summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xezjail-admin73
1 files changed, 58 insertions, 15 deletions
diff --git a/ezjail-admin b/ezjail-admin
index 17d7349..26a626b 100755
--- a/ezjail-admin
+++ b/ezjail-admin
@@ -249,7 +249,12 @@ ezjail_queryftpserver () {
249 249
250# Make a path absolute, if it isn't already 250# Make a path absolute, if it isn't already
251ezjail_makeabsolute ( ) { 251ezjail_makeabsolute ( ) {
252 [ $# -eq 1 ] && path=`pwd -P` || path=$2 252 if [ $# -eq 1 ]; then
253 path=`pwd -P`
254 else
255 path=$2
256 ezjail_makeabsolute path
257 fi
253 eval [ \"\${$1%%[!/]*}\" -o "\${$1}" = "-" ] || eval export ${1}="${path}/\${$1}" 258 eval [ \"\${$1%%[!/]*}\" -o "\${$1}" = "-" ] || eval export ${1}="${path}/\${$1}"
254} 259}
255 260
@@ -825,19 +830,29 @@ archive)
825 # Jail name mandatory 830 # Jail name mandatory
826 fetchjailinfo ${1%.norun} 831 fetchjailinfo ${1%.norun}
827 832
828 # check for existence of jail in our records 833 # Check for existence of jail in our records
829 [ "${ezjail_config}" ] || exerr "Error: Nothing known about jail ${ezjail_name}." 834 [ "${ezjail_config}" ] || exerr "Error: Nothing known about jail ${ezjail_name}."
830 835
831 # if jail is still running, refuse to go any further - unless forced 836 # If jail is still running, refuse to go any further - unless forced
832 [ "${ezjail_id}" -a -z "${ezjail_force}" ] && exerr "Error: Jail appears to be still running, stop it first or [-f]orce archiving." 837 [ "${ezjail_id}" -a -z "${ezjail_force}" ] && exerr "Error: Jail appears to be still running, stop it first or [-f]orce archiving."
833 838
834 # This one goes into archive to identify jail by name and restore date 839 # This one goes into archive to identify jail by name and restore date
835 ezjail_archive_tag="${ezjail_safename}-`date +%Y%m%d%H%M.%S`" 840 ezjail_archive_tag="${ezjail_safename}-`date +%Y%m%d%H%M.%S`"
836 841
837 # if no archive name was specified, make one up 842 # If no archive name was specified, make one up
838 [ "${ezjail_archive}" ] || ezjail_archive="${ezjail_archive_tag}.tar.gz" 843 [ "${ezjail_archive}" ] || ezjail_archive="${ezjail_archive_tag}.tar.gz"
839 844
840 # if archive location is not absolute, prepend archive directory 845 # Archives need to now, where they came from. Restore by default only
846 # reinstalls jails on the same machine. We also warn on OS upgrades and
847 # processor type changes
848 ezjail_hostsystem_name=$( echo -n `uname -n` | tr -c '[:alnum:].' _ )
849 ezjail_hostsystem_version=$( echo -n `uname -r` | tr -c '[:alnum:].' _ )
850 ezjail_hostsystem_cpu=$( echo -n `uname -p` | tr -c '[:alnum:].' _ )
851
852 ezjail_archive_tag="${ezjail_archive_tag}-${ezjail_hostsystem_name}-${ezjail_hostsystem_version}-${ezjail_hostsystem_cpu}"
853 echo $ezjail_archive_tag
854
855 # If archive location is not absolute, prepend archive directory
841 ezjail_makeabsolute ezjail_archive ${ezjail_archivedir} 856 ezjail_makeabsolute ezjail_archive ${ezjail_archivedir}
842 857
843 # It's a tar archive, after all 858 # It's a tar archive, after all
@@ -849,12 +864,10 @@ archive)
849 # For stdout do specify nothing 864 # For stdout do specify nothing
850 [ "${ezjail_archive}" = "-" ] && unset ezjail_archive_opt || ezjail_archive_opt="-f ${ezjail_archive}" 865 [ "${ezjail_archive}" = "-" ] && unset ezjail_archive_opt || ezjail_archive_opt="-f ${ezjail_archive}"
851 866
852 [ -f "${ezjail_etc}/ezjail.conf" ] && ezjail_addfiles="${ezjail_etc}/ezjail.conf" 867 [ -f "/etc/fstab.${ezjail_safename}" ] && ezjail_addfiles=/etc/fstab.${ezjail_safename}
853 [ -f "/etc/fstab.${ezjail_safename}" ] && ezjail_addfiles="${ezjail_addfiles} /etc/fstab.${ezjail_safename}"
854 868
855 cd "${ezjail_rootdir}" || exerr "Error: can't cd to ${ezjail_root}." 869 cd "${ezjail_rootdir}" || exerr "Error: can't cd to ${ezjail_root}."
856 pax -wXtz -x ustar ${ezjail_archive_opt} \ 870 pax -wzXt -x ustar ${ezjail_archive_opt} \
857 -s:"^[^\\.].*/ezjail\\.conf\$":ezjail.conf: \
858 -s:"^[^\\.].*/${ezjail_safename}\$":prop.ezjail-${ezjail_archive_tag}: \ 871 -s:"^[^\\.].*/${ezjail_safename}\$":prop.ezjail-${ezjail_archive_tag}: \
859 -s:"^[^\\.].*/${ezjail_safename}.norun\$":prop.ezjail-${ezjail_archive_tag}.norun: \ 872 -s:"^[^\\.].*/${ezjail_safename}.norun\$":prop.ezjail-${ezjail_archive_tag}.norun: \
860 -s:"etc/fstab.${ezjail_safename}\$":fstab.ezjail: \ 873 -s:"etc/fstab.${ezjail_safename}\$":fstab.ezjail: \
@@ -875,9 +888,7 @@ archive)
875####################### ezjail-admin RESTORE ######################## 888####################### ezjail-admin RESTORE ########################
876restore) 889restore)
877 # Clean variables, prevent polution 890 # Clean variables, prevent polution
878 unset ezjail_archivedir 891 unset ezjail_archivedir ezjail_safename
879
880#ezjail_usage_restore="Usage: ${ezjail_admin} restore [-d archivedir] (archive|jailname)..."
881 892
882 shift; while getopts :d: arg; do case ${arg} in 893 shift; while getopts :d: arg; do case ${arg} in
883 d) ezjail_archivedir=${OPTARG};; 894 d) ezjail_archivedir=${OPTARG};;
@@ -911,11 +922,43 @@ restore)
911 fi 922 fi
912 fi 923 fi
913 924
914 ezjail_nameprop=`tar tzf ${ezjail_fromarchive} --fast-read prop.ezjail_\*` 925 # We want to parse some content from archive. In order to reduce
926 # security implication this may have, we check owner and permission.
927 #
928 # However, this does not protect against admins transporting
929 # archives over insecure lines over the net.
930 [ `stat -f %u "${ezjail_fromarchive}"` -eq 0 ] || exerr "Error: Insecure ownership of archive ${ezjail_fromarchive}. Please check the file and chown it to root if you trust its source."
931 [ $(( `stat -f %OLp "${ezjail_fromarchive}"` & 0022 )) -eq 0 ] || exerr "Error: Insecure permissions for archive ${ezjail_fromarchive}. Please check the file and fix permission (chmod og-w) if you trust its source."
932
933 ezjail_nameprop=`pax -zn -f ${ezjail_fromarchive} prop.ezjail-\*`
915 [ $? -eq 0 -a "${ezjail_nameprop}" ] || exerr "Error: File ${ezjail_fromarchive} is not an ezjail archive." 934 [ $? -eq 0 -a "${ezjail_nameprop}" ] || exerr "Error: File ${ezjail_fromarchive} is not an ezjail archive."
916 935
917 echo "${ezjail_nameprop}" 936 # Figure out, what archive believes it contains
918 937 ezjail_nameprop_safename=`echo ${ezjail_nameprop} | cut -d '-' -f 2`
938
939 # Figure out system environment when archive was created
940 ezjail_nameprop_hsname=`echo ${ezjail_nameprop} | cut -d '-' -f 4`
941 ezjail_nameprop_hsversion=`echo ${ezjail_nameprop} | cut -d '-' -f 5`
942 ezjail_nameprop_hscpu=`echo ${ezjail_nameprop} | cut -d '-' -f 6`
943
944 # Figure out current system environment
945 ezjail_hsname=$( echo -n `uname -n` | tr -c '[:alnum:].' _ )
946 ezjail_hsversion=$( echo -n `uname -r` | tr -c '[:alnum:].' _ )
947 ezjail_hscpu=$( echo -n `uname -p` | tr -c '[:alnum:].' _ )
948
949 # Catch all errors that will likely create a broken backup
950 [ "${ezjail_safename}" -a "${ezjail_safename}" != "${ezjail_nameprop_safename}" ] && exerr "Error: Archive name ${ezjail_fromarchive} does not match archived jail ${ezjail_nameprop_safename}."
951 [ "${ezjail_hsname}" != "${ezjail_nameprop_hsname}" ] && exerr "Error: Can only use restore on the same machine. Consider using \"ezjail-admin create -a\" when migrating ezjails."
952 [ "${ezjail_hscpu} != "${ezjail_nameprop_hscpu}" ] && exerr Error: Archive was created on a different cpu Can not restore. Consider using \"ezjail-admin create -a\" when migrating ezjails."
953
954 # BIG security hole here. Must trust content of archive
955# pax -wzXt -x ustar ${ezjail_fromarchive} \
956# -s:prop.ezjail(): \
957# -s:"^[^\\.].*/${ezjail_safename}.norun\$":prop.ezjail-${ezjail_archive_tag}.norun: \
958# -s:"etc/fstab.${ezjail_safename}\$":fstab.ezjail: \
959# -s:"^\\.":ezjail: \
960# "${ezjail_config}" ${ezjail_addfiles} .
961
919 962
920 shift 1 963 shift 1
921 done 964 done