:root file if (statbuf[ST_MODE] & S_ISUID or statbuf[ST_MODE] & S_ISGID): # it is setuid or setgid if (statbuf[ST_MODE] & S_IXOTH): if (file_in_list(config['ignoresetuidexecuteforothers'], path)==0): print("WARNING: "+path+" is executable for others and setuid root!!") if (statbuf[ST_MODE] & S_IXGRP): if (file_in_list(config['ignoresetuidexecuteforgroup'], path)==0): print("WARNING: "+path+" is executable for group and setuid root!!") if (statbuf[ST_MODE] & S_IXUSR): if (file_in_list(config['ignoresetuidexecuteforuser'], path)==0): print("WARNING: "+path+" is executable for user and setuid root!!") def testdirpermissions(config,path): try: statbuf = os.lstat(path) except OSError: sys.stderr.write('ERROR: cannot lstat() '+path+'\n') return 1 if (config['verbose']): print("testing directory permissions for "+path) if (statbuf[ST_MODE] & S_IWOTH): if (filebasedir_in_list(config['ignorewritableforothers'], path) == 0): print("WARNING: "+path+" is writable for others!") if (statbuf[ST_MODE] & S_IWGRP): if (filebasedir_in_list(config['ignorewritableforgroup'], path) == 0): print("WARNING: "+path+" is writable for group!") def comparefiles(config,first, second): if (config['verbose']): print("comparing "+first+" and "+second) try: sb1 = os.lstat(first) sb2 = os.lstat(second) if (sb1[stat.ST_SIZE] != sb2[stat.ST_SIZE]): sys.stderr.write('ERROR: '+first+' and '+second+' have a different size!\n') return if (stat.S_ISLNK(sb1[stat.ST_MODE]) != stat.S_ISLNK(sb1[stat.ST_MODE])): print('ERROR: '+first+' and '+second+' are not both symlinks!') return if (stat.S_ISLNK(sb1[stat.ST_MODE])): if (os.readlink(first) != os.readlink(second)): print('ERROR: symlinks '+first+' and '+second+' point to different files!') return else: if (sb1[stat.ST_SIZE] > 1024): startAt = random.randint(0,sb1[stat.ST_SIZE]-1024) else: startAt = 0 if (md5Digest(first, startAt) != md5Digest(second, startAt)): print('ERROR: '+first+' and '+second+' are not the same!') except IOError: print('ERROR: cannot read '+first+' or '+second+' !') except OSError: print('ERROR: cannot stat() '+first+' or '+second+' !') def testchrootfiles(config, chroothome, path=''): try: if (not os.path.exists(chroothome+path)): print('cannot check files in '+chroothome+path+', it does not exist') return testdirpermissions(config,chroothome+path) for f in os.listdir(chroothome+path): chrootpath = chroothome+path+f if (filebasedir_in_list(config['ignorepatheverywhere'],chrootpath) == 0): if os.path.isfile(chrootpath): if (filebasedir_in_list(config['ignorepathoncompare'],chrootpath) == 0): realpath = '/'+path+f comparefiles(config,chrootpath, realpath) testfilepermissions(config,chrootpath) elif os.path.isdir(chrootpath) and not os.path.islink(chrootpath): testchrootfiles(config, chroothome, path+f+'/') else: if (config['verbose']): print("ignoring path "+chrootpath) except OSError: print('ERROR, failed to test any files in '+chroothome+path) def testjailusers(config, chroothome): if (os.path.exists(chroothome+'/etc/passwd')): jailep = open(chroothome+'/etc/passwd','r') realep = open('/etc/passwd','r') jline = jailep.readline() if sys.version_info > (3, 0) and isinstance(jline, bytes): #Python 3 jline = jline.decode('utf-8', 'replace') while (len(jline)>0): jpw = jline.split(':') if (jpw[0] == 'root'): if (config['verbose']): print('ignoring entry for user root in jail/etc/passwd') else: if (config['verbose']): print('comparing jailed user '+jpw[0]+' with the real user') # we test for the username, uid and primary gid found = 0 realep.seek(0) rline = realep.readline() if sys.version_info > (3, 0) and isinstance(rline, bytes): #Python 3 rline = rline.decode('utf-8', 'replace') while (len(rline)>0 and found ==0): rpw = rline.split(':') if (rpw[0] == jpw[0]): found = 1 if (rpw[2] != jpw[2] or rpw[3] != jpw[3]): print('ERROR: user '+rpw[0]+' is changed in jail '+chroothome) # now check if the jail is correct if (rpw[5] != chroothome+'.'+jpw[5]): print('ERROR: the real homedir and jail homedir for user '+jpw[0]+' do not correspond in jail '+chroothome) ## test for jk_lsh and test if the user/group is in the config file rline = realep.readline() if sys.version_info > (3, 0) and isinstance(rline, bytes): #Python 3 rline = rline.decode('utf-8', 'replace') if (found == 0): print('ERROR: user '+jpw[0]+' in jail '+chroothome+' does not exist on the real system') jline = jailep.readline() if sys.version_info > (3, 0) and isinstance(jline, bytes): #Python 3 jline = jline.decode('utf-8', 'replace') def testrealpasswd(): """reads the real /etc/passwd and looks for users that have a jail configured, returns a list of jails""" rep = open('/etc/passwd') rline = rep.readline() if sys.version_info > (3, 0) and isinstance(rline, bytes): #Python 3 rline = rline.decode('utf-8', 'replace') retval = [] while (len(rline)>0): rpw = rline.split(':') if (len(rpw)>=6): # test if the entry has any jail characteristics jaildot = rpw[5].find('/./') if (jaildot != -1): chroot = rpw[5][:jaildot+1] retval += [chroot] # test if the user actually exists in the chroot if (not jk_lib.test_user_exist(rpw[0], chroot+'/etc/passwd')): print('ERROR: user '+rpw[0]+' does not exist in '+chroot+'/etc/passwd') chrootsh = os.path.join(EXEPREFIX, 'sbin/jk_chrootsh') if (rpw[6].strip() != chrootsh): print('ERROR: user '+rpw[0]+' has a /./ but does not have the '+chrootsh+' shell') rline = rep.readline() if sys.version_info > (3, 0) and isinstance(rline, bytes): #Python 3 rline = rline.decode('utf-8', 'replace') return retval def get_list_option(cfgparser, sectionname, optionname): retval = [] if (cfgparser.has_option(sectionname,optionname)): inputstr = cfgparser.get(sectionname,optionname) for tmp in inputstr.split(','): retval += [tmp.strip()] return retval def activateConfig(configfile, verbose): cfg = ConfigParser() if (os.path.isfile(configfile)): cfg.read([configfile]) else: print('WARNING: '+configfile+' does not exist, only checking jails found in /etc/passwd') jails = testrealpasswd() for jail in jails: if ((jail not in cfg.sections()) and (jail[:-1] not in cfg.sections())): cfg.add_section(jail) for section in cfg.sections(): chrootdir = section if (chrootdir[-1:] != '/'): chrootdir += '/' config = {} config['verbose'] = verbose config['ignorepathoncompare'] = get_list_option(cfg,section, 'ignorepathoncompare') config['ignoresetuidexecuteforuser'] = get_list_option(cfg,section, 'ignoresetuidexecuteforuser') config['ignoresetuidexecuteforgroup'] = get_list_option(cfg,section, 'ignoresetuidexecuteforgroup') config['ignoresetuidexecuteforothers'] = get_list_option(cfg,section, 'ignoresetuidexecuteforothers') config['ignorewritableforothers'] = get_list_option(cfg,section, 'ignorewritableforothers') config['ignorewritableforgroup'] = get_list_option(cfg,section, 'ignorewritableforgroup') config['ignorepatheverywhere'] = get_list_option(cfg,section, 'ignorepatheverywhere') testchrootdir(config, chrootdir) testchrootfiles(config, chrootdir) testjailusers(config, chrootdir) def clean_exit(errno, message): print("** FAILURE **") print(message) print("") sys.exit(errno) def usage(): print("Usage: "+sys.argv[0]+" [OPTIONS]") print("") print("-h --help : this help screen") print("-c, --configfile=FILE : specify configfile location") print("-v, --verbose : show what is being tested") print("") def main(): try: opts, args = getopt.getopt(sys.argv[1:], "vhc:", ["help", "configfile=", "verbose"]) except getopt.GetoptError: usage() sys.exit(1) configfile = INIPREFIX+'/jk_check.ini' verbose = 0 for o, a in opts: if o in ("-h", "--help"): usage() sys.exit() if o in ("-c", "--configfile"): configfile = a if o in ("-v", "--verbose"): verbose = 1 activateConfig(configfile, verbose) if __name__ == "__main__": main() jailkit-2.21/install-sh0000755000175000017500000001272007765345573015024 0ustar olivierolivier#!/bin/sh # # install - install a program, script, or datafile # This comes from X11R5 (mit/util/scripts/install.sh). # # Copyright 1991 by the Massachusetts Institute of Technology # # Permission to use, copy, modify, distribute, and sell this software and its # documentation for any purpose is hereby granted without fee, provided that # the above copyright notice appear in all copies and that both that # copyright notice and this permission notice appear in supporting # documentation, and that the name of M.I.T. not be used in advertising or # publicity pertaining to distribution of the software without specific, # written prior permission. M.I.T. makes no representations about the # suitability of this software for any purpose. It is provided "as is" # without express or implied warranty. # # Calling this script install-sh is preferred over install.sh, to prevent # `make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. It can only install one file at a time, a restriction # shared with many OS's install programs. # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. doit="${DOITPROG-}" # put in absolute paths if you don't have them in your path; or use env. vars. mvprog="${MVPROG-mv}" cpprog="${CPPROG-cp}" chmodprog="${CHMODPROG-chmod}" chownprog="${CHOWNPROG-chown}" chgrpprog="${CHGRPPROG-chgrp}" stripprog="${STRIPPROG-strip}" rmprog="${RMPROG-rm}" mkdirprog="${MKDIRPROG-mkdir}" transformbasename="" transform_arg="" instcmd="$mvprog" chmodcmd="$chmodprog 0755" chowncmd="" chgrpcmd="" stripcmd="" rmcmd="$rmprog -f" mvcmd="$mvprog" src="" dst="" dir_arg="" while [ x"$1" != x ]; do case $1 in -c) instcmd="$cpprog" shift continue;; -d) dir_arg=true shift continue;; -m) chmodcmd="$chmodprog $2" shift shift continue;; -o) chowncmd="$chownprog $2" shift shift continue;; -g) chgrpcmd="$chgrpprog $2" shift shift continue;; -s) stripcmd="$stripprog" shift continue;; -t=*) transformarg=`echo $1 | sed 's/-t=//'` shift continue;; -b=*) transformbasename=`echo $1 | sed 's/-b=//'` shift continue;; *) if [ x"$src" = x ] then src=$1 else # this colon is to work around a 386BSD /bin/sh bug : dst=$1 fi shift continue;; esac done if [ x"$src" = x ] then echo "install: no input file specified" exit 1 else true fi if [ x"$dir_arg" != x ]; then dst=$src src="" if [ -d $dst ]; then instcmd=: else instcmd=mkdir fi else # Waiting for this to be detected by the "$instcmd $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if [ -f $src -o -d $src ] then true else echo "install: $src does not exist" exit 1 fi if [ x"$dst" = x ] then echo "install: no destination specified" exit 1 else true fi # If destination is a directory, append the input filename; if your system # does not like double slashes in filenames, you may need to add some logic if [ -d $dst ] then dst="$dst"/`basename $src` else true fi fi ## this sed command emulates the dirname command dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` # Make sure that the destination directory exists. # this part is taken from Noah Friedman's mkinstalldirs script # Skip lots of stat calls in the usual case. if [ ! -d "$dstdir" ]; then defaultIFS=' ' IFS="${IFS-${defaultIFS}}" oIFS="${IFS}" # Some sh's can't handle IFS=/ for some reason. IFS='%' set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` IFS="${oIFS}" pathcomp='' while [ $# -ne 0 ] ; do pathcomp="${pathcomp}${1}" shift if [ ! -d "${pathcomp}" ] ; then $mkdirprog "${pathcomp}" else true fi pathcomp="${pathcomp}/" done fi if [ x"$dir_arg" != x ] then $doit $instcmd $dst && if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi else # If we're going to rename the final executable, determine the name now. if [ x"$transformarg" = x ] then dstfile=`basename $dst` else dstfile=`basename $dst $transformbasename | sed $transformarg`$transformbasename fi # don't allow the sed command to completely eliminate the filename if [ x"$dstfile" = x ] then dstfile=`basename $dst` else true fi # Make a temp file name in the proper directory. dsttmp=$dstdir/#inst.$$# # Move or copy the file name to the temp name $doit $instcmd $src $dsttmp && trap "rm -f ${dsttmp}" 0 && # and set any options; do chmod last to preserve setuid bits # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $instcmd $src $dsttmp" command. if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && # Now rename the file to the real destination. $doit $rmcmd -f $dstdir/$dstfile && $doit $mvcmd $dsttmp $dstdir/$dstfile fi && exit 0 jailkit-2.21/configure0000755000175000017500000054227713544213044014721 0ustar olivierolivier#! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.69 for jailkit 2.21. # # Report bugs to . # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then _as_can_reexec=no; export _as_can_reexec; # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 as_fn_exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } as_fn_failure () { as_fn_return 1; } as_fn_ret_success () { return 0; } as_fn_ret_failure () { return 1; } exitcode=0 as_fn_success || { exitcode=1; echo as_fn_success failed.; } as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : else exitcode=1; echo positional parameters were not saved. fi test x\$exitcode = x0 || exit 1 test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null; then : as_have_required=yes else as_have_required=no fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. as_found=: case $as_dir in #( /*) for as_base in sh bash ksh sh5; do # Try only shells that exist, to save several forks. as_shell=$as_dir/$as_base if { test -f "$as_shell" || test -f "$as_shell.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : CONFIG_SHELL=$as_shell as_have_required=yes if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : break 2 fi fi done;; esac as_found=false done $as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : CONFIG_SHELL=$SHELL as_have_required=yes fi; } IFS=$as_save_IFS if test "x$CONFIG_SHELL" != x; then : export CONFIG_SHELL # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno; then : $as_echo "$0: This script requires a shell more modern than all" $as_echo "$0: the shells that I found on your system." if test x${ZSH_VERSION+set} = xset ; then $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org and $0: https://savannah.nongnu.org/bugs/?group=jailkit about $0: your system, including any error possibly output before $0: this message. Then install a modern shell, or manually $0: run the script under such a shell if you do have one." fi exit 1 fi fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. CLICOLOR_FORCE= GREP_OPTIONS= unset CLICOLOR_FORCE GREP_OPTIONS ## --------------------- ## ## M4sh Shell Functions. ## ## --------------------- ## # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits as_lineno_1=$LINENO as_lineno_1a=$LINENO as_lineno_2=$LINENO as_lineno_2a=$LINENO eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' s/[$]LINENO.*/&-/ t lineno b :lineno N :loop s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # If we had to re-execute with $CONFIG_SHELL, we're ensured to have # already done that, so ensure we don't try to do so again and fall # in an infinite loop. This has already happened in practice. _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). . "./$as_me.lineno" # Exit status is that of the last command. exit } ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` # # Initializations. # ac_default_prefix=/usr/local ac_clean_files= ac_config_libobj_dir=. LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='jailkit' PACKAGE_TARNAME='jailkit' PACKAGE_VERSION='2.21' PACKAGE_STRING='jailkit 2.21' PACKAGE_BUGREPORT='https://savannah.nongnu.org/bugs/?group=jailkit' PACKAGE_URL='' ac_default_prefix=/usr ac_unique_file="src/jk_socketd.c" # Factoring default headers for most tests. ac_includes_default="\ #include #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_SYS_STAT_H # include #endif #ifdef STDC_HEADERS # include # include #else # ifdef HAVE_STDLIB_H # include # endif #endif #ifdef HAVE_STRING_H # if !defined STDC_HEADERS && defined HAVE_MEMORY_H # include # endif # include #endif #ifdef HAVE_STRINGS_H # include #endif #ifdef HAVE_INTTYPES_H # include #endif #ifdef HAVE_STDINT_H # include #endif #ifdef HAVE_UNISTD_H # include #endif" ac_subst_vars='LTLIBOBJS LIBOBJS HAVEPROCMAIL_TRUE PROCMAILPATH PYTHONINTERPRETER INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM EGREP GREP CPP OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC VERSION PACKAGE target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir runstatedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking ' ac_precious_vars='build_alias host_alias target_alias CC CFLAGS LDFLAGS LIBS CPPFLAGS CPP PYTHONINTERPRETER PROCMAILPATH' # Initialize some variables set by options. ac_init_help= ac_init_version=false ac_unrecognized_opts= ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac # Accept the important Cygnus configure options, so we can diagnose typos. case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | --program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -runstatedir | --runstatedir | --runstatedi | --runstated \ | --runstate | --runstat | --runsta | --runst | --runs \ | --run | --ru | --r) ac_prev=runstatedir ;; -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ | --run=* | --ru=* | --r=*) runstatedir=$ac_optarg ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | --targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: \`$ac_option' Try \`$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures jailkit 2.21 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print \`checking ...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify an installation prefix other than \`$ac_default_prefix' using \`--prefix', for instance \`--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/jailkit] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of jailkit 2.21:";; esac cat <<\_ACEOF Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory CPP C preprocessor PYTHONINTERPRETER The `python' binary with path. Use it to define or override the location of `python'. PROCMAILPATH The `procmail' binary with path. Use it to define or override the location of `procmail'. Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for guested configure. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF jailkit configure 2.21 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## # ac_fn_c_try_compile LINENO # -------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_cpp () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } > conftest.i && { test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp # ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists, giving a warning if it cannot be compiled using # the include files in INCLUDES and setting the cache variable VAR # accordingly. ac_fn_c_check_header_mongrel () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if eval \${$3+:} false; then : { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } else # Is the header compilable? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 $as_echo_n "checking $2 usability... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_header_compiler=yes else ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 $as_echo "$ac_header_compiler" >&6; } # Is the header present? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 $as_echo_n "checking $2 presence... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include <$2> _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : ac_header_preproc=yes else ac_header_preproc=no fi rm -f conftest.err conftest.i conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 $as_echo "$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( yes:no: ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 $as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ;; no:yes:* ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 $as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 $as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ( $as_echo "## -------------------------------------------------------------- ## ## Report this to https://savannah.nongnu.org/bugs/?group=jailkit ## ## -------------------------------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=\$ac_header_compiler" fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_mongrel # ac_fn_c_try_run LINENO # ---------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. Assumes # that executables *can* be run. ac_fn_c_try_run () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then : ac_retval=0 else $as_echo "$as_me: program exited with status $ac_status" >&5 $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in # INCLUDES, setting the cache variable VAR accordingly. ac_fn_c_check_header_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile # ac_fn_c_try_link LINENO # ----------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_link () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest$ac_exeext if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || test -x conftest$ac_exeext }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly ac_fn_c_check_func () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $2 (); below. Prefer to if __STDC__ is defined, since exists even on freestanding compilers. */ #ifdef __STDC__ # include #else # include #endif #undef $2 /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char $2 (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined __stub_$2 || defined __stub___$2 choke me #endif int main () { return $2 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by jailkit $as_me 2.21, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. ## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. $as_echo "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Save into config.log some information that might help in debugging. { echo $as_echo "## ---------------- ## ## Cache variables. ## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo $as_echo "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then $as_echo "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then $as_echo "## ----------- ## ## confdefs.h. ## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && $as_echo "$as_me: caught signal $ac_signal" $as_echo "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h $as_echo "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. cat >>confdefs.h <<_ACEOF #define PACKAGE_NAME "$PACKAGE_NAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_TARNAME "$PACKAGE_TARNAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_VERSION "$PACKAGE_VERSION" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_STRING "$PACKAGE_STRING" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_URL "$PACKAGE_URL" _ACEOF # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. ac_site_file1=NONE ac_site_file2=NONE if test -n "$CONFIG_SITE"; then # We do not want a PATH search for config.site. case $CONFIG_SITE in #(( -*) ac_site_file1=./$CONFIG_SITE;; */*) ac_site_file1=$CONFIG_SITE;; *) ac_site_file1=./$CONFIG_SITE;; esac elif test "x$prefix" != xNONE; then ac_site_file1=$prefix/share/config.site ac_site_file2=$prefix/etc/config.site else ac_site_file1=$ac_default_prefix/share/config.site ac_site_file2=$ac_default_prefix/etc/config.site fi for ac_site_file in "$ac_site_file1" "$ac_site_file2" do test "x$ac_site_file" = xNONE && continue if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 $as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" \ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See \`config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 $as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 $as_echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 $as_echo "$as_me: former value: \`$ac_old_val'" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 $as_echo "$as_me: current value: \`$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu PACKAGE=jailkit cat >>confdefs.h <<_ACEOF #define PACKAGE "jailkit" _ACEOF VERSION=2.21 cat >>confdefs.h <<_ACEOF #define VERSION "2.21" _ACEOF if test "$prefix" = "NONE"; then sysconfdir="/etc" { $as_echo "$as_me:${as_lineno-$LINENO}: config files will be in /etc/jailkit/" >&5 $as_echo "$as_me: config files will be in /etc/jailkit/" >&6;} fi ac_config_headers="$ac_config_headers src/config.h" ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 $as_echo_n "checking whether the C compiler works... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. break;; *.* ) if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an `-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else ac_file='' fi if test -z "$ac_file"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See \`config.log' for more details" "$LINENO" 5; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 $as_echo_n "checking for C compiler default output file name... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 $as_echo "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with # `rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest conftest$ac_cv_exeext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { FILE *f = fopen ("conftest.out", "w"); return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 $as_echo_n "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details" "$LINENO" 5; } fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 $as_echo "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } if ${ac_cv_objext+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 $as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated as 'x'. The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) 'x' int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); int argc; char **argv; int main () { return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; ; return 0; } _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then : fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 $as_echo_n "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then if ${ac_cv_prog_CPP+:} false; then : $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : break fi done ac_cv_prog_CPP=$CPP fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 $as_echo "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check See \`config.log' for more details" "$LINENO" 5; } fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 $as_echo_n "checking for grep that handles long lines and -e... " >&6; } if ${ac_cv_path_GREP+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$GREP"; then ac_path_GREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in *GNU*) ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_GREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_GREP=$GREP fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 $as_echo "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 $as_echo_n "checking for egrep... " >&6; } if ${ac_cv_path_EGREP+:} false; then : $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 then ac_cv_path_EGREP="$GREP -E" else if test -z "$EGREP"; then ac_path_EGREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in *GNU*) ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_EGREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_EGREP=$EGREP fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 $as_echo "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "memchr" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "free" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) #else # define ISLOWER(c) \ (('a' <= (c) && (c) <= 'i') \ || ('j' <= (c) && (c) <= 'r') \ || ('s' <= (c) && (c) <= 'z')) # define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) #endif #define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { int i; for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : else ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi # On IRIX 5.3, sys/types and inttypes.h are conflicting. for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ inttypes.h stdint.h unistd.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default " if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done ac_fn_c_check_header_mongrel "$LINENO" "minix/config.h" "ac_cv_header_minix_config_h" "$ac_includes_default" if test "x$ac_cv_header_minix_config_h" = xyes; then : MINIX=yes else MINIX= fi if test "$MINIX" = yes; then $as_echo "#define _POSIX_SOURCE 1" >>confdefs.h $as_echo "#define _POSIX_1_SOURCE 2" >>confdefs.h $as_echo "#define _MINIX 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether it is safe to define __EXTENSIONS__" >&5 $as_echo_n "checking whether it is safe to define __EXTENSIONS__... " >&6; } if ${ac_cv_safe_to_define___extensions__+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ # define __EXTENSIONS__ 1 $ac_includes_default int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_safe_to_define___extensions__=yes else ac_cv_safe_to_define___extensions__=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_safe_to_define___extensions__" >&5 $as_echo "$ac_cv_safe_to_define___extensions__" >&6; } test $ac_cv_safe_to_define___extensions__ = yes && $as_echo "#define __EXTENSIONS__ 1" >>confdefs.h $as_echo "#define _ALL_SOURCE 1" >>confdefs.h $as_echo "#define _GNU_SOURCE 1" >>confdefs.h $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated as 'x'. The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) 'x' int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); int argc; char **argv; int main () { return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; ; return 0; } _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then : fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing strerror" >&5 $as_echo_n "checking for library containing strerror... " >&6; } if ${ac_cv_search_strerror+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char strerror (); int main () { return strerror (); ; return 0; } _ACEOF for ac_lib in '' cposix; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_strerror=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_strerror+:} false; then : break fi done if ${ac_cv_search_strerror+:} false; then : else ac_cv_search_strerror=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_strerror" >&5 $as_echo "$ac_cv_search_strerror" >&6; } ac_res=$ac_cv_search_strerror if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 $as_echo_n "checking for inline... " >&6; } if ${ac_cv_c_inline+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __cplusplus typedef int foo_t; static $ac_kw foo_t static_foo () {return 0; } $ac_kw foo_t foo () {return 0; } #endif _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_inline=$ac_kw fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext test "$ac_cv_c_inline" != no && break done fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 $as_echo "$ac_cv_c_inline" >&6; } case $ac_cv_c_inline in inline | yes) ;; *) case $ac_cv_c_inline in no) ac_val=;; *) ac_val=$ac_cv_c_inline;; esac cat >>confdefs.h <<_ACEOF #ifndef __cplusplus #define inline $ac_val #endif _ACEOF ;; esac ac_aux_dir= for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break elif test -f "$ac_dir/install.sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install.sh -c" break elif test -f "$ac_dir/shtool"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/shtool install -c" break fi done if test -z "$ac_aux_dir"; then as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5 fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if ${ac_cv_path_install+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. # Account for people who put trailing slashes in PATH elements. case $as_dir/ in #(( ./ | .// | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. # Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir fi if test "${ac_cv_path_install+set}" = set; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 $as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' if test "$CC" = "gcc" ; then CFLAGS="$CFLAGS -Wall -pipe" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "memchr" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "free" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) #else # define ISLOWER(c) \ (('a' <= (c) && (c) <= 'i') \ || ('j' <= (c) && (c) <= 'r') \ || ('s' <= (c) && (c) <= 'z')) # define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) #endif #define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { int i; for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : else ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi for ac_header in errno.h stdio.h ctype.h getopt.h math.h time.h sys/socket.h pthread.h pwd.h wordexp.h liberty.h strings.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in strnlen wordexp clearenv get_current_dir_name do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in strndup do : ac_fn_c_check_func "$LINENO" "strndup" "ac_cv_func_strndup" if test "x$ac_cv_func_strndup" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRNDUP 1 _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for strndup in -liberty" >&5 $as_echo_n "checking for strndup in -liberty... " >&6; } if ${ac_cv_lib_iberty_strndup+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-liberty $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char strndup (); int main () { return strndup (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_iberty_strndup=yes else ac_cv_lib_iberty_strndup=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_iberty_strndup" >&5 $as_echo "$ac_cv_lib_iberty_strndup" >&6; } if test "x$ac_cv_lib_iberty_strndup" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBIBERTY 1 _ACEOF LIBS="-liberty $LIBS" fi fi done for ac_func in mempcpy do : ac_fn_c_check_func "$LINENO" "mempcpy" "ac_cv_func_mempcpy" if test "x$ac_cv_func_mempcpy" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_MEMPCPY 1 _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mempcpy in -liberty" >&5 $as_echo_n "checking for mempcpy in -liberty... " >&6; } if ${ac_cv_lib_iberty_mempcpy+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-liberty $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char mempcpy (); int main () { return mempcpy (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_iberty_mempcpy=yes else ac_cv_lib_iberty_mempcpy=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_iberty_mempcpy" >&5 $as_echo "$ac_cv_lib_iberty_mempcpy" >&6; } if test "x$ac_cv_lib_iberty_mempcpy" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBIBERTY 1 _ACEOF LIBS="-liberty $LIBS" fi fi done for ac_func in stpcpy do : ac_fn_c_check_func "$LINENO" "stpcpy" "ac_cv_func_stpcpy" if test "x$ac_cv_func_stpcpy" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STPCPY 1 _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stpcpy in -liberty" >&5 $as_echo_n "checking for stpcpy in -liberty... " >&6; } if ${ac_cv_lib_iberty_stpcpy+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-liberty $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char stpcpy (); int main () { return stpcpy (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_iberty_stpcpy=yes else ac_cv_lib_iberty_stpcpy=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_iberty_stpcpy" >&5 $as_echo "$ac_cv_lib_iberty_stpcpy" >&6; } if test "x$ac_cv_lib_iberty_stpcpy" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBIBERTY 1 _ACEOF LIBS="-liberty $LIBS" fi fi done # Check if -pthread is available # if not try -lpthread OLDCFLAGS=$CFLAGS OLDLDFLAGS=$LDFLAGS CFLAGS="$CFLAGS -pthread" LDFLAGS="$LDFLAGS -pthread" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread support" >&5 $as_echo_n "checking for pthread support... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include void *g(void *d) { return NULL; } int main () { pthread_t t; pthread_create(&t,NULL,g,NULL); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: use -pthread" >&5 $as_echo "use -pthread" >&6; } else CFLAGS=$OLDCFLAGS LDFLAGS=$OLDLDFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5 $as_echo_n "checking for pthread_create in -lpthread... " >&6; } if ${ac_cv_lib_pthread_pthread_create+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpthread $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char pthread_create (); int main () { return pthread_create (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_pthread_pthread_create=yes else ac_cv_lib_pthread_pthread_create=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5 $as_echo "$ac_cv_lib_pthread_pthread_create" >&6; } if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBPTHREAD 1 _ACEOF LIBS="-lpthread $LIBS" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5 $as_echo_n "checking for pthread_create in -lc_r... " >&6; } if ${ac_cv_lib_c_r_pthread_create+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lc_r $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char pthread_create (); int main () { return pthread_create (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_c_r_pthread_create=yes else ac_cv_lib_c_r_pthread_create=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5 $as_echo "$ac_cv_lib_c_r_pthread_create" >&6; } if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBC_R 1 _ACEOF LIBS="-lc_r $LIBS" else as_fn_error $? "libpthread not found" "$LINENO" 5 fi fi fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext # solaris has -lsocket or -lxnet for various socket functions for ac_func in recvfrom do : ac_fn_c_check_func "$LINENO" "recvfrom" "ac_cv_func_recvfrom" if test "x$ac_cv_func_recvfrom" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_RECVFROM 1 _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for recvfrom in -lxnet" >&5 $as_echo_n "checking for recvfrom in -lxnet... " >&6; } if ${ac_cv_lib_xnet_recvfrom+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lxnet $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char recvfrom (); int main () { return recvfrom (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_xnet_recvfrom=yes else ac_cv_lib_xnet_recvfrom=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_xnet_recvfrom" >&5 $as_echo "$ac_cv_lib_xnet_recvfrom" >&6; } if test "x$ac_cv_lib_xnet_recvfrom" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBXNET 1 _ACEOF LIBS="-lxnet $LIBS" fi fi done for ac_func in send do : ac_fn_c_check_func "$LINENO" "send" "ac_cv_func_send" if test "x$ac_cv_func_send" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_SEND 1 _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for send in -lsocket" >&5 $as_echo_n "checking for send in -lsocket... " >&6; } if ${ac_cv_lib_socket_send+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char send (); int main () { return send (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_socket_send=yes else ac_cv_lib_socket_send=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_send" >&5 $as_echo "$ac_cv_lib_socket_send" >&6; } if test "x$ac_cv_lib_socket_send" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBSOCKET 1 _ACEOF LIBS="-lsocket $LIBS" fi fi done # solaris needs -lrt or -lposix4 for nanosleep() for ac_func in nanosleep do : ac_fn_c_check_func "$LINENO" "nanosleep" "ac_cv_func_nanosleep" if test "x$ac_cv_func_nanosleep" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_NANOSLEEP 1 _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nanosleep in -lposix4" >&5 $as_echo_n "checking for nanosleep in -lposix4... " >&6; } if ${ac_cv_lib_posix4_nanosleep+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lposix4 $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char nanosleep (); int main () { return nanosleep (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_posix4_nanosleep=yes else ac_cv_lib_posix4_nanosleep=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_posix4_nanosleep" >&5 $as_echo "$ac_cv_lib_posix4_nanosleep" >&6; } if test "x$ac_cv_lib_posix4_nanosleep" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBPOSIX4 1 _ACEOF LIBS="-lposix4 $LIBS" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nanosleep in -lrt" >&5 $as_echo_n "checking for nanosleep in -lrt... " >&6; } if ${ac_cv_lib_rt_nanosleep+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lrt $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char nanosleep (); int main () { return nanosleep (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_rt_nanosleep=yes else ac_cv_lib_rt_nanosleep=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_nanosleep" >&5 $as_echo "$ac_cv_lib_rt_nanosleep" >&6; } if test "x$ac_cv_lib_rt_nanosleep" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBRT 1 _ACEOF LIBS="-lrt $LIBS" else as_fn_error $? "nanosleep not found" "$LINENO" 5 fi fi fi done # FreeBSD has a gnugetopt library for this # Solaris might have libiberty for ac_func in getopt_long do : ac_fn_c_check_func "$LINENO" "getopt_long" "ac_cv_func_getopt_long" if test "x$ac_cv_func_getopt_long" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_GETOPT_LONG 1 _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for getopt_long in -lgnugetopt" >&5 $as_echo_n "checking for getopt_long in -lgnugetopt... " >&6; } if ${ac_cv_lib_gnugetopt_getopt_long+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lgnugetopt $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char getopt_long (); int main () { return getopt_long (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_gnugetopt_getopt_long=yes else ac_cv_lib_gnugetopt_getopt_long=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gnugetopt_getopt_long" >&5 $as_echo "$ac_cv_lib_gnugetopt_getopt_long" >&6; } if test "x$ac_cv_lib_gnugetopt_getopt_long" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBGNUGETOPT 1 _ACEOF LIBS="-lgnugetopt $LIBS" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for getopt_long in -liberty" >&5 $as_echo_n "checking for getopt_long in -liberty... " >&6; } if ${ac_cv_lib_iberty_getopt_long+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-liberty $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char getopt_long (); int main () { return getopt_long (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_iberty_getopt_long=yes else ac_cv_lib_iberty_getopt_long=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_iberty_getopt_long" >&5 $as_echo "$ac_cv_lib_iberty_getopt_long" >&6; } if test "x$ac_cv_lib_iberty_getopt_long" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBIBERTY 1 _ACEOF LIBS="-liberty $LIBS" else as_fn_error $? "getopt_long not found" "$LINENO" 5 fi fi fi done for ac_header in sys/capability.h do : ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default" if test "x$ac_cv_header_sys_capability_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_SYS_CAPABILITY_H 1 _ACEOF fi done for ac_func in cap_get_proc do : ac_fn_c_check_func "$LINENO" "cap_get_proc" "ac_cv_func_cap_get_proc" if test "x$ac_cv_func_cap_get_proc" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_CAP_GET_PROC 1 _ACEOF else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for cap_get_proc in -lcap" >&5 $as_echo_n "checking for cap_get_proc in -lcap... " >&6; } if ${ac_cv_lib_cap_cap_get_proc+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lcap $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char cap_get_proc (); int main () { return cap_get_proc (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_cap_cap_get_proc=yes else ac_cv_lib_cap_cap_get_proc=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_cap_get_proc" >&5 $as_echo "$ac_cv_lib_cap_cap_get_proc" >&6; } if test "x$ac_cv_lib_cap_cap_get_proc" = xyes; then : $as_echo "#define HAVE_CAP_GET_PROC 1" >>confdefs.h LDFLAGS="$LDFLAGS -lcap" fi fi done # Extract the first word of "python", so it can be a program name with args. set dummy python; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_PYTHONINTERPRETER+:} false; then : $as_echo_n "(cached) " >&6 else case $PYTHONINTERPRETER in [\\/]* | ?:[\\/]*) ac_cv_path_PYTHONINTERPRETER="$PYTHONINTERPRETER" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_PYTHONINTERPRETER="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_path_PYTHONINTERPRETER" && ac_cv_path_PYTHONINTERPRETER="no" ;; esac fi PYTHONINTERPRETER=$ac_cv_path_PYTHONINTERPRETER if test -n "$PYTHONINTERPRETER"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHONINTERPRETER" >&5 $as_echo "$PYTHONINTERPRETER" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$PYTHONINTERPRETER" = "xno" ; then as_fn_error $? "python not found please install python" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for up to date python" >&5 $as_echo_n "checking for up to date python... " >&6; } echo -n "checking for up to date python... " if $PYTHONINTERPRETER -c 'i=1;i+=1' >/dev/null 2>&1 ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 $as_echo "ok" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 $as_echo "failed" >&6; } as_fn_error $? "your python version is too old, please install python 2 or newer" "$LINENO" 5 fi # Extract the first word of "procmail", so it can be a program name with args. set dummy procmail; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_PROCMAILPATH+:} false; then : $as_echo_n "(cached) " >&6 else case $PROCMAILPATH in [\\/]* | ?:[\\/]*) ac_cv_path_PROCMAILPATH="$PROCMAILPATH" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_PROCMAILPATH="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_path_PROCMAILPATH" && ac_cv_path_PROCMAILPATH="no" ;; esac fi PROCMAILPATH=$ac_cv_path_PROCMAILPATH if test -n "$PROCMAILPATH"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PROCMAILPATH" >&5 $as_echo "$PROCMAILPATH" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$PROCMAILPATH" != "xno" ; then cat >>confdefs.h <<_ACEOF #define PROCMAILPATH "$PROCMAILPATH" _ACEOF else HAVEPROCMAIL_TRUE=# fi ac_config_files="$ac_config_files Makefile src/Makefile py/Makefile man/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # # `ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* `ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} if test ! -f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by jailkit $as_me 2.21, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac case $ac_config_headers in *" "*) set x $ac_config_headers; shift; ac_config_headers=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_headers="$ac_config_headers" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ \`$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE --header=FILE[:TEMPLATE] instantiate the configuration header FILE Configuration files: $config_files Configuration headers: $config_headers Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ jailkit config.status 2.21 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Copyright (C) 2012 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header as_fn_error $? "ambiguous option: \`$1' Try \`$0 --help' for more information.";; --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: \`$1' Try \`$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX $as_echo "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "src/config.h") CONFIG_HEADERS="$CONFIG_HEADERS src/config.h" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; "py/Makefile") CONFIG_FILES="$CONFIG_FILES py/Makefile" ;; "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to `$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with `./config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" # Set up the scripts for CONFIG_HEADERS section. # No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with `./config.status Makefile'. if test -n "$CONFIG_HEADERS"; then cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF # Transform confdefs.h into an awk script `defines.awk', embedded as # here-document in config.status, that substitutes the proper values into # config.h.in to produce config.h. # Create a delimiter string that does not exist in confdefs.h, to ease # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do ac_tt=`sed -n "/$ac_delim/p" confdefs.h` if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done # For the awk script, D is an array of macro values keyed by name, # likewise P contains macro parameters if any. Preserve backslash # newline sequences. ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* sed -n ' s/.\{148\}/&'"$ac_delim"'/g t rset :rset s/^[ ]*#[ ]*define[ ][ ]*/ / t def d :def s/\\$// t bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3"/p s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p d :bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3\\\\\\n"\\/p t cont s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p t cont d :cont n s/.\{148\}/&'"$ac_delim"'/g t clear :clear s/\\$// t bsnlc s/["\\]/\\&/g; s/^/"/; s/$/"/p d :bsnlc s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p b cont ' >$CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 for (key in D) D_is_set[key] = 1 FS = "" } /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { line = \$ 0 split(line, arg, " ") if (arg[1] == "#") { defundef = arg[2] mac1 = arg[3] } else { defundef = substr(arg[1], 2) mac1 = arg[2] } split(mac1, mac2, "(") #) macro = mac2[1] prefix = substr(line, 1, index(line, defundef) - 1) if (D_is_set[macro]) { # Preserve the white space surrounding the "#". print prefix "define", macro P[macro] D[macro] next } else { # Replace #undef with comments. This is necessary, for example, # in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. if (defundef == "undef") { print "/*", prefix defundef, macro, "*/" next } } } { print } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS " shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`$as_echo "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when `$srcdir' = `.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :H) # # CONFIG_HEADER # if test x"$ac_file" != x-; then { $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" } >"$ac_tmp/config.h" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 $as_echo "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi jailkit-2.21/debian/0000755000175000017500000000000013544213117014214 5ustar olivierolivierjailkit-2.21/debian/docs0000644000175000017500000000001310113440653015055 0ustar olivierolivierREADME.txt jailkit-2.21/debian/rules0000755000175000017500000000625610542064721015305 0ustar olivierolivier#!/usr/bin/make -f # GNU copyright 1997 to 1999 by Joey Hess. # # Modified to make a template file for a multi-binary package with separated # build-arch and build-indep targets by Bill Allombert 2001 # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 # This has to be exported to make some magic below work. export DH_OPTIONS # These are used for cross-compiling and for saving the configure script # from having to guess our platform (since we know it already) DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) CFLAGS = -Wall -g ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) CFLAGS += -O0 else CFLAGS += -O2 endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif config.status: configure dh_testdir # Here the commands to configure the package. CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --sysconfdir=/etc --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info #Architecture build: build-arch build-indep build-arch: build-arch-stamp build-arch-stamp: config.status # Here the commands to compile the arch part of the package. $(MAKE) touch build-arch-stamp build-indep: build-indep-stamp build-indep-stamp: config.status # Here could be the commands to compile the indep part of the package, but there are none. touch build-indep-stamp clean: dh_testdir dh_testroot rm -f build-arch-stamp build-indep-stamp #CONFIGURE-STAMP# # Here the commands to clean up after the build process. -$(MAKE) distclean ifneq "$(wildcard /usr/share/misc/config.sub)" "" cp -f /usr/share/misc/config.sub config.sub endif ifneq "$(wildcard /usr/share/misc/config.guess)" "" cp -f /usr/share/misc/config.guess config.guess endif dh_clean install: install-arch #install-indep: # # there is no indep install-arch: dh_testdir dh_testroot dh_clean -k -s dh_installdirs -s # Here the commands to install the arch part of the package into # $(CURDIR)/debian/ cd src && $(MAKE) install prefix=$(CURDIR)/debian/jailkit/usr cd man && $(MAKE) install prefix=$(CURDIR)/debian/jailkit/usr cd py && $(MAKE) install prefix=$(CURDIR)/debian/jailkit/usr install -m 644 ini/*.ini $(CURDIR)/debian/jailkit/etc/jailkit/ install -m 755 extra/jailkit $(CURDIR)/debian/jailkit/etc/init.d/ install -m 644 debian/lintian.override $(CURDIR)/debian/jailkit/usr/share/lintian/overrides/jailkit dh_install -s # This is called by binary-arch/binary-indep # in another 'make' thread. binary-common: dh_testdir dh_testroot dh_installchangelogs dh_installdocs dh_installexamples dh_installinit dh_installman dh_link dh_strip dh_compress dh_fixperms --exclude jk_chrootsh --exclude jk_procmailwrapper dh_makeshlibs dh_installdeb dh_shlibdeps dh_gencontrol dh_md5sums dh_builddeb # There are no architecture independent sections #binary-indep: build-indep install-indep # # Build architecture dependant packages using the common target. binary-arch: build-arch install-arch $(MAKE) -f debian/rules DH_OPTIONS=-a binary-common binary: binary-arch .PHONY: build clean binary-arch binary install install-arch jailkit-2.21/debian/changelog0000644000175000017500000001707313544213044016075 0ustar olivierolivierjailkit (2.21-1) UNRELEASED; urgency=medium * python 3 compatibility * removed deprecated jk_addjailuser jailkit (2.20-1) UNRELEASED; urgency=medium * somehow a bug URL was pasted into the ini file location in the sourcecode for jk_chrootsh in the 2.18 release. Fixed. * fixing jk_procmailrc for users with a dot (other than /./ ) in their home directory * fixing jk_cp and jk_update to renew symlinks as well * fixes jk_update to remove deprecated directories when empty * improved some man pages -- Olivier Wed, 18 Nov 2015 20:38:44 +0100 jailkit (2.18-1) UNRELEASED; urgency=medium * maintenance release, fix uid_t printing for very high uid numbers * minor improvements to jk_init.ini * add possibility to force --login in jk_chrootsh * * -- Olivier Sun, 29 Sep 2019 22:34:07 +0200 jailkit (2.17-1) precise; urgency=low * fix compiling with -lcap for some newer linux distributions * improve some argument checking and error messages * do not abort when called as -su * improve jk_socketd man page * make jk_cp honor option -j again -- Olivier Fri, 03 Jan 2014 23:43:26 +0100 jailkit (2.16-1) precise; urgency=low * fix compiling if -pthread and -lcap are both needed * fix bug in environment cleaning function * improve jk_init.ini for some 64bit linux distributions * improve error messages -- Olivier Thu, 18 Apr 2013 21:57:34 +0200 jailkit (2.15-1) lucid; urgency=low * use -pthreads if available instead of -lpthread * allow symlinks for /bin /lib and /sbin if they are moved into /usr/ (as fedora 17 has) -- Olivier Sessink Thu, 07 Jun 2012 23:20:26 +0200 jailkit (2.14-1) lucid; urgency=low * move jk_check to hashlib * fix for the prefix directory of jk_check * enable jk_chrootsh to be called su -- Olivier Sessink Thu, 28 Apr 2011 10:25:24 +0200 jailkit (2.13-1) lucid; urgency=low * fixes a regression in 2.12 - INIPREFIX was updated incorrectly in some cases -- Olivier Sessink Sun, 10 Oct 2010 22:35:24 +0200 jailkit (2.12-1) lucid; urgency=low * jk_init and jk_cp can now resolve binaries using PATH -- Olivier Sessink Sun, 12 Sep 2010 21:30:23 +0200 jailkit (2.11-1) hardy; urgency=low * mostly documentation updates * minor Solaris specific improvements * fixed possible jk_lsh crash -- Olivier Sun, 07 Feb 2010 17:23:16 +0100 jailkit (2.10-1) hardy; urgency=low * 2.9 fix was incompatible with jk_jailuser, fixed now * compiler warning fixes -- Olivier Thu, 22 Oct 2009 13:31:18 +0200 jailkit (2.9-1) hardy; urgency=low * fix symlink handling, if a symlink inside the jail points to the real system jk_init and jk_cp could write files into the real system -- Olivier Wed, 14 Oct 2009 23:07:33 +0200 jailkit (2.8-1) hardy; urgency=low * support for capabilities to replace the setuid bit * minor Solaris compatibility fixes -- Olivier Thu, 20 Aug 2009 12:51:05 +0200 jailkit (2.7-1) hardy; urgency=low * fix a regression in jk_chrootsh and jk_uchroot for interactive sessions -- Olivier Sun, 05 Apr 2009 20:20:38 +0200 jailkit (2.6-1) hardy; urgency=low * some minor code cleanups and improvements * some fixes for Solaris compatibility -- Olivier Wed, 01 Apr 2009 21:13:20 +0200 jailkit (2.5-1) unstable; urgency=low * fixed an issue in jk_cp and jk_init that symlinks to directories were sometimes copied as directories instead of symlinks * improved some documentation * added a -j option to all utilities to improve consistency -- Olivier Sessink Fri, 07 Dec 2007 13:53:52 +0100 jailkit (2.4-1) unstable; urgency=low * added a new jk_uchroot utility * fixed a rare crash in configuration file parsing * added new jk_init configuration file options * added new options to jk_cp and jk_init to retain ownership when copying files into the jail * improved the documentation * improved several chroot security checks * fixed some build issues on OpenBSD * improved error reporting -- Olivier Sessink Tue, 17 Jul 2007 20:32:41 +0200 jailkit (2.3-1) unstable; urgency=low * various small fixes for the new jk_update utility * added a -k option to jk_cp, jk_init and jk_update to use hardlinks instead of copying * various fixes to install jailkit in a different location -- Olivier Sessink Thu, 28 Dec 2006 13:51:00 +0100 jailkit (2.2-1) unstable; urgency=low * Jailkit 2.2 released with a new utility jk_update to keep jails up-to-date and various improvements on *BSD operating systems -- Olivier Sessink Fri, 8 Dec 2006 00:00:00 +0200 jailkit (2.1-2) unstable; urgency=low * tarballs are uploaded again, there was a Makefile issue -- Olivier Sessink Fri, 8 Sep 2006 00:00:00 jailkit (2.1-1) unstable; urgency=low * improved logging * allowed sub-second intervals for jk_socketd * improved various checks in jk_jailuser * improved handling of recursive directories in jk_cp * new utility jk_list to list all jailed processes -- Olivier Sessink Thu, 7 Sep 2006 00:00:00 jailkit (2.0-1) unstable; urgency=low * fixes to allow jk_chrootsh to function on systems that use a name service caching daemon, or ldap authentication and others * some options for jk_chrootsh to relax some strict checks * replaced jk_addjailuser with jk_jailuser, which should work on more platforms * added the DEFAULT section to jk_lsh.ini and jk_chrootsh.ini to allow easier configuration -- Olivier Sessink Wed, 9 Aug 2006 00:00:00 jailkit (1.3-1) unstable; urgency=low * fixes some issues with Gentoo Linux * fixes some FreeBSD issues * fixes option --force for jk_init * better defaults in jk_init.ini * much more verbose error reporting by jk_lsh and jk_chrootsh -- Olivier Sessink Thu, 5 Aug 2004 19:22:41 jailkit (1.2-1) unstable; urgency=low * new upstream 1.2 release * mainly *BSD and MacOSX build related fixes -- Olivier Sessink Thu, 26 Aug 2004 21:34:01 +0200 jailkit (1.1-2) unstable; urgency=low * adding lintian override file, package now is lintian clean -- Olivier Sessink Sun, 15 Aug 2004 11:47:44 +0200 jailkit (1.1-1) unstable; urgency=low * new upstream 1.1 release * fixes some leftovers from /usr/bin/ to /usr/sbin/ transition * fixes minor bug in jk_init -- Olivier Sessink Fri, 13 Aug 2004 21:23:43 +0200 jailkit (1.0-1) unstable; urgency=low * new upstream 1.0 release * jk_adduser improvements * documentation improvements * moved all binaries to /usr/sbin/ -- Olivier Sessink Thu, 5 Aug 2004 19:22:41 +0200 jailkit (0.9-1) unstable; urgency=low * new upstream 0.9 release * jk_cp and jk_init speed improvements -- Olivier Sessink Sun, 23 May 2004 21:28:17 +0200 jailkit (0.8-1) unstable; urgency=low * new upstream 0.8 release * adds wildcard expansion (*,?,~, etc.) to jk_lsh -- Olivier Sessink Tue, 18 May 2004 21:05:08 +0200 jailkit (0.7-1) unstable; urgency=low * Initial Release. * First Debian package -- Olivier Sessink Sat, 1 May 2004 12:02:18 +0200 jailkit-2.21/debian/postinst0000644000175000017500000000061310106616725016025 0ustar olivierolivier#!/bin/sh #DEBHELPER# set -e if ! grep /usr/sbin/jk_chrootsh /etc/shells >/dev/null; then \ echo "/usr/sbin/jk_chrootsh" >> /etc/shells ;\ fi if [ -x "/etc/init.d/jailkit" ]; then update-rc.d jailkit defaults >/dev/null if [ -x /usr/sbin/invoke-rc.d ]; then invoke-rc.d jailkit start else /etc/init.d/jailkit start fi fi exit 0 jailkit-2.21/debian/postrm0000644000175000017500000000015310075560327015466 0ustar olivierolivier#!/bin/sh #DEBHELPER# set -e if [ "$1" = "purge" ] ; then update-rc.d jailkit remove >/dev/null fi jailkit-2.21/debian/dirs0000644000175000017500000000012610107627341015077 0ustar olivierolivieretc/init.d etc/jailkit usr/bin usr/sbin usr/share/man/man8 usr/share/lintian/overridesjailkit-2.21/debian/copyright0000644000175000017500000000332510263326041016146 0ustar olivierolivierThis package was debianized by Olivier Sessink on Fri, 8 July 2005 12:02:18 +0200. It was downloaded from http://olivier.sessink.nl/jailkit/ Upstream Author: Olivier Sessink Copyright: Copyright (c) 2003-2004, Olivier Sessink All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. jailkit-2.21/debian/conffiles0000644000175000017500000000000010075564470016104 0ustar olivierolivierjailkit-2.21/debian/control0000644000175000017500000000105010263326041015607 0ustar olivierolivierSource: jailkit Section: admin Priority: optional Maintainer: Olivier Sessink Build-Depends: debhelper (>= 4.0.0) Standards-Version: 3.6.2 Package: jailkit Architecture: any Depends: ${shlibs:Depends}, python (>= 2.1.3) Description: chroot jail utilities Jailkit is a set of utilities to create chroot jails for users, processes and daemons. There are utilities to build a jail, to test a jail, and to run a jail. See 'man jailkit' for further information. The jailkit website is at http://olivier.sessink.nl/jailkit/ jailkit-2.21/debian/compat0000644000175000017500000000000213544213044015411 0ustar olivierolivier9 jailkit-2.21/debian/lintian.override0000644000175000017500000000017510107627341017416 0ustar olivierolivierjailkit: setuid-binary usr/sbin/jk_procmailwrapper 4755 root/root jailkit: setuid-binary usr/sbin/jk_chrootsh 4755 root/root jailkit-2.21/debian/prerm0000644000175000017500000000033710075560327015273 0ustar olivierolivier#!/bin/sh #DEBHELPER# set -e if [ -x "/etc/init.d/jailkit" ]; then if [ -x /usr/sbin/invoke-rc.d ] ; then invoke-rc.d jailkit stop else /etc/init.d/jailkit stop fi fi jailkit-2.21/man/0000755000175000017500000000000013544213117013545 5ustar olivierolivierjailkit-2.21/man/jk_check.80000644000175000017500000000640311333563222015401 0ustar olivierolivier.TH jk_check 8 07-02-2010 JAILKIT jk_check .SH NAME jk_check \- a utility that will check a jail for security problems .SH SYNOPSIS .B jk_check jail .B jk_check -v -c configfile jail .SH DESCRIPTION jk_check will run several tests on all files and directories in a jail. The tests are: -test for setuid (set user id) or setgid (set group id) files -test for file modifications, using an MD5 checksum on the file in the jail and the same file in the real root -test for group writable or world writable directories -test for matching user information in the jail and on the real system It will test directories based on the config file .I /etc/jailkit/jk_check.ini but also based on jail patterns (dir/./dir) found in the home directories in .I /etc/passwd .SH EXAMPLE .SS "Minimal configfile" The most minimal configuration looks like: .nf .sp [/home/testchroot] .fi This will include all the files and directories in /home/testchroot for testing. .SS "More extended configfile" Often you want to ignore some tests on some directories, the following configfile shows some examples: .nf .sp [/home/testchroot] ignorepatheverywhere = ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc ignorewritableforgroup = /home/testchroot/home ignorewritableforothers = /home/testchroot/home/tmp ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt ignoresetuidexecuteforothers = .fi .B ignorepatheverywhere .RS no single test is performed in these directories. You should not use this option unless you what you are doing. .RE .B ignorepathoncompare .RS files in listed directories are not compared with their non-jail counterparts. Useful for directories like /etc/ and /home/ where you know you'll have different files inside the jail and outside the jail .RE .B ignorewritableforgroup .RS listed directories that are writable for the group are not reported .RE .B ignorewritableforothers .RS listed directories that are writable for others are not reported .RE .B ignoresetuidexecuteforuser .RS ignore the setuid bit on a file that is executable for a user, a file with -rws------ permissions that is. Use with care! Remember that user root can break out of a jail, therefore any program running with root priviledges is theoretically capable of breaking out of the jail! .RE .B ignoresetuidexecuteforgroup .RS ignore the setuid bit for a file that is executable for the group, a file with -rws--x--- permissions that is. .RE .B ignoresetuidexecuteforothers .RS ignore the setuid bit for a file that is executable for others, a file with -rws--x--x permissions that is .RE .SH OPTIONS .TP .BR \-v Will give verbose output .TP .BR \-c\ configfile Use alternative configfile .TP .BR \-h The help screen .SH FILES .I /etc/jailkit/jk_check.ini .SH "SEE ALSO" .BR jailkit(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_lsh.80000644000175000017500000000737011333563222015116 0ustar olivierolivier.TH jk_lsh 8 07-02-2010 JAILKIT jk_lsh .SH NAME jk_lsh \- a shell that limits the binaries it will execute .SH SYNOPSIS .B jk_lsh -c command .SH DESCRIPTION The jailkit limited shell jk_lsh is not an interactive shell. jk_lsh will only execute commands that are passed during startup (e.g. /bin/sh -c command) and will deny to start all but explicitly allowed commands. All other commands, or regular shell access are denied. This can be used to restrict an account to a specific use. For example, jk_lsh can be used to make rsync-, cvs-, sftp- or scp-only accounts, or even an account that can start firefox or opera but nothing else. The allowed actions are read from .I /etc/jailkit/jk_lsh.ini If you run jk_lsh inside a changed root jail, make sure jk_lsh.ini is present inside that chroot jail. .SH LIMITATIONS Some shells can process complex commandlines, such as command1 && command2, or kill `ps |grep foo`. The limited shell jk_lsh cannot do anything like that, another shell should be used if you want enable such features. It is not planned to include this in any future version. .SH OPTIONS jk_lsh can do word expansion such as *.txt expanding to each file that ends with .txt. This is very useful when running rsync or scp with jk_lsh. Option allow_word_expansion should be set to 1 in order to allow this. jk_lsh can also set environment variables. This is a comma separated list with key=value pairs. Options can be set for a specific user, for the primary group of a user, or for all users in section DEFAULT. .SH EXAMPLE An example config file for user test or group test is shown below .nf .sp [DEFAULT] executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync paths = /usr/bin/, /usr/lib allow_word_expansion = 1 [test] executables = /usr/bin/scp, /usr/lib/sftp-server paths = /usr/bin/, /usr/lib allow_word_expansion = 0 umask = 002 [group test] executables = /usr/bin/rsync paths = /usr/bin/ allow_word_expansion = 1 environment=TERM=linux,FOO=bar .fi If user test has primary group test, however, he can not execute rsync in the above example. First the user section is checked, and only if no user section is found the primary group section is looked for, and only if no group section is found, the DEFAULT section is looked for. If no section is found, jk_lsh aborts. The .B executables entry specifies all executables that jk_lsh will execute. The .B paths entry specifies in which directories jk_lsh will look for these executables if no path is specified. The PATH environment variable is ignored by jk_lsh. The .B allow_word_expansion if set to 1, will make jk_lsh do word expansion (*, ?, ~, $) using .BR wordexp(3) which is very useful for remote commands like .I rsync server:./* . or .I scp server:somedir/* /tmp/ .B umask if you want a specific umask The common way to use jk_lsh is to use it as default shell for those restricted accounts. It is recomended to run these accounts inside a changed root using .BR jk_chrootsh(8) .SH FILES .I /etc/jailkit/jk_lsh.ini .I /etc/passwd .I JAIL/etc/jailkit/jk_lsh.ini .I JAIL/etc/passwd .SH DIAGNOSTICS jk_lsh logs errors to syslog, so check your log files. If you run jk_lsh inside a changed root, you have to have a /dev/log in that changed root. See .BR jk_socketd(8) for more information how to do this. .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_procmailwrapper.80000644000175000017500000000260211333563222017530 0ustar olivierolivier.TH jk_procmailwrapper 8 07-02-2010 JAILKIT jk_procmailwrapper .SH NAME jk_procmailwrapper \- a wrapper to prevent procmail execution by jailed users .SH DESCRIPTION jk_procmailwrapper is a wrapper around the regular procmail utility. For regular users it will execute the normal procmail utility. For users that are in a chroot jail (the home directory contains a . character) it will change root into the jail, and execute the procmail utility inside the jail. This enables safe mail delivery for jailed users. Without this utility, users in a jail can execute commands outside the jail by placing them in their .procmailrc. It should be used as a replacement for procmail in your mail server's configuration. .SH WARNING If your mailserver allows users to have a .forward file, they can still run scripts outside the jail! Make sure users cannot use a .forward file to run scripts on the real system!! .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .BR procmail(1) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_chrootsh.80000644000175000017500000001044513312764244016164 0ustar olivierolivier.TH jk_chrootsh 8 07-02-2010 JAILKIT jk_chrootsh .SH NAME jk_chrootsh \- a shell that will put the user inside a changed root .SH SYNOPSIS .B jk_chrootsh .SH DESCRIPTION jk_chrootsh can be used as a shell for a user (e.g. in /etc/passwd or your ldap store). That user will be put into a changed root. The directory where to put the user in is read from the users home directory, the last occurring /./ sequence is used to mark the location of the changed root. An example line in /etc/passwd would look like test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh In this example the user will be chroot-ed into /home/testchroot Inside the chroot-ed directory, it will look for /etc/passwd and it will execute the shell for the user from that file. For the above example the /etc/passwd file inside the jail should have an entry like test:x:10000:10000::/home/test:/usr/sbin/jk_lsh Notice that the home directory and the shell are local inside the chroot jk_chrootsh needs certain elevated privileges to make the .BR chroot(2) system call. Therefore it is setuid root. It will drop its root priveleges immediately after making the chroot() system call. Since Jailkit 2.8 jk_chrootsh may also use the CAP_SYS_CHROOT capability on systems that support capabilities, and then the setuid bit can be removed. By default jk_chrootsh does not copy any environment variables. For some functionality, however, environment variables need to be copied (e.g. the TERM variable for a functional terminal emulation, or the DISPLAY variable for X forwarding). In .I /etc/jailkit/jk_chrootsh.ini the required environment variables can be listed. An example config file is shown below. In the example, user bill will get the DISPLAY variable, and all users in group jail will get the TERM and PATH variables. By default jk_chrootsh requires a home directory owned by the user with the same group as the primary group from the user, and requires the home directory to be non-writable for group and others. You can relax these requirements in the configfile as shown below. .nf .sp [DEFAULT] relax_home_group=1 [bill] env= DISPLAY relax_home_owner=1 relax_home_group_permissions=1 relax_home_other_permissions=1 [group jail] env = TERM, PATH injail_login_shell=1 .fi If user bill is in group jail, however, he will not get the TERM variable in the above example. Neither will any user with primary group jail get relaxed requirements for the ownership and the permissions of the home directory. First the user is checked, and only if no user section is found the primary group section is looked for, and if no group section is found, the DEFAULT section is used. Normally jk_chrootsh will pass all arguments it is called with to the shell in the jail. You can force jk_chrootsh to call the shell inside the jail with a single argument --login by setting injail_login_shell=1 in the config file. jk_chrootsh can be configured not to read the final shell from the /etc/passwd file in the jail. An example configfile is shown below. .nf .sp [group jail2] skip_injail_passwd_check=1 injail_shell=/bin/bash .fi .SH FILES .I /etc/passwd .I /etc/jailkit/jk_chrootsh.ini .SH DIAGNOSTICS jk_chrootsh logs everything to syslog, please check the log files. Logging is sent to the LOG_AUTH facility with levels LOG_ERR and LOG_CRIT for critical errors, LOG_NOTICE for non-critical errors, and LOG_INFO for normal events. On most systems the command .B grep jk_ /var/log/* will give you the information you need. commonly made mistakes are: forgetting to add the user to JAIL/etc/passwd or the group to JAIL/etc/group forgetting to have the correct permissions on all files inside the jail, or forgetting files inside the jail (the shell itself, or any libraries used by the shell) referring to a file outside the chroot .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .BR syslogd(8) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2018 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_list.80000644000175000017500000000205311333563222015274 0ustar olivierolivier.TH jk_list 8 07-02-2010 JAILKIT jk_list .SH NAME jk_list \- a utility to list all processes in a chroot jail .SH SYNOPSIS .B jk_list .B jk_list -w .SH DESCRIPTION jk_list will show all processes that are running in a chroot jail, which jail they are running in, and which user is running the process. .SH OPTIONS .TP .BR \-w Show wide listing (does not abbreviate commandline options) .SH BUGS Currently jk_list needs a /proc filesystem to function, and is therefore unlikely to function on operating systems that do not have a /proc filesystem .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_init.80000644000175000017500000001037211333563222015267 0ustar olivierolivier.TH jk_init 8 07-02-2010 JAILKIT jk_init .SH NAME jk_init \- a utility to quicky create functional jail directories .SH SYNOPSIS .B jk_init -j jail section .B jk_init -v -f -k -j jail section .SH DESCRIPTION It is not an easy task to setup a jail (a changed root) in a functional way. If you want the user to be able to run cvs for example, it will not work to simply copy the cvs binary into the users jail. You will find that cvs needs libraries as well. cvs also needs the /dev/null device. Finally you need something to start cvs: you need a shell too. And the shell might need files like /etc/passwd and /etc/nsswitch.conf. With jk_init you can automate these tasks. You can create a section in the configfile .I /etc/jailkit/jk_init.ini that has all the files, directories and devices, and you can use jk_init to setup such a jail with a single command. The default configfile has examples for cvs, sftp, scp, rsync and more for Debian and Ubuntu Linux. For other operating systems the defaults might need some (minor) updates. .SH EXAMPLE An example configfile section might look like this: .nf .sp [jk_lsh] comment = Jailkit limited shell paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini users = root groups = root need_logsocket = 1 includesections = uidbasics [sftp] comment = ssh secure ftp with Jailkit limited shell paths = /usr/lib/sftp-server includesections = netbasics, uidbasics devices = /dev/urandom, /dev/null emptydirs = /svr .fi The .B comment entry specifies the comment that is shown if jk_init option -l or --list is used. The .B paths entry specifies which files and directories need to be copied into the jail. Executables and libraries are checked for any required libraries, and these requirements are copied too. All files are created with user root as owner. The .B paths_w_owner entry specifies which paths need to be copied with their current ownership. This can be used to copy files that need to be writable by a server process that does not run as user root (for example database files). The .B users and .B groups entries specify which users and groups that need to be present in /etc/passwd. If the .B need_logsocket entry is set to "1" the .I jk_socketd.ini file is modified to include a .I /dev/log socket in this jail. The .B devices entry specifies which devices are required in the jail. The .B includesections entry specifies which other sections need to be processed as well when processing the current section. In the above example, the jk_lsh section is automatically included if the sftp section is processed. Finally the .B emptydirs entry specifies which directories to create as empty directories. This can be useful to create for example mountpoints in the jail. .SH DEPRECATED CONFIGFILE ENTRIES The entries .B executables , .B regularfiles , .B directories and .B libraries are all replaced by the entry .B paths. They are still supported, but are handled similar to the paths entry. .SH LIMITATIONS Many unix like operating systems install files in different locations. The defaulkt jk_init config file has defaults taken from Debian and Ubuntu. The default config file may not work on other platforms. You probably need to customise jk_init.ini for your platform and your applications. .SH OPTIONS .TP .BR \-f\ \-\-force Force overwriting of existing files .TP .BR \-v\ \-\-verbose Will give verbose output .TP .BR \-k\ \-\-hardlink Try to create hardlinks instead of copying the files .TP .BR \-c\ configfile\ \-\-configfile=configfile Use alternative configfile .TP .BR \-l\ \-\-list List available sections in the config file .TP .BR \-j\ \-\-jail\ Specify the jail directory to operate on. .TP .BR \-h\ \-\-help The help screen .SH FILES .I /etc/jailkit/jk_init.ini .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .BR ldd(1) .BR mknod(1) .BR ln(1) .BR chmod(1) .BR mkdir(1) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/Makefile.in0000644000175000017500000000311113531043637015612 0ustar olivierolivierINSTALL = @INSTALL@ prefix = @prefix@ datadir = @datadir@ datarootdir = @datarootdir@ mandir = @mandir@ SRCS = \ jailkit.8 \ jk_chrootsh.8 \ jk_uchroot.8 \ jk_lsh.8 \ jk_socketd.8 \ jk_init.8 \ jk_check.8 \ jk_cp.8 \ jk_chrootlaunch.8 \ jk_jailuser.8 \ jk_list.8 \ jk_update.8 @HAVEPROCMAIL_TRUE@SRCS += jk_procmailwrapper.8 MANS = $(SRCS:.8=.8.gz) #%.8.gz : %.8 # gzip -9 > $@ < $< #.in.default: #all: ${SRCS} # for file in ${SRCS} ; do \ # gzip < $${file} > $${file}.gz ;\ # done jailkit.8.gz: jailkit.8 gzip -9 < jailkit.8 > $@ jk_chrootsh.8.gz: jk_chrootsh.8 gzip -9 < jk_chrootsh.8 > $@ jk_uchroot.8.gz: jk_uchroot.8 gzip -9 < jk_uchroot.8 > $@ jk_lsh.8.gz: jk_lsh.8 gzip -9 < jk_lsh.8 > $@ jk_socketd.8.gz: jk_socketd.8 gzip -9 < jk_socketd.8 > $@ jk_init.8.gz: jk_init.8 gzip -9 < jk_init.8 > $@ jk_check.8.gz: jk_check.8 gzip -9 < jk_check.8 > $@ jk_cp.8.gz: jk_cp.8 gzip -9 < jk_cp.8 > $@ jk_chrootlaunch.8.gz: jk_chrootlaunch.8 gzip -9 < jk_chrootlaunch.8 > $@ jk_procmailwrapper.8.gz: jk_procmailwrapper.8 gzip -9 < jk_procmailwrapper.8 > $@ jk_jailuser.8.gz: jk_jailuser.8 gzip -9 < jk_jailuser.8 > $@ jk_list.8.gz: jk_list.8 gzip -9 < jk_list.8 > $@ jk_update.8.gz: jk_update.8 gzip -9 < jk_update.8 > $@ jailkit: ${MANS} all: jailkit install: jailkit ${INSTALL} -d -m 755 ${DESTDIR}${mandir}/man8/ for file in ${MANS} ; do \ ${INSTALL} -m 0644 $${file} ${DESTDIR}${mandir}/man8/ ;\ done uninstall: for file in ${MANS} ; do \ rm -f ${DESTDIR}${mandir}/man8/$${file} ;\ done clean: rm -f *.gz rm -f *~ distclean: clean rm -f Makefile jailkit-2.21/man/jk_chrootlaunch.80000644000175000017500000000677313312764242017033 0ustar olivierolivier.TH jk_chrootlaunch 8 07-02-2010 JAILKIT jk_chrootlaunch .SH NAME jk_chrootlaunch \- a launcher that can start a deamon in a jail, with a specified uid and gid .SH SYNOPSIS .B jk_chrootlaunch [-h] [-p .I pidfile .B ] [-u user] [-g group] -j .I jaildir .B -x .I executable .B -- [executable options] .B jk_chrootlaunch [--help] [--pidfile= .I pidfile .B ] [--user user] [--group group] --jail .I jaildir .B --exec .I executable .B -- [executable options] .SH DESCRIPTION This launcher can be used to start some other process inside a jail. That process is typically a daemon that cannot do .BR chroot(2) itself. The process can optionally be started with a certain user ID or group ID. Optionally this utility can write a pidfile to some location. This utility needs to make the .BR chroot(2) call to jail the process, therefore it can only be started in a useful way by user root. Because you can break out of a jail with root privileges it is recommended to start the daemon as some other user and group using the --user and --group options. If this is not possible because that daemon needs root privileges as well (for example to open a port below 1024) the jail can perhaps delay a hacker, but it cannot prevent it. There are several daemons that should not be started by jk_chrootlaunch. All daemons that do a .BR chroot(2) themselves (for example jk_socketd, postfix and openvpn) can do it themselves much better. Daemons that need access to files on the real system (for example the samba smbd daemon) can also not be jailed, unless you can move all those files into the jail and do not need them on the real system. .SH OPTIONS .TP .BR \-j\ \-\-jail the directory to jail the process in .TP .BR \-u\ \-\-user the name or uid of the user to start the process as .TP .BR \-g\ \-\-group the name or gid of the group to start the process as .TP .BR \-x\ \-\-exec the executable to start .TP .BR \-\- any options after the -- are passed to the executable .SH EXAMPLE Suppose you want to start Apache inside a jail. Apache needs root privileges because it needs to open TCP port 80. But after opening port 80 it will start subprocesses as a regular user (for example user www-data). Therefore the subprocesses cannot break out of the jail. Apache can also write it's own pidfile, so we also don't need that option. First we create the jail using .BR jk_init(8). The apachectl program is a shell script, it also needs /bin/sh and /usr/bin/kill. We also have to copy these into the jail using .BR jk_cp(8). Apache also needs its modules from /usr/lib/apache, copy those as well. Then we can start Apache: jk_chrootlaunch -j /home/webjail -x /home/webjail/usr/sbin/apachectl -- start There are some smarter ways to do this. You can remove the /bin/sh and /bin/kill executables from the jail if you edit the apachectl script, and add jk_chrootlaunch to the script itself. .SH DIAGNOSTICS jk_chrootlaunch logs errors to syslog, so check your log files. On most systems the command .B grep jk_ /var/log/* will give you the information you need. .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2018 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_socketd.80000644000175000017500000000724712261630330015763 0ustar olivierolivier.TH jk_socketd 8 02-08-2012 JAILKIT jk_socketd .SH NAME jk_socketd \- a daemon to create a rate-limited /dev/log socket inside a chroot .SH SYNOPSIS .B jk_socketd .B jk_socketd -p .I pidfile .B -n .B jk_socketd --pidfile= .I pidfile .B --nodetach .SH DESCRIPTION The jailkit socket daemon creates a rate-limited /dev/log socket inside a jail according to .I /etc/jailkit/jk_socketd.ini and writes all data eventually to syslog using the real .I /dev/log Programs like jk_lsh and also many daemons need a /dev/log socket to do logging to syslog. jk_socketd is an alternative for syslog to create /dev/log inside the jail (see your syslog manual how to accomplish this). However, if you are worrying about an attacker disrupting normal system operation by filling your logs you should use jk_socketd. jk_socketd can limit the number of bytes written trough the socket. If the logging is limited by jk_socketd, processes that run inside the jail will be slowed down if they try to use the logging service. If you expect a high logging rate in a jail, it is recommended to use syslog to create the socket in the jail instead of jk_socketd. On (Open)Solaris /dev/log is not a socket and therefore jk_socketd will not function. On (Open)Solaris you should create the devices .I /dev/log and .I /dev/conslog in the jail to enable logging inside the jail. The rate limiting is done based on three parameters, the base, the peak and the interval. The interval is the number of seconds that jk_socketd will use to count up to the number of bytes. The base and peak are both a number in bytes. A socket is normally only allowed to have base bytes going trough per interval seconds. Only if in the previous interval the number of bytes has been lower than base, peak number of bytes is allowed. So a peak can only happen if the previous interval has been lower than base. The config file consists of several entries where each entry looks like this: .nf .sp [/home/testchroot/dev/log] base = 512 peak = 2048 interval = 5.0 .fi The title of the section is the socket to be created. The directory to create the socket in should exist. .SS "Security" The jailkit socket daemon will change to user nobody and will chroot() into an empty dir once all sockets are opened. If the /dev/log socket is closed by the syslog daemon (for example during log rotation), .B jk_socketd needs a restart to open it again. .SH OPTIONS .TP .BR \-n\ \-\-nodetach do not detach from the terminal and print debugging output .TP .BR \-p\ pidfile\ \-\-pidfile=pidfile write PID to pidfile .TP .BR \-h\ \-\-help show help screen .TP .BR \-\-socket=/path/to/socket do not read ini file, create specific socket .TP .BR \-\-base=integer message rate limit (in bytes) per interval for socket specified by --socket .TP .BR \-\-peak=integer message rate limit peak (in bytes) for socket specified by --socket .TP .BR \-\-interval=float message rate limit interval in seconds for socket specified by --socket .SH FILES .I /etc/jailkit/jk_socketd.ini .SH DIAGNOSTICS jk_socketd logs errors to syslog, so check your log files otherwise run jk_socketd -n and it will not detach from the terminal, and it will print some debugging output. .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .BR syslogd(8) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_uchroot.80000644000175000017500000000420113312764244016007 0ustar olivierolivier.TH jk_uchroot 8 07-02-2010 JAILKIT jk_uchroot .SH NAME jk_uchroot \- grant regular users the right to change root into certain directories .SH SYNOPSIS .B jk_uchroot -j -x .SH DESCRIPTION jk_uchroot can be used to give regular users access to the chroot() system call in a safe way. jk_uchroot will only grant chroot into a jail if the configuration file lists this user and jail combination. jk_uchroot will furthermore only grant access if the chroot jail is safe. Safe means that it is owned by uid 0 gid 0 and not writable for others, including the system directories such as /bin, /lib, /dev/, /sbin, and /usr. jk_uchroot needs certain elevated privileges to make the .BR chroot(2) system call. Therefore it is setuid root. It will drop its root priveleges immediately after making the chroot() system call. Since Jailkit 2.8 jk_uchroot may also use the CAP_SYS_CHROOT capability on systems that support capabilities, and then the setuid bit can be removed. .nf .sp [john] allowed_jails = /srv/johnjail, /srv/commonjail skip_injail_passwd_check = 1 [group users] allowed_jails = /srv/commonjail skip_injail_passwd_check = 1 .fi In the above example jk_uchroot is configured not to check if the user exists in the /etc/passwd file in the jails. .SH FILES .I /etc/jailkit/jk_uchroot.ini .SH DIAGNOSTICS jk_uchroot logs everything to syslog, please check the log files. Logging is sent to the LOG_AUTH facility with levels LOG_ERR and LOG_CRIT for critical errors, LOG_NOTICE for non-critical errors, and LOG_INFO for normal events. On most systems the command .B grep jk_ /var/log/* will give you the information you need. .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_update(8) .BR chroot(2) .BR syslogd(8) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2018 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_jailuser.80000644000175000017500000000416111333563222016141 0ustar olivierolivier.TH jk_jailuser 8 07-02-2010 JAILKIT jk_jailuser .SH NAME jk_jailuser \- a utility to put an existing user in a jail .SH SYNOPSIS .B jk_jailuser [OPTIONS] [more usernames] .B jk_jailuser --jail=/path/to/jail .SH DESCRIPTION The jk_jailuser utility will change the shell of an existing user to jk_chrootsh and change the home directory to /./, and it will add the user to /etc/passwd. On *BSD systems this is /etc/master.passwd and pwd_mkdb is used to generate the other password files. The jk_jailuser utility will abort if the /etc/passwd file is missing, or if the shell is missing in the jail. If was already inside the jail, a /./ seperator is placed on the correct location in the path. If the previous home directory was not in the jail, it is changed. In interactive mode you are asked if you want to move the contents. In non-interactive mode the contents are only moved if the --move option is specified. .SH OPTIONS .TP .BR \-j\ \-\-jail= jail The jail directory to use. This jail should exist, and should have at least /etc/passwd .TP .BR \-v\ \-\-verbose Will give verbose output .TP .BR \-h\ \-\-help The help screen .TP .BR \-m\ \-\-move Move the contents of the home directory inside the jail. If in interactive mode, jk_jailuser will ask if the directory should be moved if that is necessary. In non-interactive mode this option is disabled by default. .TP .BR \-n\ \-\-noninteractive No user interaction. .TP .BR \-s\ \-\-shell= shell The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .BR usermod(8) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_cp.80000644000175000017500000000347111333563222014730 0ustar olivierolivier.TH jk_cp 8 07-02-2010 JAILKIT jk_cp .SH NAME jk_cp \- a utility to copy files including permissions and libraries into a jail .SH SYNOPSIS .B jk_cp -j jail source .B jk_cp -v -k -f -j jail source .SH DESCRIPTION jk_cp will copy any file into a jail on the identical location, with identical permissions and (if required) including any required libraries. It will remove any set user id (setuid) or set group id (setgid) permissions from all files and directories copied. .SH EXAMPLE jk_cp -j /home/testchroot /usr/bin/cvs will copy /usr/bin/cvs to /home/testchroot/usr/bin/cvs, and it will copy the libraries used by cvs also to the jail. jk_cp -k -j /svr/testjail /usr/bin/firefox /usr/share/firefox will hardlink /usr/bin/firefox and all files in /usr/share/firefox into jail /svr/testjail .SH OPTIONS .TP .BR \-j\ \-\-jail The destination jail. If no jail is specified, the first argument is used as jail for backwards compatibility .TP .BR \-f\ \-\-force Force overwriting of existing files .TP .BR \-k\ \-\-hardlink Try to create hardlinks instead of copying the files. If linking fails it falls back to copying. .TP .BR \-o\ \-\-owner Retains the file ownership and group when copying files and directories. .TP .BR \-v\ \-\-verbose Will give verbose output .TP .BR \-h\ \-\-help The help screen .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .BR jk_socketd(8) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jailkit.80000644000175000017500000002354213531043044015267 0ustar olivierolivier.TH jailkit 8 07-02-2010 JAILKIT jailkit .SH NAME jailkit \- utilities for jailing a user or process .SH DESCRIPTION Jailkit is a set of utilities that can limit user accounts to a specific directory tree and to specific commands. Setting up a jail is much easier using the jailkit utilities that doing so 'by hand'. A jail is a directory tree that you create within your file system; the user cannot see any directories or files that are outside the jail directory. The user is jailed in that directory and it subdirectories. The .BR chroot(2) system call is used by jailkit to put the user inside the jail. If you want the user to be able to do just one thing, you can set up the jail so that the user is able to do exactly and only that one thing. For example, if you want the user to be able to run scp, you install a copy of scp in the jail along with just enough support to execute it (e.g., using a limited shell). As you can understand, the fewer executables you have in a jail (and the more their capabilities are limited such as using strict configurations), the more work a hacker needs to break out of it. It is important to note that a chroot jail can be easily escaped if the user is able to elevate to the root level, so it's very important to prevent the user from doing so. In this summary, the top-level directory of the jail is referred to as JAIL. You can configure the JAIL to be any suitable directory (e.g., your JAIL may be /usr/local/chrootjail or /home/chroot). The JAIL directory should obviously be chosen so as not collide or interfere with other standard directories (e.g., it's probably a bad idea to use /home/chroot as the JAIL and also create a user named 'chroot'). A reference to JAIL/etc means "the etc/ subdirectory in your top-level jail directory". From the jailed user's point of view, the top-level jail directory is "/". .SH SECURITY CONSIDERATIONS .B A badly configured jail is a security risk! If a jailed user or a jailed process can modify files in (for example) the JAIL/lib/ or JAIL/etc/ directory (i.e., those within the jail directory), the user can bypass security checks and gain root privileges. .B No directory inside the jail .B except for the user's home directory or tmp should be writable by the user. Especially the root of the jail should .B not be writable by the user. Jailkit utilities can be used to perform some basic checks to verify that a jail is secure and abort if a jail is not secure. Check your logfiles if things don't work as expected. The super user (root), or any process running with root privileges, can always break out of a jail. It is therefore important that the processes inside the jail do not have root privileges, nor have the means to receive those privileges. Avoid setuid (+s) executables inside the jail. If the jail is on a separate filesystem, the jail filesystem can mounted with the .I nosuid flag. .SH CONTENTS This section gives summary sketches of the various programs that comprise jailkit. For details on how a program operates and is configured, read the reference pages of each program. .BR jk_init can be used to quickly create a jail with several files or directories needed for a specific task or profile. Creating the same jail over and over again is easily automated with jk_init. There are many tasks in .I /etc/jailkit/jk_init.ini predefined that work on Debian or Ubuntu systems. For other platforms you might need to update the predefined configuration. For example, you can use jk_init to quickly set up a limited shell, a jail to run apache, or a jail for just sftp and scp. It will copy the binaries, the required libraries (and related symlinks) as well as other files such as /etc/passwd. These are all copied into the jail directory so that a jailed process can run them. .BR jk_cp can be used to copy a file or device into a jail. Each file or device is copied with the same permissions with the exception that any setuid or setgid permissions are removed. If the file is a binary executable, the libraries required to execute it (as reported by ldd) are copied as well. .BR jk_chrootsh is a shell that jails a user in a specific directory, called the JAIL. It does this using the .BR chroot(2) (change root) system call. This makes the filesystem 'above' the JAIL directory inaccessible to the user. Because the user can no longer access directories such as /usr/bin that are accessible to a 'non-jailed' user, the JAIL directory must recreate enough of a file system to allow the jailed user to execute programs. For example, the JAIL directory typically contains a lib/ directory to contain shared libraries, and it normally has a etc/ directory to contain a minimal set of files such as etc/passwd (though this passwd file contains only a few key entries, not all those of the 'real' /etc/passwd). The jk_chrootsh program is normally installed as the user's shell (replacing /bin/bash) in the 'real' .I /etc/passwd file. When the user logs in, jk_chrootsh is executed as the user's shell. The jk_chrootsh enacts the chroot into the JAIL directory. It then reads the passwd file found within the JAIL (i.e., .I JAIL/etc/passwd ), obtains the program to be run as the user's shell (typically jk_lsh, the limited shell), and executes it within the jail. This combination limits the user's file system access to the JAIL directory (implemented by jk_chrootsh) and limits which programs the user is allowed to execute (implemented by jk_lsh). .BR jk_lsh is a limited shell that allows only those commands to be executed as specified in its configuration file. .I /etc/jailkit/jk_lsh.ini. It is typically started in one of two ways, by specifying it as the user's shell or by using the jk_chrootsh program. The first way is implemented by specifying jk_lsh as the shell in the user's entry in the 'real' .I /etc/passwd file. In this case, it executes in the normal file system and reads its configuration from .I /etc/jailkit/jk_lsh.ini. In the second way, jk_lsh is started from within jk_chrootsh by specifying it as the shell in the passwd file located inside the JAIL directory: .I JAIL/etc/passwd, in which case it reads its configuration from within the JAIL: .I JAIL/etc/jailkit/jk_lsh.ini. The latter is the recommended approach for highest security. Use this program if you want to deny regular shell access (e.g. logins) but you want to allow execution of only one or a few commands such sftp, scp, rsync, or cvs. .BR jk_uchroot is a utility to give regular users access to the .BR chroot(2) (change root) system call in a safe way. Which users are allowed in which jails is controlled from .I /etc/jailkit/jk_uchroot.ini Use this utility for users that can run processes both inside a jail and outside a jail. .BR jk_socketd is a daemon that allows logging safely to syslog from within a jail. It limits the logging rate based on parameters set in its configuration file: .I /etc/jailkit/jk_socketd.ini .BR jk_chrootlaunch is a utility to start a daemon that cannot do a .BR chroot(2) call itself in a jail. It can change the user and group id after jailing the process, and before executing the daemon. .BR jk_jailuser is a tool to move an existing user account into a jail. This moves the user's entire home directory (and subdirectories) into the appropriate place in the JAIL directory (e.g., JAIL/home/someuser). .BR jk_check is a jail integrity checker. It checks a jail for some of the potential security problems. (Obviously it does not check all possible weaknesses.) It reports any setuid and setgid programs, checks for any modified programs, checks for world writable directories, and more. It is configured by .I /etc/jailkit/jk_check.ini . .BR jk_list lists all jailed processes on a system, showing the PID, UID, and the jail directory. .BR jk_procmailwrapper is a wrapper for procmail. For regular users, it runs procmail and allows access to their normal .procmailrc file. For jailed users, it runs procmail and allows access only to the jailed .procmailrc (e.g., JAIL/home/someuser/.procmailrc). In the latter case, procmail must be available inside the jail. .BR jk_update is a tool to update files inside a jail according to updates on the real system. .SH EXAMPLE Suppose you wish to create an account 'test' that is permitted to execute only sftp and scp. Assume you also want it contained in a jail called /home/sftproot, in which it has a home directory /home/test (as seen by processes run by user 'test'; the actual directory will be JAIL/home/test). .nf .sp # Initialise the jail mkdir /home/sftproot chown root:root /home/sftproot chmod 0755 /home/sftproot jk_init -j /home/sftproot jk_lsh jk_init -j /home/sftproot sftp jk_init -j /home/sftproot scp # Move the account into the jail jk_jailuser -j /home/sftproot -s /usr/bin/jk_lsh -m test # Edit the jk_lsh configfile in the jail; see man jk_lsh. # You can use every editor you want; I choose 'joe' joe /home/sftproot/etc/jailkit/jk_lsh.ini # Restart jk_socketd so that log messages are transferred killall jk_socketd jk_socketd # Test the account sftp test@localhost # Check the logs to see if everything is correct tail /var/log/daemon.log /var/log/auth.log # or if you use systemd journalctl --since=-1h .fi .SH FILES The jailkit configuration files are located in .I /etc/jailkit/ Note that in some cases the configuration files must be replicated into the JAIL/etc/jailkit directory and edited appropriately. A jk program that is run within the jail directory is able to read its configuration from only the jailed .I etc/jailkit directory. .SH "SEE ALSO" .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR jk_update(8) .BR chroot(2) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/man/jk_update.80000644000175000017500000000751111333563222015607 0ustar olivierolivier.TH jk_update 8 07-02-2010 JAILKIT jk_update .SH NAME jk_update \- a utility to update and cleanup a jail according to changes on the real system .SH SYNOPSIS .B jk_update -j .B jk_update -c
.B jk_update -v -d -k -j -s .B jk_update --verbose --dry-run --hardlink --jail= --skip= .SH DESCRIPTION jk_update will compare the files in a jail with the corresponding files on the real system. If the corresponding file on the real system is newer, and the file on the real system is different, the file from the real system will be copied to the jail including any required libraries just like jk_cp would do. Files that do not exist on the real system will be deleted in the jail. jk_update works well to pass security updates on the real system to a jail. jk_update does not work well with larger upgrades on the real system. In that case files are often replaced by other files in which case jk_update will delete the old file but not copy the new file. .SS "Avoid unwanted updates or cleanups" To avoid unwanted updates, or to avoid files being deleted, files or directories can be skipped by jk_update, either by specifying them on the commandline or by specifying them in the configfile. .SS "Directories to include in the update" By default jk_update will scan /usr, /bin, /opt, and /lib for updates. If one or more arguments is passed as directories to update, these default directries are not scanned, unless they are part of the arguments. The default directories can also be set in the config file. .B jk_update -j will scan /usr, /bin, /opt, and /lib, while .B jk_update -j /bin will only scan /bin .SH EXAMPLE An example configfile could look like this: .nf .sp [/home/testchroot] skips = /usr/bin/myscript hardlinks = 1 directories = /usr, /bin, /lib [/home/otherjail] skips = /usr/share/firefox, /usr/bin/firefox, /usr/lib/firefox .fi where the options have the following meaning: .B skips .RS the files and directories to skip .RE .B hardlinks .RS a boolean whether to use hardlinks (1) or copy the files (0) .RE .B directories .RS specifies the directories to include in the update. .RE .SH WARNING If you have changed files in the jail, it is recommended to do a "dry run" first and see what jk_update will do. jk_update does now know if a file is manually changed or not. If a file in the jail is older and different from the file on the real system it is updated. If a file in the jail does not have an equivalent on the real system it is deleted. Use the skip option to exclude any files that you changed or added manually. .SH OPTIONS .TP .BR \-v\ \-\-verbose Will give verbose output .TP .BR \-h\ \-\-help The help screen .TP .BR \-c\ \ \-\-configsection= The jail to update .TP .BR \-j\ \ \-\-jail= The jail to update .TP .BR \-d\ \-\-dry\-run Do a "dry run". Show what will be done but don't do anything. .TP .BR \-k\ \-\-hardlink Try to create hardlinks instead of copying the files when updating .TP .BR \-s\ \ \-\-skip\ Do not update this file. The argument can either be the path in the jail or the path on the real system. In order to skip multiple files, use this option multiple times. .SH "SEE ALSO" .BR jailkit(8) .BR jk_check(8) .BR jk_chrootlaunch(8) .BR jk_chrootsh(8) .BR jk_cp(8) .BR jk_init(8) .BR jk_jailuser(8) .BR jk_list(8) .BR jk_lsh(8) .BR jk_procmailwrapper(8) .BR jk_socketd(8) .BR jk_uchroot(8) .BR chroot(2) .SH COPYRIGHT Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/Makefile.in0000644000175000017500000000614711442703766015060 0ustar olivierolivier#Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Olivier Sessink #All rights reserved. # #Redistribution and use in source and binary forms, with or without #modification, are permitted provided that the following conditions #are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # * The names of its contributors may not be used to endorse or # promote products derived from this software without specific # prior written permission. # #THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS #FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE #COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, #INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, #BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; #LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER #CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT #LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN #ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. # INSTALL = @INSTALL@ prefix = @prefix@ sysconfdir = @sysconfdir@ iniprefix = ${sysconfdir}/jailkit/ PACKAGE = @PACKAGE@ INIFILES = jk_check.ini jk_init.ini jk_lsh.ini jk_socketd.ini jk_chrootsh.ini jk_update.ini jk_uchroot.ini jailkit: all all: @cd src/ && $(MAKE) all @cd py/ && $(MAKE) all @cd man/ && $(MAKE) all clean: rm -f core *~ ini/*~ @cd src/ && $(MAKE) clean @cd py/ && $(MAKE) clean @cd man/ && $(MAKE) clean distclean: clean rm -rf autom4te.cache/ rm -f Makefile config.log config.status config.cache @cd src/ && $(MAKE) distclean @cd py/ && $(MAKE) distclean @cd man/ && $(MAKE) distclean install: ${INSTALL} -d -m 755 ${DESTDIR}${iniprefix} for file in ${INIFILES} ; do \ if [ -f ${DESTDIR}${iniprefix}$${file} ]; then \ ${INSTALL} -m 0644 ini/$${file} ${DESTDIR}${iniprefix}$${file}.dist ;\ else \ ${INSTALL} -m 0644 ini/$${file} ${DESTDIR}${iniprefix} ;\ fi ;\ done @cd src/ && $(MAKE) install @cd py/ && $(MAKE) install @cd man/ && $(MAKE) install # test if the jk_chrootsh is already in /etc/shells # this previously had @echo but that fails on FreeBSD if test -w /etc/shells; then \ if ! grep ${prefix}/sbin/jk_chrootsh /etc/shells ; then \ echo "appending ${prefix}/sbin/jk_chroots to /etc/shells";\ echo ${prefix}/sbin/jk_chrootsh >> /etc/shells ;\ fi \ fi uninstall: rm -f ${iniprefix}/*.ini @cd py/ && $(MAKE) uninstall @cd man/ && $(MAKE) uninstall @cd src/ && $(MAKE) uninstall -rmdir --ignore-fail-on-non-empty ${DESTDIR}${iniprefix} @echo "You must manually remove jk_chrootsh from /etc/shells" # remove jk_chrootsh from /etc/shells jailkit-2.21/README.txt0000644000175000017500000000334210726241105014467 0ustar olivierolivierABOUT Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a jail is a lot easier using these utilities. See 'man jailkit' for more detailed info on the different utilities in this package. If you have not yet installed jailkit you can see this man page using 'man man/jailkit.8'. REQUIREMENTS The most elementary tools are written in C and only need libc and libpthreads (available on almost any Linux system and most other posix compliant systems). The scripts are written in python, so they need python installed. COPYRIGHT Jailkit is an open source project written by Olivier Sessink. It is released under a modified BSD licence. EXAMPLE Suppose you need to create an account 'test' that can do sftp and scp only. You want it in a jail called /home/sftproot where it will have a homedirectory /home/test #initialise the jail mkdir /home/sftproot jk_init -j /home/sftproot jk_lsh jk_init -j /home/sftproot sftp jk_init -j /home/sftproot scp # create the account adduser test jk_jailuser -j /home/sftproot test # edit the jk_lsh configfile in the jail (man jk_lsh) # you can use every editor you want, I chose 'joe' joe /home/sftproot/etc/jailkit/jk_lsh.ini # now restart jk_socketd killall jk_socketd jk_socketd # test the account sftp test@localhost # check the logs if everything is correct tail /var/log/daemon.log /var/log/auth.log NOTES ON VARIOUS APPLICATIONS cvs - cvs needs /tmp/ for temporary files procmail - needs /dev/null COPYRIGHT Copyright (C) 2003, 2004, 2005, Olivier Sessink Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. jailkit-2.21/ini/0000755000175000017500000000000013544213117013551 5ustar olivierolivierjailkit-2.21/ini/jk_socketd.ini0000644000175000017500000000012110551020357016361 0ustar olivierolivier# example #[/home/testchroot/dev/log] #base = 1024 #peak = 10240 #interval = 2.0 jailkit-2.21/ini/jk_init.ini0000644000175000017500000001153113415461551015706 0ustar olivierolivier[uidbasics] # this section probably needs adjustment on 64bit systems # or non-Linux systems comment = common files for all jails that need user/group information paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.1, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, /lib/arm-linux-gnueabihf/libnsl*.so.1, /etc/nsswitch.conf, /etc/ld.so.conf # Solaris needs # paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, /etc/nsswitch.conf [netbasics] comment = common files for all jails that need any internet connectivity paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/libnss_mdns*.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services # on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure [logbasics] comment = timezone information and log sockets paths = /etc/localtime need_logsocket = 1 # Solaris does not need logsocket # but needs # devices = /dev/log, /dev/conslog [jk_lsh] comment = Jailkit limited shell paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini users = root groups = root includesections = uidbasics, logbasics [limitedshell] comment = alias for jk_lsh includesections = jk_lsh [cvs] comment = Concurrent Versions System paths = cvs devices = /dev/null [git] comment = Fast Version Control System paths = /usr/bin/git*, /usr/lib/git-core, /usr/bin/basename, /bin/uname, /usr/bin/pager includesections = editors, perl [scp] comment = ssh secure copy paths = scp includesections = netbasics, uidbasics devices = /dev/urandom [sftp] comment = ssh secure ftp paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server includesections = netbasics, uidbasics devices = /dev/urandom, /dev/null # on solaris #paths = /usr/lib/ssh/sftp-server [ssh] comment = ssh secure shell paths = ssh includesections = netbasics, uidbasics devices = /dev/urandom, /dev/tty, /dev/null [rsync] paths = rsync includesections = netbasics, uidbasics [procmail] comment = procmail mail delivery paths = procmail, /bin/sh devices = /dev/null [basicshell] comment = bash based shell with several basic utilities paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8 users = root groups = root includesections = uidbasics [midnightcommander] comment = Midnight Commander paths = mc, mcedit, mcview, /usr/share/mc includesections = basicshell, terminfo [extendedshell] comment = bash shell including things like awk, bzip, tail, less paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, less, md5sum, nice, sort, tac, tail, tr, sort, wc, watch, whoami includesections = basicshell, midnightcommander, editors [terminfo] comment = terminfo databases, required for example for ncurses or vim paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo [editors] comment = vim, joe and nano includesections = terminfo paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim [netutils] comment = several internet utilities like wget, ftp, rsync, scp, ssh paths = wget, lynx, ftp, host, rsync, smbclient includesections = netbasics, ssh, sftp, scp [apacheutils] comment = htpasswd utility paths = htpasswd [extshellplusnet] comment = alias for extendedshell + netutils + apacheutils includesections = extendedshell, netutils, apacheutils [openvpn] comment = jail for the openvpn daemon paths = /usr/sbin/openvpn users = root,nobody groups = root,nogroup includesections = netbasics devices = /dev/urandom, /dev/random, /dev/net/tun includesections = netbasics, uidbasics need_logsocket = 1 [apache] comment = the apache webserver, very basic setup, probably too limited for you paths = /usr/sbin/apache users = root, www-data groups = root, www-data includesections = netbasics, uidbasics [perl] comment = the perl interpreter and libraries paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5 [xauth] comment = getting X authentication to work paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf [xclients] comment = minimal files for X clients paths = /usr/X11R6/lib/X11/rgb.txt includesections = xauth [vncserver] comment = the VNC server program paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/ includesections = xclients [ping] comment = Ping program paths_w_setuid = /bin/ping #[xterm] #comment = xterm #paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo #devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4 jailkit-2.21/ini/jk_lsh.ini0000644000175000017500000000052110413564446015530 0ustar olivierolivier## example for a user #[test] #paths= /usr/lib/ #executables= /usr/lib/sftp-server #allow_word_expansion = 0 #umask = 002 # ##example for a group, there should be only 1 space inbetween the words! #[group users] #paths = /usr/bin #executables = /usr/bin/cvs #allow_word_expansion = 0 #environment= HELIX_PATH=/opt/RealPlayer/, TMP=/tmp/ jailkit-2.21/ini/jk_chrootsh.ini0000644000175000017500000000114712304655563016602 0ustar olivierolivier# understand that there is only one section that will be used: # - highest priority: a section specific for the user # - second priority: a section for the primary group of the user # - third priority: the DEFAULT section # ## example for a user #[test] #env= DISPLAY, XAUTHORITY # ##example for a group, there should be only 1 space inbetween the words! #[group users] #env = DISPLAY, XAUTHORITY # ## example for a default section #[DEFAULT] #relax_home_group=1 #env= DISPLAY # #[group jail] #env = TERM, PATH #relax_home_owner=1 #relax_home_group=1 #relax_home_group_permissions=1 #relax_home_other_permissions=1 jailkit-2.21/ini/jk_uchroot.ini0000644000175000017500000000024611267103721016422 0ustar olivierolivier#[john] #allowed_jails = /srv/johnjail, /srv/commonjail #skip_injail_passwd_check = 1 # #[group users] #allowed_jails = /srv/commonjail #skip_injail_passwd_check = 1 jailkit-2.21/ini/jk_check.ini0000644000175000017500000000207707771615537016042 0ustar olivierolivier[/home/testchroot] # jk_check does not run any tests in this directory (useful for proc filesystem) # be careful!! there is I repeat NO SINGLE TEST in this directory #ignorepatheverywhere = # jk_check compares files if they are equal to their counterparts in the real system, # using md5sum(). In the specified directories it will not test if files are equal # it will still test for world writable directories and setuid files ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc # jk_check tests directory permissions, if you deliberately made some directories writable # for group or others, or you don't care, specify them here ignorewritableforgroup = /home/testchroot/home ignorewritableforothers = /home/testchroot/home/tmp # jk_check tests for setuid root and setgid root files # if you deliberately have such files specify them here ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount ignoresetuidexecuteforothers = jailkit-2.21/ini/jk_update.ini0000644000175000017500000000011510573226662016225 0ustar olivierolivier[/home/testjail] skips = /usr/bin/myscript hardlinks = 0 directories = /usr