cloudpanel-site-jailer/jail_all_sites.sh at main · rick001/cloudpanel-site-jailer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
#!/bin/bash
set -euo pipefail
trap 'cleanup_on_exit' EXIT ERR

##############################
# CloudPanel Site Jailer
##############################

# Configuration
DB_PATH="${DB_PATH:-/home/clp/htdocs/app/data/db.sq3}"
JAIL_ROOT="${JAIL_ROOT:-/home/jail}"
LOGFILE="${LOGFILE:-/var/log/jail_all_sites.log}"
BASE_JAIL="${JAIL_ROOT}/_base"
JK_PROFILE="cloudpanel"

# Safety checks
VALID_USERNAME_RE='^[a-z_][a-z0-9_-]*$'
declare -a MOUNTED_PATHS=()
PERSISTENT_MOUNT=false

# Colors
[ -t 1 ] && COLOR=true || COLOR=false
RED=$($COLOR && echo -e '\033[0;31m')    GREEN=$($COLOR && echo -e '\033[0;32m')
YELLOW=$($COLOR && echo -e '\033[1;33m') BLUE=$($COLOR && echo -e '\033[0;34m')
NC=$($COLOR && echo -e '\033[0m')

# Runtime flags
VERBOSE=false FIX_MODE=false DIAGNOSE_MODE=false DIAGNOSE_USER=""

#################################
# Utility Functions
#################################

cleanup_on_exit() {
    local status=$?
    for path in "${MOUNTED_PATHS[@]}"; do
        [[ "$path" == PERSISTENT:* ]] && continue
        if mountpoint -q "$path"; then
            umount "$path" && log INFO "Unmounted $path" || :
        fi
    done
    exit $status
}

log() {
    local level=$1 message=$2
    local color=$NC timestamp="[$(date +'%F %T')]"

    case $level in
        ERROR)   color=$RED ;;
        SUCCESS) color=$GREEN ;;
        WARNING) color=$YELLOW ;;
        INFO)    color=$BLUE ;;
    esac

    $COLOR && echo -e "${color}${timestamp} ${message}${NC}" || echo "${timestamp} [${level}] ${message}"
    echo "${timestamp} [${level}] ${message}" >> "$LOGFILE"
}

validate_user() {
    local u=$1
    [[ "$u" =~ $VALID_USERNAME_RE ]] || {
        log ERROR "Invalid username: $u"; return 1
    }
    getent passwd "$u" >/dev/null || {
        log ERROR "User does not exist: $u"; return 1
    }
}

safe_mount() {
    local src=$1 dst=$2
    mkdir -p "$dst"
    if mountpoint -q "$dst"; then
        log WARNING "Already mounted: $dst"
        return 0
    fi
    if mount --bind "$src" "$dst"; then
        if $PERSISTENT_MOUNT; then
            MOUNTED_PATHS+=("PERSISTENT:$dst")
        else
            MOUNTED_PATHS+=("$dst")
        fi
        log SUCCESS "Mounted $src → $dst"
        return 0
    fi
    log ERROR "Failed mounting $src → $dst"
    return 1
}

#################################
# Core Jail Functions
#################################

init_base_jail() {
    [ -d "$BASE_JAIL" ] && return 0

    log INFO "Creating base jail..."
    mkdir -p "$BASE_JAIL"
    chown root:root "$BASE_JAIL"
    chmod 755 "$BASE_JAIL"

    # Initialize with jailkit
    if ! jk_init -v "$BASE_JAIL" basicshell netutils ssh sftp scp editors; then
        log ERROR "Base jail initialization failed"
        return 1
    fi

    # Create essential directory structure for libraries
    mkdir -p "$BASE_JAIL/lib/x86_64-linux-gnu"

    # Copy critical shared libraries
    log INFO "Copying system libraries..."
    for lib in libc.so.6 ld-linux-x86-64.so.2; do
        lib_path="/lib/x86_64-linux-gnu/$lib"
        if [ -f "$lib_path" ]; then
            cp -pv "$lib_path" "$BASE_JAIL/lib/x86_64-linux-gnu/"
        else
            log ERROR "Critical library missing: $lib_path"
            return 1
        fi
    done

    # Configure valid shells
    log INFO "Configuring shell environment..."
    mkdir -p "$BASE_JAIL/etc"
    echo -e "/usr/sbin/jk_chrootsh\n/bin/bash\n/bin/sh" > "$BASE_JAIL/etc/shells"

    # Add jailkit control binaries
    jk_cp -v -k "$BASE_JAIL" /usr/sbin/jk_lsh /usr/sbin/jk_chrootsh

    # Create essential devices with safety checks
    log INFO "Creating device nodes..."
    mkdir -p "$BASE_JAIL/dev"
    declare -A devices=(
        ["null"]="c 1 3"
        ["zero"]="c 1 5"
        ["random"]="c 1 8"
        ["urandom"]="c 1 9"
    )
    for dev in "${!devices[@]}"; do
        if [ ! -e "$BASE_JAIL/dev/$dev" ]; then
            mknod -m 666 "$BASE_JAIL/dev/$dev" ${devices[$dev]}
        fi
    done

    # Verify base structure
    log INFO "Verifying base jail integrity..."
    local required_paths=(
        "/usr/sbin/jk_chrootsh"
        "/etc/shells"
        "/lib/x86_64-linux-gnu/libc.so.6"
    )
    for path in "${required_paths[@]}"; do
        if [ ! -e "$BASE_JAIL$path" ]; then
            log ERROR "Missing critical path: $BASE_JAIL$path"
            return 1
        fi
    done

    log SUCCESS "Base jail created with full dependencies"
    return 0
}

create_user_jail() {
    local u=$1
    local user_jail="${JAIL_ROOT}/${u}"
    local real_home="/home/${u}"
    local jail_home="${user_jail}${real_home}"

    if [ ! -d "$user_jail" ]; then
        log INFO "Cloning base jail for $u"
        cp -a "$BASE_JAIL" "$user_jail" || {
            log ERROR "Failed cloning base jail"; return 1
        }
    fi

    # Preserve base users and add jailed user
    mkdir -p "${user_jail}/etc"
    cp "${BASE_JAIL}/etc/passwd" "${user_jail}/etc/passwd"
    cp "${BASE_JAIL}/etc/group" "${user_jail}/etc/group"
    grep "^${u}:" /etc/passwd >> "${user_jail}/etc/passwd"
    grep "^${u}:" /etc/group >> "${user_jail}/etc/group"

    # Copy shell configuration
    cp "${BASE_JAIL}/etc/shells" "${user_jail}/etc/shells"

    # Home directory mount
    PERSISTENT_MOUNT=true
    safe_mount "$real_home" "$jail_home" || return 1
    PERSISTENT_MOUNT=false

    if ! grep -qE "^${real_home}[[:space:]]+${jail_home}[[:space:]]+" /etc/fstab; then
        echo "$real_home $jail_home none bind 0 0" >> /etc/fstab
        log INFO "Added fstab entry for $u"
    fi

    if usermod -s /usr/sbin/jk_chrootsh "$u"; then
        log SUCCESS "Configured jail for $u"
        return 0
    fi

    log ERROR "Failed to jail user $u"
    return 1
}

unjail_user() {
    local u=$1
    local user_jail="${JAIL_ROOT}/${u}"
    local jail_home="${user_jail}/home/${u}"

    if mountpoint -q "$jail_home"; then
        umount "$jail_home" || { log ERROR "Unmount failed for $jail_home"; return 1; }
        log INFO "Unmounted $jail_home"
    fi

    sed -i "\|${jail_home}|d" /etc/fstab

    if usermod -s /bin/bash "$u"; then
        log SUCCESS "Restored $u to normal shell"
        return 0
    fi

    log ERROR "Failed to unjail $u"
    return 1
}

#################################
# Main Workflow
#################################

get_site_users() {
    [ -f "$DB_PATH" ] || { log ERROR "Database not found: $DB_PATH"; exit 1; }
    sqlite3 "$DB_PATH" \
        "SELECT DISTINCT user FROM site WHERE user!='' AND user IS NOT NULL;" |
    while read -r u; do
        validate_user "$u" && echo "$u"
    done
}

check_dependencies() {
    local required=("sqlite3" "jailkit")
    local missing=()
    for pkg in "${required[@]}"; do
        dpkg -l "$pkg" &>/dev/null || missing+=("$pkg")
    done

    if [ ${#missing[@]} -gt 0 ]; then
        log INFO "Installing missing packages..."
        apt-get update && apt-get install -y "${missing[@]}"
    fi
}

diagnose_user() {
    local u=$1
    validate_user "$u" || return 1

    echo "=== Diagnosis for $u ==="
    echo "Shell: $(getent passwd "$u" | cut -d: -f7)"
    echo "Jail Home: ${JAIL_ROOT}/${u}/home/${u}"
    echo "Mount Status: $(mountpoint -q "${JAIL_ROOT}/${u}/home/${u}" && echo "Mounted" || echo "Not Mounted")"
    echo "Fstab Entry: $(grep -E "^/home/${u}[[:space:]]+" /etc/fstab || echo "None")"
    echo "=== End Diagnosis ==="
}

main() {
    [ "$(id -u)" -eq 0 ] || { log ERROR "Must be run as root!"; exit 1; }
    check_dependencies
    init_base_jail || exit 1

    if $DIAGNOSE_MODE; then
        diagnose_user "$DIAGNOSE_USER"
        exit 0
    fi

    if $FIX_MODE; then
        while read -r u; do
            unjail_user "$u" || log WARNING "Failed to fix $u"
        done < <(get_site_users)
        exit 0
    fi

    while read -r u; do
        log INFO "Processing user: $u"
        create_user_jail "$u" || log WARNING "Failed to jail $u"
    done < <(get_site_users)

    log SUCCESS "Operation completed"
}

# Argument parsing
while [[ $# -gt 0 ]]; do
    case $1 in
        -v|--verbose) VERBOSE=true; set -x ;;
        --fix) FIX_MODE=true ;;
        --diagnose) DIAGNOSE_MODE=true; DIAGNOSE_USER=$2; shift ;;
        -*) echo "Unknown option: $1"; exit 1 ;;
    esac
    shift
done

mkdir -p "$(dirname "$LOGFILE")"
touch "$LOGFILE"
main