Diffstat (limited to 'ezjail-admin')
-rwxr-xr-x | ezjail-admin | 73 |
1 files changed, 58 insertions, 15 deletions
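--- a/ezjail-admin
+++ b/ezjail-admin
@@ -249,7 +249,12 @@ ezjail_queryftpserver () {
 
 # Make a path absolute, if it isn't already
 ezjail_makeabsolute ( ) {
-[ $# -eq 1 ] && path=`pwd -P` || path=$2
+if [ $# -eq 1 ]; then
+path=`pwd -P`
+else
+path=$2
+ezjail_makeabsolute path
+fi
 eval [ \"\${$1%%[!/]*}\" -o "\${$1}" = "-" ] || eval export ${1}="${path}/\${$1}"
 }
 
@@ -825,19 +830,29 @@ archive)
 # Jail name mandatory
 fetchjailinfo ${1%.norun}
 
-# check for existence of jail in our records
+# Check for existence of jail in our records
 [ "${ezjail_config}" ] || exerr "Error: Nothing known about jail ${ezjail_name}."
 
-# if jail is still running, refuse to go any further - unless forced
+# If jail is still running, refuse to go any further - unless forced
 [ "${ezjail_id}" -a -z "${ezjail_force}" ] && exerr "Error: Jail appears to be still running, stop it first or [-f]orce archiving."
 
 # This one goes into archive to identify jail by name and restore date
 ezjail_archive_tag="${ezjail_safename}-`date +%Y%m%d%H%M.%S`"
 
-# if no archive name was specified, make one up
+# If no archive name was specified, make one up
 [ "${ezjail_archive}" ] || ezjail_archive="${ezjail_archive_tag}.tar.gz"
 
-# if archive location is not absolute, prepend archive directory
+# Archives need to now, where they came from. Restore by default only
+# reinstalls jails on the same machine. We also warn on OS upgrades and
+# processor type changes
+ezjail_hostsystem_name=$( echo -n `uname -n` | tr -c '[:alnum:].' _ )
+ezjail_hostsystem_version=$( echo -n `uname -r` | tr -c '[:alnum:].' _ )
+ezjail_hostsystem_cpu=$( echo -n `uname -p` | tr -c '[:alnum:].' _ )
+
+ezjail_archive_tag="${ezjail_archive_tag}-${ezjail_hostsystem_name}-${ezjail_hostsystem_version}-${ezjail_hostsystem_cpu}"
+echo $ezjail_archive_tag
+
+# If archive location is not absolute, prepend archive directory
 ezjail_makeabsolute ezjail_archive ${ezjail_archivedir}
 
 # It's a tar archive, after all
@@ -849,12 +864,10 @@ archive)
 # For stdout do specify nothing
 [ "${ezjail_archive}" = "-" ] && unset ezjail_archive_opt || ezjail_archive_opt="-f ${ezjail_archive}"
 
-[ -f "${ezjail_etc}/ezjail.conf" ] && ezjail_addfiles="${ezjail_etc}/ezjail.conf"
-[ -f "/etc/fstab.${ezjail_safename}" ] && ezjail_addfiles="${ezjail_addfiles} /etc/fstab.${ezjail_safename}"
+[ -f "/etc/fstab.${ezjail_safename}" ] && ezjail_addfiles=/etc/fstab.${ezjail_safename}
 
 cd "${ezjail_rootdir}" || exerr "Error: can't cd to ${ezjail_root}."
-pax -wXtz -x ustar ${ezjail_archive_opt} \
--s:"^[^\\.].*/ezjail\\.conf\$":ezjail.conf: \
+pax -wzXt -x ustar ${ezjail_archive_opt} \
 -s:"^[^\\.].*/${ezjail_safename}\$":prop.ezjail-${ezjail_archive_tag}: \
 -s:"^[^\\.].*/${ezjail_safename}.norun\$":prop.ezjail-${ezjail_archive_tag}.norun: \
 -s:"etc/fstab.${ezjail_safename}\$":fstab.ezjail: \
@@ -875,9 +888,7 @@ archive)
 ####################### ezjail-admin RESTORE ########################
 restore)
 # Clean variables, prevent polution
-unset ezjail_archivedir
-
-#ezjail_usage_restore="Usage: ${ezjail_admin} restore [-d archivedir] (archive|jailname)..."
+unset ezjail_archivedir ezjail_safename
 
 shift; while getopts :d: arg; do case ${arg} in
 d) ezjail_archivedir=${OPTARG};;
@@ -911,11 +922,43 @@ restore)
 fi
 fi
 
-ezjail_nameprop=`tar tzf ${ezjail_fromarchive} --fast-read prop.ezjail_\*`
+# We want to parse some content from archive. In order to reduce
+# security implication this may have, we check owner and permission.
+#
+# However, this does not protect against admins transporting
+# archives over insecure lines over the net.
+[ `stat -f %u "${ezjail_fromarchive}"` -eq 0 ] || exerr "Error: Insecure ownership of archive ${ezjail_fromarchive}. Please check the file and chown it to root if you trust its source."
+[ $(( `stat -f %OLp "${ezjail_fromarchive}"` & 0022 )) -eq 0 ] || exerr "Error: Insecure permissions for archive ${ezjail_fromarchive}. Please check the file and fix permission (chmod og-w) if you trust its source."
+
+ezjail_nameprop=`pax -zn -f ${ezjail_fromarchive} prop.ezjail-\*`
 [ $? -eq 0 -a "${ezjail_nameprop}" ] || exerr "Error: File ${ezjail_fromarchive} is not an ezjail archive."
 
-echo "${ezjail_nameprop}"
-
+# Figure out, what archive believes it contains
+ezjail_nameprop_safename=`echo ${ezjail_nameprop} | cut -d '-' -f 2`
+
+# Figure out system environment when archive was created
+ezjail_nameprop_hsname=`echo ${ezjail_nameprop} | cut -d '-' -f 4`
+ezjail_nameprop_hsversion=`echo ${ezjail_nameprop} | cut -d '-' -f 5`
+ezjail_nameprop_hscpu=`echo ${ezjail_nameprop} | cut -d '-' -f 6`
+
+# Figure out current system environment
+ezjail_hsname=$( echo -n `uname -n` | tr -c '[:alnum:].' _ )
+ezjail_hsversion=$( echo -n `uname -r` | tr -c '[:alnum:].' _ )
+ezjail_hscpu=$( echo -n `uname -p` | tr -c '[:alnum:].' _ )
+
+# Catch all errors that will likely create a broken backup
+[ "${ezjail_safename}" -a "${ezjail_safename}" != "${ezjail_nameprop_safename}" ] && exerr "Error: Archive name ${ezjail_fromarchive} does not match archived jail ${ezjail_nameprop_safename}."
+[ "${ezjail_hsname}" != "${ezjail_nameprop_hsname}" ] && exerr "Error: Can only use restore on the same machine. Consider using \"ezjail-admin create -a\" when migrating ezjails."
+[ "${ezjail_hscpu} != "${ezjail_nameprop_hscpu}" ] && exerr Error: Archive was created on a different cpu Can not restore. Consider using \"ezjail-admin create -a\" when migrating ezjails."
+
+# BIG security hole here. Must trust content of archive
+# pax -wzXt -x ustar ${ezjail_fromarchive} \
+# -s:prop.ezjail(): \
+# -s:"^[^\\.].*/${ezjail_safename}.norun\$":prop.ezjail-${ezjail_archive_tag}.norun: \
+# -s:"etc/fstab.${ezjail_safename}\$":fstab.ezjail: \
+# -s:"^\\.":ezjail: \
+# "${ezjail_config}" ${ezjail_addfiles} .
+
 
 shift 1
 done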
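Review bot: The CPU-mismatch guard in the restore hunk (new line 952) can never fire, because the closing quote after `${ezjail_hscpu}` and the opening quote before `Error:` are missing; `[` then receives one long word with no closing `]`, fails, and `exerr` is never called. It should read `[ "${ezjail_hscpu}" != "${ezjail_nameprop_hscpu}" ] && exerr "Error: Archive was created on a different cpu. Can not restore. Consider using \"ezjail-admin create -a\" when migrating ezjails."`. `ezjail_hsversion` and `ezjail_nameprop_hsversion` are computed but not compared anywhere in this hunk, although the comment on the archive side promises a warning on OS upgrades. Separately, in `ezjail_makeabsolute` the recursive call `ezjail_makeabsolute path` takes the one-argument branch and overwrites the global `path` with the output of `pwd -P`, so the directory passed as `$2` appears to be lost; a distinct scratch variable name would avoid that. The `restore)` loop body starts and ends outside the hunk.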